I am working on a network security project that can inspect network traffic before forwarding and accepting traffic from the internet.

I have an R-Pi B+ Model running Raspbian Stretch Lite where the in-built NIC is connected to my ISP router, and I also have a wireless USB adapter to create a wireless network that clients can connect to. (I used hostapd and isc-dhcp-server for this.) I used this tutorial to set up the R-Pi as a wireless AP: https://learn.adafruit.com/setting-up-a-raspberry-pi-as-a-wifi-access-point?view=all

Here is what my set up looks like:

Smartphone(192.168.42.10) ---> wlan0(192.168.42.1) ---> R-Pi---> eth0(192.168.0.17) ---> ISP Router(192.168.0.1) ---> Internet

My ip route command looks like this:

default via 192.168.0.1 dev eth0
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.17
192.168.42.0/24 dev wlan0 proto kernel scope link src 192.168.42.1

When I run traceroute, it shows that packets are first sent to the R-Pi before they go to my ISP router, which is of course expected.

Tracing route to one.one.one.one [1.1.1.1]
over a maximum of 30 hops:

1     1 ms     1 ms     1 ms  192.168.42.1
2     1 ms     1 ms     1 ms  192.168.0.1

For instance, I tried blocking 31.13.86.36 (facebook.com) on all the iptables chains, but nothing is being blocked. I can still ping/browse from client machines. Here is what my iptables look like:

Chain INPUT (policy ACCEPT 1355 packets, 104K bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DROP       all  --  *      *       31.13.86.36          0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     5352 5413K ACCEPT     all  --  eth0   wlan0   0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2     3346  650K ACCEPT     all  --  wlan0  eth0    0.0.0.0/0            0.0.0.0/0
3        0     0 DROP       all  --  *      *       31.13.86.36          0.0.0.0/0
4        0     0 DROP       all  --  *      *       0.0.0.0/0            31.13.86.36

Chain OUTPUT (policy ACCEPT 1013 packets, 139K bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DROP       all  --  *      *       0.0.0.0/0           31.13.86.36
  • 1
    You are missing the necessary details in the question. How do you expect somebody to know why it doesn't work for you? – RalfFriedl Oct 05 '18 at 06:19
  • I have provided the necessary info. If something is not clear, ask for clarification and I will be more than willing to clarify. – Abdirahman Mohamed Oct 05 '18 at 06:46
  • I haven't done this, but any tutorial for Stretch which doesn't address the default network manager (dhcpcd) is suspect! – Milliways Oct 05 '18 at 09:00
  • @Milliways do you suggest I use the default dhcpd instead of isc-dhcp-server? – Abdirahman Mohamed Oct 05 '18 at 09:11
  • You are using wrong iptables rules. You have to modify them so they match your needs. – Ingo Oct 05 '18 at 09:21
  • @Ingo I thought of that as well coz I am new to using iptables. I have edited the question to include my iptables rules, have a look at it and see if I am doing anything wrong. Thanks. – Abdirahman Mohamed Oct 05 '18 at 10:00
  • I have not done this, so will refrain from detailed comment, but the Adafruit tutorial is obsolete. It MAY work if you disable dhcpcd - who knows? The Foundation tutorial at least addresses the current Raspbian networking Access Point – Milliways Oct 05 '18 at 10:47
  • @Milliways Thanks for that. Will have a look at the official documentation and see if it will solve the problem. – Abdirahman Mohamed Oct 05 '18 at 11:28

1 Answer

1

I finally solved this issue. I got a hint from How does 'iptables rules table' work with hotspot?

Plus, I inserted the new rules at the top of the FORWARD chain so that they will be checked first, and didn't append them to the FORWARD chain.

Here is what my new iptables rules look like:

Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    DROP       all  --  31.13.86.36          0.0.0.0/0
2    DROP       all  --  0.0.0.0/0            31.13.86.36
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
4    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
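
Added example, not part of the original answer: a small first-match evaluator run over the FORWARD chain as listed in the question and as listed in the answer, showing why rule order decided the outcome. The two packets are constructed, and the answer's listing shows no interface columns, so its rules are modelled without interface matches (an assumption).

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:
    target: str
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    in_if: str = "*"
    out_if: str = "*"
    established_only: bool = False  # models "state RELATED,ESTABLISHED"

    def matches(self, pkt):
        return (
            ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(self.src)
            and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(self.dst)
            and self.in_if in ("*", pkt["in"])
            and self.out_if in ("*", pkt["out"])
            and (not self.established_only or pkt["established"])
        )

def evaluate(chain, pkt, policy="ACCEPT"):
    """Return (rule number, target) of the first matching rule; 0 means chain policy."""
    for num, rule in enumerate(chain, start=1):
        if rule.matches(pkt):
            return num, rule.target  # ACCEPT/DROP end traversal at the first match
    return 0, policy

BLOCKED = "31.13.86.36/32"
QUESTION = [  # FORWARD chain as listed in the question (DROP rules appended)
    Rule("ACCEPT", in_if="eth0", out_if="wlan0", established_only=True),
    Rule("ACCEPT", in_if="wlan0", out_if="eth0"),
    Rule("DROP", src=BLOCKED),
    Rule("DROP", dst=BLOCKED),
]
ANSWER = [  # FORWARD chain as listed in the answer (DROP rules inserted first)
    Rule("DROP", src=BLOCKED),
    Rule("DROP", dst=BLOCKED),
    Rule("ACCEPT", established_only=True),
    Rule("ACCEPT"),
]
# Constructed packets: phone -> blocked host, and the reply coming back.
OUTBOUND = {"src": "192.168.42.10", "dst": "31.13.86.36",
            "in": "wlan0", "out": "eth0", "established": False}
REPLY = {"src": "31.13.86.36", "dst": "192.168.42.10",
         "in": "eth0", "out": "wlan0", "established": True}

if __name__ == "__main__":
    for name, chain in (("question", QUESTION), ("answer", ANSWER)):
        print(name, evaluate(chain, OUTBOUND), evaluate(chain, REPLY))
```

In the question's order, both packets hit an ACCEPT rule before reaching the DROP rules, which is consistent with the zero packet counters shown on rules 3 and 4 there.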