Block EAPOL Packets

TL;DR

This guide shows you how to block Extensible Authentication Protocol over LAN (EAPOL) packets on your network. This is useful for preventing rogue access points or mitigating certain types of cyber security attacks.

Blocking EAPOL Packets: A Step-by-Step Guide

1. Understand EAPOL
   • EAPOL packets are used in 802.1X authentication, commonly found on Wi-Fi networks.
   • Blocking them prevents devices from completing the authentication process.
   • Be careful! Blocking EAPOL will disrupt legitimate users if not done correctly.
2. Identify Your Network Interface

   You need to know which network interface you want to apply the block to.

   • On Linux, use ip addr or ifconfig. Look for the name of your wireless interface (e.g., wlan0).
   • On Windows, open Command Prompt and type ipconfig /all. Find the adapter you’re using.
3. Using iptables (Linux)

   iptables is a powerful firewall tool on Linux.

   1. Block incoming EAPOL packets:

      sudo iptables -A INPUT -p 802.1Q --dport 8809 -j DROP

      This command adds a rule to the INPUT chain, dropping all packets with protocol 802.1Q (EAPOL) and destination port 8809.

   2. Block outgoing EAPOL packets:

      sudo iptables -A OUTPUT -p 802.1Q --sport 8809 -j DROP

      This command adds a rule to the OUTPUT chain, dropping all packets with protocol 802.1Q and source port 8809.

   3. Save the rules:

      sudo iptables-save > /etc/iptables/rules.v4

      This saves your current iptables configuration so it persists after a reboot. The exact location of this file may vary depending on your distribution.

   4. List the rules to verify:

      sudo iptables -L

4. Using Windows Firewall with Advanced Security
   1. Open ‘Windows Firewall with Advanced Security’.
   2. Click on ‘Inbound Rules’ in the left pane.
   3. Click ‘New Rule…’ in the right pane.
   4. Select ‘Custom’ and click ‘Next’.
   5. On the ‘Protocol and Ports’ page:
      • Protocol type: Select ‘Ethernet (IEEE 802.3)’.
      • Specific ports: Enter ‘8809’.
   6. On the ‘Scope’ page, you can specify which IP addresses or subnets to apply the rule to. Leave blank for all addresses.
   7. On the ‘Action’ page, select ‘Block the connection’.
   8. On the ‘Profile’ page, choose when to apply the rule (Domain, Private, Public).
   9. Give the rule a descriptive name and click ‘Finish’.
   10. Repeat steps 2-7 for ‘Outbound Rules’.
5. Using Wireshark to Verify

   Use Wireshark to confirm that EAPOL packets are being blocked.

   • Start capturing traffic on your network interface.
   • Attempt to connect to a Wi-Fi network using 802.1X authentication.
   • Filter for ‘eapol’ in Wireshark. You should not see any EAPOL packets if the block is working correctly.
6. Reverting the Changes

   If you need to re-enable EAPOL, remove the iptables rules or disable the Windows Firewall rules you created.

   • iptables: Use sudo iptables -D INPUT ... and sudo iptables -D OUTPUT ... (replace ‘…’ with the original rule). Then save the changes.
   • Windows Firewall: Disable or delete the rules you created in steps 2-7.