Limiting NFS And Samba Connections
I use the same subnet for my LAN wired and wireless networks. The wireless network uses a pass phrase and WPA2+AES encryption.
I provide a separate wireless network on my router for house guests. The guest network requires a pass phrase and uses WPA2+AES encryption. I do not hide the SSID in either wireless network. Guests then know that two wireless networks exist, but they cannot connect to either because of the pass phrases.
I do not expect house guests to use any wired ports in the house. If they need a wired connection, I have two VLANs configured. Both VLAN subnets are different from my LAN and guest wireless subnets.
Through this approach guests cannot discover the subnet of my LAN.
Generally I trust the people who visit long term. Yet I accept human nature. At times humans can be a tad too curious. I do not have eyes in the back of my head and cannot monitor people 24/7.
I use static IP addresses in my LAN. With a home network I never felt compelled to use DHCP and stayed with the static addresses. Even with virtual machines, at most I might have a dozen systems on the LAN. I could use DHCP and assign permanent DHCP addresses, but I like the simplicity of static addresses.
This design helps me hide my LAN systems from curious house guests.
Most people use and are only familiar with DHCP. Curious house guests would have to know I am using static IP addresses. They would have to know how to reconfigure their computers for static IP addresses, which most do not. They need to know the subnet I am using.
Usually I do not enable DHCP on the router, but sometimes I enable DHCP for testing. I might forget to disable DHCP after testing. Should somebody get a tad too curious and connect in this manner while I have DHCP enabled, they would discover the subnet of the LAN.
Hardly the end of the world, but I decided to throw a little fun into my configuration.
I have both NFS and Samba configured on my LAN server to allow connections only from within a specific range of the subnet. This range includes the static IP addresses.
I configured my router to provide DHCP addresses outside the preconfigured range. This design prevents curious house guests from trying to snoop the server and private files by connecting to NFS or Samba services.
Five server files are involved:
The /etc/hosts file contains the static IP addresses and is replicated to all trusted LAN devices.
The /etc/exports and /etc/samba/smb.conf files use Classless Inter-Domain Routing (CIDR) notation. I use a /25 notation to limit the subnet range from 0 to 127. The directive looks like this:
The /etc/hosts.allow file does not support CIDR, instead using masking. The directive in that file looks like this:
Firewall rules drop ICMP packets and ping requests outside the allowed subnet range.
iptables -A INPUT -p icmp -s 192.168.1.0/25 --icmp-type echo-request -j ACCEPT iptables -A INPUT -p icmp --icmp-type echo-request -j DROP iptables -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j DROP
The DD-WRT configuration is performed in the Setup/Basic/Network Address Server Settings (DHCP) section.
Start IP Address: 192.168.1.129
Basically then, IP addresses from 192.168.1.0 to 192.168.1.128 are trusted systems and IP addresses from 192.168.1.129 to 192.168.1.255 are untrusted. This flexibility allows for various testing routines.
If I forget to disable DHCP on the router, curious house guests who connect to one of the wired ports in the house will be assigned a DHCP address outside the LAN server’s allowed range. Browsing the network for network shares will fail. At most curious house guests only discover the subnet. They cannot discover the IP addresses of any devices by pinging.
Is this strategy foolproof? Hardly. The sand in the gears is sufficient to discourage curious visitors.