Isolated Internet Access for Guests

We provide a camping spot for touring bicyclists riding through the Hudson Valley and, as you’d expect, most of them arrive toting netbooks, tablets, and other net-enabled doodads. While I’m a nice guy and they’re uniformly nice folks, I’d rather not hand them the keys to our house network, so I recently set up a WiFi Internet-only access point that’s firewalled from the LAN.

The general idea:

  • Use a stock WiFi router to handle DHCP / DNS / WiFi for guests (192.168.2.x)
  • Add a second NIC to the file server as eth1 (, connected to the router’s WAN port (
  • Forward packets between eth0 (house network 192.168.1.x) and eth1, except …
  • Use iptables to prevent router clients from seeing the house network

The network layout:

Guest Internet Access Overview
Guest Internet Access Overview

The parts came from the Big Box o’ Network Stuff:

  • Linksys / Cisco WRT54G router (Version 8, so OpenWRT won’t run)
  • NetGear 10/100 Mb/s Ethernet PCI card

The router setup:

  • Static WAN at
  • Router base address
  • DHCP range through .149, lease time 1 hour
  • DNS entries (L3), (NY Public Library), (NTT)
  • WiFi access to the web admin page disabled (admin only via CAT5 in the Basement Laboratory)
  • Non-broadcast SSID, not that it matters very much
  • WPA2-PSK with an XKCD-style password

The NIC Just Worked: the drivers come along with the kernel. Because it’s not a general-purpose network interface from the server side, eth1 setup doesn’t require much effort:

ifconfig eth1 netmask

I discovered the hard way that trying to define the eth1 interface with Network Manager caused no end of heartache & confusion, not least of which is that having two NICs somehow activates Ubuntu’s internal firewalling & port forwarding. Suffice it to say, just set the NM’s GUI to Ignore the eth1 NIC and do what needs to be done manually.

With one NIC, Ubuntu runs iptables in “let it be” mode: everything’s allowed, nothing’s blocked, and all packets get forwarded. The tables are empty and the default ACCEPT policy passes everything.

Adding a rule to the FORWARD chain prevents the router from sending packets to the house network:

iptables -A FORWARD -i eth1 --destination -j REJECT

That still allows a ping response from the file server’s eth0 NIC at back to the WiFi clients, because packets addressed to the server pass through the INPUT chain. This rule squelches those packets:

iptables -A INPUT -i eth1 --destination -j REJECT

Although packet forwarding is enabled by default, another rule turns on the NAT machinery required to shuttle packets between the 192.168.3.x network and the outside world:

iptables -A POSTROUTING -t nat -j MASQUERADE

While fiddling with iptables rules that involve packet state tracking (which these do, at least implicitly, I think), you must reset the packet state memories to ensure new packets aren’t regarded as part of an established connection. Install the conntrack utilities, then reset the state as needed:

sudo conntrack -F

And then it Just Worked.

Now, back in the day, you’d just put those configuration lines in /etc/rc.local and be done with it. Unfortunately, nowadays the upstart process kicks off rc.local well before the system is in a usable state: somewhat before eth0 is active, which means any automagic network-related activity falls flat on its face.

So an upstart configuration script is in order… more on that later.

Some useful, albeit occasionally befuddling references:

One could, of course, buy dedicated hardware to do all that and more, but it’s nothing you couldn’t accomplish with a bit more configuration on a stock Linux box. Heck, you could even serve an Upside-Down-Ternet to anyone who deserves it; the original has some other suggestions that made the big time.

A tip o’ the cycling helmet to Dragorn of Kismet for getting me started…