Re: WiFi Hotspot Disable Neighbor discovery,Ask

[Hooman <mailinglister.hooman@gmail.com>]

Hi

On 6/19/20 1:38 PM, Hooman wrote:
>
> Hi,
>
> On 6/16/20 6:09 AM, G.W. Haywood wrote:
>> Hi there,
>>
>> On Mon, 15 Jun 2020, Hooman wrote:
>>
>>> I am using WiFi hotspot feature of Ubuntu 18.04 to create a hotspot for
>>> my devices. I need to prevent different devices on the network from
>>> contacting each other.
>>>
>>> More specifically, I have two phones on the network, I would like them
>>> not to be able to send any packets to each other. Right now if phone 1
>>> is using IP address 10.42.0.172 and phone 2 is using 10.42.0.59, I can
>>> use phone 1 to ping 10.42.0.59.
>>>
>>> I would like to disable connections between different hosts on the
>>> network created by the hotspot.
>>>
>>> I tried using iptables to drop local traffic. However, it seems like
>>> the
>>> iptables don't have any effect on these packets.
>>>
>>> I do see local packets on wireshark though. I'm wondering if local
>>> packets are forwarded directly without hitting the iptable rules.
>>
>> That's _almost_ what is happening, I think.  It isn't totally clear to
>> me but I'm going to assume that all your devices can communicate with
>> your Ubuntu box over your local network.
>>
>> The word 'forward' has a specific meaning in networking.  It means
>> that the connection goes via a router which is responsible for traffic
>> which crosses network boundaries, and in that case the router can do
>> things with the traffic (like block it, NAT and so on).  But in your
>> case the devices are on the SAME network; traffic doesn't need to pass
>> through a router, a switch or hub will do, but a switch or hub doesn't
>> meddle with the traffic like a router can.  I guess you have all the
>> devices and your Ubuntu box connected via the same Ethernet switch, in
>> which case the Ubuntu box won't even see the traffic between the two
>> other devices when they talk to each other.  If you have a hub and not
>> a switch the Ubuntu box will see it, but even then it won't be able to
>> do much about it, as the packets would not be addressed to the Ubuntu
>> box - they would effectively just be network noise, and ignored.
>>
>>> Is it possible to use iptables or ebtables to filter these packets?
>>
>> Not as things stand, you need to force the traffic through a router.
>> Your Ubuntu box can be the router.
>>
>>> Is there any other solution to this?
>>
>> To force all the traffic through your Ubuntu box you could put each of
>> the other hosts on a separate subnet.  For example, assuming that you
>> set up each subnet as a /16, for the two devices you could have:
>>
>> 10.43.0.2 instead of 10.42.0.59 and
>> 10.44.0.2 instead of 10.42.0.172
>>
>> You will then need to add IPs 10.43.0.1 and 10.44.0.1 to the interface
>> on the Ubuntu box, and also to tell the Ubuntu box to forward packets,
>> which can sometimes have interesting side-effects.  As root, something
>> like
>>
>> echo 1 > /proc/sys/net/ipv4/ip_forward
>>
>> or
>>
>> sysctl -w net.ipv4.ip_forward=1
>>
>> will do the trick for IPv4 packets.
>>
>> If you _did_ want the two devices to talk to each other sometime, then
>> you'd need to set up routes in each device, which is normally an extra
>> complication when you set up subnets so that the subnets can talk to
>> each other.  But since you specifically don't want that to happen then
>> you don't need to do that normally (at least to me) irritating part.
>> You can then have rules on the Ubuntu box which block traffic between
>> the two devices.
>>
>> There's nothing really special about the IP numbers I've chosen which
>> would mean that 10.42.0.59 and 10.42.0.172 are on the same subnet and
>> the 10.43 and 10.44 numbers are not.  The thing which determines that
>> is the network mask.  Most of the time on a 10.x.x.x network the mask
>> will be /8 (or 255.0.0.0) for example, and on a 192.168.x.x network it
>> will be /16 (or 255.255.0.0), but you could for example have a mask of
>> /25 (255.255.128.0), which would mean that 10.42.0.59 and 10.42.0.172
>> are actually on separate networks and need to be routed.  The thinking
>> is a bit more tricky though, so that's why I chose the numbers in my
>> examples.  The documentation on the Netfilter Website goes into a
>> great deal more detail than I can here.  It will take you some time to
>> wade through it but it will be worth the effort.
>>


Maybe I wasn't clear enough. Here's it again. I am using Ubuntu 18.04
default hotspot feature to create a wifi access point. The Ubuntu
machine is also connected via ethernet to the Internet (inet
25.02.224.105  netmask 255.255.252.0).

