Hotspot Hardening


I set up the DietPi WiFi hotspot 3-4 years back and it was working well; however, I was having to reboot it a fair bit over the past 6 months, so I eventually decided to do a fresh install of DietPi (it was too old to auto update) and re-installed the hotspot.

All seems to be running well, but I’ve noticed that I can connect to the hotspot and gain access to my router login. On the really old version of the Hotspot it wouldn’t recognise the router’s IP at all so you couldn’t ‘see’ it.

I know the hotspot runs off of a 192.168.42.X DHCP range whereas my router is the fairly standard 192.168.1.X, so I was wondering is there any way to stop the devices connecting via the hotspot from seeing the router at the address?

I’ve of course got a fairly solid password on the Hotspot, and also on the router, but even so, it would be good if I can isolate connections to the hotspot from my home LAN.


I don’t know if there is any option in the hotspot configuration to isolate your LAN.
Alternatively you can create an iptables rule to drop traffic towards your LAN.

Gotta be a way to prevent that netmask from getting to the netmask with an IPTABLES entry

Try this

iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP
iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j DROP
iptables -I INPUT -i br1 -p tcp --dport telnet -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport ssh -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport www -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport https -j REJECT --reject-with tcp-reset

The -i should be the interface the is assigned to. Also, if your router uses http instead of https, add that line as well.

I am definitely NOT an iptables expert…
The above entry seems to block -i (interface) access to destination ports

IPTABLES is a tricky beast
Maybe in your router you could deny access to the web interface by the MAC address of the internet-facing side of the hotspot; all other traffic should flow normally.

Thanks WarHawk. I shall give that a go today and will report back.

I really appreciate your help.

Not a problem…just come back and let us know how you got it fixed :wink:
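
Added example, not posted by anyone in this thread: a dry-run generator for the isolation discussed above, matching on the two subnets named in the question (192.168.42.X and 192.168.1.X) instead of interface names. It assumes the Pi routes hotspot traffic; the function name, the optional LAN resolver argument and the port list (telnet, ssh, http, https, as in the posted rules) are choices made for this example.

```shell
#!/bin/sh
# Added example: print (not apply) iptables rules that keep hotspot clients off the home LAN.
# Assumption: the Pi routes hotspot traffic, so client-to-LAN packets cross FORWARD.

is_ipv4() {  # shape check only; iptables itself rejects out-of-range octets
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

is_cidr() {
    is_ipv4 "${1%/*}" && printf '%s\n' "${1#*/}" | grep -Eq '^([0-9]|[12][0-9]|3[0-2])$'
}

# usage: hotspot_isolation_rules HOTSPOT_CIDR LAN_CIDR [LAN_DNS_IP]
hotspot_isolation_rules() {
    hotspot_net=$1; lan_net=$2; lan_dns=${3:-}
    is_cidr "$hotspot_net" || { echo "bad hotspot subnet: $hotspot_net" >&2; return 1; }
    is_cidr "$lan_net" || { echo "bad LAN subnet: $lan_net" >&2; return 1; }
    if [ -n "$lan_dns" ] && ! is_ipv4 "$lan_dns"; then
        echo "bad DNS address: $lan_dns" >&2; return 1
    fi
    # Each -I inserts at the top of the chain, so the broad DROP is printed first
    # and the narrow exceptions after it; once applied, the exceptions sit above it.
    echo "iptables -I FORWARD -s $hotspot_net -d $lan_net -j DROP"
    if [ -n "$lan_dns" ]; then
        # Optional: only needed if DHCP hands hotspot clients a resolver on the LAN.
        for proto in udp tcp; do
            echo "iptables -I FORWARD -s $hotspot_net -d $lan_dns -p $proto --dport 53 -j ACCEPT"
        done
    fi
    # Connections to the Pi's own LAN address hit INPUT, not FORWARD.
    echo "iptables -I INPUT -s $hotspot_net -d $lan_net -p tcp -m multiport --dports 22,23,80,443 -j REJECT --reject-with tcp-reset"
}

# Subnets as given in the thread; output is text only, nothing is changed.
hotspot_isolation_rules 192.168.42.0/24 192.168.1.0/24
```

Review the printed rules, then run them as root (for example by piping the output to `sh`). Rules added this way are lost on reboot unless saved separately.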