Hotspot Hardening Topic is solved

alkebab
Posts: 3
Joined: Tue Aug 25, 2020 2:20 pm

Hotspot Hardening

Post by alkebab »

Hi,

I set up the DietPi WiFi hotspot 3-4 years back and it was working well. However, I was having to reboot it a fair bit over the past 6 months, so I eventually decided to do a fresh install of DietPi (it was too old to auto-update) and re-installed the hotspot.

All seems to be running well, but I've noticed that I can connect to the hotspot and gain access to my router login. On the really old version of the Hotspot it wouldn't recognise the router's IP at all so you couldn't 'see' it.

I know the hotspot runs off of a 192.168.42.X DHCP range whereas my router is the fairly standard 192.168.1.X, so I was wondering, is there any way to stop the devices connecting via the hotspot from seeing the router at the 192.168.1.1 address?

I've of course got a fairly solid password on the hotspot, and also on the router, but even so, it would be good if I can isolate connections to the hotspot from my home LAN.

Thanks,
trendy
Posts: 133
Joined: Tue Feb 25, 2020 2:54 pm

Re: Hotspot Hardening

Post by trendy »

I don't know if there is any option in the hotspot configuration to isolate your LAN.
Alternatively, you can create an iptables rule to drop traffic from 192.168.42.0/24 towards your LAN 192.168.1.0/24.
WarHawk
Posts: 621
Joined: Thu Jul 20, 2017 8:55 am

Re: Hotspot Hardening

Post by WarHawk »

Gotta be a way to prevent that 192.168.42.0/24 netmask from getting to the 192.168.1.0/24 netmask with an IPTABLES entry

Try this
https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=652584

iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP
iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j DROP
iptables -I INPUT -i br1 -p tcp --dport telnet -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport ssh -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport www -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport https -j REJECT --reject-with tcp-reset
The -i should be the interface the 192.168.42.0/24 is assigned to. Also, if your router uses http instead of https, add that line as well.

I am definitely NOT an iptables expert...
The above entry seems to block -i (interface) access to destination ports

IPTABLES is a tricky beast.
Maybe in your router you could deny access to the web interface by the MAC address of the internet-facing side of the hotspot; all other traffic should flow normally.
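
Added example, not part of any post in this thread: the two suggestions above (drop 192.168.42.0/24 towards 192.168.1.0/24, and reject management ports on the hotspot-facing interface) combined into one script that prints the rules by default and inserts each one only once when run with `apply`. The interface name `wlan0` and the function names are assumptions; the subnets are the ones given in the thread.

```shell
#!/bin/sh
# Added example. Assumed values: override via environment to match your setup.
HOTSPOT_IF="${HOTSPOT_IF:-wlan0}"              # assumption: interface serving the hotspot
HOTSPOT_NET="${HOTSPOT_NET:-192.168.42.0/24}"  # hotspot DHCP range (from the thread)
LAN_NET="${LAN_NET:-192.168.1.0/24}"           # home LAN (from the thread)

# Emit one rule specification per line (the part after "iptables -I").
isolation_rules() {
    # Routed traffic from hotspot clients to any LAN host, which includes
    # the router's admin page at 192.168.1.1. Internet-bound packets have a
    # destination outside LAN_NET, so they do not match and keep flowing.
    echo "FORWARD -i $HOTSPOT_IF -s $HOTSPOT_NET -d $LAN_NET -j DROP"
    # Traffic addressed to the Pi itself traverses INPUT, not FORWARD.
    # These mirror the REJECT rules quoted above: telnet, ssh, http, https.
    for port in 23 22 80 443; do
        echo "INPUT -i $HOTSPOT_IF -p tcp --dport $port -j REJECT --reject-with tcp-reset"
    done
}

# Insert each rule at the top of its chain unless an identical rule exists
# (-C checks for it), so repeated runs do not stack duplicates.
apply_rules() {
    isolation_rules | while read -r spec; do
        # Word splitting of $spec is intentional: it holds the iptables arguments.
        iptables -C $spec 2>/dev/null || iptables -I $spec
    done
}

if [ "${1:-}" = "apply" ]; then
    apply_rules                                   # needs root
else
    isolation_rules | sed 's/^/iptables -I /'     # dry run: review before applying
fi
```

Run it without arguments to review the rules, then as root with `apply`. If hotspot clients are handed a DNS server inside 192.168.1.0/24, the FORWARD rule blocks that too, so give them a resolver outside the LAN or on the Pi itself.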
alkebab
Posts: 3
Joined: Tue Aug 25, 2020 2:20 pm

Re: Hotspot Hardening

Post by alkebab »

Thanks WarHawk. I shall give that a go today and will report back.

I really appreciate your help.
WarHawk
Posts: 621
Joined: Thu Jul 20, 2017 8:55 am

Re: Hotspot Hardening

Post by WarHawk »

alkebab wrote: Mon Aug 31, 2020 11:42 am Thanks WarHawk. I shall give that a go today and will report back.

I really appreciate your help.
Not a problem...just come back and let us know how you got it fixed ;)