Re: [CentOS] Centos as Gateway ? (Router/transparent proxy)

2011-05-02 Thread Ljubomir Ljubojevic
Roland Roland wrote:
   Hi All,
 
 I'm lately suffering from Quota abuse at home. believe it or not my 
 teenagers are eating through my allowed quota.
 
 Hence, i'm thinking of setting up a centos machine to work as such:
 
 HDSL modem(natted to an onboard dhcp service for lan users) - Centos - 
   Switch - LAN users
 
 
 Hw specs:
 
 3 GB ram
 3.0 core 2 duo
 2 X 1 TB HDD
 2 X 1 Gb NIC
 
 
 Centos will contain the following:
 
  1. DHCP # is there a way i could use the modem's dhcp service 
 instead? or using a centos based dhcp service is better?
  2. Samba # sharing files for lan users
  3. Squid
  4. clamav
  5. OpenRadius # wifi authentication
  6. knockd service (anyone tried it? i read about this service a few 
 weeks ago and am wondering if it's worth giving it a shot... for public 
 access to the server )
  6. Things which are needed :
  a. Ability to separate Wireless router from LAN. (thinking 
 of vlans though as i have a dumb switch am thinking of adding a 3d NIC 
 to my desktop and dedicating it to the wifi ? )
  b. Accountability of quota and bandwidth used (i was 
 thinking of SARG and SQstat for squid)
  c. using some sort of shell script that will parse squid 
 logs (mysar will help me access squid logs through mysql) and if someone 
 bypassed their allowed quota for the day they will be moved to a delay 
 pool with lower bandwidth.
 
 As you noticed above, my whole connection management is relying on 
 squid,  i'm worried that it will process only traffic that's forwarded 
 to port 80 instead of everything going through the server. any idea if 
 that's the case?
 
 
 I previously thought of untangled, and IPCOp, though i don't want a 
 standalone router as i'd like to be able to use VirtualBox over it 
 occasionally.
 waiting for your advice about the above setup, keep in mind that i don't 
 mind changing the setup if there's something better to use, actually i 
 do prefer it.
 
 Best,
 
 
 --Roland

Check out ClearOS. It's based on CentOS and can install extra CentOS 
packages you need. If you add CentOS repositories in yum config you 
could add KVM instead of VirtualBox, or headless VirtualBox if that is 
possible.
Almost all you need is there and packaged in nice Web interface. I also 
always add Webmin to it.

Ljubomir

___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] Centos as Gateway ? (Router/transparent proxy)

2011-05-02 Thread Fajar Priyanto
Also worth considering is to upgrade the subscription to unlimited
internet access.


Re: [CentOS] Centos as Gateway ? (Router/transparent proxy)

2011-05-02 Thread Ljubomir Ljubojevic
Fajar Priyanto wrote:
 Also worth considering is to upgrade the subscription to unlimited
 internet access.

Australia, for example, and other remote locations have mandatory caps 
because they get their internet via limited throughput links (satellite 
or old undersea cables?), so he might not have a choice.

Ljubomir


Re: [CentOS] Centos as Gateway ? (Router/transparent proxy)

2011-05-02 Thread Kai Schaetzl
Roland Roland wrote on Mon, 2 May 2011 15:09:00 +0300:

 As you noticed above, my whole connection management is relying on 
 squid,  i'm worried that it will process only traffic that's forwarded 
 to port 80 instead of everything going through the server. any idea if 
 that's the case?

Correct. The easy solution is to ban bittorrent and other P2P services. 
There's a 99% chance that this is what eats up your traffic. And youtube.
Banning P2P lets you sleep better in the night, too.

Kai




Re: [CentOS] Centos as Gateway ? (Router/transparent proxy)

2011-05-02 Thread m . roth
Fajar Priyanto wrote:
 Also worth considering is to upgrade the subscription to unlimited
 internet access.

Or consider checking into just what your teenagers are downloading that's
gigabytes and gigabytes

  mark



Re: [CentOS] Centos as Gateway ? (Router/transparent proxy)

2011-05-02 Thread David G . Miller
Roland Roland R_O_L_A_N_D@... writes:

 Hence, i'm thinking of setting up a centos machine to work as such:
 
 HDSL modem(natted to an onboard dhcp service for lan users) - Centos - 
   Switch - LAN users
 
 Hw specs:
 
 3 GB ram
 3.0 core 2 duo
 2 X 1 TB HDD
 2 X 1 Gb NIC

Your proposed configuration is pretty close to what I've been running for
several years (my original server had an AMD K-6 and ran Red Hat 6). The
hardware is way more than sufficient.  I have CentOS doing the natting instead
of the modem.  Just use the modem as a pass through.  

Pretty much everything I've done is documented on my blog at
http://davenjudy.org/davesBlog.  I describe what I've done on the blog and that
way I document what I did for my future use and someone else might be able to
use it.

 
 Centos will contain the following:
 
  1. DHCP # is there a way i could use the modem's dhcp service 
 instead? or using a centos based dhcp service is better?
  2. Samba # sharing files for lan users

See my blog.

  3. Squid
  4. clamav

Don't do clamav since I even got my wife to use Linux.  No real need for squid.

  5. OpenRadius # wifi authentication

See my blog.

  6. knockd service (anyone tried it? i read about this service a few 
 weeks ago and am wondering if it's worth giving it a shot... for public 
 access to the server )

I just used public keys for ssh and disabled password login.  I also suggest you
move the sshd port to something non-standard just to cut down on the fruitless
attempts to login there.  The script kiddies generally don't scan to see if sshd
is listening on a non-standard port.

  6. Things which are needed :
  a. Ability to separate Wireless router from LAN. (thinking 
 of vlans though as i have a dumb switch am thinking of adding a 3d NIC 
 to my desktop and dedicating it to the wifi ? )

3rd NIC is probably the easiest with a crossover cable to the WiFi AP.  That way
you can easily set up specific firewall rules for the WiFi traffic.

  b. Accountability of quota and bandwidth used (i was 
 thinking of SARG and SQstat for squid)
  c. using some sort of shell script that will parse squid 
 logs (mysar will help me access squid logs through mysql) and if someone 
 bypassed their allowed quota for the day they will be moved to a delay 
 pool with lower bandwidth.
 

Hopefully, someone else can help you with these.

Most of my recent blog posts deal with setting up IPv6.  You'll need to look
through the CentOS server set up and maintenance notes section for some of the
older articles (DHCP, RADIUS, etc.).

Cheers,
Dave
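
The quota idea in point (c) of the quoted wish list, as an added example that is not from any poster in this thread: sum one day's bytes per client from a Squid native-format access.log and write the over-quota clients to an ACL file that a delay pool references. The file paths, the 2 GiB quota, the pool rate and the sample log lines are assumptions; as confirmed earlier in the thread, this only accounts for traffic that actually passes through Squid.

```shell
#!/bin/sh
# squid.conf side, using standard delay-pool directives (ACL path assumed):
#   acl overquota src "/etc/squid/overquota.acl"
#   delay_pools 1
#   delay_class 1 1
#   delay_parameters 1 32000/32000
#   delay_access 1 allow overquota
#   delay_access 1 deny all

# Constructed sample in Squid's native log format:
# time elapsed client result/status bytes method URL ident hierarchy type
sample_log() {
    cat <<'EOF'
1304290000.100 120 192.168.1.10 TCP_MISS/200 900000 GET http://example.com/old - DIRECT/192.0.2.1 text/html
1304300000.200 300 192.168.1.10 TCP_MISS/200 700000 GET http://example.com/a - DIRECT/192.0.2.1 video/x-flv
1304310000.300 310 192.168.1.10 TCP_MISS/200 600000 GET http://example.com/b - DIRECT/192.0.2.1 video/x-flv
1304320000.400 15 192.168.1.11 TCP_HIT/200 400000 GET http://example.com/c - NONE/- image/png
EOF
}

# usage_by_client LOG DAY_START_EPOCH -> "client bytes" for that 24 h window
usage_by_client() {
    awk -v start="$2" '
        $1 >= start && $1 < start + 86400 && $5 ~ /^[0-9]+$/ { used[$3] += $5 }
        END { for (ip in used) printf "%s %.0f\n", ip, used[ip] }
    ' "$1" | sort
}

# over_quota LOG DAY_START_EPOCH QUOTA_BYTES -> one client IP per line
over_quota() {
    usage_by_client "$1" "$2" | awk -v q="$3" '$2 > q { print $1 }'
}

# update_acl LOG DAY_START_EPOCH QUOTA_BYTES ACL_FILE
# Replaces the ACL file; returns 0 only when the list changed.
update_acl() {
    tmp="$4.tmp.$$"
    over_quota "$1" "$2" "$3" > "$tmp"
    if [ -f "$4" ] && cmp -s "$tmp" "$4"; then rm -f "$tmp"; return 1; fi
    mv "$tmp" "$4"
}

# Cron entry point: "quota.sh --apply" (GNU date; paths and quota assumed).
if [ "${1:-}" = "--apply" ]; then
    update_acl /var/log/squid/access.log "$(date -d 'today 00:00' +%s)" \
        2147483648 /etc/squid/overquota.acl && squid -k reconfigure
fi
```

Because the ACL is rebuilt from the current day's window, clients drop out of the throttled pool on the first run after midnight.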



Re: [CentOS] Centos as Gateway ? (Router/transparent proxy)

2011-05-02 Thread John R Pierce
On 05/02/11 6:31 AM, Kai Schaetzl wrote:
 Correct. The easy solution is to ban bittorrent and other P2P services.


not as easy as it sounds.   those services are remarkably agile at 
dodging firewall rules




Re: [CentOS] Centos as Gateway ? (Router/transparent proxy)

2011-05-02 Thread Ljubomir Ljubojevic
John R Pierce wrote:
 On 05/02/11 6:31 AM, Kai Schaetzl wrote:
 Correct. The easy solution is to ban bittorrent and other P2P services.
 
 
 not as easy as it sounds.   those services are remarkably agile at 
 dodging firewall rules
 
P2P always happens on much higher ports and if you create rules that 
block destination ports higher than 1024, with exceptions of VNC, etc. 
ports, you can pretty much limit abuse. Also worth noting is iptables 
rule for limiting the number of connections for those higher ports, and 
using HTB bandwidth limiting with giving priority to regular traffic.

Ljubomir, 7 years small WISP.
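
One way to write down the policy described in the message above, as an added example that is not from the thread: a function that prints (does not run) the iptables and tc commands for a default-drop FORWARD chain with high-port exceptions, a per-client connection limit on those exceptions, and an HTB tree that gives low-port traffic priority. Interface names, the exception ports, the connection limit and the uplink rate are assumptions.

```shell
#!/bin/sh
# Prints commands only; review the output, then run it as root on the gateway.
# HTB here is attached to the WAN interface, so it shapes upload; shaping
# download would need a matching tree on the LAN-facing interface.

# gateway_rules LAN_IF WAN_IF HIGH_PORTS CONN_MAX UPLINK_KBIT
gateway_rules() {
    lan=$1 wan=$2 high=$3 max=$4 up=$5
    bulk=$((up / 4))        # guaranteed share for high-port traffic
    cat <<EOF
iptables -P FORWARD DROP
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $lan -o $wan -p udp --dport 1:1024 -j ACCEPT
iptables -A FORWARD -i $lan -o $wan -p tcp --dport 1:1024 -j ACCEPT
iptables -A FORWARD -i $lan -o $wan -p tcp --syn -m multiport --dports $high -m connlimit --connlimit-above $max -j REJECT --reject-with tcp-reset
iptables -A FORWARD -i $lan -o $wan -p tcp -m multiport --dports $high -j ACCEPT
iptables -t mangle -A FORWARD -o $wan -p tcp --dport 1025:65535 -j MARK --set-mark 20
tc qdisc add dev $wan root handle 1: htb default 10
tc class add dev $wan parent 1: classid 1:1 htb rate ${up}kbit
tc class add dev $wan parent 1:1 classid 1:10 htb rate $((up - bulk))kbit ceil ${up}kbit prio 0
tc class add dev $wan parent 1:1 classid 1:20 htb rate ${bulk}kbit ceil ${up}kbit prio 1
tc filter add dev $wan parent 1: protocol ip handle 20 fw flowid 1:20
EOF
}

# Example call with assumed values: VNC and one extra port allowed,
# 20 connections per client, 1000 kbit uplink.
# gateway_rules eth1 eth0 5900,8080 20 1000
```

Rule order matters: the ESTABLISHED,RELATED accept comes first so the connection limit is only evaluated on new SYNs, and anything not explicitly accepted falls through to the DROP policy.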


Re: [CentOS] Centos as Gateway ? (Router/transparent proxy)

2011-05-02 Thread Drew
 Correct. The easy solution is to ban bittorrent and other P2P services.

 not as easy as it sounds.   those services are remarkably agile at
 dodging firewall rules

At home it's a bit easier. You can do stuff at the firewall but any
parent should have their kid's computer's root password so they can
get on whenever they need to. And last I checked there weren't any
laws that prohibited parents from conducting random unannounced
inspections of the kid(s) machines.

-- 
Drew

Nothing in life is to be feared. It is only to be understood.
--Marie Curie


Re: [CentOS] Centos as Gateway ? (Router/transparent proxy)

2011-05-02 Thread Spiro Harvey
On Mon, 2 May 2011 20:21:19 +0800
Fajar Priyanto fajar...@arinet.org wrote:
 Also worth considering is to upgrade the subscription to unlimited
 internet access.

1. There's no such thing as unlimited. There are always limits. You're
thinking of flat rate.

2. Flat rate isn't available in every country.

3. Irrespective of cost, sometimes heavy downloading can eat into a
connection's bandwidth and kill the connection for everyone else. In
fact, upgrading to a flat rate plan encourages this kind of behaviour
more.

-- 
Spiro Harvey   Knossos Networks Ltd
(04) 460-2531 : (021) 295-1923  www.knossos.net.nz




Re: [CentOS] Centos as Gateway ? (Router/transparent proxy)

2011-05-02 Thread Drew
 3. Irrespective of cost, sometimes heavy downloading can eat into a
 connection's bandwidth and kill the connection for everyone else. In
 fact, upgrading to a flat rate plan encourages this kind of behaviour
 more.

If the ISP offers flat rate or capped flat rate services and
can't handle the load, that's their problem, not ours. It just means
they didn't do their infrastructure capacity planning properly.



-- 
Drew

Nothing in life is to be feared. It is only to be understood.
--Marie Curie

This started out as a hobby and spun horribly out of control.
-Unknown


Re: [CentOS] Centos as Gateway ? (Router/transparent proxy)

2011-05-02 Thread Les Mikesell
On 5/2/2011 4:06 PM, Spiro Harvey wrote:

 Also worth considering is to upgrade the subscription to unlimited
 internet access.

 1. There's no such thing as unlimited. There are always limits. You're
 thinking of flat rate.

 2. Flat rate isn't available in every country.

 3. Irrespective of cost, sometimes heavy downloading can eat into a
 connection's bandwidth and kill the connection for everyone else. In
 fact, upgrading to a flat rate plan encourages this kind of behaviour
 more.

It's not like you are going to wear out the wires or the world will run 
out of bits.  What you need is to encourage your ISP to provide capacity 
at a reasonable price.  Some places do, some don't.  On the other hand, 
unexpected bandwidth usage may indicate that you have a virus on the LAN 
or some peer-to-peer fileshare has accidentally been enabled.

-- 
   Les Mikesell
lesmikes...@gmail.com




Re: [CentOS] Centos as Gateway ? (Router/transparent proxy)

2011-05-02 Thread Spiro Harvey
On Mon, 2 May 2011 14:19:13 -0700
Drew drew@gmail.com wrote:

  3. Irrespective of cost, sometimes heavy downloading can eat into a
  connection's bandwidth and kill the connection for everyone else. In
  fact, upgrading to a flat rate plan encourages this kind of
  behaviour more.
 If the ISP offers flat rate or capped flat rate services and
 can't handle the load, that's their problem, not ours. It just means
 they didn't do their infrastructure capacity planning properly.

I meant everyone else on that one connection, not the ISPs other
customers. If you have a 3Mbit link, you are restricted to 3Mbit
bandwidth. If someone is downloading hell for leather, then this will
affect everyone else sharing that connection.

-- 
Spiro Harvey   Knossos Networks Ltd
(04) 460-2531 : (021) 295-1923  www.knossos.net.nz




Re: [CentOS] Centos as Gateway ? (Router/transparent proxy)

2011-05-02 Thread Arun Khan
On Tue, May 3, 2011 at 12:33 AM, John R Pierce pie...@hogranch.com wrote:
 On 05/02/11 6:31 AM, Kai Schaetzl wrote:
 Correct. The easy solution is to ban bittorrent and other P2P services.


 not as easy as it sounds.   those services are remarkably agile at
 dodging firewall rules



Layer 7 net filtering may help [1]

Also, IMO the HW spec, that the OP has posted, is an overkill.

I am using ZeroShell  [2] in production (ALIX hardware).   It has
almost all the features that the OP has listed in his wish list +  L7
filter capabilities but I have not used it.  Wi-Fi support - it uses
MadWi-Fi.

In most cases, a Captive Portal is enough deterrent for people to curb
their promiscuous surfing habits :)

[1] http://l7-filter.clearfoundation.com/  - not sure if it is
incorporated into ClearOS.
[2] http://www.zeroshell.net.

-- Arun Khan