||8th December 2007 16:37
Iptables gateway with one lan adapter
I currently offer free wifi access to customers in my pub and I am trying to implement a layer 7 filter to block P2P filesharing.
The network looks like this (router_wifi does NAT):
--> debian-box (10.0.1.2)
--> (10.0.1.5) router_wifi (10.0.2.1) -> clients (10.0.2.x)
My plan is to use debian-box
to take care of the P2P blocking: I compiled ipp2p (tcp layer7 packet analyzer) but I can't figure out how to make the machine act as a gateway for the wifi clients.
All the examples I found online refer to the situation where the computer has two network interfaces, but I only have eth0.
This is what I got so far:
# Interface connected to Internet
# Address connected to LAN
# Clean old firewall
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
# Enable Forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
# Setting default filter policy
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
# Unlimited access to loop back
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Allow UDP, DNS and Passive FTP
iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT
# block P2P
iptables -A FORWARD -m ipp2p --ipp2p -j DROP
iptables -A INPUT -m ipp2p --ipp2p -j DROP
iptables -A OUTPUT -m ipp2p --ipp2p -j DROP
# set this system as a router for Rest of LAN
iptables -t nat -A POSTROUTING -o $INTERNET -j MASQUERADE
iptables -A FORWARD -s $LOCAL -j ACCEPT
# unlimited access to LAN
iptables -A INPUT -s $LOCAL -j ACCEPT
iptables -A OUTPUT -s $LOCAL -j ACCEPT
# DROP everything and Log it
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP
||7th August 2008 12:02
I believe you'd have to add a 2nd lan card and connect the wifi router to it.
If your router has a firewall, can't you just use it to block the p2p ports?
In case you decide to charge for access, you can checkout Zonerider.
|All times are GMT +2. The time now is 11:48.
Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2013, vBulletin Solutions, Inc.