LinuxQuestions.org
Old 12-08-2007, 07:38 AM   #1
asgozzi
LQ Newbie
 
Registered: Mar 2006
Posts: 8

Rep: Reputation: 0
Iptables gateway with one lan adapter


Hi.
I currently offer free wifi access to customers in my pub and I am trying to implement a layer 7 filter to block P2P filesharing.
The network looks like this (router_wifi does NAT):

router (10.0.1.1)
--> debian-box (10.0.1.2)
--> (10.0.1.5) router_wifi (10.0.2.1) -> clients (10.0.2.x)

My plan is to use debian-box to take care of the P2P blocking: I compiled ipp2p (tcp layer7 packet analyzer) but I can't figure out how to make the machine act as a gateway for the wifi clients.
All the examples I found online refer to the situation where the computer has two network interfaces, but I only have eth0.
This is what I got so far:

Code:
#!/bin/sh
# Interface connected to Internet
INTERNET="eth0"

# Address range of the LAN
LOCAL="10.0.0.0/16"

# Clean old firewall
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X

# Enable Forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

# Setting default filter policy (FORWARD is left at its default of ACCEPT)
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT

# Unlimited access to loop back
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Allow replies to connections this box opened (DNS answers, passive FTP
# data connections via RELATED, etc.)
iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT

# block P2P (ipp2p matches on payload, so these rules must come before
# any state-based ACCEPT in the same chain)
iptables -A FORWARD -m ipp2p --ipp2p -j DROP
iptables -A INPUT -m ipp2p --ipp2p -j DROP
iptables -A OUTPUT -m ipp2p --ipp2p -j DROP

# set this system as a router for Rest of LAN
iptables -t nat -A POSTROUTING -o $INTERNET -j MASQUERADE
iptables -A FORWARD -s $LOCAL -j ACCEPT

# unlimited access to LAN
iptables -A INPUT -s $LOCAL -j ACCEPT
iptables -A OUTPUT -d $LOCAL -j ACCEPT

# DROP everything and Log it
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP

Last edited by asgozzi; 12-08-2007 at 09:37 AM.
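A worked version of the one-armed ("single NIC") gateway the OP is asking about, added here as an example; it is not the OP's script nor anything posted in the thread. Beyond what the thread states, it assumes that router_wifi's default route is repointed from 10.0.1.1 to debian-box (10.0.1.2) and that router_wifi NATs, so all client traffic reaches debian-box with source 10.0.1.5; the helper names (gen_sysctl, gen_ruleset, check_ruleset), the GW_IFACE/WIFI_ROUTER variables and the "[P2P DROP]" log prefix are mine. It goes slightly beyond the OP's rules in two places that matter on a one-armed router: it turns off ICMP redirects, which would otherwise let the kernel tell router_wifi to bypass the box, and it keeps MASQUERADE so return traffic comes back through the box rather than straight from 10.0.1.1 to 10.0.1.5.

```shell
#!/bin/sh
# Added example (not the OP's script): iptables-restore ruleset for a one-armed
# gateway on the thread's topology. Assumes router_wifi's default gateway is
# repointed to this box and that router_wifi NATs (all traffic comes from 10.0.1.5).

GW_IFACE="${GW_IFACE:-eth0}"            # the box's only NIC
WIFI_ROUTER="${WIFI_ROUTER:-10.0.1.5}"  # router_wifi's address on this segment

# Kernel settings for a one-armed router. send_redirects must be off: when a
# packet is forwarded back out the interface it arrived on, the kernel would
# otherwise send router_wifi an ICMP redirect pointing it straight at 10.0.1.1,
# and a router that honours it walks around the filter entirely.
gen_sysctl() {
  cat <<EOF
net.ipv4.ip_forward=1
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.$GW_IFACE.send_redirects=0
EOF
}

# Ruleset in iptables-restore format. Order in FORWARD matters: ipp2p matches on
# the payload of TCP sessions that are already ESTABLISHED, so the ipp2p DROP has
# to sit before the state ACCEPT or it never sees the packets. MASQUERADE is
# still needed on a one-armed gateway: without it the upstream router answers
# 10.0.1.5 directly, the return path skips this box, and conntrack/ipp2p only
# ever see half of each session.
gen_ruleset() {
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s $WIFI_ROUTER -o $GW_IFACE -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# wifi clients get forwarded; they get no services from the gateway itself
-A INPUT -i $GW_IFACE -s $WIFI_ROUTER -j DROP
-A FORWARD -m ipp2p --ipp2p -m limit --limit 10/min -j LOG --log-prefix "[P2P DROP]: "
-A FORWARD -m ipp2p --ipp2p -j DROP
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# hairpin: in and out through the same NIC, only for router_wifi's traffic
-A FORWARD -i $GW_IFACE -o $GW_IFACE -s $WIFI_ROUTER -j ACCEPT
-A FORWARD -m limit --limit 10/min -j LOG --log-prefix "[FORWARD DROP]: "
COMMIT
EOF
}

# Static sanity check before applying: FORWARD must default to DROP, and the
# ipp2p DROP must come before the ESTABLISHED,RELATED ACCEPT. Prints "ok" on
# success; prints the reason and returns 1 otherwise.
check_ruleset() {
  rules="$1"
  printf '%s\n' "$rules" | grep -q '^:FORWARD DROP' \
    || { echo "FORWARD policy is not DROP"; return 1; }
  p2p=$(printf '%s\n' "$rules" | grep -n -- '^-A FORWARD .*--ipp2p.* -j DROP' | head -n 1 | cut -d: -f1)
  est=$(printf '%s\n' "$rules" | grep -n -- '^-A FORWARD .*ESTABLISHED,RELATED' | head -n 1 | cut -d: -f1)
  [ -n "$p2p" ] && [ -n "$est" ] && [ "$p2p" -lt "$est" ] \
    || { echo "ipp2p DROP must precede the ESTABLISHED,RELATED ACCEPT"; return 1; }
  echo ok
}

# Usage: ./onearm-gw.sh apply   (needs root); anything else only prints the rules
if [ "${1:-}" = "apply" ]; then
  gen_sysctl | while read -r kv; do sysctl -w "$kv"; done
  gen_ruleset | iptables-restore
else
  check_ruleset "$(gen_ruleset)" >/dev/null && gen_ruleset
fi
```

Without arguments the script only prints the ruleset after the sanity check; `apply` loads it with iptables-restore. The ipp2p kernel module and its iptables match library still have to be installed, as in the OP's build.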
 
Old 12-08-2007, 11:27 AM   #2
mudasirm
LQ Newbie
 
Registered: Jun 2007
Location: Pakistan
Distribution: RedHat
Posts: 15

Rep: Reputation: 0
Hi

Dear asgozzi,

Instead of only blocking P2P, try to only allow a few things; that will be very easy. And about the eth0 thing: to act as a gateway you require two NETWORK INTERFACES.

A GATEWAY can be configured on a single interface, however it can create many problems.

May I know the reason why you want to block P2P software? If the reason is BANDWIDTH CONSUMPTION, then have you tried BANDWIDTH RESTRICTION or BANDWIDTH SHAPING?
 
Old 12-08-2007, 12:01 PM   #3
asgozzi
LQ Newbie
 
Registered: Mar 2006
Posts: 8

Original Poster
Rep: Reputation: 0
Quote (Originally Posted by mudasirm):
Hi

Dear asgozzi,

Instead of only blocking P2P, try to only allow a few things; that will be very easy. And about the eth0 thing: to act as a gateway you require two NETWORK INTERFACES.

A GATEWAY can be configured on a single interface, however it can create many problems.

May I know the reason why you want to block P2P software? If the reason is BANDWIDTH CONSUMPTION, then have you tried BANDWIDTH RESTRICTION or BANDWIDTH SHAPING?

First of all, since everyone that comes to my cafe can connect to the wifi network, if some IFPI/RIAA/copyright agency finds out that intellectual property infringements are done from my connection, I would be the one getting into trouble.
I agree with you; the second main reason is to keep BW usage down so everybody can experience fast browsing, but traffic shaping seems more CPU-intensive than layer-7 filtering and I don't want to waste that much computational power.

Also, I would like to keep my current single-NIC setup.
I read about setting up a virtual network interface as eth0:0 and assigning a new IP address to it. Is that possible?
 
Old 12-08-2007, 12:04 PM   #4
lazlow
Senior Member
 
Registered: Jan 2006
Posts: 4,363

Rep: Reputation: 172
Nics are cheap. Save yourself the headache and add a second one.
 
Old 12-08-2007, 01:06 PM   #5
asgozzi
LQ Newbie
 
Registered: Mar 2006
Posts: 8

Original Poster
Rep: Reputation: 0
Quote (Originally Posted by lazlow):
Nics are cheap. Save yourself the headache and add a second one.
Indeed. But if I can save the money, why shouldn't I?
 
Old 12-09-2007, 12:49 AM   #6
mudasirm
LQ Newbie
 
Registered: Jun 2007
Location: Pakistan
Distribution: RedHat
Posts: 15

Rep: Reputation: 0
Hi,

Dear asgozzi,

Setting up a virtual interface can work out, however it can create problems if you don't have knowledge about how to set it up.

Check this link out; it will help you in creating a virtual interface.

http://www.cyberciti.biz/tips/howto-...work-vlan.html
 
Old 12-11-2007, 01:25 PM   #7
yawe_frek
Member
 
Registered: Sep 2005
Distribution: feather 0.72-usb, DSL,CentOS,Ubuntu, Redhat 9
Posts: 144

Rep: Reputation: 15
Hi friend,

How effective is the ipp2p program? Kindly let me know.
 
Old 12-12-2007, 12:59 AM   #8
asgozzi
LQ Newbie
 
Registered: Mar 2006
Posts: 8

Original Poster
Rep: Reputation: 0
Quote (Originally Posted by yawe_frek):
Hi friend,

How effective is the ipp2p program? Kindly let me know.
Once it's correctly configured, ipp2p will block most types of P2P traffic.
It works great with the ed2k/Kad protocol and BitTorrent.
 
Old 12-12-2007, 02:37 PM   #9
yawe_frek
Member
 
Registered: Sep 2005
Distribution: feather 0.72-usb, DSL,CentOS,Ubuntu, Redhat 9
Posts: 144

Rep: Reputation: 15
Yes, you are right. It works very well with BitTorrent and eDonkey, as in it does not allow pending downloads or fresh downloads. But it does not stop pending downloads from WinMX or LimeWire. Try these P2P clients if you don't believe me.

Lest I forget, the particular one giving me a hell of a problem now is one that is called Ares. The ipp2p program is only able to capture initial packets but not able to track all initial connections.

Hope to hear from you.
 
Old 12-12-2007, 05:57 PM   #10
SiegeX
Member
 
Registered: Jul 2004
Location: Silicon Valley, CA
Distribution: Slackware
Posts: 171

Rep: Reputation: 38
First off, do yourself a favor and spend the $10 for a used 10/100Mbit NIC; trust me when I say it's money well spent when it comes to making a gateway. Now, if you are providing free Wifi for a pub, you really ought to only be providing http access. For this reason I strongly urge you to install squid, an http proxy server. I'm sure debian has a package for it. With squid installed and configured to allow your Local LAN, you can really lock down your network and you won't need to worry yourself with layer7 filtering. In fact, you won't even have to MASQUERADE/SNAT your clients! This means that the only thing going out of your gateway is legitimate http requests *made from the gateway itself*. Here is the script I would use, again assuming/urging you to get another NIC for the 'eth1' interface I describe below.

Code:
#!/bin/bash

WAN_IF="eth0"
LAN_IF="eth1"
LAN_RANGE="10.0.0.0/16"
SQUID_UID="squid"   # user squid runs as (Debian's package uses "proxy")

# Clean old firewall rules
for table in filter nat mangle raw; do
      iptables -t $table --flush
      iptables -t $table --delete-chain
done

# Setting default policies
iptables -t filter --policy INPUT DROP
iptables -t filter --policy FORWARD DROP
iptables -t filter --policy OUTPUT DROP

# Unlimited access to loop back
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Allow the rest of any accepted connection in both directions: squid's replies
# to the clients and its ongoing fetches from web servers are ESTABLISHED, and
# with OUTPUT at DROP they would otherwise die after the first packet
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Redirect clients' http requests to the local squid proxy listening on 3128 and accept them
# (REDIRECT rewrites the destination to this box's own address on $LAN_IF; a DNAT to
#  127.0.0.1 from a non-local interface is dropped by the kernel as a martian)
iptables -t nat -A PREROUTING -i $LAN_IF -s $LAN_RANGE -p tcp --dport 80 -j REDIRECT --to-ports 3128
iptables -A INPUT -i $LAN_IF -s $LAN_RANGE -p tcp --dport 3128 -m state --state NEW -j ACCEPT

# Allow outgoing http requests from squid only
iptables -A OUTPUT -o $WAN_IF -p tcp --dport 80 -m owner --uid-owner $SQUID_UID -m state --state NEW -j ACCEPT

# Allow outgoing DNS
iptables -A OUTPUT -o $WAN_IF -p udp --dport 53 -m state --state NEW -j ACCEPT

# DROP everything and Log it (rate limited so a port scan can't flood the log)
iptables -A INPUT -m limit --limit 10/min -j LOG --log-prefix "[INPUT DROP]: "
iptables -A INPUT -j DROP
iptables -A OUTPUT -m limit --limit 10/min -j LOG --log-prefix "[OUTPUT DROP]: "
iptables -A OUTPUT -j DROP
iptables -A FORWARD -m limit --limit 10/min -j LOG --log-prefix "[FORWARD DROP]: "
iptables -A FORWARD -j DROP
 
Old 12-13-2007, 12:47 AM   #11
asgozzi
LQ Newbie
 
Registered: Mar 2006
Posts: 8

Original Poster
Rep: Reputation: 0
Quote (Originally Posted by yawe_frek):
Yes, you are right. It works very well with BitTorrent and eDonkey, as in it does not allow pending downloads or fresh downloads. But it does not stop pending downloads from WinMX or LimeWire. Try these P2P clients if you don't believe me.

Lest I forget, the particular one giving me a hell of a problem now is one that is called Ares. The ipp2p program is only able to capture initial packets but not able to track all initial connections.

Hope to hear from you.
ipp2p has been out of development for a long time. You might want to try l7-filter (http://l7-filter.sourceforge.net/), which seems to be more active.

Quote (Originally Posted by SiegeX):
First off, do yourself a favor and spend the $10 for a used 10/100Mbit NIC; trust me when I say it's money well spent when it comes to making a gateway. Now, if you are providing free Wifi for a pub, you really ought to only be providing http access. For this reason I strongly urge you to install squid, an http proxy server. I'm sure debian has a package for it. With squid installed and configured to allow your Local LAN, you can really lock down your network and you won't need to worry yourself with layer7 filtering. In fact, you won't even have to MASQUERADE/SNAT your clients! This means that the only thing going out of your gateway is legitimate http requests *made from the gateway itself*. Here is the script I would use, again assuming/urging you to get another NIC for the 'eth1' interface I describe below.
I did get the additional NIC and now everything works flawlessly.
I had thought about a transparent proxy solution, but sometimes customers need to check their email with POP3/IMAP or log on to Skype, and that can't be accomplished with squid.
Packet filtering seems a pretty good solution; it's the first time I have worked with it and I am very satisfied.
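SiegeX's deny-by-default ruleset logs every dropped packet with a chain-specific log prefix, and the OP's closing post shows why that log is worth reading: customers turned out to need POP3/IMAP and Skype, which a whitelist-only gateway only reveals through what it drops. The following is an added example, not code from any poster: a POSIX shell/awk summariser for iptables LOG lines, run over constructed sample kernel log lines. It assumes prefixes of the form "[CHAIN DROP]: " and the standard LOG field names (SRC=, PROTO=, DPT=); the function name summarize_drops and the sample addresses are mine.

```shell
#!/bin/sh
# Added example (not from the thread): summarise iptables LOG output so a
# deny-by-default gateway's drop log shows which clients need which ports.
# Assumes rules log with --log-prefix "[CHAIN DROP]: " and the standard LOG
# fields SRC=, PROTO=, DPT= (DPT is absent for ICMP and is shown as "-").

# Constructed sample kernel log lines in the iptables LOG format (not real data)
SAMPLE_LOG='Dec 12 18:01:07 gw kernel: [FORWARD DROP]: IN=eth1 OUT=eth0 SRC=10.0.2.15 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=TCP SPT=51234 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0
Dec 12 18:01:09 gw kernel: [FORWARD DROP]: IN=eth1 OUT=eth0 SRC=10.0.2.15 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=2 DF PROTO=TCP SPT=51235 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0
Dec 12 18:02:30 gw kernel: [FORWARD DROP]: IN=eth1 OUT=eth0 SRC=10.0.2.22 DST=198.51.100.7 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=3 DF PROTO=TCP SPT=40001 DPT=6881 WINDOW=8192 RES=0x00 SYN URGP=0
Dec 12 18:02:31 gw kernel: [FORWARD DROP]: IN=eth1 OUT=eth0 SRC=10.0.2.22 DST=198.51.100.9 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=4 DF PROTO=TCP SPT=40002 DPT=6881 WINDOW=8192 RES=0x00 SYN URGP=0
Dec 12 18:02:32 gw kernel: [FORWARD DROP]: IN=eth1 OUT=eth0 SRC=10.0.2.22 DST=198.51.100.11 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=5 DF PROTO=TCP SPT=40003 DPT=6881 WINDOW=8192 RES=0x00 SYN URGP=0
Dec 12 18:03:00 gw kernel: [INPUT DROP]: IN=eth0 OUT= SRC=192.0.2.44 DST=10.0.1.2 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=6 PROTO=TCP SPT=4444 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Dec 12 18:03:05 gw kernel: [FORWARD DROP]: IN=eth1 OUT=eth0 SRC=10.0.2.15 DST=203.0.113.10 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=7 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Dec 12 18:03:20 gw kernel: some unrelated message'

# Reads log lines on stdin and prints "<count> <chain> DROP <src> <proto>/<dport>",
# most frequent first. An optional chain name (INPUT, FORWARD, OUTPUT) restricts
# the output to that chain: FORWARD drops are the clients' unmet needs or their
# P2P attempts, INPUT drops from the WAN are someone poking the gateway itself.
summarize_drops() {
  awk -v want="${1:-}" '
    match($0, /\[[A-Z]+ DROP\]/) {
      chain = substr($0, RSTART + 1, RLENGTH - 2)    # e.g. "FORWARD DROP"
      if (want != "" && chain != (want " DROP")) next
      src = ""; proto = "?"; dpt = "-"
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^SRC=/)   src   = substr($i, 5)
        if ($i ~ /^PROTO=/) proto = substr($i, 7)
        if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
      }
      if (src != "") count[chain " " src " " proto "/" dpt]++
    }
    END { for (k in count) printf "%d %s\n", count[k], k }
  ' | sort -rn
}

# Run over the constructed sample; on a real gateway pipe /var/log/kern.log
# (or journalctl -k) in instead.
printf '%s\n' "$SAMPLE_LOG" | summarize_drops
```

On the sample this reports three SYNs from 10.0.2.22 to TCP/6881 (the classic BitTorrent port) next to two from 10.0.2.15 to TCP/443, which is exactly the distinction a pub operator needs: the first is the traffic the whitelist is there to stop, the second is a customer who cannot reach an https site and will be asking why.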
 
  

