Hi. I currently offer free wifi access to customers in my pub and I am trying to implement a layer 7 filter to block P2P filesharing. The network looks like this (router_wifi does NAT):

router (10.0.1.1) --> debian-box (10.0.1.2) --> (10.0.1.5) router_wifi (10.0.2.1) --> clients (10.0.2.x)

My plan is to use debian-box to take care of the P2P blocking: I compiled ipp2p (TCP layer 7 packet analyzer) but I can't figure out how to make the machine act as a gateway for the wifi clients. All the examples I found online refer to the situation where the computer has two network interfaces, but I only have eth0. This is what I've got so far:

Code:
#!/bin/sh
# Interface connected to the Internet
INTERNET="eth0"
# Address range of the LAN
LOCAL="10.0.0.0/16"

# Clean old firewall
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X

# Enable forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

# Set default filter policy (FORWARD keeps the kernel default of ACCEPT,
# so return traffic for the LAN is forwarded without an explicit rule)
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT

# Unlimited access to loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Accept replies to connections this box opened (covers UDP, DNS and passive FTP data)
iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT

# Block P2P (ipp2p inspects payload signatures, so these must come before any
# ESTABLISHED accept rule in the same chain)
iptables -A FORWARD -m ipp2p --ipp2p -j DROP
iptables -A INPUT -m ipp2p --ipp2p -j DROP
iptables -A OUTPUT -m ipp2p --ipp2p -j DROP

# Set this system as a router for the rest of the LAN
iptables -t nat -A POSTROUTING -o $INTERNET -j MASQUERADE
iptables -A FORWARD -s $LOCAL -j ACCEPT

# Unlimited access from the LAN
iptables -A INPUT -s $LOCAL -j ACCEPT
iptables -A OUTPUT -s $LOCAL -j ACCEPT

# DROP everything else and log it
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP
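For reference, here is what a single-interface ("router on a stick") version of the setup above looks like. This is an added example, not the poster's script: it assumes router_wifi's WAN side (10.0.1.5) has its default gateway changed from 10.0.1.1 to debian-box (10.0.1.2), that the ipp2p match is loaded on debian-box, and that SSH from the wired 10.0.1.0/24 segment should stay reachable. Two things matter when the box forwards back out the same interface it received on: ICMP redirects have to be switched off (otherwise the kernel tells router_wifi to send to 10.0.1.1 directly and the filter is bypassed), and wifi traffic has to be source-NATed to 10.0.1.2 so that the upstream router's replies also pass through the box. The ruleset is emitted in iptables-restore format so it can be reviewed before being loaded atomically.

```shell
#!/bin/sh
# Added example, not code from the original post. Hypothetical addresses and
# interface names below mirror the topology in the question.

WAN_IF="eth0"        # the only interface on debian-box
WIFI_WAN="10.0.1.5"  # router_wifi's address on the wired segment
MGMT_NET="10.0.1.0/24"  # assumed: wired LAN allowed to SSH to this box

# Kernel settings for forwarding between hosts on one interface.
sysctl_settings() {
    cat <<EOF
net.ipv4.ip_forward = 1
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.${WAN_IF}.send_redirects = 0
EOF
}

# Complete ruleset in iptables-restore syntax. Default FORWARD policy is DROP;
# ipp2p is evaluated before any ESTABLISHED accept, because it matches on
# payload signatures inside already-established connections.
build_ruleset() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# masquerade wifi traffic as 10.0.1.2 so return traffic also crosses this box
-A POSTROUTING -s ${WIFI_WAN} -o ${WAN_IF} -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s ${MGMT_NET} -p tcp --dport 22 -j ACCEPT
-A INPUT -j LOG --log-prefix "input-drop: "
# P2P detection first, then the two directions of allowed wifi traffic
-A FORWARD -m ipp2p --ipp2p -j LOG --log-prefix "p2p-drop: "
-A FORWARD -m ipp2p --ipp2p -j DROP
-A FORWARD -s ${WIFI_WAN} -i ${WAN_IF} -o ${WAN_IF} -j ACCEPT
-A FORWARD -d ${WIFI_WAN} -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# "apply" loads the sysctl knobs and the ruleset; anything else just shows them.
if [ "${1:-show}" = "apply" ]; then
    sysctl_settings | while read -r key _ val; do
        sysctl -w "${key}=${val}"
    done
    build_ruleset | iptables-restore
else
    sysctl_settings
    build_ruleset
fi
```

Run it without arguments to inspect the generated rules, and with `apply` as root to load them. A second NIC, with router_wifi on its own segment, avoids the redirect and same-interface caveats entirely and is the simpler design if the hardware allows it.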
I believe you'd have to add a second LAN card and connect the wifi router to it. If your router has a firewall, can't you just use it to block the P2P ports? In case you decide to charge for access, you can check out Zonerider.