A Broadband and ADSL forum. BroadbanterBanter


uk.comp.home-networking (UK home networking) (uk.comp.home-networking) Discussion of all aspects of computer networking in the home, regardless of the platforms, software, topologies and protocols used. Examples of topics include recommendations for hardware or suppliers (e.g. NICs and cabling), protocols, servers, and specific network software. Advertising is not allowed.

Redirect outgoing packets on SpeedTouch 580? Or replace it?



 
 
  #1  
Old February 19th 09, 06:07 PM posted to uk.telecom.broadband,uk.comp.home-networking
Stroller

Hi there,

I need to do some content filtering for a LAN which requires me to:
- allow LAN PC 192.168.1.42 to connect freely to the Internet
- block all outgoing packets with a port 80 destination from other PCs and
redirect them to 192.168.1.42:3128

I'm currently using a Thomson SpeedTouch 580 (Software Release: 4.3.2.9.0)
which appears to have no facility to do this through the web-based
configurator.

I stumbled on the "CLI ReferenceGuide" [1] which initially appears very
comprehensive but which is full of lies. E.G. page 173 (or 171, if you
count the printed page number) suggests the following syntax:
firewall list [hook= {input|sink|forward|source|output}]
and example
firewall list hook=input
Yet attempting this simply gives "Invalid option = hook" when actually
telnetted into the router.

This puts me at a disadvantage because I can't even inspect the existing
configuration & try to learn the syntax from that. Let alone do I trust the
remainder of the manual.

Has anyone else tried doing something like this with a Speedtouch?
If so, I would be grateful for any advice,

Alternatively, can anyone suggest a commodity ADSL router that does allow
such control over outgoing packets?

Many thanks in advance for any suggestions,

Stroller.

(PS: cross-posted as per headers)


[1] http://www.speedtouch.nl/docs/CLIguide_580_427.pdf
  #2  
Old February 19th 09, 07:17 PM posted to uk.telecom.broadband,uk.comp.home-networking
Alex Fraser

Stroller wrote:
> I need to do some content filtering for a LAN which requires me to:
> - allow LAN PC 192.168.1.42 to connect freely to the Internet
> - block all outgoing packets with a port 80 destination from other PCs and
> redirect them to 192.168.1.42:3128


It sounds like you are trying to set up a transparent proxy.

As far as I can see, what you propose would require translation of both
source and destination addresses of packets, and would result in all
connections seen by the proxy apparently coming from the router. (All
packets on the intercepted connection would need to go via the router.)

Both these problems go away if the proxy is on the route from the other
PCs to the destination they think they are connecting to, or if there is
a router between the proxy and other PCs.

[snip]
> Alternatively, can anyone suggest a commodity ADSL router that does allow
> such control over outgoing packets?


I don't know of any. I suspect you may have more luck finding a router
that can do the content filtering you need.

It might also be worth looking into whether any unofficial firmware for
a commodity router would do the job.

Alex
  #3  
Old February 19th 09, 08:45 PM posted to uk.telecom.broadband,uk.comp.home-networking
Denis McMahon

On Feb 19, 6:07 pm, Stroller wrote:

> I stumbled on the "CLI ReferenceGuide" [1] which initially appears very
> comprehensive but which is full of lies. E.G. page 173 (or 171, if you
> count the printed page number) suggests the following syntax:
>    firewall list [hook= {input|sink|forward|source|output}]
> and example
>    firewall list hook=input
> Yet attempting this simply gives "Invalid option = hook" when actually
> telnetted into the router.


It's not lying, you're misunderstanding its abilities.

It can't do what you want, there's another doc somewhere that
demonstrates how the terms input/sink/forward etc apply within the
router. They don't apply the way you think they do, and specifically,
it won't re-write lan side packets to a different port and put them
back on the lan interface.

I don't think you're going to get the functionality you want at the
sort of price you're going to be willing to pay.

What you might be able to do is set up your own dhcp server that gives
out the http proxy information as part of the dhcp request.

Oh, and the proxy port should probably be 8080 too.

Denis McMahon
  #4  
Old February 20th 09, 02:54 AM posted to uk.telecom.broadband,uk.comp.home-networking
Rob Morley

On Thu, 19 Feb 2009 18:07:40 +0000
Stroller wrote:

> Hi there,
>
> I need to do some content filtering for a LAN which requires me to:
> - allow LAN PC 192.168.1.42 to connect freely to the Internet
> - block all outgoing packets with a port 80 destination from other
> PCs and redirect them to 192.168.1.42:3128
>
> Alternatively, can anyone suggest a commodity ADSL router that does
> allow such control over outgoing packets?

Why not just run routing software on the web proxy?

  #5  
Old February 20th 09, 07:15 AM posted to uk.telecom.broadband,uk.comp.home-networking
Stroller

Alex Fraser wrote:

> Stroller wrote:
>> I need to do some content filtering for a LAN which requires me to:
>> - allow LAN PC 192.168.1.42 to connect freely to the Internet
>> - block all outgoing packets with a port 80 destination from other PCs
>> and redirect them to 192.168.1.42:3128
>
> It sounds like you are trying to set up a transparent proxy.
>
> As far as I can see, what you propose would require translation of both
> source and destination addresses of packets, and would result in all
> connections seen by the proxy apparently coming from the router. (All
> packets on the intercepted connection would need to go via the router.)


Unless I am misreading it, it is implied by the Squid documentation that
this approach works.

http://wiki.squid-cache.org/ConfigEx...cept/LinuxDnat states that:

We have had no successful reports of people using DNAT at the gateway
machine to direct traffic at a separate squid box. We have had several
good reports about ../IptablesPolicyRoute for those setups.

Going to that page
http://wiki.squid-cache.org/ConfigExamples/Intercept/IptablesPolicyRoute
gives specifics on using a Linux-based router to redirect to the proxy, but
I would prefer to use the Speedtouch if possible.

> Both these problems go away if the proxy is on the route from the other
> PCs to the destination they think they are connecting to, or if there is
> a router between the proxy and other PCs.


Yes, I am aware of this approach. But I don't really like that the PC
becomes a single point of physical failure.

Stroller.

  #6  
Old February 20th 09, 07:34 AM posted to uk.telecom.broadband,uk.comp.home-networking
Stroller

Denis McMahon wrote:

> On Feb 19, 6:07 pm, Stroller wrote:
>
>> I stumbled on the "CLI ReferenceGuide" [1] which initially appears very
>> comprehensive but which is full of lies. E.G. page 173 (or 171, if you
>> count the printed page number) suggests the following syntax:
>>    firewall list [hook= {input|sink|forward|source|output}]
>> and example
>>    firewall list hook=input
>> Yet attempting this simply gives "Invalid option = hook" when actually
>> telnetted into the router.
>
> It's not lying, you're misunderstanding its abilities.


You're misunderstanding that part of my post.

I was unclear as to whether it would be possible to achieve what I require,
so I initially tried just listing the existing firewall rules to try &
figure out how they're configured. At this stage I wasn't trying to make
any changes. The manual states that the command `firewall list` lists
firewall rules. It states that `firewall list hook=input` works, but it
doesn't.

I characterise this as "lying", although the manual appears to be for a
different version of the firmware than that I have installed. The manual
appears to be for an earlier version of the firmware (see cover of linked
PDF) and I can't figure they reduced the functionality in the next release,
so I can't really work out why this is wrong.

> It can't do what you want, there's another doc somewhere that
> demonstrates how the terms input/sink/forward etc apply within the
> router. They don't apply the way you think they do, and specifically,
> it won't re-write lan side packets to a different port and put them
> back on the lan interface.


Ok, thanks. I'll look at other approaches.

> What you might be able to do is set up your own dhcp server that gives
> out the http proxy information as part of the dhcp request.


Yeah, I've already looked at this & am fairly comfortable with that. But
this is no good if the users override the browser's proxy settings
manually. If I could figure out at least how to block outgoing packets
destined to port 80, except for those from machine 192.168.1.42, then I
would be quite happy.

> Oh, and the proxy port should probably be 8080 too.


Well, this is hardly critical. For some reason Squid defaults to using port
3128 (or thereabouts).

Stroller.

  #7  
Old February 20th 09, 07:38 AM posted to uk.telecom.broadband,uk.comp.home-networking
Stroller

Alex Fraser wrote:

> Stroller wrote:
>> I need to do some content filtering for a LAN which requires me to:
>> - allow LAN PC 192.168.1.42 to connect freely to the Internet
>> - block all outgoing packets with a port 80 destination from other PCs
>> and redirect them to 192.168.1.42:3128
>
> It sounds like you are trying to set up a transparent proxy.
>
> As far as I can see, what you propose would require translation of both
> source and destination addresses of packets, and would result in all
> connections seen by the proxy apparently coming from the router. (All
> packets on the intercepted connection would need to go via the router.)


Unless I am misreading it, it is implied by the Squid documentation that
this approach works.

http://wiki.squid-cache.org/ConfigEx...cept/LinuxDnat states that:

  We have had no successful reports of people using DNAT at the gateway
  machine to direct traffic at a separate squid box. We have had several
  good reports about ../IptablesPolicyRoute for those setups.

Going to that page
http://wiki.squid-cache.org/ConfigExamples/Intercept/IptablesPolicyRoute
gives specifics on using a Linux-based router to redirect to the proxy. I
would prefer to use the Speedtouch if possible.

> Both these problems go away if the proxy is on the route from the other
> PCs to the destination they think they are connecting to, or if there is
> a router between the proxy and other PCs.


Yes, I am aware of this approach. But I don't really like that the PC
becomes a single point of failure.

Stroller.
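
The Linux-router approach from the Squid wiki page linked above (policy routing rather than DNAT), together with the block-only fallback mentioned in post #6, as an added example that is not part of any post in this thread or of the wiki's own text. The addresses and ports are the thread's; the interface names, packet mark and routing table number are assumptions. It prints the commands unless a mode is given with APPLY=1.

```shell
#!/bin/sh
# Added example. Addresses and ports come from the thread; the interface
# names, mark and table number are assumptions for illustration.
PROXY_IP=192.168.1.42   # proxy host (from the thread)
PROXY_PORT=3128         # Squid port (from the thread)
LAN_IF=eth0             # assumed LAN-facing interface on the Linux router
PROXY_IF=eth0           # assumed interface name on the proxy host
FWMARK=2                # arbitrary packet mark
RT_TABLE=100            # arbitrary routing table number

# Print each command by default; execute it only when APPLY=1 (needs root).
run() { if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi; }

# Router: steer other hosts' port-80 traffic to the proxy by policy routing.
# No address is rewritten, so the proxy sees the real client and destination.
router_policy_route() {
    # The proxy's own port-80 traffic leaves unmarked.
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -s "$PROXY_IP" -p tcp --dport 80 -j ACCEPT
    # Everyone else's port-80 traffic gets the mark.
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 -j MARK --set-mark "$FWMARK"
    # Marked packets use a table whose default route is the proxy.
    run ip rule add fwmark "$FWMARK" table "$RT_TABLE"
    run ip route add default via "$PROXY_IP" dev "$LAN_IF" table "$RT_TABLE"
    # Let the packet be forwarded back out of the LAN interface.
    run iptables -A FORWARD -i "$LAN_IF" -o "$LAN_IF" -p tcp --dport 80 -j ACCEPT
}

# Proxy host: deliver the intercepted packets to the local Squid port.
proxy_redirect() {
    run iptables -t nat -A PREROUTING -i "$PROXY_IF" -p tcp --dport 80 -j REDIRECT --to-ports "$PROXY_PORT"
}

# Router, block-only fallback: only the proxy may reach port 80 directly.
router_block_only() {
    run iptables -A FORWARD -i "$LAN_IF" -s "$PROXY_IP" -p tcp --dport 80 -j ACCEPT
    run iptables -A FORWARD -i "$LAN_IF" -p tcp --dport 80 -j REJECT --reject-with tcp-reset
}

case "${1:-show}" in
    router) router_policy_route ;;
    proxy)  proxy_redirect ;;
    block)  router_block_only ;;
    *)      APPLY=0; router_policy_route; proxy_redirect; router_block_only ;;
esac
```

Squid itself must also be configured to accept intercepted traffic on that port for the proxy-side rule to be useful.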
  #8  
Old February 20th 09, 10:04 AM posted to uk.telecom.broadband,uk.comp.home-networking
The Natural Philosopher

Rob Morley wrote:
> On Thu, 19 Feb 2009 18:07:40 +0000
> Stroller wrote:
>
>> Hi there,
>>
>> I need to do some content filtering for a LAN which requires me to:
>> - allow LAN PC 192.168.1.42 to connect freely to the Internet
>> - block all outgoing packets with a port 80 destination from other
>> PCs and redirect them to 192.168.1.42:3128

That's a weird and unusual requirement that will not normally be possible.

>> Alternatively, can anyone suggest a commodity ADSL router that does
>> allow such control over outgoing packets?
>
> Why not just run routing software on the web proxy?

Don't think that works.

  #9  
Old February 20th 09, 12:39 PM posted to uk.telecom.broadband,uk.comp.home-networking
Rob Morley

On Fri, 20 Feb 2009 10:04:46 +0000
The Natural Philosopher wrote:

> Rob Morley wrote:
>> On Thu, 19 Feb 2009 18:07:40 +0000
>> Stroller wrote:
>>
>>> Hi there,
>>>
>>> I need to do some content filtering for a LAN which requires me to:
>>> - allow LAN PC 192.168.1.42 to connect freely to the Internet
>>> - block all outgoing packets with a port 80 destination from other
>>> PCs and redirect them to 192.168.1.42:3128
>
> That's a weird and unusual requirement that will not normally be
> possible.
>
>>> Alternatively, can anyone suggest a commodity ADSL router that does
>>> allow such control over outgoing packets?
>>
>> Why not just run routing software on the web proxy?
>
> Don't think that works.

Why not? If all traffic is going through the proxy it can pick off
whatever packets it wants and reroute them.

  #10  
Old February 20th 09, 12:55 PM posted to uk.telecom.broadband,uk.comp.home-networking
The Natural Philosopher

Rob Morley wrote:
> On Fri, 20 Feb 2009 10:04:46 +0000
> The Natural Philosopher wrote:
>
>> Rob Morley wrote:
>>> On Thu, 19 Feb 2009 18:07:40 +0000
>>> Stroller wrote:
>>>
>>>> Hi there,
>>>>
>>>> I need to do some content filtering for a LAN which requires me to:
>>>> - allow LAN PC 192.168.1.42 to connect freely to the Internet
>>>> - block all outgoing packets with a port 80 destination from other
>>>> PCs and redirect them to 192.168.1.42:3128
>>
>> That's a weird and unusual requirement that will not normally be
>> possible.
>>
>>>> Alternatively, can anyone suggest a commodity ADSL router that does
>>>> allow such control over outgoing packets?
>>>
>>> Why not just run routing software on the web proxy?
>>
>> Don't think that works.
>
> Why not? If all traffic is going through the proxy it can pick off
> whatever packets it wants and reroute them.

Not sure that proxying rules exist to do that on most proxies though.

And you need to set up the proxy in the first place, and force users to
use it... that's not too hard, but it does create some annoying side effects.
 



