View the full version: Where's the configuration stored?



oyvindk
03-06-2005, 16:35
Hi,

I was wondering if there is an overview of where the various settings (or built-in scripts) are stored in the 500g?

For instance, I enabled wireless access control to reject one specific MAC-address, but in which file (if any) is this setting stored? I assumed that it would be added to iptables, but it wasn't.

Is there an easy way of "tunneling" specific computers to only have access to the internet, and not to the local network? I assume that iptables is the way to go, but to which chains do I add the rules? (I do know how to use the post-firewall script to add rules).

Regards,
-Øyvind

Oleg
03-06-2005, 20:08
Wireless MAC address filtering is done by the wireless driver itself.
The settings are stored in the flash area called NVRAM. Use the nvram command to view them.

barsju
03-06-2005, 21:33
That would be the FORWARD chain. You should try this tutorial on iptables:
http://iptables-tutorial.frozentux.net/iptables-tutorial.htm
Specifically this part:
http://iptables-tutorial.frozentux.net/iptables-tutorial.html#TRAVERSINGOFTABLES

It's quite an extensive but very good tutorial.

You need rules that look something like

iptables -A FORWARD -s 192.168.1.x -d 192.168.1.0/255.255.255.0 -j DROP

I.e. packets from computer 192.168.1.x to local network addresses should be dropped. I guess you can even specify the opposite, from LAN to computer to be dropped.

Instead of using the built-in WLAN MAC access control you can make it yourself with iptables. I use this script for that:

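#!/bin/sh
# /usr/local/etc/ethers holds "MAC IP" pairs; the loop sees the MAC first, then the IP.
mac=""
for ip in $(cat /usr/local/etc/ethers)
do
    if [ "$(expr substr "$ip" 1 7)" = "192.168" ] ; then
        # This word is an IP: accept forwarding from it only with the MAC read just before.
        #echo $ip
        iptables -A FORWARD -s "$ip" -m mac --mac-source "$mac" -j ACCEPT
    else
        # Anything else is taken to be a MAC address; remember it for the next IP.
        mac=$ip
    fi
done
# Drop all other forwarded traffic.
iptables -A FORWARD -j DROP

All mac/ip pairs in /usr/local/etc/ethers are copied to /etc/ethers.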

B.
PS:Heia Norge!
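
Added example, not part of the post above: a dry-run variant of the ethers-to-iptables idea that validates each "MAC IP" line and prints the FORWARD rules for review, with an optional LAN DROP rule for hosts that should reach the internet only. The names gen_rules, is_mac, sample_ethers and LAN_NET are hypothetical, and the MAC/IP pairs are constructed sample data.

```shell
#!/bin/sh
# Added example: build the FORWARD rules from ethers-style input ("MAC IP"
# per line) and print them instead of running them, so they can be reviewed.

LAN_NET="192.168.1.0/255.255.255.0"   # LAN range used in the post

# is_mac STRING -> exit status 0 if STRING looks like aa:bb:cc:dd:ee:ff
is_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# gen_rules [ISOLATED_IP ...]   (reads ethers-style lines on stdin)
# Prints one ACCEPT rule per valid MAC/IP pair. IPs given as arguments get a
# DROP rule towards the LAN first, so they are only forwarded to the internet.
gen_rules() {
    isolated=" $* "
    while read -r mac ip rest; do
        case "$mac" in ''|'#'*) continue ;; esac        # blank line or comment
        is_mac "$mac" || { echo "# skipped: bad MAC '$mac'"; continue; }
        case "$ip" in
            192.168.*) ;;
            *) echo "# skipped: non-LAN IP '$ip'"; continue ;;
        esac
        case "$isolated" in
            *" $ip "*) echo "iptables -A FORWARD -s $ip -d $LAN_NET -j DROP" ;;
        esac
        echo "iptables -A FORWARD -s $ip -m mac --mac-source $mac -j ACCEPT"
    done
    echo "iptables -A FORWARD -j DROP"                  # drop everything unlisted
}

# Constructed sample input (not taken from a real router).
sample_ethers() {
    cat <<'EOF'
# laptop
00:11:22:33:44:55 192.168.1.10
00:11:22:33:44:66 192.168.1.20
not-a-mac 192.168.1.30
EOF
}

# Treat 192.168.1.20 as the internet-only host.
sample_ethers | gen_rules 192.168.1.20
```

Review the printed rules before feeding them to sh from post-firewall. Whether traffic bridged between wireless and wired LAN ports reaches the FORWARD chain at all depends on the kernel's bridge netfilter support, so test the isolation rule on the device.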

oyvindk
03-06-2005, 22:41
Thanks, both of you!

Barsju, the script you mentioned, is that also part of the post-firewall script?
Besides, there is no /usr/local/etc/ethers file on my router, do you create that manually?

And I agree:
Heia Norge! :-)

barsju
03-06-2005, 23:33
Barsju, the script you mentioned, is that also part of the post-firewall script?

Well I have it as a separate script that I call from post-firewall.


Besides, there is no /usr/local/etc/ethers file on my router, do you create that manually?

Yepp. Check out /etc/ethers to see what it should look like. Whatever you write in /usr/local/etc/ethers is copied to /etc/ethers. (Same with /etc/hosts by the way.. if you want to name your hosts, or use it for filtering.)

B