I like to leave the AP open on my test XS 0.6 at home, but ran into an issue with that yesterday. I noticed the lights on my router blinking like crazy, so I did a live tail on the squid access log to see what was going on.
tail -f /var/log/squid/access.log

And oh, my goodness. One of my neighbors was on there checking his Facebook, setting up his fantasy basketball team, and, ahem, looking at copious amounts of adult material. First I checked to see if I knew who it was via the Facebook user id I found in the squid log. No, I had never met him, but Mr. Frank <redacted> strikes quite the caricature of an aging redneck fratboy. In typical passive aggressive Southern lady style, I'm going to teach him a lesson.
I don't want to put encryption on the AP or fool around with content filtering, so I'm going to use some dhcp tweaks and iptables to put up an obstacle to web browsing by unknown clients.

Edits for /etc/sysconfig/olpc-scripts/dhcpd.conf.1

Under the subnet declaration, I added a class definition for the XOs. This works for the two XO 1.5 units I've got as well, but I'd verify the MAC on any of those just to be sure.

subnet 172.18.96.0 netmask 255.255.224.0 {

    class "xo" {
        match if substring (hardware,1,3) = 00:17:c4;
    }

Since I'm going to separate things into pools by range, I comment out this line:

    #range 172.18.96.2 172.18.125.254;

Beneath the lease times, I add my pools. Adjust your ranges as needed.

    # Address pool for just XOs
    pool {
        allow members of "xo";
        range 172.18.96.2 172.18.123.254;
    }
    # Address Pool for unknown clients
    pool {
        range 172.18.124.2 172.18.124.254;
        deny members of "xo";
        deny known-clients;
        allow unknown-clients;
    }
    # Address pool for known clients
    pool {
        range 172.18.125.2 172.18.125.254;
        deny members of "xo";
        deny unknown-clients;
    }

Make sure all that is within the ending bracket of the subnet.

At the very bottom of the file, below everything else, I add the known clients.

# Non-XO stuff on dynamic range 172.18.125.0/24
host anna-eeepc-1 {hardware ethernet 00:15:af:ec:9e:46;}
host anna-eeepc-2 {hardware ethernet 00:22:43:2e:fe:79;}
host tyler-eeepc {hardware ethernet 00:15:af:ec:96:1f;}

And because I'm ticked off, and inspired by http://www.ex-parrot.com/pete/upside-down-ternet.html, it's time for some fun with iptables. In /etc/sysconfig/olpc-scripts/iptables-xs.in I add a couple of lines like so:

*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -s 172.18.124.0/24 -p tcp --dport 80 -j DNAT --to 205.196.209.62
@@SQUID@@
-A POSTROUTING -o @@WAN@@ -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -s 172.18.124.0/24 -p tcp --dport 443 -j DROP
COMMIT

Restart dhcpd and iptables:

service dhcpd restart
service iptables restart

Now all unknown clients will have http traffic redirected to http://kittenwar.com and their https traffic is dropped.
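Added example (not part of the post, and not XS or dhcpd code): a small Python 3 model of the dhcpd class/pool selection and the two iptables rules above, useful for checking which pool a MAC would land in and how a client address seen in the squid log would be treated. The OUI, ranges and host MACs are the ones from the post; the "type byte" handling mirrors how dhcpd's hardware field is laid out, which is why the substring starts at offset 1.

```python
import ipaddress

# Values copied from the dhcpd.conf and iptables fragments in the post.
XO_OUI = bytes.fromhex("0017c4")          # substring (hardware,1,3) = 00:17:c4
POOLS = {                                 # pool name -> (first, last) of its range
    "xo": ("172.18.96.2", "172.18.123.254"),
    "unknown": ("172.18.124.2", "172.18.124.254"),
    "known": ("172.18.125.2", "172.18.125.254"),
}
KNOWN_HOSTS = {                           # host declarations at the bottom of the file
    "anna-eeepc-1": "00:15:af:ec:9e:46",
    "anna-eeepc-2": "00:22:43:2e:fe:79",
    "tyler-eeepc": "00:15:af:ec:96:1f",
}
UNKNOWN_NET = ipaddress.ip_network("172.18.124.0/24")   # -s in both iptables rules

def parse_mac(mac):
    """Normalise a colon-separated MAC to six bytes; reject malformed input."""
    parts = mac.strip().lower().split(":")
    if len(parts) != 6:
        raise ValueError(f"bad MAC: {mac!r}")
    return bytes(int(p, 16) for p in parts)

def is_xo(mac):
    # dhcpd's `hardware` is the type byte (1 = ethernet) followed by the address,
    # so substring(hardware, 1, 3) is the 3-byte OUI. Note this is a vendor prefix
    # check only: any client presenting that OUI is treated as an XO.
    hardware = b"\x01" + parse_mac(mac)
    return hardware[1:4] == XO_OUI

def select_pool(mac):
    """Which pool dhcpd leases from, following the allow/deny rules in order."""
    if is_xo(mac):
        return "xo"          # allow members of "xo"; everyone else implicitly denied
    known = parse_mac(mac) in {parse_mac(m) for m in KNOWN_HOSTS.values()}
    return "known" if known else "unknown"

def pool_for_ip(ip):
    """Map an address seen in squid's access.log back to its pool, or None."""
    addr = ipaddress.ip_address(ip)
    for name, (first, last) in POOLS.items():
        if ipaddress.ip_address(first) <= addr <= ipaddress.ip_address(last):
            return name
    return None

def forward_action(src_ip, dport):
    """Outcome of the two iptables rules for a client's TCP packet."""
    if ipaddress.ip_address(src_ip) in UNKNOWN_NET:
        if dport == 80:
            return "DNAT"    # nat PREROUTING: rewritten to the kittenwar address
        if dport == 443:
            return "DROP"    # filter FORWARD
    return "ACCEPT"          # everything else, including other ports, passes
```

Running `forward_action("172.18.124.37", 8080)` returns "ACCEPT", which makes the post's own caveat concrete: only ports 80 and 443 from the unknown pool are touched.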
Obviously this isn't a deterrent to someone who can use an ssh proxy for browsing, and it doesn't block traffic on other ports or protocols, but most of my neighbors aren't of the networking savvy sort (particularly the grotesque rednecks) and will likely conclude "this darn internet ain't workin' no more." If I lived near MIT, this would not be an acceptable solution. But I'm not terribly concerned many folks around here know much about packet sniffing or MAC spoofing.

When guests come over and want to look at something other than pictures of kittens, all I have to do is add the MAC to the list of known clients, restart dhcpd, and tell them to renew their IP.

At the very least, now I know how to keep XOs and non-XO clients on different IP ranges.

Anna Schoolfield
Birmingham