1

I set up a Raspberry Pi connected to my home router using the eth0 interface, broadcasting an SSID via the wlan0 interface, simply by installing RaspAP (https://raspap.com).

Everything is working as expected.

However, I would like this newly created SSID to only allow devices to access a specific IP address (e.g. 1.2.3.4 for my kids' school web server).

I tried to configure the UFW rules:

sudo ufw default deny outgoing

sudo ufw allow from 10.3.141.0/8 to 1.2.3.4

I found that the rule only applies to the Pi itself, but the iPad can still access anywhere.

Any thoughts are welcome.

Ivan Fong

2 Answers

2

I do not use ufw so I don't know how to use it. But it is a front-end for iptables, to make managing a Netfilter firewall easier. With iptables you can define rules for the INPUT, OUTPUT and FORWARD chains. You are using

sudo ufw default deny outgoing

that should be a rule for the OUTPUT chain. You have to use rules for the FORWARD chain. Look at the synonym for the ufw rule.

Ingo
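
The FORWARD-chain approach from the answer above, as an added example that is not part of the original thread: a shell function that prints the iptables commands letting clients on the AP interface reach only the listed IPv4 addresses. The interface names and 1.2.3.4 come from the question; the function name `forward_allowlist` is hypothetical, and the rules assume the Pi routes wlan0 traffic out through eth0.

```shell
#!/bin/sh
# Added example, not code from the thread. wlan0, eth0 and 1.2.3.4 follow the
# question; forward_allowlist is a hypothetical helper name.

# Print (do not apply) iptables commands that restrict traffic routed from
# AP_IF to WAN_IF to the given IPv4 destinations.
# Traffic addressed to the Pi itself (DHCP, DNS served by its dnsmasq)
# traverses INPUT, not FORWARD, so these rules do not touch it.
forward_allowlist() {
    ap_if=$1
    wan_if=$2
    shift 2
    [ "$#" -gt 0 ] || { echo "no destinations given" >&2; return 1; }

    # Validate everything before printing anything, so a bad argument never
    # yields a partial rule set. Hostnames are rejected on purpose: iptables
    # would resolve them once at insert time and pin whatever came back.
    for dest in "$@"; do
        if ! printf '%s\n' "$dest" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; then
            echo "not an IPv4 address: $dest" >&2
            return 1
        fi
    done

    # Explicit positions keep the rules ahead of anything already in FORWARD.
    pos=1
    # Replies belonging to connections the ACCEPT rules below allowed out.
    echo "iptables -I FORWARD $pos -i $wan_if -o $ap_if -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for dest in "$@"; do
        pos=$((pos + 1))
        echo "iptables -I FORWARD $pos -i $ap_if -o $wan_if -d $dest -j ACCEPT"
    done
    # Everything else arriving from AP clients is dropped.
    pos=$((pos + 1))
    echo "iptables -I FORWARD $pos -i $ap_if -j DROP"
}

# Values from the question: AP on wlan0, uplink on eth0, one allowed server.
forward_allowlist wlan0 eth0 1.2.3.4
```

Review the printed commands, then pipe them to `sudo sh` to apply them. Rules added this way do not survive a reboot unless they are saved separately.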
0

Use dnsmasq to whitelist the domains/IPs you want and deny access to everything else. Edit the file /etc/dnsmasq.d/090_raspap.conf and add the following:

address=/#/127.0.0.1
server=/some-website.com/9.9.9.9

The address line tells dnsmasq to redirect all sites to localhost. The server directive makes only certain sites use Quad9's DNS server at 9.9.9.9. You can add any number of these server lines to build a custom whitelist.

Restart dnsmasq with RaspAP or from the shell and check its status:

sudo systemctl restart dnsmasq.service
sudo systemctl status dnsmasq.service

Connect a client to the AP and confirm that your whitelist works.

billz