HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials

HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials (http://www.howtoforge.com/forums/index.php)
-   Installation/Configuration (http://www.howtoforge.com/forums/forumdisplay.php?f=4)
-   -   Iptables gateway with one lan adapter (http://www.howtoforge.com/forums/showthread.php?t=18186)

tsmr 8th December 2007 16:37

Iptables gateway with one lan adapter
 
Hi.
I currently offer free wifi access to customers in my pub and I am trying to implement a layer 7 filter to block P2P filesharing.
The network looks like this (router_wifi does NAT):

router (10.0.1.1)
--> debian-box (10.0.1.2)
--> (10.0.1.5) router_wifi (10.0.2.1) -> clients (10.0.2.x)

My plan is to use debian-box to take care of the P2P blocking: I compiled ipp2p (tcp layer7 packet analyzer) but I can't figure out how to make the machine act as a gateway for the wifi clients.
All the examples I found online refer to the situation where the computer has two network interfaces, but I only have eth0.
This is what I got so far:

Code:

# Interface connected to Internet
INTERNET="eth0"

# Address connected to LAN
LOCAL="10.0.0.0/16"

# Clean old firewall
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X

# Enable Forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

# Setting default filter policy
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT

# Unlimited access to loop back
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Allow UDP, DNS and Passive FTP
iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT

# block P2P
iptables -A FORWARD -m ipp2p --ipp2p -j DROP
iptables -A INPUT -m ipp2p --ipp2p -j DROP
iptables -A OUTPUT -m ipp2p --ipp2p -j DROP

# set this system as a router for Rest of LAN
iptables -t nat -A POSTROUTING -o $INTERNET -j MASQUERADE
iptables -A FORWARD -s $LOCAL -j ACCEPT

# unlimited access to LAN
iptables -A INPUT -s $LOCAL -j ACCEPT
iptables -A OUTPUT -s $LOCAL -j ACCEPT

# DROP everything and Log it
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP


PermaNoob 7th August 2008 12:02

I believe you'd have to add a 2nd lan card and connect the wifi router to it.

If your router has a firewall, can't you just use it to block the p2p ports?

In case you decide to charge for access, you can checkout Zonerider.


All times are GMT +2. The time now is 07:30.

Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2014, vBulletin Solutions, Inc.