
List:       ipcop-user
Subject:    Re: [IPCop-user] BOT: Orange as Green ?
From:       "G.W. Haywood" <ged () jubileegroup ! co ! uk>
Date:       2011-08-09 10:13:44
Message-ID: Pine.LNX.4.58.1108061507180.21258 () mail3 ! jubileegroup ! co ! uk

Hi there,

On Wed, 27 Jul 2011 Renaud (Ron) Olgiati wrote:

> Want two separate greens: Eldest Son has to have Windows, and I don't want the
> whole LAN to catch the pox when he gets a dose.
>
> Mind you, I could perhaps put him on Orange ?

IPCop will not give the clients on ORANGE the same services that it
gives to those on GREEN, but that might not matter to you in which
case that might be a good solution if you have nothing else (or at
least nothing else which you care much about :) on ORANGE.

You might add another network card just for your son's PC.  I haven't
done that with IPCop, and unmodified I don't know what it would do if
you ran the setup utility with the new card installed, but I think it
should be fine if you just use the normal boot scripts to assign an IP
address and netmask to the card, then set up the firewall as required
in /etc/rc.d/rc.firewall.local plus maybe some routing.  Alternatively
you could just have a single script like /etc/rc.d/rc.local do it all.
That's where I do most of my IPCop hacking.

# 8<------------------------------------------------------------------

# In this totally off the top of my head untested script I've used
# both the long and short forms of some iptables commands to try to
# make it clear that they're completely interchangeable.  Find the
# iptables man pages for more details, e.g. on a Linux box (not IPCop).
# Sorry for the delay, I've been away a while. :)
#
# INPUT rules are for packets coming into IPCop itself.
# FORWARD rules are for packets coming to IPCop to be routed elsewhere.
# CUSTOMINPUT rules on IPCop are loaded before INPUT rules so you can do
# things specifically for your particular installation.
# CUSTOMFORWARD rules on IPCop are loaded before FORWARD rules so you can
# again do things specifically for your particular installation.
#
# Assumes that son's PC will have an IP address on 192.168.2.x,
# that you'll also know its MAC address and that he won't change
# it in order to attack your network...
#
# Set up the extra card, assume it's eth3 but it might not be.
# The netmask and broadcast assume a /24, matching the 192.168.2.0/24
# used in the rules below; change both if you use a different size.
#
/sbin/ifconfig eth3 192.168.2.1 netmask 255.255.255.0 broadcast 192.168.2.255 up
#
# I can't remember if packets from son's PC will be dropped by
# default on IPCop, so better safe than sorry:
#
# DROP everything to GREEN from son's PC by MAC address:
# Assumes GREEN is 192.168.0.0/24
#
/sbin/iptables --insert CUSTOMFORWARD --jump DROP \
 --match mac --mac-source your:sons:pc:mac:address:here \
 --destination 192.168.0.0/24
#
# DROP everything to ORANGE from son's PC by MAC address:
# Assumes ORANGE is 192.168.1.0/24 (and that you care :)
# (-I is the short form of --insert, -j of --jump)
#
/sbin/iptables -I CUSTOMFORWARD -j DROP \
 --match mac --mac-source your:sons:pc:mac:address:here \
 --destination 192.168.1.0/24
#
# DROP everything to GREEN from son's PC by IP address:
#
/sbin/iptables -I CUSTOMFORWARD -j DROP \
 -s 192.168.2.0/24 \
 -d 192.168.0.0/24
#
# You might also want to add rules to drop packets from son's PC
# which could attack IPCop itself
#
/sbin/iptables -I CUSTOMINPUT -j DROP \
 -m mac --mac-source your:sons:pc:mac:address:here
# Or alternatively
/sbin/iptables -I CUSTOMINPUT -j DROP -s 192.168.2.0/24
# 8<------------------------------------------------------------------

Of course almost everything in the script above would break if you
changed the network addresses that IPCop allocates.  It would be more
useful to modify the IPCop scripts for a second network which I'd call
YELLOW.  Then you could release the code to the world, and probably
become rich and famous. :) If you do something like

grep GREEN /etc/rc.d/*

and

grep -r GREEN /var/ipcop/*

you'll see where you need to add bits of code and settings to create
another interface and set it up as a kind of GREEN.  Probably. :)

All of this is untested conjecture, you understand.  It's something
I've thought about doing for a while so if you think it's too much
coding let me know and I'll see what I can do.  I wouldn't modify the
Web interface CGI scripts, as (a) it's more work than I can commit to
and (b) as you probably know I don't really use it anyway.

--

73,
Ged.
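An added example (not code from Ged's post) that addresses his caveat about hard-coded addresses: it derives the isolation rules from IPCop's own settings file and only prints them for review. The settings key names (GREEN_NETADDRESS, GREEN_NETMASK and the ORANGE equivalents in /var/ipcop/ethernet/settings), the YELLOW network and the MAC address are assumptions.

```shell
#!/bin/sh
# Added example, not code from Ged's post: build the isolation rules from
# IPCop's own ethernet settings so they follow the configured addresses.
# Assumption: the settings file holds KEY=value lines such as
# GREEN_NETADDRESS and GREEN_NETMASK (names assumed for
# /var/ipcop/ethernet/settings; check yours and adjust if they differ).

# Print the value of KEY ($2) from settings file $1, empty if absent.
get_setting() {
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# Print the iptables commands that isolate the extra ("YELLOW") segment.
# $1 = settings file, $2 = YELLOW network in CIDR form, $3 = the PC's MAC.
# Nothing is applied here: review the output, then pipe it to sh on IPCop.
yellow_rules() {
    settings=$1; ynet=$2; mac=$3
    for zone in GREEN ORANGE; do
        net=$(get_setting "$settings" "${zone}_NETADDRESS")
        mask=$(get_setting "$settings" "${zone}_NETMASK")
        [ -n "$net" ] || continue   # zone not configured (no ORANGE card)
        # Two independent rules per zone: a changed IP still matches the
        # MAC rule and a changed MAC still matches the source-network rule.
        echo "/sbin/iptables -A CUSTOMFORWARD -s $ynet -d $net/$mask -j DROP"
        echo "/sbin/iptables -A CUSTOMFORWARD -m mac --mac-source $mac -d $net/$mask -j DROP"
    done
    # Traffic aimed at IPCop itself goes through INPUT, so repeat there.
    echo "/sbin/iptables -A CUSTOMINPUT -s $ynet -j DROP"
    echo "/sbin/iptables -A CUSTOMINPUT -m mac --mac-source $mac -j DROP"
}

# Constructed sample standing in for /var/ipcop/ethernet/settings.
SAMPLE_SETTINGS=$(mktemp)
cat > "$SAMPLE_SETTINGS" <<'EOF'
GREEN_DEV=eth0
GREEN_ADDRESS=192.168.0.1
GREEN_NETADDRESS=192.168.0.0
GREEN_NETMASK=255.255.255.0
ORANGE_NETADDRESS=192.168.1.0
ORANGE_NETMASK=255.255.255.0
EOF

# Constructed MAC address; replace it with the real one from the son's PC.
yellow_rules "$SAMPLE_SETTINGS" 192.168.2.0/24 00:11:22:33:44:55
```

Because the rules are read back from the settings file at boot, re-running the IPCop setup utility with new GREEN or ORANGE addresses no longer silently leaves the isolation rules pointing at the old networks.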
