
I have a Linux machine that uses Hostapd to serve a WiFi hotspot. I also have a Raspberry Pi that connects to this WiFi hotspot as a DHCP Client. The Linux machine has a Cellular interface and shares this internet connection with the Raspberry Pi, using ipv4 forwarding in the Kernel. Furthermore, the machine has a Wireguard interface named 'wg0'. I can SSH into the Raspberry Pi from the Linux Machine and successfully ping 10.10.10.1, and the ip address of the cellular interface. I can also ping the Wireguard interface at 10.10.0.3.

What I want is to block the ability of the Raspberry Pi to ping the Wireguard interface at 10.10.0.3. I would like the Raspberry Pi to be unaware of the wg0 interface's existence.

I thought I could block all traffic inbound to wg0 from the 10.10.10.0/24 subnet with the following iptables rule:

iptables -I INPUT 1 -i wg0 -s 10.10.10.0/24 -j DROP

However, the Pi can still ping 10.10.0.3. How can I make the wg0 interface invisible to connected clients on the wan0 hotspot?

1 Answer

Here's how to do this when using iptables.

  • Drop traffic to the host itself for destination 10.10.0.3:

    The packet enters from the wan0 interface, not from the wg0 interface. The source address doesn't really matter: Device 2 is already identified by the input interface. And just state the destination:

    iptables -I INPUT 1 -i wan0 -d 10.10.0.3 -j DROP
    

    It's not possible with iptables to do this kind of filter only with the wg0 interface name without stating the 10.10.0.3 address, because wg0 is not an output interface (there's no output interface for the INPUT path).

  • Also drop traffic forwarded from wan0 to wg0 (this time wg0 is the output interface):

    iptables -I FORWARD -i wan0 -o wg0 -j DROP
    
  • And to be thorough, prevent ARP probes from getting an answer.

    Linux follows the weak host model and also sort-of applies this model for ARP: by default Linux will also reply to ARP requests from other IP LANs and/or interfaces:

    arp_ignore - INTEGER

    Define different modes for sending replies in response to
    received ARP requests that resolve local target IP addresses:
    
    - 0 - (default): reply for any local target IP address, configured
      on any interface
    - 1 - reply only if the target IP address is local address
      configured on the incoming interface
    - 2 - reply only if the target IP address is local address
      configured on the incoming interface and both with the
      sender's IP address are part from same subnet on this interface
    

    [...]

    So even with the address firewalled at the IP level, this address can still be discovered at the ARP level by running on Device 2:

    arping 10.10.0.3
    

    Using arptables or nft to firewall such ARP requests would be overkill. One can just tell the kernel to change its behavior for the wan0 interface:

    sysctl -w net.ipv4.conf.wan0.arp_ignore=1
    

    Value 1 is enough, though 2 could have been chosen.
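As an added check (example code, not part of the answer above), a small audit that evaluates an `iptables -S` listing the way the kernel does, first matching rule wins and otherwise the chain policy applies, and reports whether the three controls described in the answer are in place: the INPUT drop, the FORWARD drop and `arp_ignore` on the hotspot interface. Interface names and the 10.10.0.3 address follow the question; both rule dumps are constructed, and the second reproduces the asker's original rule to show why it never matched.

```python
import shlex
# Constructed `iptables -S` output for the question's layout: wan0 is the hotspot,
# wg0 the WireGuard interface at 10.10.0.3, ppp0 the cellular link (assumed name).
GOOD_DUMP = """\
-P INPUT ACCEPT
-P FORWARD DROP
-A INPUT -i wan0 -d 10.10.0.3/32 -j DROP
-A INPUT -i wan0 -j ACCEPT
-A FORWARD -i wan0 -o ppp0 -j ACCEPT
"""
# The asker's rule: pings from the Pi never enter on wg0, so it matches none of them.
ASKER_DUMP = "-P INPUT ACCEPT\n-P FORWARD ACCEPT\n-A INPUT -i wg0 -s 10.10.10.0/24 -j DROP\n"

def parse_dump(dump):
    """Return ({chain: policy}, [(chain, {option: value}), ...]) in listing order."""
    policies, rules = {}, []
    for line in dump.splitlines():
        tok = shlex.split(line)
        if len(tok) >= 3 and tok[0] == "-P":
            policies[tok[1]] = tok[2]
        elif len(tok) >= 2 and tok[0] == "-A":  # '!' negations are not modelled
            opts = {tok[i]: tok[i + 1] for i in range(2, len(tok) - 1)
                    if tok[i].startswith("-") and not tok[i + 1].startswith("-")}
            rules.append((tok[1], opts))
    return policies, rules

def matches(opts, packet):
    """Every match the rule carries (all but -j) must be satisfied by the packet description;
    narrower rules (-p, --dport, ...) are skipped, so a partial block is never credited as a full one."""
    return all(k == "-j" or packet.get(k) == v for k, v in opts.items())

def verdict(policies, rules, chain, packet):
    """First matching terminating rule wins; otherwise the chain policy applies."""
    for rule_chain, opts in rules:
        if rule_chain == chain and opts.get("-j", "LOG") != "LOG" and matches(opts, packet):
            return opts["-j"]
    return policies.get(chain, "ACCEPT")

def audit(dump, wan_if, wg_if, wg_addr, arp_ignore):
    """Return findings; an empty list means wg_addr is hidden from hotspot clients."""
    policies, rules = parse_dump(dump)
    dst = wg_addr if "/" in wg_addr else wg_addr + "/32"  # iptables -S prints host addresses as /32
    findings = []
    if (v := verdict(policies, rules, "INPUT", {"-i": wan_if, "-d": dst})) not in ("DROP", "REJECT"):
        findings.append(f"INPUT: {wan_if} -> {wg_addr} is {v}")
    if (v := verdict(policies, rules, "FORWARD", {"-i": wan_if, "-o": wg_if})) not in ("DROP", "REJECT"):
        findings.append(f"FORWARD: {wan_if} -> {wg_if} is {v}")
    if arp_ignore < 1:  # value read from /proc/sys/net/ipv4/conf/<wan_if>/arp_ignore
        findings.append(f"arp_ignore={arp_ignore}: {wg_addr} still answers ARP on {wan_if}")
    return findings
```

On a live host, feed it the output of `iptables -S` and the integer from `/proc/sys/net/ipv4/conf/wan0/arp_ignore`; an ACCEPT for wan0 inserted above the DROP is reported as shadowing it, which is why the answer uses `-I INPUT 1`.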
