Score:0

iptables default deny all, allow IP unrestricted access


I have successfully set up a Raspberry Pi to function as an access point. I have a Pi connected via ethernet to my router, and am able to connect to the Pi's wifi network and access other devices on that wifi network, as well as the external internet (via cable to router). I did so by following this guide: https://www.raspberrypi.com/documentation/computers/configuration.html#setting-up-a-routed-wireless-access-point

However, I am having trouble locking down this AP wifi network with iptables. What I want is a default deny policy for everything, with the exception of a static IP on this AP wifi which will have unrestricted access to connect to other machines on the AP network as well as to the internet.

Currently I have the following rules:

$ sudo iptables -L --line-numbers -v
Chain INPUT (policy DROP 579 packets, 78551 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      190 14054 ACCEPT     all  --  lo     any     anywhere             anywhere
2     3491  247K ACCEPT     all  --  any    any     Fruit.wlan           anywhere

Chain FORWARD (policy DROP 4599 packets, 315K bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     7201  876K ACCEPT     all  --  any    any     Fruit.wlan           anywhere
2        1    68 ACCEPT     all  --  any    any     anywhere             Fruit.wlan

Chain OUTPUT (policy DROP 1437 packets, 103K bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      184 13544 ACCEPT     all  --  any    lo      anywhere             anywhere
2     2357  231K ACCEPT     all  --  any    any     anywhere             Fruit.wlan

$ sudo iptables -L --line-numbers -v -t nat
Chain PREROUTING (policy ACCEPT 3171 packets, 275K bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 1631 packets, 122K bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 1726 packets, 124K bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 86 packets, 6578 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     1069 70865 MASQUERADE  all  --  any    eth0    anywhere             anywhere

With these rules, I can still ssh into the Pi (access point) from the Fruit.wlan machine; however, I cannot access the internet. I think it is an issue with my forwarding rules, but I can't figure out what is blocking me.

pi access point IP is 192.168.10.1
upstream router IP is 192.168.0.1
Fruit.wlan IP is 192.168.10.123

HBruijn: For Linux systems to be able to route and/or NAT any traffic at all, the sysctl tunables `net.ipv4.ip_forward` resp. `net.ipv6.conf.all.forwarding` need to be enabled.
ExecutionByFork: IPv4 forwarding is already enabled. As I mentioned, everything works perfectly without any firewall rules in place. I am simply looking to now restrict all network activity besides the one IP I would like to allow.
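Reading the counters in the question: the FORWARD chain already accepts traffic in both directions for Fruit.wlan, but the OUTPUT policy is DROP with only lo and Fruit.wlan allowed, so the Pi's own dnsmasq (which the linked guide uses as the clients' DNS forwarder) cannot send queries upstream over eth0. The 1437 packets dropped by the OUTPUT policy are consistent with that, and the quick check from the client is whether `ping 1.1.1.1` works while `ping example.com` does not. Two more things a practitioner would verify: run `iptables -L -n -v` so the source column shows the address the rule actually matches rather than the resolved name Fruit.wlan, and remember that traffic between two wireless clients on the same wlan0 is bridged by hostapd at layer 2 and never reaches FORWARD at all (unless `ap_isolate=1` is set, in which case it is dropped entirely), so iptables cannot grant one client selective access to the other wireless clients. The script below is an added example, not the questioner's ruleset or the guide's: a stateful default-deny set that lets exactly one client out and lists the Pi's own upstream needs explicitly. It assumes the guide's interface names (wlan0, eth0) and the addresses given in the question; the optional MAC pin and the `ALLOWED_MAC` variable are my additions and are not from the page.

```shell
#!/bin/sh
# Added example (not the questioner's rules): stateful default-deny for a routed
# Raspberry Pi AP, with exactly one wireless client given unrestricted access.
# Interface names and addresses are assumptions taken from the question and the
# linked guide; override them via the environment before applying.
WAN_IF="${WAN_IF:-eth0}"                     # cable to the upstream router
AP_IF="${AP_IF:-wlan0}"                      # hostapd interface
ALLOWED="${ALLOWED:-192.168.10.123}"         # the one client with unrestricted access
UPSTREAM_DNS="${UPSTREAM_DNS:-192.168.0.1}"  # where dnsmasq on the Pi forwards queries
ALLOWED_MAC="${ALLOWED_MAC:-}"               # optional (assumed, not from the page): pin the client's MAC too

# Print the ruleset as iptables commands, one per line, so it can be reviewed or
# diffed before anything is loaded into the kernel.
build_rules() {
    mac_match=""
    [ -n "$ALLOWED_MAC" ] && mac_match="-m mac --mac-source $ALLOWED_MAC"
    cat <<EOF
iptables -F
iptables -t nat -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
# Loopback, then replies to anything already allowed: conntrack is what makes a
# default-deny work two-way without listing each reply direction by hand.
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# The allowed client may talk to the Pi itself (ssh, DNS served by dnsmasq) ...
iptables -A INPUT -i $AP_IF -s $ALLOWED $mac_match -j ACCEPT
# ... and is the only source routed out to the upstream network and the internet.
iptables -A FORWARD -i $AP_IF -o $WAN_IF -s $ALLOWED $mac_match -j ACCEPT
# Keep these two only if the client gets its address from dnsmasq's DHCP: a
# DHCPDISCOVER comes from 0.0.0.0 and would never match the -s rule above.
iptables -A INPUT -i $AP_IF -p udp --sport 68 --dport 67 -j ACCEPT
iptables -A OUTPUT -o $AP_IF -p udp --sport 67 --dport 68 -j ACCEPT
# With OUTPUT on DROP the Pi's own upstream traffic must be listed explicitly:
# dnsmasq forwarding DNS to the router, and NTP so the clock stays sane.
iptables -A OUTPUT -o $WAN_IF -d $UPSTREAM_DNS -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -o $WAN_IF -d $UPSTREAM_DNS -p tcp --dport 53 -j ACCEPT
iptables -A OUTPUT -o $WAN_IF -p udp --dport 123 -j ACCEPT
# NAT only what FORWARD lets through.
iptables -t nat -A POSTROUTING -o $WAN_IF -s $ALLOWED -j MASQUERADE
EOF
}

# Load the rules; refuse if forwarding is off, since nothing would be routed anyway.
apply_rules() {
    if [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" != "1" ]; then
        echo "net.ipv4.ip_forward is not 1; enable it before applying" >&2
        return 1
    fi
    build_rules | sh -e
}

case "${1:-print}" in
    apply) apply_rules ;;
    print) build_rules ;;
esac
```

Run it without arguments to review the generated commands, `sudo sh ap-rules.sh apply` to load them, then persist with whatever `iptables-save` wrapper the system uses (for example `netfilter-persistent save`). Pinning the MAC raises the bar only slightly: any station that has the WPA passphrase can set both the allowed IP and MAC, so the allow list is a convenience control, not an authentication boundary. IPv4 rules also say nothing about IPv6; if the upstream router hands out IPv6, `ip6tables` needs an equivalent default-deny set or the "deny" is only half enforced.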