How do I firewall a machine against the local (wireless) network while still allowing the machine to route internet traffic?

3

1

I have a shared DSL connection, and I know that some of the users constantly get their computers infected, so I worry about network security. My computer is the only one wired to the modem (which is also the wireless AP) by an Ethernet cable (eth0 interface); every other user is connected wirelessly (wlan0 interface).

What measures should I take in order to isolate or protect my computer? I know that if one is connected to the wireless network one can intercept and read the packages that are being sent using software such as Wireshark and ettercap, so how could I avoid the reading of the packages I send, or, if that's not possible, what other precautions should I take?

I'm not looking for answers like "you shouldn't share your network with them in the first place", since this is the case both at home (with my roommates) and at work (so I can't do much about it).

Some settings that might be relevant:

On/Auto

NAT
LAN to LAN (intra LAN) multicast
WMM(Wi-Fi Multimedia)
WMM APSD
Client Isolation

Off

Wireless Multicast Forwarding
Support 802.11n Client Only
OBSS Co-Existance
WMM No Acknowledgement
WPS
IGMP Snooping
QoS (quality of service)
LAN side firewall

Other

Network Authentication - mixed wpa2/wpa - psk   
WPA/WAPI Encryption tkip+aes
DHCP slots match the number of clients

Enabling the LAN side firewall made me lose internet connection so I don't want to mess things up anymore - I'm no network expert.

Interface grouping:

Group Name | WAN Interface | LAN Interfaces
Default    | ppp0          | eth3
           |               | eth2
           |               | eth1
           |               | eth0
           |               | wlan0

LAN statistics show only eth0 and wl0 are transmitting/receiving data.

My operating system is Debian 6.0.7 (squeeze)

Alex

Posted 2013-02-26T01:27:59.740

Reputation: 1 619

If you are connected to the Internet, you are at risk. – vonbrand – 2013-02-26T01:45:11.057

Please explain what you mean by "isolated". The whole point of a network, and the internet, is to establish a potential connection with every computer on the planet. – kreemoweet – 2013-02-26T04:15:01.150

What is your modem? – harrymc – 2013-03-18T06:34:38.750

Opticom Communications DSLink 485; on their product page there's a datasheet with the hardware specifications. – Alex – 2013-03-18T06:43:05.550

Are you trying to isolate your system from your roommates, or are you more concerned about isolating it from the outside world? – ernie – 2013-03-21T21:53:54.640

Answers

1

From what you have written, you are currently on the same network as your friends - although it appears the infections they have are not currently trying to further infect you (since only eth0 and wl0 are transmitting/receiving data).

If my understanding of it is correct, client isolation may help a bit, but probably won't.

The real solution is to ensure you run a firewall on your PC, or if you prefer get a second router and connect the main router to your router and then your PC to your router. This is not a "great solution" because of "double nat" issues, but it will give you a much better measure of protection and isolation from their network.

davidgo

Posted 2013-02-26T01:27:59.740

Reputation: 49 152

I wouldn't be too sure about Debian having default firewall rules in place. I think you need to add a package to get some. There are several. arno-iptables-firewall might be a good place to start – infixed – 2016-03-15T10:57:30.490

Alright, but is my computer at risk because of theirs? Isn't there a way to isolate the computer connected to the eth0 interface from the others only by the router page - I mean, not having to buy a new physical router or having to download third-party software? Thanks anyway. – Alex – 2013-02-26T01:56:56.497

Can't answer you about 3rd party software as I'm a Linux user (firewalling is standard on Linux). I'm guessing if you use the security built into Windows and choose "Public Network" rather than "Home Network" for your network configuration you should be reasonably protected, but not as well as if you have a firewall. If your router supports DD-WRT or similar, you could reconfigure it so your WIFI is partitioned separately from your Ethernet interface, but I'd imagine this is not trivial. (I've done it with OpenWRT at the command line, and that IS hard) – davidgo – 2013-02-26T04:08:00.067

I know it's been a while since this answer but it was the best I could do so far. I set up client isolation and am using Debian as my main OS now - for other reasons too, and am loving it I might say. I tried capturing the packages being sent from my computer (wired) with Wireshark on another computer (in wl0) and had no success, so I guess I'm somehow isolated. Is there anything you'd recommend me to configure on Debian to get more security - in terms of networking? iptables or something like that? I have everything as it was out-of-the-box. – Alex – 2013-03-20T13:43:18.627

IPTables is always a good idea. I'd imagine that Debian will come with a default set of rules which should protect you (type iptables -vnL to see if it has default rules). I'd suggest that is probably adequate, but you can always go overboard and start running things like fail2ban, checking /var/log for suspicious activity and setting up an IDS (intrusion detection system - like SNORT). Realistically though, if you are paranoid look at full disk encryption, as that becomes a more likely threat. Well done, btw. – davidgo – 2013-03-20T19:14:39.457

1

I would suggest getting a router that has a Guest network, distinct from the main WiFi network.

That will allow to fracture the wireless network into two separate sub-networks, so untrusted computers can have no access at all to your network, while you can still safely connect wireless devices to your own network.

The next best thing is to get a router that easily supports DD-WRT (meaning without any mechanical work) in which one can split the network this way. DD-WRT also supports QoS that can limit the bandwidth of the other users if they overuse the Internet.

For the latter case, see Share your internet safely with your friends & neighbors.

harrymc

Posted 2013-02-26T01:27:59.740

Reputation: 306 093

I'm not sure if my router supports virtual networks, I can see this option on the router's page: Wireless - Guest/Virtual Access Points: - would that be it? See picture for more details. – Alex – 2013-03-19T12:03:47.583

Yes, this looks like it. You could give it an easier SSID name, and "Isolate Clients" may be the option you are looking for (although unclear whether it will isolate all users from each other or just sandbox this wireless sub-network). If you are having problems, use the router's manual (or google for it if you don't have one). – harrymc – 2013-03-19T12:29:30.420

Also unbelievable is that one cannot find an English manual for it. If this router supports MAC filtering then you don't need a password: turn filtering off, connect a computer, add it to the filtered list, turn filtering on, done - only computers on the list can connect. – harrymc – 2013-03-20T14:12:06.077

Oops, I deleted the wrong comment - I said I couldn't set a password for the guest AP and there was no DD-WRT support. Anyway, I don't think MAC filtering is such a good idea since it can be easily spoofed, but thanks anyway, I'll definitely consider buying a new router that supports DD-WRT, it seems way better than my current firmware. – Alex – 2013-03-20T17:21:46.000

DD-WRT is probably the best firmware there is for small networks. – harrymc – 2013-03-21T16:21:19.740

Just as a warning: MAC filtering is not effective. Password protection (for WPA2) is. --- Compare MAC filtering with a guard in an open room. The guard grants access to everybody called 'Jane' or 'Joe'. All names are shouted through the room/air and everybody is allowed to edit their own name tag... As long as everybody is perfectly honest that will work. – Hennes – 2013-03-21T20:22:51.530

1

@Hennes: Think Your WPA2-encrypted Wireless Network is Secure? Think Again. Also Tutorial: How to Crack WPA/WPA2 (Aircrack-ng). MAC filtering is effective against the neighborhood script kiddo, but a real hacker would try to crack even WPA2. But why would a real hacker make the effort in this case? MAC filtering can be used as a stopgap measure until the poster gets a new router, but he had better not feel himself fully secure with WPA2. – harrymc – 2013-03-22T07:02:24.567

1

I think my WPA2 encrypted network (with a decently long and complex pass) is the best I can do with standard stuff. No need to tell me why MAC filtering does not work, why hiding SSIDs makes security worse, or even why WEP and WPA(1) are no longer sufficient. Even WPA2 cracks using massive calculating power (about US $75 of Amazon S3 time, spent over a dozen instances) will break WPA2. Breaking that requires some effort though. Usually there are much more attractive targets nearby. That might not stop someone who wants to hack you, but it will deflect Jane Average Cracker. – Hennes – 2013-03-22T12:26:30.890

@Hennes: I think it was only $5 to break WPA2, the cost of a few minutes of some hundreds of amazon S3 instances. – harrymc – 2013-03-22T19:24:46.887

0

If you are wired in any way and want to keep the wireless connection running I'd suggest getting a cheap computer off eBay with 2 NICs in it and installing pfSense on it. pfSense is really easy to manage and it makes a great firewall that should keep your computer safe. In terms of snooping, it really depends on your wifi router; if it is a half decent one it shouldn't be sending wired traffic out over the wireless network unless it is specifically trying to reach a wireless machine, because the routing tables wouldn't direct packets there.

CoryG

Posted 2013-02-26T01:27:59.740

Reputation: 304

Getting a different computer and installing an operating system to act as a firewall seems over complicated, but I'll consider doing it if nothing else works, thank you. – Alex – 2013-03-19T12:04:55.617

1

For home usage: agreed. For a workplace where one extra computer can protect a dozen or more users: less so. – Hennes – 2013-03-21T21:58:48.253

0

You have Debian on your PC? It's secure enough (compared to Windows). The only thing you need to fear from your friends is exploitation of a MITM attack on protocols vulnerable to such an attack. But you must keep in mind that such an attack is also potentially possible on the Internet (though there such an attack is much harder to carry out than by roommates).

Ideally you must configure WLAN and LAN as separate subnets and configure the firewall in the router (modem), but it looks too simplified for that.

You can set up another computer or NAT router between your PC and the other network. But this router is just another Linux computer.

Mikhail Moskalev

Posted 2013-02-26T01:27:59.740

Reputation: 1 718

0

Many routers have a DMZ port you could plug your WIFI router/AP into. This would segment your network in the way you want. You could also purchase a switch and another router and plug all the wired clients into the new router and keep the wireless clients on the AP. (Use different subnets)

Scandalist

Posted 2013-02-26T01:27:59.740

Reputation: 2 767

0

You have one of the most secure OSes on the planet and it just needs a bit of setup to secure its traffic as well. How far you want to go is up to you but you should consider:

  • Set up your iptables. Decide which services you want to allow and block everything else
  • Consider securing your web traffic with Privoxy/Tor
  • Use secure versions of imap/pop (TLS or SSL)
  • Consider SSH tunnels or VPNs for access to other sites

This isn't the place to go into HOW to do all that because it's a long process with many choices and plenty of internet resources are available to guide you.

One last thing. IPTables (your firewall) has very clear distinctions between routing (FORWARDing) and access to your machine (INPUT). You can route anything you like without allowing access to any of your local services.

SpliFF

Posted 2013-02-26T01:27:59.740

Reputation: 282
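As an added example (not part of any answer above), the script below turns SpliFF's INPUT-versus-FORWARD point and davidgo's `iptables -vnL` check into something runnable on the wired Debian box: unsolicited packets arriving from the shared LAN are logged and dropped, outbound connections and their replies still flow, and a separate, optional FORWARD/NAT policy covers the case where the box routes for a second NIC. The interface names eth0 and eth1, the gateway address 192.168.1.1 and the log prefix are assumed placeholders, not values from the question.

```shell
#!/bin/sh
# Added example: host firewall for a Debian machine on a shared LAN.
# Assumed placeholders (adjust before applying): eth0 = interface wired to the
# modem/AP, 192.168.1.1 = the modem's LAN address, eth1 = hypothetical inner
# interface used only by the optional --forward policy.
set -eu

LAN_IF=eth0          # shared with the wlan0 users via the modem's bridge
GATEWAY=192.168.1.1  # DHCP server and default route (assumed address)
INNER_IF=eth1        # hypothetical second NIC behind which this box would route

# Print the INPUT/OUTPUT policy as iptables commands, one per line, without
# running anything.  $1 = LAN interface, $2 = gateway address.
gen_rules() {
    cat <<EOF
iptables -F
iptables -X
# Default-deny inbound and forwarded traffic; this host may talk out freely.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
# Replies to connections this host opened (web, mail, SSH out) are allowed;
# nothing a roommate initiates towards us matches this rule.
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
# DHCP offers are not always tracked as replies, so allow them explicitly
# from the gateway only (dhclient's raw socket may bypass this anyway).
iptables -A INPUT -i $1 -s $2 -p udp --sport 67 --dport 68 -j ACCEPT
# Log (rate-limited) what the LAN tries against us, then drop it.
iptables -A INPUT -i $1 -m limit --limit 3/min -j LOG --log-prefix "LAN-DROP: "
iptables -A INPUT -i $1 -j DROP
EOF
}

# Optional routing policy, kept apart from INPUT on purpose: packets from the
# inner interface are forwarded and NATed out, but still cannot reach this
# host's own services.  $1 = inner interface, $2 = LAN/uplink interface.
gen_forward_rules() {
    cat <<EOF
sysctl -q -w net.ipv4.ip_forward=1
iptables -t nat -F
iptables -A FORWARD -i $1 -o $2 -j ACCEPT
iptables -A FORWARD -i $2 -o $1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o $2 -j MASQUERADE
EOF
}

case "${1:-}" in
    --apply)
        [ "$(id -u)" -eq 0 ] || { echo "run as root to apply" >&2; exit 1; }
        gen_rules "$LAN_IF" "$GATEWAY" | sh -e
        if [ "${2:-}" = "--forward" ]; then
            gen_forward_rules "$INNER_IF" "$LAN_IF" | sh -e
        fi
        # davidgo's check: show what is actually loaded, with packet counters.
        iptables -vnL
        ;;
    *)
        # Dry run: print the commands so they can be reviewed before applying.
        gen_rules "$LAN_IF" "$GATEWAY"
        ;;
esac
```

Run it without arguments to review the generated commands, then `./fw.sh --apply` (add `--forward` only if the box really routes for a second interface). The rules live in kernel memory only; on Debian save them with `iptables-save > /etc/iptables.rules` and load them at boot with `iptables-restore`. Dropped LAN packets show up in the kernel log (`/var/log/kern.log` or `dmesg`) with the `LAN-DROP:` prefix, which is a cheap way to see whether an infected roommate's machine is scanning you. IPv6 is not covered: if the modem hands out IPv6 addresses, the same policy needs to be expressed with ip6tables.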