Re: help on masquerading
On Tue, Jun 29, 2004 at 12:38:58PM +0545, Ritesh Raj Sarraf wrote:
> Hello all,
> I have a masquerading server with 2 ethernet cards, eth0(202.52.x.x) to the internet and eth1(192.168.100.x) to my local network customers. I've enabled nat and my customers are able to browse the internet well (My customer are cyber cafe owners). I've limited their bandwidth. The issue is that I've limited their bandwidth on ipbasis ( say 192.168.100.6 is assigned 64kbps). My view is that they can change their ip to something else (say 192.168.100.15) and consume full bandwidth because i've not limited or given more bandwidth to that particual ip.
> To accomplish my condition, I thought of:
> #iptables -P FORWARD DROP
> To disable all packet forwarding by default.
> and then
> #iptables -A FORWARD -s 192.168.100.6 -i eth1 -j ACCEPT
> To allow my that particular ip to access the net.
> But after this command the customer isn't able to browse the net. He's still able to ping my masquerading server. Where am i wrong and what could be a solution ? Please help !
> I also think my approach to be insufficient. Because still my customer with ip (192.168.100.6) can connect to the net if he changes the ip to my some other customers ip (192.168.100.15), say if his machine is shutdown at that time.
> Is there a better approach ?
> Any reply will be greatly appreciated.
> To UNSUBSCRIBE, email to debian-isp-REQUEST@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact email@example.com
I don't know much about iptables but you may need to add a rule to
allow packets from the net back to eth1.
You can use IPSec/racoon configured to use pre-shared keys or X.509
certificates to authorise peers. You could, for example, force certain
peers to use specific IPs and allow only nominal bandwidth to those
peers that don't authenticate.