The hotspot creates a network on subnet on my wifi interface ( inet
10.42.0.1  netmask 255.255.255.0 ):


> root@myuser:~# ifconfig
> eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
>         inet 25.02.224.105  netmask 255.255.252.0  broadcast 25.02.227.255
>         inet6 fe80::3521:18e2:11d9:7c70  prefixlen 64  scopeid 0x20<link>
>         ether 2e:61:a5:b2:3d:88  txqueuelen 1000  (Ethernet)
>         RX packets 1144162  bytes 508133990 (508.1 MB)
>         RX errors 0  dropped 0  overruns 0  frame 0
>         TX packets 89831  bytes 7271961 (7.2 MB)
>         TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
>         device interrupt 17  memory 0xb1200000-b1220000


> wlan1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
>         inet 10.42.0.1  netmask 255.255.255.0  broadcast 10.42.0.255
>         inet6 fe80::c112:bd92:d15:ea96  prefixlen 64  scopeid 0x20<link>
>         ether ac:6f:d2:2a:1b:9a  txqueuelen 1000  (Ethernet)
>         RX packets 0  bytes 0 (0.0 B)
>         RX errors 0  dropped 0  overruns 0  frame 0
>         TX packets 92  bytes 11830 (11.8 KB)
>         TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Now using this hotspot, I connect two other machines to this access
point. Machine A is on 10.42.0.34 and Machine B is on 10.42.0.57.

Some other info about the setup:

> root@myuser:~# ip link show
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
mode DEFAULT group default qlen 1000
>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
> 2: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel
state UP mode DEFAULT group default qlen 1000
>     link/ether 2e:61:a5:b2:3d:88 brd ff:ff:ff:ff:ff:ff
> 3: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP
mode DORMANT group default qlen 1000
>     link/ether ac:6f:d2:2a:1b:9a brd ff:ff:ff:ff:ff:ff


> root@myuser:~# ip rule show
> 0:    from all lookup local
> 32766:    from all lookup main
> 32767:    from all lookup default


> root@myuser:~# ip route show
> default via 25.02.224.1 dev eth1 proto dhcp metric 100
> 10.42.0.0/24 dev wlan1 proto kernel scope link src 10.42.0.1 metric 600
> 25.02.224.0/22 dev eth1 proto kernel scope link src 25.02.224.105
metric 100
> 169.254.0.0/16 dev eth1 scope link metric 1000

> root@myuser:~# ip netconf
> ipv4 dev lo forwarding on rp_filter off mc_forwarding off proxy_neigh
off ignore_routes_with_linkdown off
> ipv4 dev eth1 forwarding on rp_filter loose mc_forwarding off
proxy_neigh off ignore_routes_with_linkdown off
> ipv4 dev wlan1 forwarding on rp_filter strict mc_forwarding off
proxy_neigh off ignore_routes_with_linkdown off
> ipv4 all forwarding on rp_filter strict mc_forwarding off proxy_neigh
off ignore_routes_with_linkdown off
> ipv4 default forwarding on rp_filter strict mc_forwarding off
proxy_neigh off ignore_routes_with_linkdown off
> ipv6 dev lo forwarding off mc_forwarding off proxy_neigh off
ignore_routes_with_linkdown off
> ipv6 dev eth1 forwarding off mc_forwarding off proxy_neigh off
ignore_routes_with_linkdown off
> ipv6 dev wlan1 forwarding off mc_forwarding off proxy_neigh off
ignore_routes_with_linkdown off
> ipv6 all forwarding off mc_forwarding off proxy_neigh off
ignore_routes_with_linkdown off
> ipv6 default forwarding off mc_forwarding off proxy_neigh off
ignore_routes_with_linkdown off

> root@myuser:~# brctl show
> bridge name    bridge id        STP enabled    interfaces


> root@myuser:~# arp -a
> ? (25.02.224.104) at 2e:61:a5:b2:3e:25 [ether] on eth1
> ? (10.42.0.57) at f6:2e:23:4b:72:ae [ether] on wlan1
> ? (25.02.224.1) at 00:00:0c:9f:f0:e0 [ether] on eth1


The hotspot feature creates some iptable rules:

