Re: IPTABLES: Egress packet/port filtering

From: Shane R. Spencer <shane@tdxnet.com>
Date: Tue Jun 06 2006 - 11:53:15 AKDT

On Tue, 2006-06-06 at 11:46 -0800, Damien Hull wrote:
> Shane R. Spencer wrote:
> > Yo..
> >
> > So, I operate a few hotspots and am having some wonderful issues with
> > some very hostile customers staying at a hotel we provide wireless
> > Internet access for. It is free and we have public IPs for all
> > wireless clients staying at the hotel, which I am starting to think was
> > a stupid idea; however, older VPN implementations almost required it in
> > order to keep support requests to a minimum.
> >
> > I am hoping to block all but pop/imap/smtp(filtered via
> > clamsmtp)/http(transparent squid)/VPN's and drop everything else. I
> > found a few helpful links including this one:
> >
> > http://www.enterprisenetworkingplanet.com/netsysm/article.php/2168251
> >
> > At this point I just need a little advice on the dos and don'ts of this
> > kind of situation.
> >
> > Should I block *all* ingress forwarded traffic if I don't want
> > folks hosting web servers during their long stay at the hotel, not to
> > mention p2p traffic?
> >
> > Should I block all egress high ports 1024:65535 unless they are somehow
> > related to existing traffic? I am unsure of how that works.
> >
> > Shane
> >
> > ---------
> > To unsubscribe, send email to <aklug-request@aklug.org>
> > with 'unsubscribe' in the message body.
> >
> Can you switch to private IP space?
>
> Most laptop users will be running Windows XP. Let's keep it simple and
> say they use PPTP for the VPN connection. That's port 1723. Just set up a
> network with private IP space and allow port 1723 access.
>
> Got the XP info from this website.
> http://wireless.gumph.org/content/6/4/014-howto-xp-pptp-vpn-testing.html
>
>
> --
> You can get my public PGP key at https://keyserver.pgp.com
>
> Digital Overload
> http://www.digitaloverload.net
>
> Keep your data safe by doing regular backups. At Digital Overload we use
> a combination of DVD and hard drive backups. For off site storage we use
> a safe-deposit box at the bank. All backups are encrypted.

That's been in the front of my mind.. I should just switch to private
IPs. Offering public IPs has been a difficult task since inbound
becomes a problem. I could test for problems by enabling NAT with it as
it is now and see how many things break for the long-staying customers
at the hotel before I switch around everything. As soon as I switch to
private IPs 50 people will call the front desk saying their wireless
signal is weak (which obviously isn't the problem) - trying to avoid a
mass headache.

Thanks

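As an added example (not from the thread), a FORWARD-chain ruleset along the lines Shane describes: connection tracking answers the "egress high ports 1024:65535" question, new inbound connections toward guests are dropped, and only the listed services get out. Interface names, the squid port and the use of upstream DNS resolvers are assumptions.

```shell
#!/bin/sh
# Constructed example: FORWARD-chain policy for a hotspot router. Interface
# names and the squid port are assumptions; override them via the environment.
LAN=${LAN:-wlan0}          # guest wireless side
WAN=${WAN:-eth0}           # upstream side
SQUID_PORT=${SQUID_PORT:-3128}

# DRYRUN=1 prints the rules instead of applying them, so the ruleset can be
# reviewed without root or a live netfilter.
ipt() {
    if [ "${DRYRUN:-0}" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi
}

hotspot_forward_policy() {
    # Own chain, flushed on each run so the guest rules are not duplicated.
    ipt -N HOTSPOT_FWD 2>/dev/null || ipt -F HOTSPOT_FWD
    # Replies to connections guests opened come back through here. This one
    # rule is what replaces any allow list for high ports 1024:65535.
    ipt -A HOTSPOT_FWD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # New outbound connections: only smtp, http, pop3, imap and PPTP control.
    for port in 25 80 110 143 1723; do
        ipt -A HOTSPOT_FWD -i "$LAN" -o "$WAN" -p tcp --dport "$port" \
            -m state --state NEW -j ACCEPT
    done
    # PPTP carries the tunnel itself in GRE (IP protocol 47), not TCP.
    ipt -A HOTSPOT_FWD -i "$LAN" -o "$WAN" -p gre -j ACCEPT
    # Guests still need DNS (assumed: upstream resolvers, not a local one).
    ipt -A HOTSPOT_FWD -i "$LAN" -o "$WAN" -p udp --dport 53 -j ACCEPT

    # Nothing new from the Internet toward guests: no hosted web servers or
    # p2p listeners. Dropped silently, since scan noise would flood the log.
    ipt -A HOTSPOT_FWD -i "$WAN" -o "$LAN" -m state --state NEW -j DROP
    # Everything else outbound is logged (rate limited) and dropped.
    ipt -A HOTSPOT_FWD -m limit --limit 5/min -j LOG --log-prefix "hotspot-drop: "
    ipt -A HOTSPOT_FWD -j DROP

    # Hook the chain into FORWARD for both directions between the interfaces
    # (on re-runs, delete the old jumps first or they accumulate).
    ipt -A FORWARD -i "$LAN" -o "$WAN" -j HOTSPOT_FWD
    ipt -A FORWARD -i "$WAN" -o "$LAN" -j HOTSPOT_FWD
    # Transparent squid: guest port-80 traffic is redirected to the local
    # proxy in PREROUTING, so it never reaches FORWARD at all.
    ipt -t nat -A PREROUTING -i "$LAN" -p tcp --dport 80 -j REDIRECT --to-ports "$SQUID_PORT"
}

# Apply only when invoked as: sh hotspot-fwd.sh apply   (DRYRUN=1 to preview)
if [ "${1:-}" = apply ]; then hotspot_forward_policy; fi
```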
Received on Tue Jun 6 11:53:35 2006

This archive was generated by hypermail 2.1.8 : Tue Jun 06 2006 - 11:53:35 AKDT