I have set up a Raspberry Pi Wi-Fi hotspot via hostapd, dnsmasq and iptables routing using this excellent tutorial: https://thepi.io/how-to-use-your-raspberry-pi-as-a-wireless-access-point/.
Although I skipped step 8, everything is working perfectly and I have been using it every day for 2 years.
In my situation, wlan0 (integrated Wi-Fi chip) is disabled and wlan1 (external Wi-Fi) is enabled.
Recently I noticed annoying traffic (NetBIOS among others) from some computers and I would like to block only this traffic. However, very important to me: I would also like clients to be able to communicate with each other. Despite many tries, unfortunately, I did not succeed.
Here is what I tried:
- Filtering using iptables -> annoying packets are seen and said blocked but are still received by any computer on the WLAN:

    iptables -t raw -I PREROUTING -p tcp --dport 137 -j DROP
    iptables -t raw -I PREROUTING -p udp --dport 137 -j DROP
    iptables -t raw -I PREROUTING -p tcp --dport 138 -j DROP
    iptables -t raw -I PREROUTING -p udp --dport 138 -j DROP
    iptables -t raw -I PREROUTING -p tcp --dport 139 -j DROP
    iptables -t raw -I PREROUTING -p udp --dport 139 -j DROP

- Filtering using ebtables -> annoying packets are seen and said blocked but are still received by any computer on the WLAN:

    ebtables -I INPUT -i wlan1 -p ip --ip-protocol udp --ip-destination-port 137 -j DROP
    ebtables -I INPUT -i wlan1 -p ip --ip-protocol udp --ip-destination-port 138 -j DROP
    ebtables -I INPUT -i wlan1 -p ip --ip-protocol udp --ip-destination-port 139 -j DROP
    ebtables -I FORWARD -i wlan1 -p ip --ip-protocol udp --ip-destination-port 137 -j DROP
    ebtables -I FORWARD -i wlan1 -p ip --ip-protocol udp --ip-destination-port 138 -j DROP
    ebtables -I FORWARD -i wlan1 -p ip --ip-protocol udp --ip-destination-port 139 -j DROP
    ebtables -I OUTPUT -o wlan1 -p ip --ip-protocol udp --ip-destination-port 137 -j DROP
    ebtables -I OUTPUT -o wlan1 -p ip --ip-protocol udp --ip-destination-port 138 -j DROP
    ebtables -I OUTPUT -o wlan1 -p ip --ip-protocol udp --ip-destination-port 139 -j DROP

- Filtering using the setting ap_isolate=1 in hostapd.conf -> annoying packets are blocked but clients can't communicate with each other.

- Filtering using the setting ap_isolate=1 in hostapd.conf plus adding iptables rules -> clients can't communicate with each other:

    iptables -t filter -A FORWARD -i wlan1 -o wlan1 -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -t filter -A FORWARD -i wlan1 -o wlan1 -j ACCEPT
The iptables -L -n -v --line-number counters increment well as I send UDP broadcast frames from the test machine. Same principle for ebtables. This leads me to believe that my rules are good.
My current conclusion: iptables (OSI level 3) and ebtables (OSI level 2) see and block the traffic but don't act at the correct level, since it seems hostapd (OSI level 1) has already broadcast the network packets to the clients on the WLAN.
Here is a little diagram of my test configuration:
- RaspberryPi has the iptables + ebtables settings and a live display of the counters via a watch -n 1.
- Device 1 sends UDP frames in broadcast on the Wi-Fi subnet (a /24 network, so target IP x.y.z.255) to port 138.
- Device 2 uses Wireshark to sniff the network and sees these UDP frames arrive.

                              +-----------------+
                              |    Device 1     |
                            ((| 172.18.0.240/24 |
                              +-----------------+
    -----------+   +-----------------+
     INTERNET  |---|  192.168.0.243  |
    -----------+   |   RaspberryPi   |
                   |  172.18.0.1/24  |))
                   +-----------------+
                              +-----------------+
                            ((|    Device 2     |
                              | 172.18.0.235/24 |
                              +-----------------+
I hope I have described my situation accurately enough. If not, please ask me for more details.
Therefore, my question is: "How can I block only broadcast UDP packets to ports 137, 138 and 139 while still allowing clients on the same WLAN to communicate with each other for everything else?"
Many thanks for your help.
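The following is an added example, not code from the original post or the tutorial it links. It takes the post's fourth attempt (ap_isolate=1 in hostapd.conf plus iptables FORWARD rules on wlan1) and adds the piece that attempt does not mention: with station isolation on, a client can no longer ARP for another client directly, so the Pi has to answer ARP on the clients' behalf (proxy ARP) and route their unicast traffic back out of wlan1, which is exactly the path where FORWARD rules are consulted. It assumes the AP interface is wlan1 with 172.18.0.1/24 as in the post, and that it is run as root on the Pi; the function names and the DRY_RUN / "apply" conventions are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): station isolation in hostapd,
# proxy ARP on the AP interface, and FORWARD rules that drop NetBIOS between
# clients while accepting everything else.
# Assumptions: AP interface wlan1, run as root on the Pi. Invoke with "apply"
# to change the system; set DRY_RUN=1 to only print the commands.

AP_IF="${AP_IF:-wlan1}"

# Execute a command, or print it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "$@"
    else
        "$@"
    fi
}

# Line to add to hostapd.conf: with ap_isolate=1 the wireless driver no longer
# relays frames between associated stations itself, so every client-to-client
# packet must go through the host's IP stack, where FORWARD rules apply.
hostapd_isolation_fragment() {
    printf 'ap_isolate=1\n'
}

# With isolation on, clients cannot ARP for each other directly: the AP host
# answers ARP on their behalf (proxy ARP) and routes unicast traffic back out
# of the same interface.
enable_proxy_arp() {
    run sysctl -w "net.ipv4.conf.${AP_IF}.proxy_arp=1"
    run sysctl -w net.ipv4.ip_forward=1
}

# FORWARD rules for traffic entering and leaving on the AP interface: drop
# NetBIOS (tcp/udp 137-139) between clients first, then accept the rest.
# Link-layer broadcasts are never routed, so once isolation is on they stop at
# the AP host; these rules cover the unicast case.
netbios_forward_rules() {
    for port in 137 138 139; do
        for proto in tcp udp; do
            printf 'iptables -t filter -A FORWARD -i %s -o %s -p %s --dport %s -j DROP\n' \
                "$AP_IF" "$AP_IF" "$proto" "$port"
        done
    done
    printf 'iptables -t filter -A FORWARD -i %s -o %s -j ACCEPT\n' "$AP_IF" "$AP_IF"
}

apply_forward_rules() {
    netbios_forward_rules | while read -r cmd; do
        # word splitting of the generated rule is intended here
        run $cmd
    done
}

case "${1:-}" in
    apply)
        enable_proxy_arp
        apply_forward_rules
        echo "Now add this line to hostapd.conf and restart hostapd:"
        hostapd_isolation_fragment
        ;;
esac
```

The trade-off of this approach is that every link-layer broadcast between clients stops at the Pi, not just the NetBIOS ones, so broadcast-based discovery between clients (mDNS, SSDP and the like) will no longer work; unicast traffic between clients continues to flow, subject to the FORWARD rules, and the counters shown by iptables -L -n -v --line-number then reflect traffic that is actually being dropped rather than traffic the driver has already relayed.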