 
> root@myuser:~# iptables -vL -t filter
> Chain INPUT (policy ACCEPT 284K packets, 89M bytes)
>  pkts bytes target     prot opt in     out     source              
destination       
>     0     0 ACCEPT     udp  --  wlan1 any     anywhere            
anywhere             udp dpt:bootps
>     0     0 ACCEPT     tcp  --  wlan1 any     anywhere            
anywhere             tcp dpt:bootps
>     0     0 ACCEPT     udp  --  wlan1 any     anywhere            
anywhere             udp dpt:domain
>     0     0 ACCEPT     tcp  --  wlan1 any     anywhere            
anywhere             tcp dpt:domain
>
> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source              
destination       
>     0     0 ACCEPT     all  --  any    wlan1  anywhere            
10.42.0.0/24         state RELATED,ESTABLISHED
>     0     0 ACCEPT     all  --  wlan1 any     10.42.0.0/24        
anywhere          
>     0     0 ACCEPT     all  --  wlan1 wlan1  anywhere            
anywhere          
>     0     0 REJECT     all  --  any    wlan1  anywhere            
anywhere             reject-with icmp-port-unreachable
>     0     0 REJECT     all  --  wlan1 any     anywhere            
anywhere             reject-with icmp-port-unreachable
>
> Chain OUTPUT (policy ACCEPT 13186 packets, 1539K bytes)
>  pkts bytes target     prot opt in     out     source              
destination       
>
>
> root@myuser:~# iptables -vL -t nat
> Chain PREROUTING (policy ACCEPT 110K packets, 27M bytes)
>  pkts bytes target     prot opt in     out     source              
destination       
>
> Chain INPUT (policy ACCEPT 110K packets, 27M bytes)
>  pkts bytes target     prot opt in     out     source              
destination       
>
> Chain OUTPUT (policy ACCEPT 1309 packets, 99285 bytes)
>  pkts bytes target     prot opt in     out     source              
destination       
>
> Chain POSTROUTING (policy ACCEPT 1276 packets, 96891 bytes)
>  pkts bytes target     prot opt in     out     source              
destination       
>    33  2394 MASQUERADE  all  --  any    any     10.42.0.0/24       
!10.42.0.0/24      
>
>
> root@myuser:~# iptables -vL -t mangle
> Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source              
destination       
>
> Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source              
destination       
>
> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source              
destination       
>
> Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source              
destination       
>
> Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source              
destination       
>
>
> root@myuser:~# iptables -vL -t raw
> Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source              
destination       
>
> Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source              
destination       
>
>
> root@myuser:~# iptables -vL -t security
> Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source              
destination       
>
> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source              
destination       
>
> Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source              
destination      
>


There are no ebatbles rules:

> root@myuser:~# ebtables -t broute -L
> Bridge table: broute
>
> Bridge chain: BROUTING, entries: 0, policy: ACCEPT
>
>
> root@myuser:~# ebtables -t filter -L  
> Bridge table: filter
>
> Bridge chain: INPUT, entries: 0, policy: ACCEPT
>
> Bridge chain: FORWARD, entries: 0, policy: ACCEPT
>
> Bridge chain: OUTPUT, entries: 0, policy: ACCEPT
>
>
> root@myuser:~# ebtables -t nat -L
> Bridge table: nat
>
> Bridge chain: PREROUTING, entries: 0, policy: ACCEPT
>
> Bridge chain: OUTPUT, entries: 0, policy: ACCEPT
>
> Bridge chain: POSTROUTING, entries: 0, policy: ACCEPT
>


Now as I said, Machine A is on 10.42.0.34 and Machine B is on 10.42.0.57.

Machine A (10.42.0.34) can ping Machine B (10.42.0.57) and  can also
ping 8.8.8.8 (external:Google).

These ebtables rules don't have any effect:


> sudo ebtables -t broute -F
> sudo ebtables -t broute -P BROUTING DROP
>
>
> sudo ebtables -t nat -F
> sudo ebtables -t nat -P PREROUTING DROP
> sudo ebtables -t nat -P OUTPUT DROP
> sudo ebtables -t nat -P POSTROUTING DROP
>
>
> sudo ebtables -t filter -F
> sudo ebtables -t filter -P INPUT DROP
> sudo ebtables -t filter -P OUTPUT DROP
> sudo ebtables -t filter -P FORWARD DROP


The following iptables rules stop packets from Machine A to Google but
not from Machine A to B:

> sudo iptables -t mangle  -I PREROUTING -j DROP
> sudo iptables -t filter -I FORWARD -j DROP
> sudo iptables -t raw  -I PREROUTING -j DROP


The only way I can stop packets from machine A to B for a few second is
to flush arp cache by running:

>  sudo  ip -s -s neigh flush all

So basically, iptable and ebtable rules have no effect on packets from A
to B. However, I see those packets on wireshark and they definitely go
through the Ubuntu machine that is hosting the access point. And that's
exactly my dilemma, how to block those packets from going through.