On Wed, 2011-01-12 at 10:03 -0600, Anna wrote:
> I like to leave the AP open on my test XS 0.6 at home, but ran into an
> issue with that yesterday. I noticed the lights on my router blinking
> like crazy, so I did a live tail on the squid access log to see what
> was going on.
>
> tail -f /var/log/squid/access.log
> <snip>
> And because I'm ticked off, and inspired by
> http://www.ex-parrot.com/pete/upside-down-ternet.html, it's time for
> some fun with iptables. In /etc/sysconfig/olpc-scripts/iptables-xs.in
> I add a couple of lines like so:

So I'm not the only one who likes fun with iptables; I wish I could see the expression on their face when I tried something like that.
> *nat
> :PREROUTING ACCEPT [0:0]
> :POSTROUTING ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> -A PREROUTING -s 172.18.124.0/24 -p tcp --dport 80 -j DNAT --to
> 205.196.209.62
> @@SQUID@@
> -A POSTROUTING -o @@WAN@@ -j MASQUERADE
> COMMIT
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> -A FORWARD -s 172.18.124.0/24 -p tcp --dport 443 -j DROP

This should take care of the rest of the outgoing connections. Change to:

-A FORWARD -s 172.18.124.0/24 -p tcp ! --dport 80 -j DROP

and add:

-A FORWARD -s 172.18.124.0/24 -j DROP

> COMMIT
>
> Restart dhcpd and iptables:
> service dhcpd restart
> service iptables restart
>
> Now all unknown clients will have http traffic redirected to
> http://kittenwar.com and their https traffic is dropped.
>
> Obviously this isn't a deterrent to someone who can use an ssh proxy
> for browsing, and it doesn't block traffic on other ports or
> protocols, but most of my neighbors aren't of the networking savvy
> sort (particularly the grotesque rednecks) and will likely conclude
> "this darn internet ain't workin' no more." If I lived near MIT, this
> would not be an acceptable solution. But I'm not terribly concerned
> many folks around here know much about packet sniffing or MAC
> spoofing.

His machine might be owned or a spam bot... Try the trivial change above.

> When guests come over and want to look at something other than
> pictures of kittens, all I have to do is add the MAC to the list of
> known clients, restart dhcpd, and tell them to renew their IP.
>
> At the very least, now I know how to keep XOs and non-XO clients on
> different IP ranges.
>
> Anna Schoolfield
> Birmingham

Jerry
_______________________________________________
Server-devel mailing list
Server-devel@lists.laptop.org
http://lists.laptop.org/listinfo/server-devel
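To see what the FORWARD chains discussed in this thread actually let through, here is an added example (mine, not Anna's config and not part of the XS scripts) that simulates netfilter's first-match evaluation for the matches the posted rules use: -s, -p, --dport and ! --dport, with the chain policy ACCEPT from the :FORWARD line. It compares Anna's original chain, the two-rule replacement suggested above exactly as posted, and a third variant of my own that puts an explicit ACCEPT for tcp/80 ahead of the catch-all drop. The DNAT in the nat table is not modelled, the @@SQUID@@ placeholder is left out, the sample packets are constructed, and 172.18.96.10 is an assumed address outside the guest range.

```python
"""Simulate the guest-subnet FORWARD chain from the server-devel thread.

Added example, not from the original thread. Models only the matches the
posted rules use (-s, -p, --dport, ! --dport) against a chain whose policy
is ACCEPT; nat-table DNAT and the @@SQUID@@ placeholder are not modelled.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

GUEST_NET = ipaddress.ip_network("172.18.124.0/24")  # guest range from the thread


@dataclass(frozen=True)
class Packet:
    src: str
    proto: str                 # "tcp", "udp", "icmp", ...
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    target: str                                   # ACCEPT or DROP
    src: Optional[ipaddress.IPv4Network] = None   # -s
    proto: Optional[str] = None                   # -p
    dport: Optional[int] = None                   # --dport
    negate_dport: bool = False                    # ! --dport

    def matches(self, pkt: Packet) -> bool:
        if self.src is not None and ipaddress.ip_address(pkt.src) not in self.src:
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dport is not None:
            hit = pkt.dport == self.dport
            if hit == self.negate_dport:   # plain match needs a hit, negated needs a miss
                return False
        return True

    def render(self) -> str:
        """Emit the rule in iptables-restore syntax, as it would sit in iptables-xs.in."""
        parts = ["-A FORWARD"]
        if self.src is not None:
            parts.append(f"-s {self.src}")
        if self.proto is not None:
            parts.append(f"-p {self.proto}")
        if self.dport is not None:
            parts.append(("! " if self.negate_dport else "") + f"--dport {self.dport}")
        parts.append(f"-j {self.target}")
        return " ".join(parts)


# Anna's chain: only HTTPS from guests is dropped.
ORIGINAL = [Rule("DROP", GUEST_NET, "tcp", 443)]
# The replacement as suggested in the reply: non-80 TCP, then everything.
AS_SUGGESTED = [Rule("DROP", GUEST_NET, "tcp", 80, negate_dport=True),
                Rule("DROP", GUEST_NET)]
# My variant: allow the port that gets DNATed, drop the rest of the guest traffic.
STRICT = [Rule("ACCEPT", GUEST_NET, "tcp", 80), Rule("DROP", GUEST_NET)]
CHAINS = {"original": ORIGINAL, "as_suggested": AS_SUGGESTED, "strict": STRICT}


def forward_verdict(chain: List[Rule], pkt: Packet, policy: str = "ACCEPT") -> str:
    """First matching rule wins; otherwise fall through to the chain policy."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.target
    return policy


def verdicts(chains: Dict[str, List[Rule]], packets: List[Packet]) -> Dict[str, Dict[str, str]]:
    """{packet label: {chain name: verdict}} for every packet against every chain."""
    return {f"{p.src} {p.proto}/{p.dport}":
            {name: forward_verdict(chain, p) for name, chain in chains.items()}
            for p in packets}


# Constructed traffic: one guest client, and one assumed non-guest address.
SAMPLE = [
    Packet("172.18.124.50", "tcp", 80),    # browsing; the nat DNAT sends this to the kitten site
    Packet("172.18.124.50", "tcp", 443),
    Packet("172.18.124.50", "tcp", 22),    # the ssh proxy Anna mentions
    Packet("172.18.124.50", "udp", 53),    # DNS to an off-box resolver
    Packet("172.18.124.50", "tcp", 25),    # outbound SMTP, what a spam bot wants
    Packet("172.18.96.10", "tcp", 25),     # outside the guest range: no rule applies
]

if __name__ == "__main__":
    for name, chain in CHAINS.items():
        print(f"# {name}")
        for rule in chain:
            print(rule.render())
    for label, result in verdicts(CHAINS, SAMPLE).items():
        print(f"{label:22} " + "  ".join(f"{k}={v}" for k, v in result.items()))
```

Run as a script it prints each chain in iptables-restore syntax followed by a verdict table. Two things fall out of it: the original chain forwards ssh, DNS and SMTP from guests untouched, which is why a compromised neighbour's box would keep working; and a bare `-s 172.18.124.0/24 -j DROP` also matches the DNATed port-80 packets, so without an ACCEPT ahead of it the kitten page never arrives either. Whether port-80 traffic reaches FORWARD at all depends on what @@SQUID@@ expands to, which the thread does not show; the DNAT rule precedes it, and DNAT is a terminating target, so the simulation assumes those packets are forwarded.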