Linux - Networking
This forum is for any issue related to networks or networking. Routing, network cards, OSI, etc. Anything is fair game.
Hi.
I currently offer free wifi access to customers in my pub and I am trying to implement a layer 7 filter to block P2P filesharing.
The network looks like this (router_wifi does NAT):
My plan is to use debian-box to take care of the P2P blocking: I compiled ipp2p (tcp layer7 packet analyzer) but I can't figure out how to make the machine act as a gateway for the wifi clients.
All the examples I found online refer to the situation where the computer has two network interfaces, but I only have eth0.
This is what I got so far:
Code:
# Interface connected to Internet
INTERNET="eth0"
# Address connected to LAN
LOCAL="10.0.0.0/16"
# Clean old firewall
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
# Enable Forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
# Setting default filter policy
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
# Unlimited access to loop back
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Allow replies to connections this host opened (covers DNS answers and passive FTP data)
iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT
# block P2P
iptables -A FORWARD -m ipp2p --ipp2p -j DROP
iptables -A INPUT -m ipp2p --ipp2p -j DROP
iptables -A OUTPUT -m ipp2p --ipp2p -j DROP
# set this system as a router for Rest of LAN
iptables -t nat -A POSTROUTING -o $INTERNET -j MASQUERADE
iptables -A FORWARD -s $LOCAL -j ACCEPT
# unlimited access to LAN
iptables -A INPUT -s $LOCAL -j ACCEPT
iptables -A OUTPUT -s $LOCAL -j ACCEPT
# DROP everything and Log it
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP
Instead of only blocking P2P, try to only allow a few things; that will be very easy. And about the eth0 thing: to act as a gateway you require two NETWORK INTERFACES.
A GATEWAY can be configured on a single interface, however it can create many problems.
May I know the reason why you want to block P2P software? If the reason is BANDWIDTH CONSUMPTION, then have you tried BANDWIDTH RESTRICTION or BANDWIDTH SHAPING?
First of all, since everyone that comes to my cafe can connect to the wifi network, if some IFPI/RIAA/copyright agency finds out that intellectual property infringements are done from my connection, I would be the one getting into trouble.
I agree with you; the second main reason is to keep BW usage down so everybody can experience fast browsing, but traffic shaping seems more CPU-intensive than layer-7 filtering and I don't want to waste that much computational power.
Also, I would like to keep my current single-NIC setup.
I read about setting up a virtual network interface as eth0:0 and assigning a new IP address to it. Is that possible?
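The single-NIC setup asked about above, as an added example that is not code from the thread. It adds a second address to eth0 (the eth0:0 alias mentioned in the post) for the clients to use as their gateway, forwards back out the same NIC to router_wifi, and masquerades so the return traffic also passes through the box. The addresses are assumptions: router_wifi at 10.0.0.1 doing the upstream NAT, debian-box at 10.0.0.2, and 10.0.0.254 as the clients' gateway (handed out by router_wifi's DHCP option 3 or set by hand). Two things the two-NIC examples never have to think about: Linux sends an ICMP redirect when it forwards a packet back out the interface it arrived on, and a client that obeys it talks to router_wifi directly from then on, so send_redirects must be off; and nothing stops a client from simply configuring router_wifi as its gateway, so this topology only filters clients that cooperate unless router_wifi itself can be told to forward only from the debian-box.

```shell
#!/bin/sh
# Added example, not code from the thread: single-NIC ("router on a stick")
# gateway for the wifi clients. All addresses are assumptions (see lead-in).
LAN_IF="eth0"
GW_ALIAS="10.0.0.254/16"   # second address on eth0; the clients' default gateway
UPSTREAM="10.0.0.1"        # router_wifi, the real way out
LAN="10.0.0.0/16"
# CMD is a dry-run prefix: CMD=echo prints every command instead of running it.

single_nic_gateway() {
    $CMD ip addr add "$GW_ALIAS" dev "$LAN_IF" label "${LAN_IF}:0"
    $CMD ip route replace default via "$UPSTREAM" dev "$LAN_IF"
    $CMD sysctl -w net.ipv4.ip_forward=1
    # Forwarding back out the ingress interface triggers an ICMP redirect
    # ("use 10.0.0.1 directly"); clients obey it and the filter never sees
    # another packet. The interface setting is ORed with "all", so clear both.
    $CMD sysctl -w net.ipv4.conf.all.send_redirects=0
    $CMD sysctl -w "net.ipv4.conf.${LAN_IF}.send_redirects=0"

    for t in filter nat mangle; do
        $CMD iptables -t "$t" -F
        $CMD iptables -t "$t" -X
    done
    $CMD iptables -P INPUT DROP
    $CMD iptables -P FORWARD DROP
    $CMD iptables -P OUTPUT ACCEPT
    $CMD iptables -A INPUT -i lo -j ACCEPT
    $CMD iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # admin access from the LAN (assumed: ssh on the box)
    $CMD iptables -A INPUT -i "$LAN_IF" -s "$LAN" -p tcp --dport 22 -j ACCEPT

    # The signature match must precede the stateful ACCEPT: P2P signatures
    # appear in packets of connections that are already ESTABLISHED.
    $CMD iptables -A FORWARD -m ipp2p --ipp2p -j DROP
    $CMD iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # hairpin: in and out on the same NIC, LAN sources to non-LAN destinations
    $CMD iptables -A FORWARD -i "$LAN_IF" -o "$LAN_IF" -s "$LAN" ! -d "$LAN" -j ACCEPT
    $CMD iptables -A FORWARD -m limit --limit 10/min -j LOG --log-prefix "[FORWARD DROP] "

    # Source-NAT to this box's own address so router_wifi returns replies to us;
    # without it the return path goes straight to the client and skips the filter.
    $CMD iptables -t nat -A POSTROUTING -o "$LAN_IF" -s "$LAN" ! -d "$LAN" -j MASQUERADE
}

case "${1:-}" in
    apply) single_nic_gateway ;;          # needs root
    *)     CMD=echo single_nic_gateway ;; # default: print what would be done
esac
```

Run it without arguments to see the commands it would issue; `sh gateway.sh apply` as root applies them. The ipp2p rule needs the ipp2p kernel module the original post compiled; swap in any other match in the same position.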
Yes, you are right, it works very well with BitTorrent and eDonkey, as in it does not allow pending downloads or fresh downloads. But it does not stop pending downloads from WinMX or LimeWire. Try these P2P clients if you don't believe me.
Lest I forget, the particular one giving me a hell of a problem now is one called Ares. The ipp2p program is only able to capture initial packets but not able to track all initial connections.
Hope to hear from you.
First off, do yourself a favor and spend the $10 for a used 10/100Mbit NIC; trust me when I say it's money well spent when it comes to making a gateway. Now, if you are providing free Wifi for a pub, you really ought to only be providing http access. For this reason I strongly urge you to install squid, an http proxy server. I'm sure Debian has a package for it. With squid installed and configured to allow your local LAN, you can really lock down your network and you won't need to worry yourself with layer7 filtering. In fact, you won't even have to MASQUERADE/SNAT your clients! This means that the only thing going out of your gateway are legitimate http requests *made from the gateway itself*. Here is the script I would use, again assuming/urging you to get another NIC for the 'eth1' interface I describe below.
Code:
#!/bin/bash
WAN_IF="eth0"
LAN_IF="eth1"
LAN_RANGE="10.0.0.0/16"
SQUID_UID="squid"   # the account squid runs as; Debian's package uses "proxy", check with ps
# Clean old firewall rules
for table in filter nat mangle raw; do
    iptables -t $table --flush
    iptables -t $table --delete-chain
done
# Setting default policies
iptables -t filter --policy INPUT DROP
iptables -t filter --policy FORWARD DROP
iptables -t filter --policy OUTPUT DROP
# Unlimited access to loop back
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Replies and related packets on either interface. Squid's answers to the clients
# leave through OUTPUT on eth1, so with OUTPUT DROP this cannot be limited to the WAN side
# (and INPUT takes -i, not -o).
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Redirect http requests from the LAN to the local squid on 3128 and accept them.
# REDIRECT rewrites the destination to the address of the interface the packet arrived on;
# DNAT to 127.0.0.1 from another interface is discarded as a martian unless
# net.ipv4.conf.eth1.route_localnet is set (kernel 3.6 and later only).
iptables -t nat -A PREROUTING -i $LAN_IF -s $LAN_RANGE -p tcp --dport 80 -j REDIRECT --to-ports 3128
iptables -A INPUT -i $LAN_IF -s $LAN_RANGE -p tcp --dport 3128 -m state --state NEW -j ACCEPT
# Clients still resolve names themselves before connecting to port 80; this assumes a
# caching resolver (e.g. dnsmasq) on the gateway answering them
iptables -A INPUT -i $LAN_IF -s $LAN_RANGE -p udp --dport 53 -j ACCEPT
# Allow outgoing http requests from squid only
iptables -A OUTPUT -o $WAN_IF -p tcp --dport 80 -m owner --uid-owner $SQUID_UID -m state --state NEW -j ACCEPT
# Allow outgoing DNS (squid and the local resolver)
iptables -A OUTPUT -o $WAN_IF -p udp --dport 53 -m state --state NEW -j ACCEPT
# DROP everything else and log it, rate limited (-m limit is a match and goes before -j)
iptables -A INPUT -m limit --limit 10/min -j LOG --log-prefix "[INPUT DROP]: "
iptables -A INPUT -j DROP
iptables -A OUTPUT -m limit --limit 10/min -j LOG --log-prefix "[OUTPUT DROP]: "
iptables -A OUTPUT -j DROP
iptables -A FORWARD -m limit --limit 10/min -j LOG --log-prefix "[FORWARD DROP]: "
iptables -A FORWARD -j DROP
ipp2p has been out of development for a long time. You might want to try l7-filter (http://l7-filter.sourceforge.net/), which seems to be more active.
Quote:
Originally Posted by SiegeX
First off, do yourself a favor and spend the $10 for a used 10/100Mbit NIC; trust me when I say it's money well spent when it comes to making a gateway. Now, if you are providing free Wifi for a pub, you really ought to only be providing http access. For this reason I strongly urge you to install squid, an http proxy server. I'm sure Debian has a package for it. With squid installed and configured to allow your local LAN, you can really lock down your network and you won't need to worry yourself with layer7 filtering. In fact, you won't even have to MASQUERADE/SNAT your clients! This means that the only thing going out of your gateway are legitimate http requests *made from the gateway itself*. Here is the script I would use, again assuming/urging you to get another NIC for the 'eth1' interface I describe below.
I did get the additional NIC and now everything works flawlessly.
I had thought about a transparent proxy solution but sometimes customers need to check their email with pop3/imap or log on to skype, and that can't be accomplished with squid.
Packet filtering seems a pretty good solution; it's the first time I have worked with it and I am very satisfied.
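The thread ends on a two-NIC packet filter that must let mail and a few other protocols through while still stopping P2P, and the first reply's advice was to allow a few things rather than block many. The following added example, not code from the thread, combines the two: a positive allow list of services in FORWARD (so anything unlisted fails closed, including P2P clients whose signature nobody has written yet) plus l7-filter drops for the P2P protocols named in the thread, which catches clients that fall back to ports 80 and 443. It assumes, beyond what the thread states, a kernel with the l7-filter patch and the l7-protocols pattern files installed, so `-m layer7 --l7proto <name>` exists with the pattern names used below; the interface names and 10.0.0.0/16 follow the thread. Plain POP3/IMAP on 110/143 are left out on purpose: on an open wifi they hand every customer's mail password to whoever is sniffing, so only the TLS ports are offered. Skype-style dynamic-port applications do not fit an allow list, which is the trade-off the thread's last post settles for.

```shell
#!/bin/sh
# Added example, not code from the thread: two-NIC gateway that forwards only an
# explicit list of services and drops what l7-filter classifies as P2P.
# Assumes the l7-filter kernel patch and l7-protocols patterns are installed.
WAN_IF="eth0"
LAN_IF="eth1"
LAN="10.0.0.0/16"
# Services offered to the clients, as name:proto:port (example values).
ALLOW="web:tcp:80 tls:tcp:443 submission:tcp:587 pop3s:tcp:995 imaps:tcp:993 dns:udp:53 dns:tcp:53"
# l7-protocols pattern names to drop even on allowed ports.
P2P="bittorrent edonkey gnutella ares"
# CMD is a dry-run prefix: CMD=echo prints every command instead of running it.

allowlist_gateway() {
    $CMD sysctl -w net.ipv4.ip_forward=1
    for t in filter nat mangle; do
        $CMD iptables -t "$t" -F
        $CMD iptables -t "$t" -X
    done
    # Fail closed: anything not explicitly listed below is dropped.
    $CMD iptables -P INPUT DROP
    $CMD iptables -P FORWARD DROP
    $CMD iptables -P OUTPUT ACCEPT
    $CMD iptables -A INPUT -i lo -j ACCEPT
    $CMD iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # layer7 classifies a connection from its first data packets and keeps the
    # verdict in conntrack, so these rules must come before the stateful ACCEPT;
    # otherwise every established flow is accepted before it is ever classified.
    for p in $P2P; do
        $CMD iptables -A FORWARD -m layer7 --l7proto "$p" -m limit --limit 5/min \
            -j LOG --log-prefix "[P2P $p] "
        $CMD iptables -A FORWARD -m layer7 --l7proto "$p" -j DROP
    done
    $CMD iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # New connections: LAN to WAN only, and only to the listed services.
    for svc in $ALLOW; do
        proto=${svc#*:}; proto=${proto%%:*}
        port=${svc##*:}
        $CMD iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN" \
            -p "$proto" --dport "$port" -m state --state NEW -j ACCEPT
    done
    $CMD iptables -A FORWARD -m limit --limit 10/min -j LOG --log-prefix "[FORWARD DROP] "

    $CMD iptables -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN" -j MASQUERADE
}

case "${1:-}" in
    apply) allowlist_gateway ;;          # needs root
    *)     CMD=echo allowlist_gateway ;; # default: print what would be done
esac
```

Without arguments the script prints the rules it would load, which is the quick way to review the order before `sh gateway.sh apply` as root. Adding a service is one more entry in ALLOW; a P2P client that tunnels over 443 still has to survive the layer7 rules ahead of the allow list.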