Iptables to filter traffic exchanged within the same wireless LAN

6

0

This may seem like a stupid question to you, but I need to be sure that what I am thinking is correct. I'm using a USB wireless adapter (connected to my laptop), dnsmasq and hostapd to create a local wireless network. It is working: I can have several devices connected and they can ping one another. Now I would like to block pings between hosts in this wireless LAN. I tried to use iptables on the laptop in which the USB wireless adapter is plugged, but it's not working. This is my command:

iptables -A FORWARD -p icmp -j DROP

But I can still ping. So what I think is that, the two hosts being in the same wireless LAN, I cannot use iptables, because the layer 3 headers are not used to send the frame; my hotspot running on the wireless adapter is just using the 802.11 address fields to route the packet (L2 headers). Is that correct? Thank you

mik1904

Posted 2017-04-11T16:00:06.613

Reputation: 63

what is the output of cat /proc/sys/net/bridge/bridge-nf-call-iptables? – user4556274 – 2017-04-11T16:40:12.787

@user4556274 I have no entries for that. But I don't have a bridge. I have an access point set up using this guide https://www.offensive-security.com/kali-linux/kali-linux-evil-wireless-access-point/

– mik1904 – 2017-04-11T17:10:23.497

what's the output of service iptables status? – Zina – 2017-04-11T17:17:27.370

Answers

3

First set this in the hostapd config file:

ap_isolate=1

Also: disable_dgaf=1

Please read the config file for further details.

You may need this also:

iptables -A INPUT -p icmp -j DROP

It is an even better idea to specify the name of the ethernet adapter so it doesn't affect the loopback adapter or any other adapters you may have.

iptables -A INPUT -i eth0 -p icmp -j DROP

For further reading:

https://www.frozentux.net/iptables-tutorial/iptables-tutorial.html

cybernard

Posted 2017-04-11T16:00:06.613

Reputation: 11 200

Why should I use the INPUT chain, if the packet is not destined to the AP it comes in the AP and it goes through the PREROUTING and FORWARD chain not the INPUT one. Or am I wrong? – mik1904 – 2017-04-20T12:54:49.730

mik1904: it depends on the setting of the AP - some problems can be the WAN hardware's settings. cybernard: Enable or disable Downstream Group-Address Forwarding = hs-dgaf - use the hs-dgaf command from the hotspot context to configure hotspot downstream group-addressed forwarding. This option is disabled by default. When DGAF is disabled, the AP does not forward downstream group-addressed frames. – Cătălin George Feștilă – 2017-04-25T16:41:00.840
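An added example (not from the original answer, and not hostapd's or iptables' own code) that ties the two halves of this answer together and addresses the question about the FORWARD chain raised in the comments above. Without ap_isolate=1, the mac80211 AP code re-transmits a frame addressed to another associated station straight back onto the air; the frame never reaches the host's IP stack, so neither INPUT nor FORWARD ever sees it, which is why the original FORWARD rule had no effect. With ap_isolate=1 the frame is handed up through the AP interface instead; because its destination IP is not the host's, it traverses PREROUTING and then FORWARD (and, with ip_forward=1, is routed back out the same interface), while an INPUT rule only stops pings aimed at the AP itself. The script checks a hostapd config for client isolation, prints a hardened copy, and builds the FORWARD rule scoped to both -i and -o on the AP interface. It assumes the AP interface is wlan0; the config file and its contents are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumptions: the hostapd AP
# interface is wlan0 (override with AP_IF) and the driver uses mac80211.

# Return 0 if hostapd config $1 enables client isolation, 1 otherwise.
ap_isolation_enabled() {
    grep -Eq '^[[:space:]]*ap_isolate[[:space:]]*=[[:space:]]*1[[:space:]]*$' "$1"
}

# Print a copy of hostapd config $1 with ap_isolate=1: an existing
# ap_isolate line is replaced, and one is appended if none exists.
harden_hostapd_conf() {
    awk '
        /^[[:space:]]*ap_isolate[[:space:]]*=/ { if (!done) { print "ap_isolate=1"; done = 1 }; next }
        { print }
        END { if (!done) print "ap_isolate=1" }
    ' "$1"
}

# Print the rule that drops ICMP relayed between two stations on interface $1.
# With isolation on, such a packet enters and leaves on the same interface,
# so matching both -i and -o leaves pings to the AP itself (INPUT) and to
# the upstream/NAT side (a different -o) untouched.
client_to_client_icmp_drop_rule() {
    printf 'iptables -A FORWARD -i %s -o %s -p icmp -j DROP\n' "$1" "$1"
}

# Demo with a constructed config. The iptables command is only printed
# unless APPLY=1 is set (applying it requires root).
main() {
    ap_if="${AP_IF:-wlan0}"
    conf="$(mktemp)"
    # Weak setting: isolation off, so the AP relays frames between
    # stations at layer 2 and netfilter never sees them.
    cat > "$conf" <<EOF
interface=$ap_if
ssid=testnet
channel=6
ap_isolate=0
EOF
    if ap_isolation_enabled "$conf"; then
        echo "$conf: ap_isolate already on"
    else
        echo "$conf: ap_isolate off, client-to-client frames bypass netfilter"
    fi
    echo "--- hardened config (restart hostapd after installing it) ---"
    harden_hostapd_conf "$conf"
    rule="$(client_to_client_icmp_drop_rule "$ap_if")"
    echo "--- FORWARD rule to add once isolation is on ---"
    echo "$rule"
    if [ "${APPLY:-0}" = 1 ]; then
        eval "$rule"
    fi
    rm -f "$conf"
}

main "$@"
```

Run it as an ordinary user to see the hardened config and the rule; run it as root with APPLY=1 after restarting hostapd to install the rule. If the AP interface is instead attached to a Linux bridge, client-to-client frames are switched by the bridge rather than routed, and they only reach iptables when /proc/sys/net/bridge/bridge-nf-call-iptables is 1, which is the setting the first comment on the question asks about.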

-4

You should be able to use iptables, as you are the host.

If not, you may need another Wireless Interface Card, and some are below $20!

Python

Posted 2017-04-11T16:00:06.613

Reputation: 23

Can you please improve your answer and explain it better? – mik1904 – 2017-04-19T10:11:41.527

I down voted you because clearly this is NOT a hardware issue. – cybernard – 2017-04-19T13:23:03.573