Stefan Monnier wrote:
> You could also just use your OpenWRT box configured in the "normal" way,
> except that your iptables will be set up to prevent setting up connections
> from inside the LAN to the outside (while still being able to connect
> to machines on the LAN from the outside).
>
> That presumes that you can *push* updates to your MPD server, tho (as
> opposed to running "aptitude upgrade" on it and letting it download the
> packages).

Yes, this is essentially how it currently is (well, until I ripped it apart today to use OpenWRT). I block all port 80 traffic except my domain using iptables. The problem with this is that people may think they have net access and go to google.com, whereby it just hangs (until the NoCatSplash timeout occurs and forces them to re-auth, plus some trickery to forward them back to my page). I want it to be as foolproof as possible and just make it work invisibly to the user.

I don't really care much about updates on the server; that would just be the icing on the cake. It is running off a 4GB USB key, so I don't really want updates unless I feel I need them (mostly to install new software). I can always plug the server straight into my normal LAN for temporary net access.

It seems a relatively simple problem of DNS and iptables (I'd like to get rid of NoCat; it just adds complexity where I don't need it). Basically I think I need to wildcard all domains to be at my server's IP, destroy the ability to resolve any addresses other than my domain (so that lookups fail and dnsmasq uses my fake address setting), and then block all egress traffic (in case they try to call an address by IP or port). This way stuff should not hang, since it will resolve to a proper IP that is not blocked. At that point I can put in an exception for my server and give it a method for resolving domains without querying the router.

More input always welcome.

Jeremy

_______________________________________________
mlug mailing list
[email protected]
https://listes.koumbit.net/cgi-bin/mailman/listinfo/mlug-listserv.mlug.ca
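The dnsmasq wildcard plus iptables egress block that Jeremy sketches, written out as an added example (not code from the thread or from OpenWRT itself). Interface names and addresses are assumptions; the functions print the config lines and iptables commands so they can be reviewed before being pasted into /etc/dnsmasq.conf and /etc/firewall.user, and the rules use REJECT rather than DROP so blocked connections fail immediately instead of hanging.

```shell
#!/bin/sh
# Added example: generate the captive-LAN config described in the thread.
# All values below are assumptions; override them via the environment.
LAN_IF="${LAN_IF:-br-lan}"             # OpenWRT LAN bridge (assumed)
WAN_IF="${WAN_IF:-eth0.2}"             # upstream interface (assumed)
SERVER_IP="${SERVER_IP:-192.168.1.10}" # the MPD server on the LAN (assumed)

# dnsmasq: answer every name with the server's address and never forward
# queries upstream, so no LAN client can resolve an outside host.
# Goes in /etc/dnsmasq.conf (OpenWRT includes it via conf-file).
dnsmasq_conf() {
    cat <<EOF
no-resolv
address=/#/$SERVER_IP
EOF
}

# iptables: clients with a hard-coded resolver (8.8.8.8 etc.) are sent to
# the local dnsmasq, so their lookups also land on the server instead of
# timing out; only the server may forward to the WAN, and it resolves
# names through its own /etc/resolv.conf rather than the router.
# Rules are inserted at position 1 so they precede OpenWRT's zone chains;
# the ACCEPT is inserted last so it ends up above the REJECT.
firewall_rules() {
    cat <<EOF
iptables -t nat -I PREROUTING 1 -i $LAN_IF ! -s $SERVER_IP -p udp --dport 53 -j REDIRECT --to-ports 53
iptables -t nat -I PREROUTING 1 -i $LAN_IF ! -s $SERVER_IP -p tcp --dport 53 -j REDIRECT --to-ports 53
iptables -I FORWARD 1 -i $LAN_IF -o $WAN_IF -j REJECT --reject-with icmp-net-prohibited
iptables -I FORWARD 1 -i $LAN_IF -o $WAN_IF -s $SERVER_IP -j ACCEPT
EOF
}

# Print both fragments for review; pipe firewall_rules into sh to apply.
dnsmasq_conf
firewall_rules
```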
