[Server-devel] IP Address Pools for XOs, known clients, and unknown clients on XS 0.6

Jerry Vonau jvonau at shaw.ca
Wed Jan 12 11:46:57 EST 2011


On Wed, 2011-01-12 at 10:03 -0600, Anna wrote:
> I like to leave the AP open on my test XS 0.6 at home, but ran into an
> issue with that yesterday.  I noticed the lights on my router blinking
> like crazy, so I did a live tail on the squid access log to see what
> was going on.
> 
> tail -f /var/log/squid/access.log
> 
<snip>
> And because I'm ticked off, and inspired by
> http://www.ex-parrot.com/pete/upside-down-ternet.html, it's time for
> some fun with iptables.  In /etc/sysconfig/olpc-scripts/iptables-xs.in
> I add a couple of lines like so:
> 
So I'm not the only one who likes fun with iptables; I wish I could see
the expression on their face when I tried something like that.

> *nat
> :PREROUTING ACCEPT [0:0]
> :POSTROUTING ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> -A PREROUTING -s 172.18.124.0/24 -p tcp --dport 80 -j DNAT --to
> 205.196.209.62
> @@SQUID@@
> -A POSTROUTING -o @@WAN@@ -j MASQUERADE
> COMMIT
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> -A FORWARD -s 172.18.124.0/24 -p tcp --dport 443 -j DROP

This should take care of the rest of the outgoing connections.
change to:
-A FORWARD -s 172.18.124.0/24 -p tcp ! --dport 80 -j DROP

add:
-A FORWARD -s 172.18.124.0/24 -j DROP

> COMMIT
> 
> Restart dhcpd and iptables:
> service dhcpd restart
> service iptables restart
> 
> Now all unknown clients will have http traffic redirected to
> http://kittenwar.com and their https traffic is dropped.
> 
> Obviously this isn't a deterrent to someone who can use an ssh proxy
> for browsing, and it doesn't block traffic on other ports or
> protocols, but most of my neighbors aren't of the networking savvy
> sort (particularly the grotesque rednecks) and will likely conclude
> "this darn internet ain't workin' no more."  If I lived near MIT, this
> would not be an acceptable solution.  But I'm not terribly concerned
> many folks around here know much about packet sniffing or MAC
> spoofing.
> 

His machine might be owned/spam-bot... Try the trivial change above.

> When guests come over and want to look at something other than
> pictures of kittens, all I have to do is add the MAC to the list of
> known clients, restart dhcpd, and tell them to renew their IP.
> 
> At the very least, now I know how to keep XOs and non-XO clients on
> different IP ranges.
> 
> Anna Schoolfield
> Birmingham

Jerry
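An added example, not code from either poster: a small first-match evaluator for the FORWARD rules quoted above, so the effect of each variant on the unknown-client pool (172.18.124.0/24) can be checked offline before restarting iptables. It models only the options the quoted rules use (-s, -p, optionally negated --dport, -j) and assumes a constructed client address, 172.18.124.10; note that FORWARD sees the post-DNAT destination, so the redirected web flow still has destination port 80, and a catch-all DROP for the pool needs an explicit ACCEPT for that flow placed before it.

```python
"""First-match evaluator for the FORWARD rules quoted in the thread (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    src: Optional[ipaddress.IPv4Network]
    proto: Optional[str]        # "tcp", "udp", ... or None for any protocol
    dport: Optional[int]
    negate_dport: bool          # True for "! --dport N"
    target: str                 # ACCEPT or DROP

def parse_rule(line: str) -> Rule:
    """Parse only the iptables-restore options the quoted rules use (-s, -p, [!] --dport, -j)."""
    toks, f = line.split(), dict(src=None, proto=None, dport=None, negate_dport=False, target="")
    i = 0
    while i < len(toks):
        t = toks[i]
        if t == "-s":
            f["src"] = ipaddress.ip_network(toks[i + 1]); i += 2
        elif t == "-p":
            f["proto"] = toks[i + 1]; i += 2
        elif t == "!" and toks[i + 1] == "--dport":
            f["negate_dport"], f["dport"] = True, int(toks[i + 2]); i += 3
        elif t == "--dport":
            f["dport"] = int(toks[i + 1]); i += 2
        elif t == "-j":
            f["target"] = toks[i + 1]; i += 2
        else:
            i += 1                       # skip "-A FORWARD" and anything else
    return Rule(**f)

def parse_chain(lines):
    return [parse_rule(l) for l in lines]

def matches(rule: Rule, src: str, proto: str, dport: Optional[int]) -> bool:
    if rule.src is not None and ipaddress.ip_address(src) not in rule.src:
        return False
    if rule.proto is not None and rule.proto != proto:
        return False
    if rule.dport is not None and (dport == rule.dport) == rule.negate_dport:
        return False                     # port test failed (respecting '!')
    return True

def verdict(chain, src, proto, dport=None, policy="ACCEPT"):
    """First matching rule wins; fall back to the chain policy from ':FORWARD ACCEPT'."""
    for rule in chain:
        if matches(rule, src, proto, dport):
            return rule.target
    return policy

# Three FORWARD variants: the original 443-only DROP, the suggested pair, and a version
# with an explicit ACCEPT for the redirected port-80 flow ahead of the catch-all DROP.
ORIGINAL = parse_chain(["-A FORWARD -s 172.18.124.0/24 -p tcp --dport 443 -j DROP"])
SUGGESTED = parse_chain(["-A FORWARD -s 172.18.124.0/24 -p tcp ! --dport 80 -j DROP",
                         "-A FORWARD -s 172.18.124.0/24 -j DROP"])
WITH_ACCEPT = parse_chain(["-A FORWARD -s 172.18.124.0/24 -p tcp --dport 80 -j ACCEPT",
                           "-A FORWARD -s 172.18.124.0/24 -j DROP"])

if __name__ == "__main__":
    for name, chain in [("original", ORIGINAL), ("suggested", SUGGESTED), ("with-accept", WITH_ACCEPT)]:
        # 172.18.124.10 is a constructed address inside the unknown-client pool
        print(name, {p: verdict(chain, "172.18.124.10", *p) for p in [("tcp", 80), ("tcp", 443), ("udp", 53)]})
```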
