Isolated Internet Access for Guests

We provide a camping spot for touring bicyclists riding through the Hudson Valley and, as you’d expect, most of them arrive toting netbooks, tablets, and other net-enabled doodads. While I’m a nice guy and they’re uniformly nice folks, I’d rather not hand them the keys to our house network, so I recently set up a WiFi Internet-only access point that’s firewalled from the LAN.

The general idea:

  • Use a stock WiFi router to handle DHCP / DNS / WiFi for guests (192.168.2.x)
  • Add a second NIC to the file server as eth1 (192.168.3.1), connected to the router’s WAN port (192.168.3.2)
  • Forward packets between eth0 (house network 192.168.1.x) and eth1, except …
  • Use iptables to prevent router clients from seeing the house network

The network layout:

Guest Internet Access Overview

The parts came from the Big Box o’ Network Stuff:

  • Linksys / Cisco WRT54G router (Version 8, so OpenWRT won’t run)
  • NetGear 10/100 Mb/s Ethernet PCI card

The router setup:

  • Static WAN at 192.168.3.2
  • Router base address 192.168.2.1
  • DHCP range 192.168.2.100 through .149, lease time 1 hour
  • DNS entries 4.2.2.1 (L3), 65.88.88.2 (NY Public Library), 129.250.35.250 (NTT)
  • WiFi access to the web admin page disabled (admin only via CAT5 in the Basement Laboratory)
  • Non-broadcast SSID, not that it matters very much
  • WPA2-PSK with an XKCD-style password

The NIC Just Worked: the drivers come along with the kernel. Because it’s not a general-purpose network interface from the server side, eth1 setup doesn’t require much effort:

ifconfig eth1 192.168.3.1 netmask 255.255.255.0

I discovered the hard way that trying to define the eth1 interface with Network Manager caused no end of heartache & confusion, not least of which is that having two NICs somehow activates Ubuntu’s internal firewalling & port forwarding. Suffice it to say, just set the NM’s GUI to Ignore the eth1 NIC and do what needs to be done manually.

With one NIC, Ubuntu runs iptables in “let it be” mode: everything’s allowed, nothing’s blocked, and all packets get forwarded. The tables are empty and the default ACCEPT policy passes everything.

Adding a rule to the FORWARD chain prevents the router from sending packets to the house network:

iptables -A FORWARD -i eth1 --destination 192.168.0.0/16 -j REJECT

That still allows a ping response from the file server’s eth0 NIC at 192.168.1.2 back to the WiFi clients, because packets addressed to the server pass through the INPUT chain. This rule squelches those packets:

iptables -A INPUT -i eth1 --destination 192.168.0.0/16 -j REJECT

Although packet forwarding is enabled by default, another rule turns on the NAT machinery required to shuttle packets between the 192.168.3.x network and the outside world:

iptables -A POSTROUTING -t nat -j MASQUERADE

While fiddling with iptables rules that involve packet state tracking (which these do, at least implicitly, I think), you must reset the packet state memories to ensure new packets aren’t regarded as part of an established connection. Install the conntrack utilities, then reset the state as needed:

sudo conntrack -F

And then it Just Worked.
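The rules above, collected into one re-runnable script; this is an added example, not code from the original post. Interface names and addresses are the post's; the explicit ip_forward sysctl, the duplicate-rule check with iptables -C, and restricting MASQUERADE to guest-network sources leaving eth0 are my additions and assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: the post's guest-isolation rules
# collected into one re-runnable script. Interface names and addresses are the
# post's; the ip_forward sysctl, the duplicate-rule check (iptables -C) and the
# source/interface restriction on MASQUERADE are my additions.
set -eu

HOUSE_IF=eth0              # house LAN, 192.168.1.x
GUEST_IF=eth1              # link to the WRT54G WAN port
GUEST_NET=192.168.3.0/24   # server eth1 = .1, router WAN = .2
PRIVATE_NET=192.168.0.0/16 # everything the guests must not see

# With DRY_RUN set, print each command instead of running it, so the rule set
# can be reviewed on a machine without root or iptables.
run() {
    if [ "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi
}

# add_rule TABLE CHAIN MATCH... : append the rule only if it is not already
# present, so running the script twice does not stack duplicate rules.
add_rule() {
    table=$1; shift
    if [ "${DRY_RUN:-}" ]; then
        echo "iptables -t $table -A $*"
    elif ! iptables -t "$table" -C "$@" 2>/dev/null; then
        iptables -t "$table" -A "$@"
    fi
}

guest_fw_rules() {
    # Forwarding must be on or guests get nothing at all (assumption: the post
    # relies on it being already enabled; setting it explicitly is harmless).
    run sysctl -w net.ipv4.ip_forward=1
    # Guests may not reach any 192.168.x.x host through the server ...
    add_rule filter FORWARD -i "$GUEST_IF" -d "$PRIVATE_NET" -j REJECT
    # ... nor the server itself, which would otherwise answer pings on eth0.
    add_rule filter INPUT -i "$GUEST_IF" -d "$PRIVATE_NET" -j REJECT
    # NAT only guest-network sources leaving on the house interface; the post's
    # bare MASQUERADE rule rewrites every outbound packet on every interface.
    add_rule nat POSTROUTING -s "$GUEST_NET" -o "$HOUSE_IF" -j MASQUERADE
    # Flush connection tracking so stale entries do not bypass the new rules.
    run conntrack -F
}

case "${1:-}" in
    show)  DRY_RUN=1 guest_fw_rules ;;   # sh guest-fw.sh show
    apply) guest_fw_rules ;;             # sudo sh guest-fw.sh apply
esac
```

Run it with "show" first to review exactly what will be applied; "apply" needs root, and the installed conntrack package the post mentions.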

Now, back in the day, you’d just put those configuration lines in /etc/rc.local and be done with it. Unfortunately, nowadays the upstart process kicks off rc.local well before the system is in a usable state: somewhat before eth0 is active, which means any automagic network-related activity falls flat on its face.

So an upstart configuration script is in order… more on that later.

Some useful, albeit occasionally befuddling references:

One could, of course, buy dedicated hardware to do all that and more, but it’s nothing you couldn’t accomplish with a bit more configuration on a stock Linux box. Heck, you could even serve an Upside-Down-Ternet to anyone who deserves it; the original has some other suggestions that made the big time.

A tip o’ the cycling helmet to Dragorn of Kismet for getting me started…

9 thoughts on “Isolated Internet Access for Guests”

  1. This would be handy while bicycling across America, but there is a link to Cornell University Law School site (18 USC § 1030 – Fraud and related activity in connection with computers). The Atomic Energy Act of 1954? Reminds me of the Rosenberg case…

    [Edit: I removed the link to an illegal, overpowered, WEP cracking USB WiFi adapter. Ed]

    1. Well, the router has whatever security the usual WPA2/PSK provides. It’s not an open WiFi access point, for exactly the reasons you’d expect.

      It’s not clear what the rest of your comment means…

  2. I only just today noticed that clever little xkcd-like comments pop up when I mouse over links in your posts.
    Now I have to go back through all your old entries: there goes my productivity!

  3. Actually, I would use http://www.smoothwall.org/ on some older hardware and make a real DMZ and also better protect my network. I’m not saying anything is wrong with your setup, just I like the idea of a dedicated firewall and stripped down OS for this security application (being that it’s my day job).

    1. a dedicated firewall

      The home network has a hardware firewall / router at the cable modem, which serves my simple needs. It also has a WiFi point that’s on the internal LAN, but that’s generally turned off: all the PCs are wired.

      I’d kicked around some ideas for the “public” WiFi that involved junk hardware, but the power bill eats up any cost advantage: the WRT54G burns barely 2 W.

      As nearly as I can tell, running a separate NIC for the WRT54G and firewalling the separate network does everything that needs doing. I’m sure a concerted attack can punch through the kernel routing, but … the two neighbors who could possibly reach it aren’t into tech at all. [grin]
