Stefan Monnier wrote:
> You could also just use your OpenWRT box configured in the "normal" way,
> except that your iptables will be set up to prevent setting up connections
> from inside the LAN to the outside (while still being able to connect
> to machines on the LAN from the outside).
>
> That presumes that you can *push* updates to your MPD server, tho (as
> opposed to running "aptitude upgrade" on it and letting it download the
> packages).
Yes, this is essentially how it currently is (well, until I ripped it
apart today to use OpenWRT). I block all port 80 traffic except my
domain using iptables. The problem with this is that people may think
they have net access and go to google.com, whereby it just hangs (until
the nocatsplash timeout occurs and forces them to re-auth, and some
trickery to forward them back to my page). I want it to be as foolproof
as possible and just make it work invisibly to the user.

I don't really care much about updates on the server; that would just be
the icing on the cake. It is running off a 4 GB USB key, so I don't
really want updates unless I feel I need them (mostly to install new
software). I can always plug the server straight into my normal LAN for
temporary net access.

It seems a relatively simple problem of DNS and iptables (I'd like to
get rid of nocat; it just adds complexity where I don't need it).
Basically I think I need to wildcard all domains to my server's IP,
destroy the ability to resolve any addresses other than my domain (so
that lookups fail and dnsmasq uses my fake address setting), and then
block all egress traffic (in case they try to call an address by IP or
port). This way stuff should not hang, since it will resolve to a proper
IP that is not blocked. At that point I can put in an exception for my
server and give it a method for resolving domains without querying the
router.

More input always welcome.

Jeremy
_______________________________________________
mlug mailing list
https://listes.koumbit.net/cgi-bin/mailman/listinfo/mlug-listserv.mlug.ca
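One way to implement the DNS-wildcard plus egress-block design Jeremy describes, as an added example that is not from the thread. Interface names, subnet and server address are assumed placeholders; it prints the commands by default and only applies them with DRY_RUN=0 as root.

```shell
#!/bin/sh
# Walled garden for an OpenWrt router: every name resolves to the local
# server and nothing else may leave the LAN. All addresses below are
# constructed placeholders for this example; set them for your network.
LAN_IF="${LAN_IF:-br-lan}"               # OpenWrt LAN bridge
LAN_NET="${LAN_NET:-192.168.1.0/24}"
SERVER_IP="${SERVER_IP:-192.168.1.10}"   # the MPD/web server hosting the page
DRY_RUN="${DRY_RUN:-1}"                  # 1 = print commands, 0 = apply them

run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# dnsmasq: answer every query with SERVER_IP and never forward upstream
# (no-resolv), so clients get an instant answer instead of a hanging lookup.
# Redirect this output into your dnsmasq configuration.
dnsmasq_conf() {
  printf 'no-resolv\naddress=/#/%s\n' "$SERVER_IP"
}

# iptables (OpenWrt: put these in /etc/firewall.user). LAN clients may only
# reach the server; the server itself is exempt so it can fetch updates and
# resolve names through its own /etc/resolv.conf. Replies to connections
# opened from outside still pass (ESTABLISHED). Everything else is rejected
# rather than dropped so attempts fail fast instead of hanging.
firewall_rules() {
  run iptables -N WALLED 2>/dev/null || true
  run iptables -F WALLED
  run iptables -A WALLED -s "$SERVER_IP" -j ACCEPT
  run iptables -A WALLED -d "$SERVER_IP" -j ACCEPT
  run iptables -A WALLED -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  run iptables -A WALLED -j REJECT --reject-with icmp-port-unreachable
  run iptables -I FORWARD -i "$LAN_IF" -s "$LAN_NET" -j WALLED
  # Clients with a hard-coded resolver (a common reason the DNS trick fails)
  # are redirected to the router's own dnsmasq; the server is left alone.
  run iptables -t nat -I PREROUTING -i "$LAN_IF" ! -s "$SERVER_IP" -p udp --dport 53 -j REDIRECT --to-ports 53
  run iptables -t nat -I PREROUTING -i "$LAN_IF" ! -s "$SERVER_IP" -p tcp --dport 53 -j REDIRECT --to-ports 53
}

dnsmasq_conf
firewall_rules
```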
