Iptables gateway with one lan adapter

Discussion in 'Installation/Configuration' started by tsmr, Dec 8, 2007.

  1. tsmr

    tsmr New Member

    Hi.
    I currently offer free wifi access to customers in my pub and I am trying to implement a layer 7 filter to block P2P filesharing.
    The network looks like this (router_wifi does NAT):

    router (10.0.1.1)
    --> debian-box (10.0.1.2)
    --> (10.0.1.5) router_wifi (10.0.2.1) -> clients (10.0.2.x)

    My plan is to use debian-box to take care of the P2P blocking: I compiled ipp2p (tcp layer7 packet analyzer) but I can't figure out how to make the machine act as a gateway for the wifi clients.
    All the examples I found online refer to the situation where the computer has two network interfaces, but I only have eth0.
    This is what I got so far:

    Code:
    # Interface connected to Internet
    INTERNET="eth0"
    
    # Address connected to LAN
    LOCAL="10.0.0.0/16"
    
    # Clean old firewall
    iptables -F
    iptables -X
    iptables -t nat -F
    iptables -t nat -X
    iptables -t mangle -F
    iptables -t mangle -X
    
    # Enable Forwarding
    echo 1 > /proc/sys/net/ipv4/ip_forward
    
    # Setting default filter policy
    iptables -P INPUT DROP
    iptables -P OUTPUT ACCEPT
    
    # Unlimited access to loop back
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT
    
    # Allow UDP, DNS and Passive FTP
    iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT
    
    # block P2P
    iptables -A FORWARD -m ipp2p --ipp2p -j DROP
    iptables -A INPUT -m ipp2p --ipp2p -j DROP
    iptables -A OUTPUT -m ipp2p --ipp2p -j DROP
    
    # set this system as a router for Rest of LAN
    iptables -t nat -A POSTROUTING -o $INTERNET -j MASQUERADE
    iptables -A FORWARD -s $LOCAL -j ACCEPT
    
    # unlimited access to LAN
    iptables -A INPUT -s $LOCAL -j ACCEPT
    iptables -A OUTPUT -s $LOCAL -j ACCEPT
    
    # DROP everything and Log it
    iptables -A INPUT -j LOG
    iptables -A INPUT -j DROP
    
     
  2. PermaNoob

    PermaNoob New Member

    I believe you'd have to add a 2nd lan card and connect the wifi router to it.

    If your router has a firewall, can't you just use it to block the p2p ports?

    In case you decide to charge for access, you can checkout Zonerider.
     

Share This Page