Broadband Tech → Security → Wireless Security > How to drop packets from one subnet to another via iptables

How to drop packets from one subnet to another via iptables

Hi all,

I've searched the net, high and low, and thought I found the solution, but just can't get it to work (so maybe it wasn't right what I found).

I'm running an Asus RT-N66U router with Shibby Tomato firmware on it (on two revs back). Love the router and the firmware. But what I can't seem to figure out how to do is restrict my guest wifi network from accessing the IP of the router.

For example, my subnet for the guest wifi is in the 10.x.x.x range. My main network is in the 192.168.x.x range. I have sufficiently blocked access from any device on the 10.x subnet to any 192.x device, with the exception of the address of the router itself.

My concern is this...for ease of use, the guest wifi password is only medium strength (easier to tell people what it is). My main wifi pwd is VERY strong. My router password is somewhat easy, since it's behind the firewall and internal. But if you hack the guest wifi, you have a pretty ease router to try to hack the router credentials, at which point you can do whatever you want.

How can I drop all wifi traffic from 10. to ANYTHING in the 192 range? Is that possible, or does it have to see the router since it's still the gateway?

Thanks for any help you can provide.

Pseudocode for this is basically as follows :

from 10.0.0.0/24 to 192.168.0.0/16 deny ALL
 

Thanks. I thought that would be the code, but like you, I too can't figure out how to get this inserted into the router into the IPtables. Frustrating!

Re: How to drop packets from one subnet to another via iptables

Maybe this?

iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP
iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j DROP