Re: [Server-devel] IP Address Pools for XOs, known clients, and unknown clients on XS 0.6
On Wed, Jan 12, 2011 at 8:50 PM, John Watlington wrote:
>
> The best iptables hack like this I've seen routed "extraneous"
> connections through a transparent web proxy which flipped
> all images (swapped left and right).
>
> Cheers,
> wad
>

That does look fun, but I went with the kitten thing instead of messing with the XS's Squid proxy. This is my "test XS," after all, and I didn't want to break that functionality.

>> And because I'm ticked off, and inspired by
>> http://www.ex-parrot.com/pete/upside-down-ternet.html it's time for
>> some fun with iptables.

That's probably the hack you're thinking of.

Tonight I just remembered that because my squid cache was full of ick due to that thoughtless neighbor, I should probably scrub it out:

/etc/sysconfig/olpc-scripts/TURN_SQUID_OFF
rm -rf /library/cache
/etc/sysconfig/olpc-scripts/TURN_SQUID_ON

And now it's virginal again, so to speak.

Anna Schoolfield
Birmingham
___
Server-devel mailing list
Server-devel@lists.laptop.org
http://lists.laptop.org/listinfo/server-devel
Re: [Server-devel] IP Address Pools for XOs, known clients, and unknown clients on XS 0.6
On Wed, Jan 12, 2011 at 8:03 AM, Anna wrote:
> I like to leave the AP open on my test XS 0.6 at home, but ran into an issue
> with that yesterday. I noticed the lights on my router blinking like crazy,
> so I did a live tail on the squid access log to see what was going on.
>
> tail -f /var/log/squid/access.log
>
> And oh, my goodness.

Leaving an access point open is getting more and more questionable. Because of the tangle of issues that can surface it does pay to set up basic encryption and passwords. Your proxy logs will help you a lot if there are issues.

My strategy has been to give the access point an interesting name... A friendly name might be "AskAnna"; another name might be informative: "GoAwayBob". Names like "password is guest" also work.

Pass phrases need not be hard to remember. Examples might be: "I love OLPC!" or "AnnaSaysWelcome".

The reason to establish basic encryption is that without encryption it is too easy for some passerby to snoop up passwords to web sites. None of the WiFi crypto systems are terribly strong, but they do keep the riffraff out.

-- 
T o m   M i t c h e l l
mitch-at-niftyegg-dot-com
"My lifetime goal is to be the kind of person my dogs think I am."
Re: [Server-devel] IP Address Pools for XOs, known clients, and unknown clients on XS 0.6
The best iptables hack like this I've seen routed "extraneous" connections through a transparent web proxy which flipped all images (swapped left and right).

Cheers,
wad

On Jan 12, 2011, at 11:46 AM, Jerry Vonau wrote:

> On Wed, 2011-01-12 at 10:03 -0600, Anna wrote:
>> I like to leave the AP open on my test XS 0.6 at home, but ran into an
>> issue with that yesterday. I noticed the lights on my router blinking
>> like crazy, so I did a live tail on the squid access log to see what
>> was going on.
>>
>> tail -f /var/log/squid/access.log
>>
>
>> And because I'm ticked off, and inspired by
>> http://www.ex-parrot.com/pete/upside-down-ternet.html, it's time for
>> some fun with iptables. In /etc/sysconfig/olpc-scripts/iptables-xs.in
>> I add a couple of lines like so:
>>
> So I'm not the only one who likes fun with iptables, wish I could see
> the expression on their face when I tried something like that.
>
>> *nat
>> :PREROUTING ACCEPT [0:0]
>> :POSTROUTING ACCEPT [0:0]
>> :OUTPUT ACCEPT [0:0]
>> -A PREROUTING -s 172.18.124.0/24 -p tcp --dport 80 -j DNAT --to 205.196.209.62
>> @@SQUID@@
>> -A POSTROUTING -o @@WAN@@ -j MASQUERADE
>> COMMIT
>> *filter
>> :INPUT ACCEPT [0:0]
>> :FORWARD ACCEPT [0:0]
>> :OUTPUT ACCEPT [0:0]
>> -A FORWARD -s 172.18.124.0/24 -p tcp --dport 443 -j DROP
>
> This should take care of the rest of the outgoing connections..
> change to:
> -A FORWARD -s 172.18.124.0/24 -p tcp ! --dport 80 -j DROP
>
> add:
> -A FORWARD -s 172.18.124.0/24 -j DROP
>
>> COMMIT
>>
>> Restart dhcpd and iptables:
>> service dhcpd restart
>> service iptables restart
>>
>> Now all unknown clients will have http traffic redirected to
>> http://kittenwar.com and their https traffic is dropped.
>>
>> Obviously this isn't a deterrent to someone who can use an ssh proxy
>> for browsing, and it doesn't block traffic on other ports or
>> protocols, but most of my neighbors aren't of the networking savvy
>> sort (particularly the grotesque rednecks) and will likely conclude
>> "this darn internet ain't workin' no more." If I lived near MIT, this
>> would not be an acceptable solution. But I'm not terribly concerned
>> many folks around here know much about packet sniffing or MAC
>> spoofing.
>>
>
> His machine might be owned/spam-bot... Try the trivial change above.
>
>> When guests come over and want to look at something other than
>> pictures of kittens, all I have to do is add the MAC to the list of
>> known clients, restart dhcpd, and tell them to renew their IP.
>>
>> At the very least, now I know how to keep XOs and non-XO clients on
>> different IP ranges.
>>
>> Anna Schoolfield
>> Birmingham
>
> Jerry
Re: [Server-devel] IP Address Pools for XOs, known clients, and unknown clients on XS 0.6
On Wed, 2011-01-12 at 10:03 -0600, Anna wrote:
> I like to leave the AP open on my test XS 0.6 at home, but ran into an
> issue with that yesterday. I noticed the lights on my router blinking
> like crazy, so I did a live tail on the squid access log to see what
> was going on.
>
> tail -f /var/log/squid/access.log
>
> And because I'm ticked off, and inspired by
> http://www.ex-parrot.com/pete/upside-down-ternet.html, it's time for
> some fun with iptables. In /etc/sysconfig/olpc-scripts/iptables-xs.in
> I add a couple of lines like so:
>

So I'm not the only one who likes fun with iptables, wish I could see the expression on their face when I tried something like that.

> *nat
> :PREROUTING ACCEPT [0:0]
> :POSTROUTING ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> -A PREROUTING -s 172.18.124.0/24 -p tcp --dport 80 -j DNAT --to 205.196.209.62
> @@SQUID@@
> -A POSTROUTING -o @@WAN@@ -j MASQUERADE
> COMMIT
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> -A FORWARD -s 172.18.124.0/24 -p tcp --dport 443 -j DROP

This should take care of the rest of the outgoing connections..
change to:
-A FORWARD -s 172.18.124.0/24 -p tcp ! --dport 80 -j DROP

add:
-A FORWARD -s 172.18.124.0/24 -j DROP

> COMMIT
>
> Restart dhcpd and iptables:
> service dhcpd restart
> service iptables restart
>
> Now all unknown clients will have http traffic redirected to
> http://kittenwar.com and their https traffic is dropped.
>
> Obviously this isn't a deterrent to someone who can use an ssh proxy
> for browsing, and it doesn't block traffic on other ports or
> protocols, but most of my neighbors aren't of the networking savvy
> sort (particularly the grotesque rednecks) and will likely conclude
> "this darn internet ain't workin' no more." If I lived near MIT, this
> would not be an acceptable solution. But I'm not terribly concerned
> many folks around here know much about packet sniffing or MAC
> spoofing.
>

His machine might be owned/spam-bot... Try the trivial change above.

> When guests come over and want to look at something other than
> pictures of kittens, all I have to do is add the MAC to the list of
> known clients, restart dhcpd, and tell them to renew their IP.
>
> At the very least, now I know how to keep XOs and non-XO clients on
> different IP ranges.
>
> Anna Schoolfield
> Birmingham

Jerry
[Server-devel] IP Address Pools for XOs, known clients, and unknown clients on XS 0.6
I like to leave the AP open on my test XS 0.6 at home, but ran into an issue with that yesterday. I noticed the lights on my router blinking like crazy, so I did a live tail on the squid access log to see what was going on.

tail -f /var/log/squid/access.log

And oh, my goodness. One of my neighbors was on there checking his Facebook, setting up his fantasy basketball team, and, ahem, looking at copious amounts of adult material. First I checked to see if I knew who it was via the Facebook user id I found in the squid log. No, I had never met him, but Mr. Frank strikes quite the caricature of an aging redneck fratboy. In typical passive aggressive Southern lady style, I'm going to teach him a lesson.

I don't want to put encryption on the AP or fool around with content filtering, so I'm going to use some dhcp tweaks and iptables to put up an obstacle to web browsing by unknown clients.

Edits for /etc/sysconfig/olpc-scripts/dhcpd.conf.1

Under the subnet declaration, I added a class definition for the XOs. This works for the two XO 1.5 units I've got as well, but I'd verify the MAC on any of those just to be sure.

subnet 172.18.96.0 netmask 255.255.224.0 {

  class "xo" {
    match if substring (hardware,1,3) = 00:17:c4;
  }

Since I'm going to separate things into pools by range, I comment out this line:

  #range 172.18.96.2 172.18.125.254;

Beneath the lease times, I add my pools. Adjust your ranges as needed.

  # Address pool for just XOs
  pool {
    allow members of "xo";
    range 172.18.96.2 172.18.123.254;
  }

  # Address pool for unknown clients
  pool {
    range 172.18.124.2 172.18.124.254;
    deny members of "xo";
    deny known-clients;
    allow unknown-clients;
  }

  # Address pool for known clients
  pool {
    range 172.18.125.2 172.18.125.254;
    deny members of "xo";
    deny unknown-clients;
  }

Make sure all that is within the ending bracket of the subnet.

At the very bottom of the file, below everything else, I add the known clients.

# Non-XO stuff on dynamic range 172.18.125.0/24
host anna-eeepc-1 {hardware ethernet 00:15:af:ec:9e:46;}
host anna-eeepc-2 {hardware ethernet 00:22:43:2e:fe:79;}
host tyler-eeepc {hardware ethernet 00:15:af:ec:96:1f;}

And because I'm ticked off, and inspired by http://www.ex-parrot.com/pete/upside-down-ternet.html, it's time for some fun with iptables. In /etc/sysconfig/olpc-scripts/iptables-xs.in I add a couple of lines like so:

*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -s 172.18.124.0/24 -p tcp --dport 80 -j DNAT --to 205.196.209.62
@@SQUID@@
-A POSTROUTING -o @@WAN@@ -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -s 172.18.124.0/24 -p tcp --dport 443 -j DROP
COMMIT

Restart dhcpd and iptables:

service dhcpd restart
service iptables restart

Now all unknown clients will have http traffic redirected to http://kittenwar.com and their https traffic is dropped.

Obviously this isn't a deterrent to someone who can use an ssh proxy for browsing, and it doesn't block traffic on other ports or protocols, but most of my neighbors aren't of the networking savvy sort (particularly the grotesque rednecks) and will likely conclude "this darn internet ain't workin' no more." If I lived near MIT, this would not be an acceptable solution. But I'm not terribly concerned many folks around here know much about packet sniffing or MAC spoofing.

When guests come over and want to look at something other than pictures of kittens, all I have to do is add the MAC to the list of known clients, restart dhcpd, and tell them to renew their IP.

At the very least, now I know how to keep XOs and non-XO clients on different IP ranges.

Anna Schoolfield
Birmingham
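The live tail of access.log above can be turned into a quick triage once the pools are in place. The following is an added example, not code from the post or the XS: a parser for squid's native access.log line format that labels each client address by the DHCP pool it was handed out from (the XO, unknown and known ranges from the dhcpd.conf edit above, assumed unchanged) and totals requests, bytes, hosts and CONNECT tunnels per client, so the unknown-pool clients the iptables rules are aimed at stand out. The log lines are constructed for the example, with example hostnames and documentation addresses.

```python
import ipaddress
from collections import Counter
from urllib.parse import urlsplit

# Pool boundaries from the dhcpd.conf edit above (assumed unchanged).
XO_FIRST = ipaddress.ip_address("172.18.96.2")
XO_LAST = ipaddress.ip_address("172.18.123.254")
UNKNOWN_NET = ipaddress.ip_network("172.18.124.0/24")
KNOWN_NET = ipaddress.ip_network("172.18.125.0/24")

# Constructed access.log lines in squid's native format (not real traffic).
SAMPLE_LOG = """\
1294864321.104    245 172.18.124.57 TCP_MISS/200 5432 GET http://www.example.com/home.php - DIRECT/192.0.2.10 text/html
1294864322.310     12 172.18.124.57 TCP_HIT/200 2210 GET http://static.example.com/logo.png - NONE/- image/png
1294864330.550   1102 172.18.124.57 TCP_MISS/200 0 CONNECT mail.example.org:443 - DIRECT/198.51.100.20 -
1294864340.001     88 172.18.125.10 TCP_MISS/200 9920 GET http://wiki.example.net/go/XS - DIRECT/203.0.113.5 text/html
1294864351.770     40 172.18.97.44 TCP_MISS/200 1460 GET http://schoolserver/ds/ - DIRECT/172.18.96.1 text/html
1294864360.000      3 172.18.124.57 TCP_DENIED/403 1200 GET http://www.example.com/ - NONE/- text/html
"""


def pool_for(addr):
    """Name the DHCP pool an address came from, per the ranges above."""
    ip = ipaddress.ip_address(addr)
    if XO_FIRST <= ip <= XO_LAST:
        return "xo"
    if ip in UNKNOWN_NET:
        return "unknown"
    if ip in KNOWN_NET:
        return "known"
    return "other"


def parse_line(line):
    """Native squid format: time elapsed client code/status bytes method URL
    ident hierarchy/peer type.  Returns None for lines that don't fit."""
    f = line.split()
    if len(f) < 7:
        return None
    code, _, status = f[3].partition("/")
    method, url = f[5], f[6]
    if method == "CONNECT":
        host = url.rsplit(":", 1)[0]          # CONNECT logs host:port with no scheme
    else:
        host = urlsplit(url).hostname or url
    return {"ts": float(f[0]), "client": f[2], "code": code,
            "status": int(status) if status.isdigit() else 0,
            "bytes": int(f[4]), "method": method, "host": host}


def summarize(log_text):
    """Per-client totals: pool, request count, bytes, hosts seen, TLS tunnels."""
    clients = {}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        c = clients.setdefault(rec["client"], {
            "pool": pool_for(rec["client"]), "requests": 0, "bytes": 0,
            "hosts": Counter(), "tls": 0})
        c["requests"] += 1
        c["bytes"] += rec["bytes"]
        c["hosts"][rec["host"]] += 1
        if rec["method"] == "CONNECT":
            c["tls"] += 1
    return clients


def unknown_clients(clients):
    """Clients from the 'unknown' pool, busiest first."""
    rows = [(ip, s) for ip, s in clients.items() if s["pool"] == "unknown"]
    return sorted(rows, key=lambda r: r[1]["requests"], reverse=True)


if __name__ == "__main__":
    for ip, s in unknown_clients(summarize(SAMPLE_LOG)):
        top = ", ".join("%s (%d)" % hc for hc in s["hosts"].most_common(3))
        print("%s  %d req  %d bytes  %d TLS tunnels  %s"
              % (ip, s["requests"], s["bytes"], s["tls"], top))
```

To run it against the real thing, swap SAMPLE_LOG for sys.stdin.read() and pipe in tail -n 1000 /var/log/squid/access.log. Note that CONNECT lines only reveal the hostname and port, never the URL, which is why the HTTPS traffic on the page is simply dropped rather than inspected.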