Re: [Server-devel] A quick networking question

2012-02-29 Thread Holt

Thanks Wad, you fixed the problem:
We did not know squid was running on the XS Tony Anderson installed (0.6 
derivative I believe) early autumn 2011.


Why our XS continues to resolve & offer free/accurate DNS to any random 
laptop that connects over Wifi is disconcerting, if anyone can explain?


But at least the critical problem of giving away free web access (to 
rich visitors, rather than Haitian XO users) is solved for now!



On 2/28/2012 4:43 PM, John Watlington wrote:

On Feb 28, 2012, at 1:05 PM, Holt wrote:


Clarif: port 80 is (unfort) forwarded thru the XS, for all laptops that connect 
over Wifi.

Traffic across all other ports (incl 443 = https) is thankfully blocked, though 
I've no idea why/how unfortunately ;)

Sounds like your problem is squid.   Your firewall is probably blocking 
FORWARDS from non-XOs,
but routing all http traffic into squid.   You instead need to only route XO 
http traffic into squid.

What version school server software ?

Cheers,
wad




--
Help kids everywhere map their world, at http://olpcMAP.net !

___
Server-devel mailing list
Server-devel@lists.laptop.org
http://lists.laptop.org/listinfo/server-devel


Re: [Server-devel] A quick networking question

2012-02-29 Thread rolf
Hello:

On Wed, 29 Feb 2012 07:36:27 -0500, Holt h...@laptop.org wrote:
> Thanks Wad, you fixed the problem:
> We did not know squid was running on the XS Tony Anderson installed (0.6
> derivative I believe) early autumn 2011.

The XS redirects all traffic coming from the LAN to squid. You can check
out the config at /etc/sysconfig/iptables. This is done for all connections
from the LAN interface if I'm not mistaken (it doesn't filter subnets or
anything).


> Why our XS continues to resolve & offer free/accurate DNS to any random
> laptop that connects over Wifi is disconcerting, if anyone can explain?

The firewall is set up to allow all connections directed to it (iptables
INPUT chain). You've got to block other ports when you set ip_forward to
0, because only port 80 is redirected to squid; the rest is forwarded.

> But at least the critical problem of giving away free web access (to
> rich visitors, rather than Haitian XO users) is solved for now!

The secure way of filtering is getting the XOs' MACs, and configuring the DHCP
(to lease a specific IP always) and to allow forwarding and redirecting
ONLY for the MAC with the corresponding IP. This is very fine-grained work
though; there could be other methods.

Cheers

--
Rolf


Re: [Server-devel] A quick networking question

2012-02-29 Thread Samuel Greenfeld
The example DHCP configuration linked likely should be updated to support
multiple MAC address ranges.

In addition to the 00:17:C4 prefix mentioned in that script, newer XOs may
come with Wifi cards that have a 20:7C:8F prefix, and I'm looking at an XO
that has a 68:A3:C4 prefix.


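A defender-side audit of the MAC-prefix approach discussed by Rolf, Anna and Samuel, as an added example that is not from the list or the XS project: it parses an ISC dhcpd.leases file and reports active leases whose OUI is not one of the XO WLAN prefixes named above, so you can see which non-XO devices the XS is currently serving. The prefix set, the 172.18.96.x addresses and the leases content are constructed for the example, not taken from a real server.

```python
import re
# OUI prefixes of XO WLAN modules named in the thread. Assumption: extend this
# set with whatever prefixes your own deployment has actually observed.
XO_OUIS = {"00:17:c4", "20:7c:8f", "68:a3:c4"}

# Constructed sample dhcpd.leases content (not a real capture).
SAMPLE_LEASES = """\
lease 172.18.96.10 {
  binding state active;
  hardware ethernet 00:17:c4:12:34:56;
  client-hostname "xo-12-34-56";
}
lease 172.18.96.12 {
  binding state active;
  hardware ethernet 3c:07:54:99:88:77;
  client-hostname "visitor-macbook";
}
lease 172.18.96.13 {
  binding state free;
  hardware ethernet d4:be:d9:11:22:33;
}
"""

LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)

def _field(pattern, body):
    m = re.search(pattern, body)
    return m.group(1) if m else None

def parse_leases(text):
    """Newest record per IP: dhcpd appends to the file, so the last one wins."""
    leases = {}
    for ip, body in LEASE_RE.findall(text):
        mac = _field(r"hardware ethernet\s+([0-9a-fA-F:]{17});", body)
        leases[ip] = {
            "ip": ip,
            "mac": mac.lower() if mac else None,
            "state": _field(r"binding state\s+(\w+);", body),
            "hostname": _field(r'client-hostname\s+"([^"]*)";', body),
        }
    return leases

def is_xo_mac(mac):
    # Compare only the first three octets (the OUI), case-insensitively.
    return mac[:8].lower() in XO_OUIS

def non_xo_active_leases(text):
    """Active leases held by clients whose OUI is not on the XO list."""
    return [r for r in parse_leases(text).values()
            if r["state"] == "active" and r["mac"] and not is_xo_mac(r["mac"])]
```

As Anna notes, a client that spoofs a listed MAC passes this check, so treat it as an inventory aid for reviewing the DHCP-based filter, not as the access control itself.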


Re: [Server-devel] A quick networking question

2012-02-29 Thread John Watlington

On Feb 29, 2012, at 10:05 AM, Samuel Greenfeld wrote:

> The example DHCP configuration linked likely should be updated to support
> multiple MAC address ranges.
>
> In addition to the 00:17:C4 prefix mentioned in that script, newer XOs may
> come with Wifi cards that have a 20:7C:8F prefix, and I'm looking at an XO
> that has a 68:A3:C4 prefix.

The days of simple MAC filtering are probably over. As Samuel points out,
there are at least two sources of WLAN modules for XO-1.5/1.75 laptops, and
more might be introduced in the future.

There are well established protocols and services for authenticating access to a
network (802.1x).   Supposedly wpa_supplicant already supports some of them ?
It is time to start using one of them.

Cheers,
wad


[Server-devel] A quick networking question

2012-02-28 Thread George Hunt
Hi,

In Haiti, Adam and I have been trying to get a school server online.  We're
finding that volunteers are going through the school server to the internet
with their laptops, and he wants to turn that off, at least for now.

I've turned off /proc/net...ip_forward and verified that there is no
masquerade enabled in the iptables.

But that's not enough!!  I wasn't sure that the vpn wasn't setting up a
gateway, so I had him turn off the vpn.  But still the school server was
routing to the 3G usb modem dongle even with the vpn pipe closed down.

How does the school server act like a router?  It may be related to the ppp
connection and wdial configuration.  But I'm stumped.

But I'm trying to bring myself up to speed quickly because he really wants
to get it turned off.

Any ideas on what to try next?  I'm afraid the solution is going to be to
pull out the 3g dongle.

George


Re: [Server-devel] A quick networking question

2012-02-28 Thread Holt


Interestingly the XS(*) creates an open path for any random non-XO 
laptop to access the web, but seems to block non-web traffic like ssh 
and IMAP.


In any case, even if it's just forwarding port 80 and 443 (?) we just 
cannot afford to become a free ISP here in semi-rural Haiti, given so 
many visitors to our school especially.


(*) XS as set up by Tony Anderson early autumn 2011, and currently 
maintained by George Hunt & I.




Re: [Server-devel] A quick networking question

2012-02-28 Thread Holt
Clarif: port 80 is (unfort) forwarded thru the XS, for all laptops that 
connect over Wifi.


Traffic across all other ports (incl 443 = https) is thankfully blocked, 
though I've no idea why/how unfortunately ;)





Re: [Server-devel] A quick networking question

2012-02-28 Thread Anna
As long as the volunteers connecting with their laptops aren't familiar
with MAC spoofing, you can tell the XS's dhcp server to only hand out IP
addresses to XOs.  Instead of fooling with the bit about redirecting all
http traffic for unknown clients to kittenwar.net, leave that bit out or
redirect them to 172.18.0.1 so they can access the local XS but not get
outside.

Here's the writeup:

http://lists.laptop.org/pipermail/server-devel/2011-January/005341.html

Anyway, it's a thought.

Anna Schoolfield
Birmingham


Re: [Server-devel] A quick networking question

2012-02-28 Thread John Watlington

On Feb 28, 2012, at 1:05 PM, Holt wrote:

> Clarif: port 80 is (unfort) forwarded thru the XS, for all laptops that
> connect over Wifi.
>
> Traffic across all other ports (incl 443 = https) is thankfully blocked,
> though I've no idea why/how unfortunately ;)

Sounds like your problem is squid.   Your firewall is probably blocking 
FORWARDS from non-XOs,
but routing all http traffic into squid.   You instead need to only route XO 
http traffic into squid.

What version school server software ?

Cheers,
wad
