Studentergaarden / stop

Just for fun. Block (and maybe log?) access to specific pages


Just for fun

This will show a fake “you’re under investigation” web page when someone tries to visit a porn site or another site specified in stop_fw/redirect_sites.php. Internet access is then blocked for a period of time, specified in stop_www/index.php; during that period, traffic is instead redirected to the page/IP given in stop_apache.

Start by running stop_fw/redirect_sites.php once. Then set up a crontab job that runs every minute, adding or deleting MAC addresses in iptables.

To entirely remove the effects of this script, comment out the entry in the crontab and restart the firewall.

cd /etc/firewall/
/etc/init.d/firewall restart

Decrypting dbconnect.inc.php

dbconnect.inc.php contains usernames and passwords for connecting to the MySQL databases on Loki and Dragon and is therefore encrypted using git-crypt. It is encrypted using PGP and the nu@tudentergaarden.dk public key.

To decrypt, the corresponding private key is needed. This key is already installed on the root account on Dragon. The only thing needed after git clone on Dragon is

git-crypt unlock

The pass phrase is the same as the one for the root user account.

Install

In short, log on to Dragon (the firewall) and do the following (remember that you need to give the full path when making the soft links):

ssh user@dragon
git clone git@github.com:Studentergaarden/stop.git
# or maybe
git clone https://github.com/Studentergaarden/stop.git
cd stop
git-crypt unlock
ln -s /full/path/stop_www /var/misc_www/stop
ln -s /full/path/stop_apache /etc/apache2/sites-available/stop
ln -s /full/path/stop_fw /etc/firewall/stop
ifconfig eth2:0 172.16.0.10
ifconfig eth2:1 172.16.0.11
a2ensite stop
apache2ctl -k graceful
php /etc/firewall/stop/redirect_sites.php

Firewall

Copy (or make a symbolic link of) stop_fw to /etc/firewall/stop and add the following to the crontab file /etc/firewall/crontab

* *   * * *   root   /usr/bin/nice /etc/firewall/stop/unblock_macs.php          # every minute

You can see the current iptables rules with iptables-save | less. The following rule redirects MAC address 00:1C:25:14:14:9D to 172.16.0.10.

-A PREROUTING -p tcp -m mac --mac-source 00:1C:25:14:14:9D -j DNAT --to-destination 172.16.0.10

and is achieved by

iptables -t nat -I PREROUTING -p tcp -m mac --mac-source 00:1c:25:14:14:9d  -j DNAT --to-destination 172.16.0.10

To remove it, type the following

iptables -t nat -D PREROUTING -p tcp -m mac --mac-source 00:1c:25:14:14:9d  -j DNAT --to-destination 172.16.0.10
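The per-minute unblock step described above, sketched as a dry run that only prints the delete commands for expired entries. This is an added example, not the project's unblock_macs.php; the "MAC expiry" list format and the function names are assumptions, and each MAC is validated before it is placed on an iptables command line.

```shell
#!/bin/sh
# Added example (not project code): dry-run version of the unblock step.
# Assumption: the block list is text, one "MAC expiry_epoch" pair per line.

REDIRECT_IP="172.16.0.10"   # redirect address used in the rules above

# Accept only six colon-separated hex octets; anything else is rejected
# before it can reach an iptables command line.
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# Rule specification shared by the -I (insert) and -D (delete) forms.
rule_spec() {
    printf '%s\n' "-p tcp -m mac --mac-source $1 -j DNAT --to-destination $REDIRECT_IP"
}

# Read "MAC expiry" lines on stdin and print one delete command per
# expired entry. $1 is the current time in epoch seconds.
expired_unblock_cmds() {
    now=$1
    while read -r mac expiry; do
        valid_mac "$mac" || { echo "skip invalid MAC: $mac" >&2; continue; }
        case $expiry in
            ''|*[!0-9]*) echo "skip bad expiry for $mac" >&2; continue ;;
        esac
        if [ "$expiry" -le "$now" ]; then
            echo "iptables -t nat -D PREROUTING $(rule_spec "$mac")"
        fi
    done
}

# Constructed sample data: one expired entry, one still active,
# one malformed MAC (too short) that must be skipped.
sample_blocklist() {
    cat <<'EOF'
00:1c:25:14:14:9d 1700000000
00:1c:25:14:14:9e 1700003600
00:1c:25:14:14 1700000000
EOF
}

# Dry run: print what would be removed at the given time.
sample_blocklist | expired_unblock_cmds 1700000060
```

The printed commands can be reviewed before being executed as root on the firewall.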

web

Copy stop_www to /var/misc_www/stop and stop_apache to /etc/apache2/sites-available/stop. Enable the site in Apache with a2ensite stop and restart the service with apache2ctl -k graceful.

Now only a virtual IP address needs to be created.

Create virtual ip-address

Temporary

ifconfig eth2:0 172.16.0.10
ifconfig eth2:1 172.16.0.11

The commands above create new virtual network interfaces based on the physical eth2 interface. The only condition for creating a virtual network interface is that the physical network interface, in our case eth2, must exist.

Permanent

Add to /etc/network/interfaces

# same address as the temporary eth2:0 alias above
iface eth2:0 inet static
    address 172.16.0.10
    netmask 255.255.0.0
    broadcast 172.16.255.255

Restart the network (or apply the changes temporarily, as above): /etc/init.d/networking restart
