This will block a corridors internet-access for two minutes every hour(timing can be changed in karsten_www/index.php). When the internet is blocked, people are redirected to http://172.16.0.12/. This can be changed in karsten_fw/block_macs.php and karsten_fw/unblock_macs.php.

Start by running karsten_fw/block_macs.php once (the corridor to block can be changed in that file accordingly). Then a crontab-job should be set up to run every minute, adding- or deleting mac-addresses in the iptables.

To entirely remove the effects of this scrip, uncomment the entry in the crontab and restart the firewall.

cd /etc/firewall/
/etc/init.d/firewall restart

dbconnect.inc.php contains usernames and passwords for connecting to the MySQL databases on Loki and Dragon and thus are encrypted using git-crypt. They are encrypted using PGP and the nu@tudentergaarden.dk public key.

To decrypt, the corresponding private key is needed. This key is already installed on the root account on Dragon. The only thing needed after git clone on Dragon is

git-crypt unlock

The passphrase is the same as the one for the root user account.

In short, logon to Dragon(the firewall) and do the following (remember that you need to give the full path, when making the soft links.)

ssh user@dragon
git clone git@github.com:Studentergaarden/karsten.git
# or maybe
git clone https://github.com/Studentergaarden/karsten.git
cd karsten
git-crypt unlock
ln -s /full/path/karsten_www /var/misc_www/karsten
ln -s /full/path/karsten_apache /etc/apache2/sites-available/karsten
ln -s /full/path/karsten_fw /etc/firewall/karsten
ifconfig eth2:0 172.16.0.12
a2ensite karsten
apache2ctl -k graceful
php /etc/firewall/karsten/block_macs.php

Copy( or make symbolic link) karsten_fw to /etc/firewall/karsten and add the following to the crontab file /etc/firewall/crontab

* *   * * *   root   /usr/bin/nice /etc/firewall/karsten/unblock_macs.php          # every minute

You can see the current iptables rules with iptables-save | less. The following will redirect mac-address 00:1C:25:14:14:9D to 172.16.0.12.

-A PREROUTING -p tcp -m mac --mac-source 00:1C:25:14:14:9D -j DNAT --to-destination 172.16.0.12

and is achieved by

iptables -t nat -I PREROUTING -p tcp -m mac --mac-source 00:1c:25:14:14:9d  -j DNAT --to-destination 172.16.0.12

To remove it, type the following

iptables -t nat -D PREROUTING -p tcp -m mac --mac-source 00:1c:25:14:14:9d  -j DNAT --to-destination 172.16.0.12

Copy karsten_www to /var/misc_www/karsten and karsten_apache to /etc/apache2/sites-available/karsten. Add the file to apache, a2ensite karsten and restart the service, apache2ctl -k graceful.

Now, only an virtual ip-address needs to be created.

$ ifconfig eth2:0 172.16.0.12

The above command will create a new virtual network interface based on original eth2 physical interface. The only most important condition for creating the virtual network interface is the physical network interface, as in our case eth2 must exists.

Add to /etc/network/interfaces

iface eth2:0 inet static
address 123.123.22.22
netmask 255.255.0.0
broadcast 172.16.255.255

Restart the network(or add the changes temporary) /etc/init.d/networking restart