
Re: help on masquerading



Ritesh Raj Sarraf wrote:

Hello all,
I have a masquerading server with 2 ethernet cards, eth0 (202.52.x.x) to the internet and eth1 (192.168.100.x) to my local network customers. I've enabled NAT and my customers are able to browse the internet well (my customers are cyber cafe owners). I've limited their bandwidth. The issue is that I've limited their bandwidth on an IP basis (say 192.168.100.6 is assigned 64kbps). My view is that they can change their IP to something else (say 192.168.100.15) and consume full bandwidth because I've not limited or given more bandwidth to that particular IP.

To accomplish my condition, I thought of:

#iptables -P FORWARD DROP
To disable all packet forwarding by default.
and then

#iptables -A FORWARD -s 192.168.100.6 -i eth1 -j ACCEPT
To allow that particular IP to access the net.

But after this command the customer isn't able to browse the net. He's still able to ping my masquerading server. Where am I wrong and what could be a solution? Please help!

I also think my approach is insufficient, because my customer with IP 192.168.100.6 can still connect to the net if he changes his IP to some other customer's IP (192.168.100.15), say if that machine is shut down at that time.

Is there a better approach ?
Any reply will be greatly appreciated.

You didn't say whose machines they are nor what OS they're running. If they're yours you can lock them down so the users can't do those things.

You can run arpwatch, which will email you whenever a new host arrives on your LAN and whenever anyone changes IP.

You can configure DHCPD to serve out IP addresses, and require all your clients to use DHCP. In your configuration you can hard-code IP addresses for everyone who's authorised to connect and use a dynamic range for everyone else. You may choose to not route them outside the LAN, give them IP addresses on a different subnet (they're all on the same wire) and generally be devious, even to regularly changing the allowed IP addresses!

Google for pebble and nocat. They're wireless kit, but probably useful to you too. Their purpose is to provide public Internet access and require everyone to be authenticated. In a free (gratis) environment, people can decline authentication and be authenticated as anonymous, with different access rights.

From what you have said, that could suit you very well. Especially if you (want to) allow people to bring their wireless laptops.



Ritesh




--

Cheers
John
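An added example, not from either message in this thread: the single ACCEPT rule Ritesh posted only covers packets arriving on eth1, so with the FORWARD policy set to DROP the replies coming back in on eth0 are dropped as well, which is why browsing fails while pinging the gateway itself (handled by INPUT, not FORWARD) still works. The script below generates a FORWARD ruleset that lets reply traffic through and accepts new connections only from an allow-listed IP *and* MAC pair, in the spirit of the fixed-address DHCP suggestion above. Interface names, the allow-list format and the use of iptables' "state" and "mac" matches are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Prints iptables commands rather
# than running them, so the ruleset can be reviewed before it is applied
# as root on the gateway:  gen_rules allowlist | sh
WAN=eth0   # assumed: interface towards the internet
LAN=eth1   # assumed: interface towards the customers

# gen_rules <allowlist-file>
# Allow-list lines look like:  192.168.100.6 00:11:22:33:44:55
gen_rules() {
    echo "iptables -P FORWARD DROP"
    echo "iptables -F FORWARD"
    # Replies to connections already accepted come back in on $WAN; without
    # this rule they hit the DROP policy and browsing fails even though the
    # outbound packets were accepted.
    echo "iptables -A FORWARD -i $WAN -o $LAN -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # One rule per authorised (IP, MAC) pair. A packet carrying an allowed IP
    # from a different MAC matches nothing and falls through to DROP, so a
    # customer cannot simply adopt a neighbour's address while it is idle.
    while read -r ip mac; do
        case "$ip" in ''|'#'*) continue ;; esac   # skip blanks and comments
        echo "iptables -A FORWARD -i $LAN -o $WAN -s $ip -m mac --mac-source $mac -j ACCEPT"
    done < "$1"
    # Log whatever the LAN side still tries, so address-hopping shows up in syslog.
    echo "iptables -A FORWARD -i $LAN -j LOG --log-prefix 'FWD-DROP: '"
}

# Constructed sample allow-list (addresses and MACs are made up).
ALLOW=$(mktemp)
cat > "$ALLOW" <<'EOF'
# ip             mac
192.168.100.6    00:11:22:33:44:55
192.168.100.15   00:11:22:33:44:66
EOF

gen_rules "$ALLOW"
```

A MAC address can be changed about as easily as an IP, so this raises the bar rather than closing the hole; pairing it with arpwatch, as suggested above, is what actually tells you when someone tries.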



