[Server-devel] IP Address Pools for XOs, known clients, and unknown clients on XS 0.6

John Watlington wad at laptop.org
Wed Jan 12 21:50:10 EST 2011


The best iptables hack like this I've seen routed "extraneous"
connections through a transparent web proxy which flipped
all images (swapped left and right).

Cheers,
wad

On Jan 12, 2011, at 11:46 AM, Jerry Vonau wrote:

> On Wed, 2011-01-12 at 10:03 -0600, Anna wrote:
>> I like to leave the AP open on my test XS 0.6 at home, but ran into an
>> issue with that yesterday.  I noticed the lights on my router blinking
>> like crazy, so I did a live tail on the squid access log to see what
>> was going on.
>> 
>> tail -f /var/log/squid/access.log
>> 
> <snip>
>> And because I'm ticked off, and inspired by
>> http://www.ex-parrot.com/pete/upside-down-ternet.html, it's time for
>> some fun with iptables.  In /etc/sysconfig/olpc-scripts/iptables-xs.in
>> I add a couple of lines like so:
>> 
> So I'm not the only one who likes fun with iptables, wish I could see
> the expression on their face when I tried something like that. 
> 
>> *nat
>> :PREROUTING ACCEPT [0:0]
>> :POSTROUTING ACCEPT [0:0]
>> :OUTPUT ACCEPT [0:0]
>> -A PREROUTING -s 172.18.124.0/24 -p tcp --dport 80 -j DNAT --to
>> 205.196.209.62
>> @@SQUID@@
>> -A POSTROUTING -o @@WAN@@ -j MASQUERADE
>> COMMIT
>> *filter
>> :INPUT ACCEPT [0:0]
>> :FORWARD ACCEPT [0:0]
>> :OUTPUT ACCEPT [0:0]
>> -A FORWARD -s 172.18.124.0/24 -p tcp --dport 443 -j DROP
> 
> This should take care of the rest of the outgoing connections.
> change to:
> -A FORWARD -s 172.18.124.0/24 -p tcp ! --dport 80 -j DROP
> 
> add:
> -A FORWARD -s 172.18.124.0/24 -j DROP
> 
>> COMMIT
>> 
>> Restart dhcpd and iptables:
>> service dhcpd restart
>> service iptables restart
>> 
>> Now all unknown clients will have http traffic redirected to
>> http://kittenwar.com and their https traffic is dropped.
>> 
>> Obviously this isn't a deterrent to someone who can use an ssh proxy
>> for browsing, and it doesn't block traffic on other ports or
>> protocols, but most of my neighbors aren't of the networking savvy
>> sort (particularly the grotesque rednecks) and will likely conclude
>> "this darn internet ain't workin' no more."  If I lived near MIT, this
>> would not be an acceptable solution.  But I'm not terribly concerned
>> many folks around here know much about packet sniffing or MAC
>> spoofing.
>> 
> 
> His machine might be owned/spam-bot... Try the trivial change above.
> 
>> When guests come over and want to look at something other than
>> pictures of kittens, all I have to do is add the MAC to the list of
>> known clients, restart dhcpd, and tell them to renew their IP.
>> 
>> At the very least, now I know how to keep XOs and non-XO clients on
>> different IP ranges.
>> 
>> Anna Schoolfield
>> Birmingham
> 
> Jerry
> 
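The FORWARD-chain rules quoted above, as an added example that is not part of the thread: a small first-match evaluator in Python that compares Anna's original rule with Jerry's replacement, so the effect on each kind of traffic from the unknown-client pool can be checked before restarting iptables. The pool 172.18.124.0/24 comes from the thread; the sample packets and the "known client" address 172.18.0.10 are constructed.

```python
# Added example, not code from the thread: models first-match evaluation of
# an iptables FORWARD chain for the two rule sets quoted in the discussion.
import ipaddress
from dataclasses import dataclass
from typing import Optional

UNKNOWN_POOL = ipaddress.ip_network("172.18.124.0/24")  # unknown-client pool from the thread

@dataclass(frozen=True)
class Packet:
    src: str
    proto: str      # "tcp" or "udp"
    dport: int

@dataclass(frozen=True)
class Rule:
    src: Optional[ipaddress.IPv4Network]   # None = any source
    proto: Optional[str]                   # None = any protocol
    dport: Optional[int]                   # None = any port
    negate_dport: bool                     # True models "! --dport N"
    target: str                            # "DROP" or "ACCEPT"

    def matches(self, pkt: Packet) -> bool:
        if self.src is not None and ipaddress.ip_address(pkt.src) not in self.src:
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        # Port test: equality must hold, or must fail when the rule is negated.
        if self.dport is not None and (pkt.dport == self.dport) == self.negate_dport:
            return False
        return True

def verdict(chain, pkt: Packet, policy: str = "ACCEPT") -> str:
    """First matching rule decides; otherwise the chain policy applies."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.target
    return policy

# Anna's filter rule: only HTTPS from the unknown pool is dropped.
ANNA_FORWARD = [Rule(UNKNOWN_POOL, "tcp", 443, False, "DROP")]
# Jerry's change: drop every TCP port other than 80, then everything else from the pool.
JERRY_FORWARD = [Rule(UNKNOWN_POOL, "tcp", 80, True, "DROP"),
                 Rule(UNKNOWN_POOL, None, None, False, "DROP")]

def compare(pkt: Packet) -> dict:
    return {"anna": verdict(ANNA_FORWARD, pkt), "jerry": verdict(JERRY_FORWARD, pkt)}

if __name__ == "__main__":
    # Constructed sample packets; 172.18.0.10 stands in for a known client.
    for p in (Packet("172.18.124.20", "tcp", 80), Packet("172.18.124.20", "tcp", 443),
              Packet("172.18.124.20", "tcp", 22), Packet("172.18.124.20", "udp", 53),
              Packet("172.18.0.10", "tcp", 22)):
        print(p, compare(p))
```

Run as written, it also shows that Jerry's second, unconditional rule matches the port-80 traffic the PREROUTING DNAT rule redirects, since DNATed packets still traverse FORWARD; a dry run like this is worth doing before `service iptables restart`.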
