Block all traffic from your neighbours using iptables
This tutorial is useful for protecting yourself when connecting to untrusted wireless networks. It will block all traffic that doesn't originate from your default gateway.
We will use the PREROUTING
chain in the raw
table. This table takes precedence above all others and is applied as soon as a packet is received on an interface.
The next step is to create ARP filtering rules, because even though standard traffic locked down, our system will still listen for and respond to arp
probes. So arptables
is used to filter those too. The reason for locking down arp is that on a untrustworthy public hotspot, there's a lot of mischief that can be done by broadcasting intentionally false records such as man in the middle attacks.
Even though this is an iptables solution, I've used this successfully in conjunction with firewalld
Finding the Router MAC address
In most distros, the default gateway is automatically named 'gateway' inside the output of the arp
command.
$ arp | grep gateway | awk '{print $3}'
The above command doesn't work on all systems, so here's an uglier alternative
GW_MAC=`ip neigh show $(ip route list | grep -m1 default |awk '{print $3}') | awk '{print $5}'`
Block traffic that isn't coming from the gateway MAC
Warning: This blocks all traffic on your local segment, both in and out. Make sure you know what you are doing.
Traffic to other networks is not affected, because when traffic passes through a router, it will have the source mac address of the router
GW_DEV=`ip r list | grep -m1 default | awk '{print $3}'`
sudo iptables -t raw \
--insert PREROUTING \
--in-interface $GW_DEV \
--match mac ! --mac-source $GW_MAC \
--jump DROP
Blocking arp traffic
sudo dnf install arptables
sudo arptables I INPUT -i $GW_DEV ! --src-mac $GW_MAC -j DROP