Ubuntu – Client isolation in Ubuntu with hostapd

12.04hostapdiptableswireless

We have created a wifi hotspot or a wireless access point using hostapd in Ubuntu. How can we isolate wifi clients the same way "Client Isolation" does in some access points? Is there any way we can combine iptables with hostapd to apply some firewall rules between wifi clients?

Best Answer

Create an iptables rule on input and output that allows the source address range to talk to the router/default gateway, additional rules for any servers or other resources on that subnet.

Create a final rule that drops packets between the source address range and the source address range.

iptables -A INPUT -i $WIFI -o $WIFI -s 192.168.1.0/24 -d 192.168.1.1 -j ACCEPT
iptables -A INPUT -i $WIFI -o $WIFI -s 192.168.1.0/24 -d $SOMESERVERIP -j ACCEPT
iptables -A INPUT -i $WIFI -o $WIFI -s 192.168.1.0/24 -d $SOMEOTHERSERVERIP -j ACCEPT
iptables -A INPUT -i $WIFI -o $WIFI -s 192.168.1.0/24 -d 192.168.1.0/24 -j DROP

The basics of this chain of events is:

if it's in the subnet and it's talking to the gateway, accept it
If it's in the subnet and it's talking to a server, accept it
Rule 2 repeats until you run out of acceptable servers
If it's in the subnet and it's talking to anything else in the subnet, drop it

Related Solutions

Ubuntu – Failed to set interface wlan0 into AP mode: Intel centrino N1000 Wireless

To use your network card as wifi hotspot, it must support AP mode & master mode.

To check master-mode run:

sudo iwconfig wlan0 mode master.

If you dont get a error then it supports master-mode

To check AP run following command:

sudo apt-get install iw

Then run:

iw list

If there is 'AP' in the list of "Supported interface modes" your device will support the Access Point mode with hostapd.

But as you commented above, that it doesn't support AP mode, The wifi hotspot wont work as explained in the blog.

Unlike windows, linux-kernel doesn't provide same features for every wireless cards.So for a particular wifi-card, windows driver may support AP , but linux-driver may not.

One option is to purchase a wireless card which supports AP modes. You can find more information here:

http://wireless.kernel.org/en/users/Drivers

Although according to me, the best option is to buy a USB Wifi-Router with 3G/Evdo modem support(preferably) like Lava W200 .

Ubuntu – Getting WiFi AP working with hostapd and isc-dhcp-server [Xubuntu 14.04]

Try the following

sudo apt-get install hostapd dnsmasq dhcp3-server isc-dhcp-server haveged

Setting up hostapd

hostapd is for wireless router functionality:

leafpad /etc/hostapd.conf

General Hotspot Configurations:

Define interface

interface=wlan#
bridge=br0

Select driver:

driver=nl80211

Set access point hardware mode to 802.11a/b/g/n (hw supports?):

hw_mode=g
logger_stdout=-1
logger_stdout_level=2
require_ht=0
ht_capab= [HT40+] [HT40-] [SHORT-GI-40] [RX-STBC1]
ieee80211d=1
ieee80211n=1
macaddr_acl=0
wmm_enabled=1

Configure wireless characteristics:

beacon_int=50
country_code=US
disassoc_low_ack=1

Set Wi-Fi channel:

channel=6

Set access point name:

ssid=nametobroacdcast
ignore_broadcast_ssid=0

Set encryption standard (1 for WPA, 2 for WPA2, 3 for WPA + WPA2):

auth_algs=1
wpa=3
wpa_passphrase=yourpassword
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
rsn_pairwise=CCMP

Other options for wpa_key_mgmt=WPA-EAP WPA-PSK-SHA256 WPA-EAP-SHA256

Create & save ./######.sh script

#!/bin/bash
# Configure IP address for WLAN
sudo ifconfig wlan0 up 192.168.3.1 netmask 255.255.255.0
sleep 2

# Start DHCP/DNS server (Can replace `dnsmasq` with `dhcpd` or `isc-hdcp-server`):
sudo service dnsmasq restart

# Replace "dnsmasq restart" line above with this area between ## ## if that does not work
if [ “$(ps –e | grep dhcpd)” == “” ]; then
dhcpd $1 &
fi

# Enable routing
sudo sysctl net.ipv4.ip_forward=1

# Enable Network Address Translation (NAT)
sudo iptables --flush
sudo iptables –-table nat --flush
sudo iptables --delete-chain
sudo iptables --table nat --delete-chain
sudo iptables --table nat --flush
sudo iptables -t nat -A POSTROUTING --out –interface $1 -j MASQUERADE

# “$1” = computer acting as AP output interface (to internet)
sudo iptables –A FORWARD –in-interface $2 –j ACCEPT

# “$2” = client input interface (to client)
echo 1 > /proc/sys/net/ipv4/ipforward

# Run access point daemon
sudo hostapd /etc/hostapd.conf

# Stopping DHCP/DNS server

# Disable NAT
sudo iptables -D POSTROUTING -t nat -o ppp0 -j MASQUERADE

# Disable routing
sudo sysctl net.ipv4.ip_forward=0

# Disable DHCP/DNS server
sudo service dnsmasq stop
# Can replace with “dhcpd” or “isc-hdcp-server”

# Start HOSTAPD
sudo service hostapd start

Start setup DNS/DHCP

dnsmasq dhcp3-server isc-dhcp-server is for DNS/DHCP functionality (choose one):

Example:

leafpad /etc/dhcp/dhcpd.conf

General DHCP Configurations:

ddns-update-style none;
ignore clients-updates;
authoritative;
option local-wpad code 252 = test;
log-facility local7;
default-lease-time 3600;
max-lease-time 7200;
subnet
192.168.3.0 netmask 255.255.255.0 {
    # Broadcast address
    option broadcast-address 192.168.3.2;
    # Netmask
    option subnet-mask 255.255.255.0;
    # Default gateway
    option routers 192.168.3.1;

    # Domain Name Servers for directing client traffic 
    option domain-name-servers 8.8.8.8, 8.8.4.4;
    option time-offset 0;

    # Set IP address range available to clients
    range 192.168.3.2, 192.168.3.100;
}

Allow `./#####.sh` script created to run

Make hostapdfilecreated.sh executable:

sudo chmod +x nameoffilecreated.sh

You have to be inside the directory where ######.sh file resides, cd into it then run command.

Execute script to start computer-based access point broadcasting:

sudo ./nameoffilecreated.sh