LinuxQuestions.org

Linux - Networking: Iptables gateway with one lan adapter (https://www.linuxquestions.org/questions/linux-networking-3/iptables-gateway-with-one-lan-adapter-605370/)

asgozzi 12-08-2007 07:38 AM

Iptables gateway with one lan adapter
 
Hi.
I currently offer free wifi access to customers in my pub and I am trying to implement a layer 7 filter to block P2P filesharing.
The network looks like this (router_wifi does NAT):

router (10.0.1.1)
--> debian-box (10.0.1.2)
--> (10.0.1.5) router_wifi (10.0.2.1) -> clients (10.0.2.x)

My plan is to use debian-box to take care of the P2P blocking: I compiled ipp2p (tcp layer7 packet analyzer) but I can't figure out how to make the machine act as a gateway for the wifi clients.
All the examples I found online refer to the situation where the computer has two network interfaces, but I only have eth0.
This is what I got so far:

Code:

# Interface connected to the Internet (and, in this single-NIC setup, to the LAN as well)
INTERNET="eth0"

# Address range of the LAN
LOCAL="10.0.0.0/16"

# Clean old firewall
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X

# Enable Forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
# With one NIC, forwarded packets leave on the interface they arrived on, so the
# kernel would send ICMP redirects telling router_wifi to reach 10.0.1.1 directly
# and bypass this box. Disable them; router_wifi must use 10.0.1.2 as its default
# gateway for the filter to see the traffic at all.
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
echo 0 > /proc/sys/net/ipv4/conf/$INTERNET/send_redirects

# Setting default filter policy (FORWARD keeps its default of ACCEPT; the P2P
# DROP rules below are evaluated before the FORWARD ACCEPT rule)
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT

# Unlimited access to loop back
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Allow replies to connections this box opened itself (this is what covers
# DNS answers and passive FTP data channels; the latter needs ip_conntrack_ftp)
iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT

# block P2P (ipp2p matches known P2P signatures in the TCP payload)
iptables -A FORWARD -m ipp2p --ipp2p -j DROP
iptables -A INPUT -m ipp2p --ipp2p -j DROP
iptables -A OUTPUT -m ipp2p --ipp2p -j DROP

# set this system as a router for Rest of LAN
iptables -t nat -A POSTROUTING -o $INTERNET -j MASQUERADE
iptables -A FORWARD -s $LOCAL -j ACCEPT

# unlimited access to LAN (in OUTPUT the LAN is the destination, not the source)
iptables -A INPUT -s $LOCAL -j ACCEPT
iptables -A OUTPUT -d $LOCAL -j ACCEPT

# DROP everything and Log it
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP


mudasirm 12-08-2007 11:27 AM

Hi

Dear asgozzi,

Instead of only blocking p2p, try to only allow a few things; that will be very easy. And about the eth0 thing: to act as a gateway you require two NETWORK INTERFACES.

A GATEWAY can be configured on a single interface, however it can create many problems.

May I know the reason why you want to block p2p software? If the reason is BANDWIDTH CONSUMPTION, then have you tried BANDWIDTH RESTRICTION or BANDWIDTH SHAPING?

asgozzi 12-08-2007 12:01 PM

Quote:

Originally Posted by mudasirm (Post 2984116)
Hi

Dear asgozzi,

Instead of only blocking p2p, try to only allow a few things; that will be very easy. And about the eth0 thing: to act as a gateway you require two NETWORK INTERFACES.

A GATEWAY can be configured on a single interface, however it can create many problems.

May I know the reason why you want to block p2p software? If the reason is BANDWIDTH CONSUMPTION, then have you tried BANDWIDTH RESTRICTION or BANDWIDTH SHAPING?


First of all, since everyone that comes to my cafe can connect to the wifi network, if some IFPI/RIAA/copyright agency finds out that intellectual property infringements are done from my connection I would be the one getting into trouble.
I agree with you, second main reason is to keep BW usage down so everybody can experience fast browsing, but traffic shaping seems more CPU-intensive than layer-7 filtering and I don't want to waste that much computational power.

Also, I would like to keep my current single-NIC setup.
I read about setting up a virtual network interface as eth0:0 and assign a new ip address to it. Is that possible?

lazlow 12-08-2007 12:04 PM

Nics are cheap. Save yourself the headache and add a second one.

asgozzi 12-08-2007 01:06 PM

Quote:

Originally Posted by lazlow (Post 2984143)
Nics are cheap. Save yourself the headache and add a second one.

indeed. but if I can save the money, why shouldn't I? :D

mudasirm 12-09-2007 12:49 AM

Hi,

Dear asgozzi,

Setting up a virtual interface can work out, however it can create problems if you don't have knowledge about how to set it up.

Check this link out, it will help you in creating virtual interface.

http://www.cyberciti.biz/tips/howto-...work-vlan.html

yawe_frek 12-11-2007 01:25 PM

hi friend,

How effective is the ipp2p program, kindly let me know ....

asgozzi 12-12-2007 12:59 AM

Quote:

Originally Posted by yawe_frek (Post 2987405)
hi friend,

How effective is the ipp2p program, kindly let me know ....

Once it's correctly configured, ipp2p will block most types of P2P traffic.
It works great with the ed2k/kad protocol and bittorrent.

yawe_frek 12-12-2007 02:37 PM

Yes, you are right. It works very well with BitTorrent and eDonkey, as in it does not allow pending downloads or fresh downloads. But it does not stop pending downloads from WinMX or LimeWire. Try these p2p clients if you don't believe me.

Lest I forget, the particular one giving me a hell of a problem now is one that is called Ares. The ipp2p program is only able to capture initial packets but not able to track all initial connections.

Hope to hear from you.
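Added example, not code from the thread and not ipp2p's own code: a toy layer-7 classifier in Python that keys on the plaintext handshake markers of the two protocols the posts above agree are caught (BitTorrent and eDonkey), run over constructed sample payloads. It shows a handshake that matches, a mid-stream segment that a handshake signature cannot classify (the "pending download" case: a transfer already established when the rule is loaded), and an obfuscated handshake that slips past. The signature details are my simplification of what such matchers look for, the helper names are mine, and the XOR "obfuscate" stands in for a client's protocol encryption; none of it is captured traffic.

```python
# Added example, not code from the thread or from ipp2p: a toy layer-7
# classifier keyed on the plaintext handshake markers of the P2P protocols
# discussed above. Signatures are simplified by me; every sample below is
# constructed, not captured traffic.
import struct

BT_HANDSHAKE = b"\x13BitTorrent protocol"   # <pstrlen=19><pstr>
BT_TRACKER = b"GET /announce?info_hash="     # tracker announce over HTTP
ED2K_HEADER = 0xE3                            # eDonkey/eMule protocol byte
ED2K_OP_HELLO = 0x01


def classify_payload(payload: bytes):
    """Label the first bytes of a TCP stream as a known P2P protocol, or None.

    Like a first-packet signature match, this only understands stream starts:
    a segment from the middle of an established transfer yields None.
    """
    if payload.startswith(BT_HANDSHAKE):
        return "bittorrent-handshake"
    if payload.startswith(BT_TRACKER):
        return "bittorrent-tracker"
    # eDonkey: 0xE3, little-endian length of (opcode + body), then the opcode
    if len(payload) >= 6 and payload[0] == ED2K_HEADER:
        (body_len,) = struct.unpack("<I", payload[1:5])
        if body_len == len(payload) - 5 and payload[5] == ED2K_OP_HELLO:
            return "edonkey-hello"
    return None


# --- constructed sample payloads (assumed shapes, not captures) -------------

def bt_handshake(info_hash: bytes, peer_id: bytes) -> bytes:
    """Build a BitTorrent peer handshake: pstr, 8 reserved bytes, hash, id."""
    assert len(info_hash) == 20 and len(peer_id) == 20
    return BT_HANDSHAKE + bytes(8) + info_hash + peer_id


def bt_piece_segment(index: int, begin: int, block: bytes) -> bytes:
    """A mid-stream 'piece' message (id 7): what a transfer looks like after
    the handshake. No plaintext marker remains for a signature to find."""
    return struct.pack(">IBII", 9 + len(block), 7, index, begin) + block


def ed2k_hello(body: bytes) -> bytes:
    """Build an eDonkey HELLO frame: header byte, length, opcode, body."""
    return (bytes([ED2K_HEADER]) + struct.pack("<I", 1 + len(body))
            + bytes([ED2K_OP_HELLO]) + body)


def obfuscate(data: bytes, key: bytes) -> bytes:
    """Toy keyed XOR stream standing in for client-side protocol encryption.
    Not a real cipher; it only shows the plaintext marker disappearing."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


INFO_HASH = b"\x11" * 20                      # constructed
PEER_ID = b"-XX0001-" + b"0" * 12             # constructed, 20 bytes

SAMPLES = {
    "bt-handshake": bt_handshake(INFO_HASH, PEER_ID),
    "bt-tracker": b"GET /announce?info_hash=%11%11&port=6881 HTTP/1.1\r\n"
                  b"Host: tracker.invalid\r\n\r\n",
    "bt-mid-stream": bt_piece_segment(3, 0, b"\xaa" * 64),
    "ed2k-hello": ed2k_hello(b"\x00" * 10),
    "plain-http": b"GET / HTTP/1.1\r\nHost: www.example.invalid\r\n\r\n",
    "bt-obfuscated": obfuscate(bt_handshake(INFO_HASH, PEER_ID), b"session-key"),
}


def classify_samples() -> dict:
    """Run the classifier over every constructed sample."""
    return {name: classify_payload(payload) for name, payload in SAMPLES.items()}


if __name__ == "__main__":
    for name, label in classify_samples().items():
        print(f"{name:14s} -> {label or 'no match (would be forwarded)'}")
```

Only the three stream-start samples match; the plain HTTP request, the mid-stream piece message and the obfuscated handshake all come back as "no match", which is exactly the gap a handshake-only signature leaves for an already running transfer or an encrypting client.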

SiegeX 12-12-2007 05:57 PM

First off, do yourself a favor and spend the $10 for a used 10/100Mbit NIC, trust me when I say it's money well spent when it comes to making a gateway. Now, if you are providing free Wifi for a pub, you really ought to only be providing http access. For this reason I strongly urge you to install squid, an http proxy server. I'm sure debian has a package for it. With squid installed and configured to allow your Local LAN, you can really lock down your network and you won't need to worry yourself with layer7 filtering. In fact, you won't even have to MASQUERADE/SNAT your clients! This means that the only thing going out of your gateway are legitimate http requests *made from the gateway itself*. Here is the script I would use, again assuming/urging you to get another NIC for the 'eth1' interface I describe below.

Code:

#!/bin/bash

WAN_IF="eth0"
LAN_IF="eth1"
LAN_RANGE="10.0.0.0/16"
# user the squid daemon runs as; Debian's squid package uses "proxy", so check
# with ps before loading, because the owner match below fails for an unknown user
SQUID_UID="squid"

# Clean old firewall rules
for table in filter nat mangle raw; do
      iptables -t $table --flush
      iptables -t $table --delete-chain
done

# Setting default policies: nothing is forwarded, so clients only reach the
# Internet through squid, and only for plain http (port 443 is not handled)
iptables -t filter --policy INPUT DROP
iptables -t filter --policy FORWARD DROP
iptables -t filter --policy OUTPUT DROP

# Transparently redirect client http requests to the local squid on port 3128.
# REDIRECT sends them to the address of the interface they arrived on; a DNAT
# to 127.0.0.1 from another interface is discarded by the kernel as a martian.
# squid must be configured for interception on that port (http_port 3128
# transparent on squid 2.6/2.7, "intercept" on 3.x).
iptables -t nat -A PREROUTING -i $LAN_IF -s $LAN_RANGE -p tcp --dport 80 -j REDIRECT --to-ports 3128
iptables -A INPUT -i $LAN_IF -s $LAN_RANGE -p tcp --dport 3128 -m state --state NEW -j ACCEPT

# Allow outgoing http requests, but only from the squid process (owner match)
iptables -A OUTPUT -o $WAN_IF -p tcp --dport 80 -m owner --uid-owner $SQUID_UID -m state --state NEW -j ACCEPT

# Allow outgoing DNS (squid needs to resolve the sites it fetches)
iptables -A OUTPUT -o $WAN_IF -p udp --dport 53 -m state --state NEW -j ACCEPT

# Allow the rest of every connection accepted above, in both directions.
# INPUT has no -o option, and with OUTPUT at DROP the NEW-only rules above
# would let only the first packet of each connection out.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Unlimited access to loop back
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# DROP everything else and log it, rate-limited so a flood cannot fill the log
iptables -A INPUT -m limit --limit 10/min -j LOG --log-prefix "[INPUT DROP]: "
iptables -A INPUT -j DROP
iptables -A OUTPUT -m limit --limit 10/min -j LOG --log-prefix "[OUTPUT DROP]: "
iptables -A OUTPUT -j DROP
iptables -A FORWARD -m limit --limit 10/min -j LOG --log-prefix "[FORWARD DROP]: "
iptables -A FORWARD -j DROP


asgozzi 12-13-2007 12:47 AM

Quote:

Originally Posted by yawe_frek (Post 2988622)
Yes, you are right. It works very well with BitTorrent and eDonkey, as in it does not allow pending downloads or fresh downloads. But it does not stop pending downloads from WinMX or LimeWire. Try these p2p clients if you don't believe me.

Lest I forget, the particular one giving me a hell of a problem now is one that is called Ares. The ipp2p program is only able to capture initial packets but not able to track all initial connections.

Hope to hear from you.

ipp2p has been out of development for a long time. You might want to try l7-filter (http://l7-filter.sourceforge.net/), which seems to be more active.

Quote:

Originally Posted by SiegeX (Post 2988794)
First off, do yourself a favor and spend the $10 for a used 10/100Mbit NIC, trust me when I say it's money well spent when it comes to making a gateway. Now, if you are providing free Wifi for a pub, you really ought to only be providing http access. For this reason I strongly urge you to install squid, an http proxy server. I'm sure debian has a package for it. With squid installed and configured to allow your Local LAN, you can really lock down your network and you won't need to worry yourself with layer7 filtering. In fact, you won't even have to MASQUERADE/SNAT your clients! This means that the only thing going out of your gateway are legitimate http requests *made from the gateway itself*. Here is the script I would use, again assuming/urging you to get another NIC for the 'eth1' interface I describe below.

I did get the additional NIC and now everything works flawlessly.
I had thought about a transparent proxy solution but sometimes customers need to check their email with pop3/imap or log on to skype, and that can't be accomplished with squid.
Packet filtering seems a pretty good solution; it's the first time I have worked with it and I am very satisfied.

