
I followed this tutorial (http://elinux.org/RPI-Wireless-Hotspot) for a WiFi hotspot in the guesthouse. This is working fine, but every device on the WiFi network can reach any LAN device in the LAN and vice versa. I don't want this (or at least I want to block ARP spoofing) because there is some sensitive HTTP traffic (I can't use SSL).

Which iptables rules are needed to restrict the WiFi to only be used for "the internet"? I do login with SSH on the Rpi from the LAN.

user1226868
  • Turn on WPA on the access point. Give passwords to guests. (You might still need to restrict traffic, but I am really sure you don't want to run a completely open access point, even if your guest house is a mile from anywhere.) – Bob Brown Oct 26 '14 at 21:33
  • 1
    It is public in the sense that guests can use it. It indeed has password protection and WPA on. – user1226868 Oct 26 '14 at 21:55

1 Answer


After some debugging I found my problem: it wasn't the firewall rules but the fact that the DHCP server for my LAN wasn't working (and thus creating a very strange scenario).

These are the rules I used (I flushed all previous iptables rules from the tutorial):

sudo iptables -P FORWARD DROP
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
sudo iptables -A FORWARD -i wlan0 -o eth0 -d 192.168.2.0/24 -j DROP
sudo iptables -A FORWARD -i wlan0 -o eth0 -j ACCEPT
sudo iptables -A FORWARD -i eth0 -o wlan0 -d 192.168.2.0/24 -j DROP
sudo iptables -A FORWARD -i eth0 -o wlan0 -j ACCEPT

And this results in:

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  wlan0  eth0    anywhere             192.168.2.0/24
  192 11645 ACCEPT     all  --  wlan0  eth0    anywhere             anywhere
    0     0 DROP       all  --  eth0   wlan0   anywhere             192.168.2.0/24
    9  6286 ACCEPT     all  --  eth0   wlan0   anywhere             anywhere

What happens here is that I refuse any traffic from my LAN (192.168.2.x) from going to the WLAN and vice versa. If the packets comply with this rule, I use NAT to transfer them to the gateway of the LAN and onto the internet.

user1226868
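As an added example (not the answer's own script), the same isolation written so that the LAN-to-guest drop matches on source address: a packet from a LAN host to a guest carries a LAN source and a guest-subnet destination, so a `-d 192.168.2.0/24` match in the eth0-to-wlan0 direction cannot fire. A conntrack rule admits replies, so with the default-deny policy only guest-initiated flows are forwarded. The guest subnet 192.168.42.0/24 and the interface names are assumptions; set IPT=echo for a dry run.

```shell
#!/bin/sh
# Added example, not the code from the answer above.
# Assumed layout (placeholders, adjust to your network): LAN 192.168.2.0/24
# on eth0, guest hotspot 192.168.42.0/24 on wlan0.
LAN_IF="${LAN_IF:-eth0}"
WLAN_IF="${WLAN_IF:-wlan0}"
LAN_NET="${LAN_NET:-192.168.2.0/24}"
WLAN_NET="${WLAN_NET:-192.168.42.0/24}"
# IPT=echo prints the rules instead of applying them (dry run).
IPT="${IPT:-sudo iptables}"

apply_isolation() {
  # Clean FORWARD chain and NAT table; default deny for anything not matched.
  $IPT -F FORWARD
  $IPT -t nat -F POSTROUTING
  $IPT -P FORWARD DROP
  # Replies for connections the router already tracks pass in either
  # direction; the rules after this only decide which NEW flows may start.
  $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  # Guest -> LAN host: the guest's packet is addressed to the LAN, so
  # matching on destination is right here.
  $IPT -A FORWARD -i "$WLAN_IF" -o "$LAN_IF" -d "$LAN_NET" -j DROP
  # LAN host -> guest: the packet carries a LAN source and a guest-subnet
  # destination, so this direction must match on -s, not -d.
  $IPT -A FORWARD -i "$LAN_IF" -o "$WLAN_IF" -s "$LAN_NET" -j DROP
  # Guests may start connections to anything else (the internet via the
  # LAN gateway); requiring the guest source also drops spoofed addresses.
  $IPT -A FORWARD -i "$WLAN_IF" -o "$LAN_IF" -s "$WLAN_NET" -j ACCEPT
  # Hide guest addresses behind the Pi's LAN address.
  $IPT -t nat -A POSTROUTING -o "$LAN_IF" -s "$WLAN_NET" -j MASQUERADE
  # The Pi's own SSH stays reachable from the LAN only; guests keep the
  # DHCP/DNS the Pi serves them (appended, so flush INPUT before re-running).
  $IPT -A INPUT -i "$WLAN_IF" -p tcp --dport 22 -j DROP
}

# Dry run: IPT=echo sh isolate.sh apply ; real run: sh isolate.sh apply
case "${1:-}" in
  apply) apply_isolation ;;
esac
```

iptables never sees ARP: the answer's setup routes (NATs) between wlan0 and eth0 rather than bridging them, which is what keeps guest ARP off the LAN segment, while guest-to-guest isolation on the wireless side is a hostapd setting (ap_isolate=1), not a firewall rule.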