Re: [Server-devel] IP Address Pools for XOs, known clients, and unknown clients on XS 0.6

2011-01-12 Thread Anna
On Wed, Jan 12, 2011 at 8:50 PM, John Watlington  wrote:

>
> The best iptables hack like this I've seen routed "extraneous"
> connections through a transparent web proxy which flipped
> all images (swapped left and right).
>
> Cheers,
> wad
>
>
That does look fun, but I went with the kitten thing instead of messing with
the XS's Squid proxy.  This is my "test XS," after all, and I didn't want to
break that functionality.

> >> And because I'm ticked off, and inspired by
> >> http://www.ex-parrot.com/pete/upside-down-ternet.html it's time for
> >> some fun with iptables.
>
>
That's probably the hack you're thinking of.

Tonight I just remembered that because my squid cache was full of ick due to
that thoughtless neighbor, I should probably scrub it out:

/etc/sysconfig/olpc-scripts/TURN_SQUID_OFF
rm -rf /library/cache
/etc/sysconfig/olpc-scripts/TURN_SQUID_ON

And now it's virginal again, so to speak.

Anna Schoolfield
Birmingham
___
Server-devel mailing list
Server-devel@lists.laptop.org
http://lists.laptop.org/listinfo/server-devel


Re: [Server-devel] IP Address Pools for XOs, known clients, and unknown clients on XS 0.6

2011-01-12 Thread Tom Mitchell
On Wed, Jan 12, 2011 at 8:03 AM, Anna  wrote:
> I like to leave the AP open on my test XS 0.6 at home, but ran into an issue
> with that yesterday.  I noticed the lights on my router blinking like crazy,
> so I did a live tail on the squid access log to see what was going on.
>
> tail -f /var/log/squid/access.log
>
> And oh, my goodness.

Leaving an access point open is getting more and
more questionable.   Because of the tangle of
issues that can surface, it does pay to set up basic
encryption and passwords.  Your proxy logs will help
you a lot if there are issues.

My strategy has been to give the access point
an interesting name...
A friendly name might be "AskAnna"; another name
might be informative, "GoAwayBob".   Names
like "password is guest" also work.

Passphrases need not be hard to remember.  Examples
might be:  "I love OLPC!" or "AnnaSaysWelcome".

The reason to establish basic encryption is that without
encryption it is too easy for some passer-by to snoop
up passwords to web sites.   None of the WiFi crypto systems
are terribly strong but they do keep the riff-raff out.

-- 

                      T o m   M i t c h e l l
                    mitch-at-niftyegg-dot-com
"My lifetime goal is to be the kind of person my dogs think I am."


Re: [Server-devel] IP Address Pools for XOs, known clients, and unknown clients on XS 0.6

2011-01-12 Thread John Watlington

The best iptables hack like this I've seen routed "extraneous"
connections through a transparent web proxy which flipped
all images (swapped left and right).

Cheers,
wad

On Jan 12, 2011, at 11:46 AM, Jerry Vonau wrote:

> On Wed, 2011-01-12 at 10:03 -0600, Anna wrote:
>> I like to leave the AP open on my test XS 0.6 at home, but ran into an
>> issue with that yesterday.  I noticed the lights on my router blinking
>> like crazy, so I did a live tail on the squid access log to see what
>> was going on.
>> 
>> tail -f /var/log/squid/access.log
>> 
> 
>> And because I'm ticked off, and inspired by
>> http://www.ex-parrot.com/pete/upside-down-ternet.html, it's time for
>> some fun with iptables.  In /etc/sysconfig/olpc-scripts/iptables-xs.in
>> I add a couple of lines like so:
>> 
> So I'm not the only one who likes fun with iptables; I wish I could see
> the expression on their face when I tried something like that.
> 
>> *nat
>> :PREROUTING ACCEPT [0:0]
>> :POSTROUTING ACCEPT [0:0]
>> :OUTPUT ACCEPT [0:0]
>> -A PREROUTING -s 172.18.124.0/24 -p tcp --dport 80 -j DNAT --to 205.196.209.62
>> @@SQUID@@
>> -A POSTROUTING -o @@WAN@@ -j MASQUERADE
>> COMMIT
>> *filter
>> :INPUT ACCEPT [0:0]
>> :FORWARD ACCEPT [0:0]
>> :OUTPUT ACCEPT [0:0]
>> -A FORWARD -s 172.18.124.0/24 -p tcp --dport 443 -j DROP
> 
> This should take care of the rest of the outgoing connections.
> change to: 
> -A FORWARD -s 172.18.124.0/24 -p tcp ! --dport 80 -j DROP
> 
> add:
> -A FORWARD -s 172.18.124.0/24 -j DROP
> 
>> COMMIT
>> 
>> Restart dhcpd and iptables:
>> service dhcpd restart
>> service iptables restart
>> 
>> Now all unknown clients will have http traffic redirected to
>> http://kittenwar.com and their https traffic is dropped.
>> 
>> Obviously this isn't a deterrent to someone who can use an ssh proxy
>> for browsing, and it doesn't block traffic on other ports or
>> protocols, but most of my neighbors aren't of the networking savvy
>> sort (particularly the grotesque rednecks) and will likely conclude
>> "this darn internet ain't workin' no more."  If I lived near MIT, this
>> would not be an acceptable solution.  But I'm not terribly concerned
>> many folks around here know much about packet sniffing or MAC
>> spoofing.
>> 
> 
> His machine might be owned/spam-bot... Try the trivial change above.
> 
>> When guests come over and want to look at something other than
>> pictures of kittens, all I have to do is add the MAC to the list of
>> known clients, restart dhcpd, and tell them to renew their IP.
>> 
>> At the very least, now I know how to keep XOs and non-XO clients on
>> different IP ranges.
>> 
>> Anna Schoolfield
>> Birmingham
> 
> Jerry
> 


Re: [Server-devel] IP Address Pools for XOs, known clients, and unknown clients on XS 0.6

2011-01-12 Thread Jerry Vonau
On Wed, 2011-01-12 at 10:03 -0600, Anna wrote:
> I like to leave the AP open on my test XS 0.6 at home, but ran into an
> issue with that yesterday.  I noticed the lights on my router blinking
> like crazy, so I did a live tail on the squid access log to see what
> was going on.
> 
> tail -f /var/log/squid/access.log
> 

> And because I'm ticked off, and inspired by
> http://www.ex-parrot.com/pete/upside-down-ternet.html, it's time for
> some fun with iptables.  In /etc/sysconfig/olpc-scripts/iptables-xs.in
> I add a couple of lines like so:
> 
So I'm not the only one who likes fun with iptables; I wish I could see
the expression on their face when I tried something like that.

> *nat
> :PREROUTING ACCEPT [0:0]
> :POSTROUTING ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> -A PREROUTING -s 172.18.124.0/24 -p tcp --dport 80 -j DNAT --to 205.196.209.62
> @@SQUID@@
> -A POSTROUTING -o @@WAN@@ -j MASQUERADE
> COMMIT
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> -A FORWARD -s 172.18.124.0/24 -p tcp --dport 443 -j DROP

This should take care of the rest of the outgoing connections.
change to: 
-A FORWARD -s 172.18.124.0/24 -p tcp ! --dport 80 -j DROP

add:
-A FORWARD -s 172.18.124.0/24 -j DROP

> COMMIT
> 
> Restart dhcpd and iptables:
> service dhcpd restart
> service iptables restart
> 
> Now all unknown clients will have http traffic redirected to
> http://kittenwar.com and their https traffic is dropped.
> 
> Obviously this isn't a deterrent to someone who can use an ssh proxy
> for browsing, and it doesn't block traffic on other ports or
> protocols, but most of my neighbors aren't of the networking savvy
> sort (particularly the grotesque rednecks) and will likely conclude
> "this darn internet ain't workin' no more."  If I lived near MIT, this
> would not be an acceptable solution.  But I'm not terribly concerned
> many folks around here know much about packet sniffing or MAC
> spoofing.
> 

His machine might be owned/spam-bot... Try the trivial change above.

> When guests come over and want to look at something other than
> pictures of kittens, all I have to do is add the MAC to the list of
> known clients, restart dhcpd, and tell them to renew their IP.
> 
> At the very least, now I know how to keep XOs and non-XO clients on
> different IP ranges.
> 
> Anna Schoolfield
> Birmingham

Jerry



[Server-devel] IP Address Pools for XOs, known clients, and unknown clients on XS 0.6

2011-01-12 Thread Anna
I like to leave the AP open on my test XS 0.6 at home, but ran into an issue
with that yesterday.  I noticed the lights on my router blinking like crazy,
so I did a live tail on the squid access log to see what was going on.

tail -f /var/log/squid/access.log

And oh, my goodness.  One of my neighbors was on there checking his
Facebook, setting up his fantasy basketball team, and, ahem, looking at
copious amounts of adult material.  First I checked to see if I knew who it
was via the Facebook user id I found in the squid log.  No, I had never met
him, but Mr. Frank strikes quite the caricature of an aging
redneck fratboy.  In typical passive aggressive Southern lady style, I'm
going to teach him a lesson.

I don't want to put encryption on the AP or fool around with content
filtering, so I'm going to use some dhcp tweaks and iptables to put up an
obstacle to web browsing by unknown clients.

Edits for /etc/sysconfig/olpc-scripts/dhcpd.conf.1

Under the subnet declaration, I added a class definition for the XOs.  This
works for the two XO 1.5 units I've got as well, but I'd verify the MAC on
any of those just to be sure.

subnet 172.18.96.0 netmask 255.255.224.0 {

    # XOs are picked out by the vendor prefix of the MAC: byte 0 of "hardware"
    # is the link type (1 = ethernet), bytes 1-3 are the OUI
    class "xo" {
        match if substring (hardware,1,3) = 00:17:c4;
    }

Since I'm going to separate things into pools by range, I comment out this
line:

    #range 172.18.96.2 172.18.125.254;

Beneath the lease times, I add my pools.  Adjust your ranges as needed.

    # Address pool for just XOs
    pool {
        allow members of "xo";
        range 172.18.96.2 172.18.123.254;
    }
    # Address pool for unknown clients
    pool {
        range 172.18.124.2 172.18.124.254;
        deny members of "xo";
        deny known-clients;
        allow unknown-clients;
    }
    # Address pool for known clients
    pool {
        range 172.18.125.2 172.18.125.254;
        deny members of "xo";
        deny unknown-clients;
    }

Make sure all that is within the ending bracket of the subnet.

At the very bottom of the file, below everything else, I add the known
clients.

# Non-XO stuff on dynamic range 172.18.125.0/24
host anna-eeepc-1 {hardware ethernet 00:15:af:ec:9e:46;}
host anna-eeepc-2 {hardware ethernet 00:22:43:2e:fe:79;}
host tyler-eeepc {hardware ethernet 00:15:af:ec:96:1f;}

And because I'm ticked off, and inspired by
http://www.ex-parrot.com/pete/upside-down-ternet.html, it's time for some
fun with iptables.  In /etc/sysconfig/olpc-scripts/iptables-xs.in I add a
couple of lines like so:

*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# unknown-client pool: rewrite every port-80 destination to kittenwar.com.
# DNAT is a terminating target, so this has to sit above the squid redirect
# for these packets to skip the transparent proxy.
-A PREROUTING -s 172.18.124.0/24 -p tcp --dport 80 -j DNAT --to 205.196.209.62
@@SQUID@@
-A POSTROUTING -o @@WAN@@ -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# no https escape hatch for that pool
-A FORWARD -s 172.18.124.0/24 -p tcp --dport 443 -j DROP
COMMIT

Restart dhcpd and iptables:
service dhcpd restart
service iptables restart

Now all unknown clients will have http traffic redirected to
http://kittenwar.com and their https traffic is dropped.

Obviously this isn't a deterrent to someone who can use an ssh proxy for
browsing, and it doesn't block traffic on other ports or protocols, but most
of my neighbors aren't of the networking savvy sort (particularly the
grotesque rednecks) and will likely conclude "this darn internet ain't
workin' no more."  If I lived near MIT, this would not be an acceptable
solution.  But I'm not terribly concerned many folks around here know much
about packet sniffing or MAC spoofing.

When guests come over and want to look at something other than pictures of
kittens, all I have to do is add the MAC to the list of known clients,
restart dhcpd, and tell them to renew their IP.

At the very least, now I know how to keep XOs and non-XO clients on
different IP ranges.

Anna Schoolfield
Birmingham
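An added example, not code from the original post or from the XS project: a small shell script that turns the one-off `tail -f /var/log/squid/access.log` above into a per-pool report, so you can see which unknown-pool clients are active and what they are fetching before deciding whose MAC to move into the known-clients list. It assumes the pool ranges from the dhcpd.conf above (172.18.96.2-172.18.123.254 for XOs, 172.18.124.0/24 for unknown clients, 172.18.125.0/24 for known clients) and squid's native access.log layout; the sample log lines, including the 192.0.2.0/24 peer addresses, are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the original post or the XS project: summarise
# squid's access.log per DHCP pool, so the "who is on my open AP" check done
# with tail -f can be repeated as a report.
# Assumptions (from the dhcpd.conf in the post): pool ranges
#   172.18.96.2-172.18.123.254 -> "xo", 172.18.124.0/24 -> "unknown",
#   172.18.125.0/24 -> "known"; and squid's native log layout:
#   time elapsed client code/status bytes method URL ident hierarchy/peer type

# awk helper shared by both functions: map a client IP to its pool name.
POOL_AWK='
function pool(ip,    o) {
    split(ip, o, ".")
    if (o[1] + 0 != 172 || o[2] + 0 != 18) return "other"
    if (o[3] + 0 == 124) return "unknown"
    if (o[3] + 0 == 125) return "known"
    if (o[3] + 0 >= 96 && o[3] + 0 <= 123) return "xo"
    return "other"
}
'

# pool_for_ip IP -> prints xo | known | unknown | other
pool_for_ip() {
    printf '%s\n' "$1" | awk "$POOL_AWK"'{ print pool($1) }'
}

# squid_pool_report LOGFILE POOL -> "count client host" lines, busiest first,
# for clients whose address falls in POOL. CONNECT lines (https) carry
# "host:port" instead of a URL, so the host is cut at the first '/', ':' or '?'
# after any scheme has been stripped.
squid_pool_report() {
    awk -v want="$2" "$POOL_AWK"'
    {
        if (pool($3) != want) next
        host = $7
        sub("^[A-Za-z]+://", "", host)
        sub("[/:?].*$", "", host)
        n[$3 " " host]++
    }
    END { for (k in n) print n[k], k }' "$1" | sort -rn
}

# write_sample_log FILE: constructed sample lines in squid native format
# (timestamps and peer IPs are made up; 192.0.2.0/24 is a documentation range).
write_sample_log() {
    cat > "$1" <<'EOF'
1294859404.101    150 172.18.124.7 TCP_MISS/200 5120 GET http://www.facebook.com/home.php - DIRECT/192.0.2.10 text/html
1294859405.210     88 172.18.124.7 TCP_MISS/200 2210 GET http://www.facebook.com/ajax/feed.php - DIRECT/192.0.2.10 text/html
1294859406.330    412 172.18.124.7 TCP_MISS/200 9900 GET http://www.facebook.com/profile.php?id=12345 - DIRECT/192.0.2.10 text/html
1294859407.005    200 172.18.124.7 TCP_MISS/200 7000 CONNECT fantasy.example.net:443 - DIRECT/192.0.2.20 -
1294859408.120     60 172.18.100.9 TCP_HIT/200 1400 GET http://wiki.laptop.org/go/Home - NONE/- text/html
1294859409.500     75 172.18.125.3 TCP_MISS/200 3300 GET http://lists.laptop.org/listinfo/server-devel - DIRECT/192.0.2.30 text/html
EOF
}

# Usage: sh squid_pools.sh /var/log/squid/access.log unknown
if [ $# -ge 1 ]; then
    squid_pool_report "$1" "${2:-unknown}"
fi
```

Run it as `sh squid_pools.sh /var/log/squid/access.log unknown`; `sort -rn` puts the busiest client/host pair first. Because the report keys on the client's pool range rather than its MAC, it stays correct after a guest's MAC is added to the known clients and they renew their lease: they simply move from the "unknown" report to the "known" one.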
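Also an added example (not the XS project's iptables-xs.in and not from Anna's or Jerry's message): a shell helper that emits the nat and filter fragment for the unknown-client pool in the layout of the rules above, with Jerry's refinement of dropping everything from that pool other than the redirected port-80 traffic, plus a check for the two ordering mistakes that silently defeat the trick when the file is edited later: the DNAT sliding below the @@SQUID@@ transparent-proxy redirect, and a rule being appended after the pool's catch-all DROP. Jerry's `! --dport 80` line needs a matching ACCEPT for port 80 placed above the catch-all `-j DROP`, otherwise the catch-all also drops the redirected flows; the helper emits that ACCEPT/DROP pair. The pool address, the kittenwar.com address and the @@SQUID@@/@@WAN@@ placeholders are the ones from the post.

```shell
#!/bin/sh
# Added example, not the XS project's iptables-xs.in and not from the posts:
# emit the nat/filter fragment for the "unknown clients" pool in the layout of
# Anna's rules, with Jerry's tightening (drop everything else from the pool),
# and lint the ordering. @@SQUID@@ and @@WAN@@ are the XS template
# placeholders seen in the post and are left for the XS scripts to expand.

# unknown_pool_rules POOL_CIDR SINK_IP -> iptables-restore text on stdout
unknown_pool_rules() {
    pool=$1 sink=$2
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# The DNAT must come before @@SQUID@@: once the transparent-proxy REDIRECT
# has matched a port-80 packet, a later DNAT in PREROUTING never sees it.
-A PREROUTING -s $pool -p tcp --dport 80 -j DNAT --to-destination $sink
@@SQUID@@
-A POSTROUTING -o @@WAN@@ -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# FORWARD runs after DNAT, so the redirected flows still carry dport 80 and
# are allowed explicitly; everything else from the pool (https, ssh, VPNs,
# anything over UDP) is dropped. DHCP and any DNS the XS answers itself
# arrive on INPUT, not FORWARD, so leases and name resolution still work.
-A FORWARD -s $pool -d $sink -p tcp --dport 80 -j ACCEPT
-A FORWARD -s $pool -j DROP
COMMIT
EOF
}

# check_rule_order POOL_CIDR FILE -> prints "ok" and returns 0, or prints the
# problem and returns 1. Positions are line numbers from grep -n.
check_rule_order() {
    pool=$1 file=$2
    dnat=$(grep -n -- "-A PREROUTING -s $pool .*-j DNAT" "$file" | head -n 1 | cut -d: -f1)
    squid=$(grep -n '^@@SQUID@@' "$file" | head -n 1 | cut -d: -f1)
    drop=$(grep -n -- "-A FORWARD -s $pool -j DROP" "$file" | head -n 1 | cut -d: -f1)
    lastfwd=$(grep -n -- "-A FORWARD -s $pool" "$file" | tail -n 1 | cut -d: -f1)
    if [ -z "$dnat" ] || [ -z "$squid" ] || [ "$dnat" -ge "$squid" ]; then
        echo "DNAT for $pool must precede @@SQUID@@ (DNAT at line ${dnat:-none}, @@SQUID@@ at line ${squid:-none})"
        return 1
    fi
    if [ -z "$drop" ] || [ "$drop" != "$lastfwd" ]; then
        echo "catch-all DROP for $pool must be the last FORWARD rule for that pool"
        return 1
    fi
    echo ok
}

# Usage: sh unknown_pool.sh 172.18.124.0/24 205.196.209.62 > fragment.in
#        then, in a shell that has sourced this file:
#        check_rule_order 172.18.124.0/24 fragment.in
if [ $# -eq 2 ]; then
    unknown_pool_rules "$1" "$2"
fi
```

After `service iptables restart`, `iptables -t nat -L PREROUTING -n --line-numbers` and `iptables -L FORWARD -n --line-numbers` show the live order, and a client in 172.18.124.0/24 should be able to reach any port-80 site (and land on kittens) and nothing else. The lint only reads the template; it does not replace trying a client from the unknown pool.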