The best iptables hack like this I've seen routed "extraneous" connections through a transparent web proxy which flipped all images (swapped left and right).
Cheers,
wad

On Jan 12, 2011, at 11:46 AM, Jerry Vonau wrote:

> On Wed, 2011-01-12 at 10:03 -0600, Anna wrote:
>> I like to leave the AP open on my test XS 0.6 at home, but ran into an
>> issue with that yesterday. I noticed the lights on my router blinking
>> like crazy, so I did a live tail on the squid access log to see what
>> was going on.
>>
>> tail -f /var/log/squid/access.log
>>
> <snip>
>> And because I'm ticked off, and inspired by
>> http://www.ex-parrot.com/pete/upside-down-ternet.html, it's time for
>> some fun with iptables. In /etc/sysconfig/olpc-scripts/iptables-xs.in
>> I add a couple of lines like so:
>>
> So I'm not the only one who likes fun with iptables, wish I could see
> the expression on their face when I tried something like that.
>
>> *nat
>> :PREROUTING ACCEPT [0:0]
>> :POSTROUTING ACCEPT [0:0]
>> :OUTPUT ACCEPT [0:0]
>> -A PREROUTING -s 172.18.124.0/24 -p tcp --dport 80 -j DNAT --to 205.196.209.62
>> @@SQUID@@
>> -A POSTROUTING -o @@WAN@@ -j MASQUERADE
>> COMMIT
>> *filter
>> :INPUT ACCEPT [0:0]
>> :FORWARD ACCEPT [0:0]
>> :OUTPUT ACCEPT [0:0]
>> -A FORWARD -s 172.18.124.0/24 -p tcp --dport 443 -j DROP
>
> This should take care of the rest of the outgoing connections..
> change to:
> -A FORWARD -s 172.18.124.0/24 -p tcp ! --dport 80 -j DROP
>
> add:
> -A FORWARD -s 172.18.124.0/24 -j DROP
>
>> COMMIT
>>
>> Restart dhcpd and iptables:
>> service dhcpd restart
>> service iptables restart
>>
>> Now all unknown clients will have http traffic redirected to
>> http://kittenwar.com and their https traffic is dropped.
>>
>> Obviously this isn't a deterrent to someone who can use an ssh proxy
>> for browsing, and it doesn't block traffic on other ports or
>> protocols, but most of my neighbors aren't of the networking savvy
>> sort (particularly the grotesque rednecks) and will likely conclude
>> "this darn internet ain't workin' no more." If I lived near MIT, this
>> would not be an acceptable solution. But I'm not terribly concerned
>> many folks around here know much about packet sniffing or MAC
>> spoofing.
>>
>
> His machine might be owned/spam-bot... Try the trivial change above.
>
>> When guests come over and want to look at something other than
>> pictures of kittens, all I have to do is add the MAC to the list of
>> known clients, restart dhcpd, and tell them to renew their IP.
>>
>> At the very least, now I know how to keep XOs and non-XO clients on
>> different IP ranges.
>>
>> Anna Schoolfield
>> Birmingham
>
> Jerry
>
> _______________________________________________
> Server-devel mailing list
> Server-devel@lists.laptop.org
> http://lists.laptop.org/listinfo/server-devel
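An added example, not code from the thread: a small Python parser for squid's native access.log format that counts requests per client in the unknown-client range (172.18.124.0/24, as in Anna's rules), so the "lights blinking like crazy" check she did with tail -f can be turned into a per-host tally. The log lines and the threshold are constructed samples.

```python
import ipaddress
from collections import Counter

# Constructed sample of squid native-format access.log lines (not from the thread):
# "<unix_ts> <elapsed_ms> <client_ip> <code>/<status> <bytes> <method> <url> <ident> <hierarchy>/<peer> <mime>"
SAMPLE_LOG = """\
1294850001.123    120 172.18.124.55 TCP_MISS/200 4523 GET http://kittenwar.com/ - DIRECT/205.196.209.62 text/html
1294850001.456     80 172.18.96.10 TCP_HIT/200 1200 GET http://schoolserver/ - NONE/- text/html
1294850002.001     95 172.18.124.55 TCP_MISS/200 3100 GET http://example.com/a - DIRECT/93.184.216.34 text/html
1294850002.300    110 172.18.124.55 TCP_MISS/200 2900 GET http://example.com/b - DIRECT/93.184.216.34 text/html
1294850003.020     60 172.18.124.77 TCP_MISS/404 300 GET http://example.org/x - DIRECT/93.184.216.34 text/html
"""

# The range the thread's DHCP setup hands to unknown (unregistered-MAC) clients.
UNKNOWN_CLIENT_NET = ipaddress.ip_network("172.18.124.0/24")


def parse_squid_line(line):
    """Return (client_ip, url) from one native-format squid log line, or None if malformed."""
    fields = line.split()
    if len(fields) < 7:
        return None
    try:
        client = ipaddress.ip_address(fields[2])
    except ValueError:
        return None
    return client, fields[6]


def unknown_client_activity(log_text, net=UNKNOWN_CLIENT_NET):
    """Count requests per client inside the unknown-client range.

    Returns {ip_str: request_count}, noisiest host first, so a misbehaving
    (possibly bot-infected, as Jerry suggests) guest stands out.
    """
    counts = Counter()
    for line in log_text.splitlines():
        parsed = parse_squid_line(line)
        if parsed is None:
            continue
        client, _url = parsed
        if client in net:
            counts[str(client)] += 1
    return dict(counts.most_common())


def noisy_unknown_clients(log_text, threshold, net=UNKNOWN_CLIENT_NET):
    """Return unknown-range clients with at least `threshold` requests."""
    return [ip for ip, n in unknown_client_activity(log_text, net).items() if n >= threshold]


if __name__ == "__main__":
    for ip, n in unknown_client_activity(SAMPLE_LOG).items():
        print(f"{ip}: {n} request(s) from the unknown-client range")
```

On a live server the same functions can be fed the output of `tail -f /var/log/squid/access.log` line by line; the 172.18.96.10 host in the sample is skipped because it is outside the unknown-client range.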