Iptables gateway with one lan adapter
Hi.
I currently offer free wifi access to customers in my pub and I am trying to implement a layer 7 filter to block P2P filesharing. The network looks like this (router_wifi does NAT):

router (10.0.1.1) --> debian-box (10.0.1.2) --> (10.0.1.5) router_wifi (10.0.2.1) -> clients (10.0.2.x)

My plan is to use debian-box to take care of the P2P blocking: I compiled ipp2p (TCP layer 7 packet analyzer) but I can't figure out how to make the machine act as a gateway for the wifi clients. All the examples I found online refer to the situation where the computer has two network interfaces, but I only have eth0. This is what I got so far:
Code:
# Interface connected to Internet
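Since the poster's own script is cut off above, here is an added example (not code from the thread) of a single-NIC gateway for exactly the topology in the question. It assumes the addresses given there: this box is 10.0.1.2 on eth0, the upstream router is 10.0.1.1, router_wifi's outside address is 10.0.1.5 and it NATs the 10.0.2.x clients, and router_wifi has been pointed at 10.0.1.2 as its default gateway. The `IPT`/`SYSCTL` variables and the `apply` argument are conveniences of this example so it can be dry-run with `IPT=echo`.

```shell
#!/bin/sh
# Added example, not the original poster's script: a one-interface gateway
# that forwards router_wifi's traffic back out the same NIC, dropping
# anything the ipp2p match recognises as P2P.
# Assumed topology (from the thread): eth0 = 10.0.1.2, upstream router
# 10.0.1.1, router_wifi outside address 10.0.1.5 (it NATs 10.0.2.x).
IPT="${IPT:-iptables}"      # set IPT=echo to print the rules instead of applying them
SYSCTL="${SYSCTL:-sysctl}"
WAN_IF=eth0
WIFI_ROUTER=10.0.1.5

enable_forwarding() {
    "$SYSCTL" -w net.ipv4.ip_forward=1
    # Packets come in and go back out on the same interface, so the kernel
    # would send ICMP redirects telling router_wifi to use 10.0.1.1 directly;
    # that would route the clients around the filter. Switch redirects off.
    "$SYSCTL" -w net.ipv4.conf.all.send_redirects=0
    "$SYSCTL" -w "net.ipv4.conf.$WAN_IF.send_redirects=0"
}

install_rules() {
    "$IPT" -F FORWARD
    "$IPT" -t nat -F POSTROUTING
    "$IPT" -P FORWARD DROP
    # ipp2p inspects payload, which only appears after the TCP handshake,
    # so this DROP must sit before any ESTABLISHED accept rule.
    # --ipp2p matches every protocol the module knows (edk, bit, ares, ...).
    "$IPT" -A FORWARD -m ipp2p --ipp2p -j DROP
    # Forward what router_wifi sends, and the replies coming back to it.
    "$IPT" -A FORWARD -i "$WAN_IF" -o "$WAN_IF" -s "$WIFI_ROUTER" -j ACCEPT
    "$IPT" -A FORWARD -i "$WAN_IF" -o "$WAN_IF" -d "$WIFI_ROUTER" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Masquerade so the upstream router answers to 10.0.1.2: without this the
    # replies go straight to 10.0.1.5 and the filter sees only one direction.
    "$IPT" -t nat -A POSTROUTING -o "$WAN_IF" -s "$WIFI_ROUTER" -j MASQUERADE
}

# Run as root with "apply" to actually configure the box.
case "${1:-}" in
    apply) enable_forwarding && install_rules ;;
esac
```

The two details that bite on a single NIC are the ones handled explicitly: ICMP redirects, which would quietly tell router_wifi to bypass the box, and asymmetric return traffic, which the MASQUERADE rule prevents so that both halves of every connection pass the FORWARD chain. Put the ipp2p DROP ahead of the ESTABLISHED accept or it will never see the payload it needs.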
Hi

Dear asgozzi, instead of only blocking P2P, try to only allow a few things; that will be very easy. And about the eth0 thing: to act as a gateway you require two NETWORK INTERFACES. A GATEWAY can be configured on a single interface; however, it can create many problems. May I know the reason why you want to block P2P software? If the reason is BANDWIDTH CONSUMPTION, then have you tried BANDWIDTH RESTRICTION or BANDWIDTH SHAPING?
First of all, since everyone that comes to my cafe can connect to the wifi network, if some IFPI/RIAA/copyright agency finds out that intellectual property infringements are done from my connection, I would be the one getting into trouble. I agree with you, the second main reason is to keep BW usage down so everybody can experience fast browsing, but traffic shaping seems more CPU-intensive than layer 7 filtering and I don't want to waste that much computational power.

Also, I would like to keep my current single-NIC setup. I read about setting up a virtual network interface as eth0:0 and assigning a new IP address to it. Is that possible?
NICs are cheap. Save yourself the headache and add a second one.
Hi,

Dear asgozzi, setting up a virtual interface can work out; however, it can create problems if you don't have knowledge about how to set it up. Check this link out; it will help you in creating a virtual interface. http://www.cyberciti.biz/tips/howto-...work-vlan.html
Hi friend,

How effective is the ipp2p program? Kindly let me know....
It works great with the ed2k/Kad protocol and BitTorrent.
Yes, you are right. It works very well with BitTorrent and eDonkey, in that it does not allow pending downloads or fresh downloads. But it does not stop pending downloads from WinMX or LimeWire. Try these P2P clients if you don't believe me.

Lest I forget, the particular one giving me hell now is one called Ares. The ipp2p program is only able to capture initial packets but not able to track all initial connections. Hope to hear from you.
First off, do yourself a favor and spend the $10 for a used 10/100 Mbit NIC; trust me when I say it's money well spent when it comes to making a gateway.

Now, if you are providing free wifi for a pub, you really ought to only be providing HTTP access. For this reason I strongly urge you to install squid, an HTTP proxy server. I'm sure Debian has a package for it. With squid installed and configured to allow your local LAN, you can really lock down your network and you won't need to worry yourself with layer 7 filtering. In fact, you won't even have to MASQUERADE/SNAT your clients! This means that the only thing going out of your gateway is legitimate HTTP requests *made from the gateway itself*.

Here is the script I would use, again assuming/urging you to get another NIC for the 'eth1' interface I describe below.
Code:
#!/bin/bash
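The script in the post above is cut off, so here is an added example (not the poster's script) of the design it describes: FORWARD at DROP, no NAT, clients can only reach squid, and only squid talks to the Internet. Assumptions of this example: eth0 = 10.0.1.2 faces the upstream router, the added NIC eth1 faces router_wifi, router_wifi's outside address lives in a placeholder subnet 10.0.3.0/24, `ADMIN_HOST` is a placeholder wired machine you manage the box from, and squid listens on 3128. The `squid_acl` function prints the matching access list to merge into squid.conf.

```shell
#!/bin/sh
# Added example, not the script from the post above. Locks the gateway down
# so the wifi side can only talk to squid; squid alone fetches from the net.
# Assumed: eth0 = 10.0.1.2 towards the upstream router, eth1 = the second NIC
# towards router_wifi, 10.0.3.0/24 = placeholder subnet on the eth1 side,
# ADMIN_HOST = placeholder wired admin machine.
IPT="${IPT:-iptables}"      # set IPT=echo to print the rules instead of applying them
WAN_IF=eth0
LAN_IF=eth1
WIFI_NET=10.0.3.0/24
SQUID_PORT=3128
ADMIN_HOST=10.0.1.10

install_rules() {
    for chain in INPUT FORWARD OUTPUT; do
        "$IPT" -F "$chain"
        "$IPT" -P "$chain" DROP
    done
    # Nothing is forwarded and nothing is masqueraded: with FORWARD at DROP
    # and no nat rules, a client cannot reach the Internet except via squid.
    "$IPT" -A INPUT -i lo -j ACCEPT
    "$IPT" -A OUTPUT -o lo -j ACCEPT
    "$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Clients: only new connections to the proxy port, only from the wifi side.
    "$IPT" -A INPUT -i "$LAN_IF" -s "$WIFI_NET" -p tcp --dport "$SQUID_PORT" \
        -m state --state NEW -j ACCEPT
    # Squid's own fetches: HTTP/HTTPS and DNS, originating on this box.
    "$IPT" -A OUTPUT -o "$WAN_IF" -p tcp -m multiport --dports 80,443 \
        -m state --state NEW -j ACCEPT
    "$IPT" -A OUTPUT -o "$WAN_IF" -p udp --dport 53 -j ACCEPT
    # SSH from the wired admin host, so the DROP policies do not lock you out.
    "$IPT" -A INPUT -i "$WAN_IF" -s "$ADMIN_HOST" -p tcp --dport 22 \
        -m state --state NEW -j ACCEPT
}

# Matching squid access list. The CONNECT restriction is the important bit:
# a proxy that allows CONNECT to any port is a generic TCP tunnel, and P2P
# clients will happily use it.
squid_acl() {
    cat <<EOF
http_port $SQUID_PORT
acl pub_lan src $WIFI_NET
acl CONNECT method CONNECT
acl SSL_ports port 443
acl Safe_ports port 80 443
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow pub_lan
http_access deny all
EOF
}

case "${1:-}" in
    apply) install_rules ;;   # run as root
    squid) squid_acl ;;       # print the ACL lines to merge into /etc/squid/squid.conf
esac
```

Check the result from a client: a direct connection to any outside address should time out, while the same request through 10.0.3.x:3128 succeeds; `iptables -t nat -L` should list no MASQUERADE or SNAT rule at all.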
I had thought about a transparent proxy solution, but sometimes customers need to check their email with POP3/IMAP or log on to Skype, and that can't be accomplished with squid. Packet filtering seems a pretty good solution; it's the first time I have worked with it and I am very satisfied.