Internet Connection Sharing blocking - how to?

Hi!
I am trying to block connection sharing for users in one of the hotspot user profiles.
I try to set outgoing-packet-mark in the specified hotspot user profile:

 2   name="BASIC" keepalive-timeout=10m status-autorefresh=1m 
     shared-users=unlimited rate-limit="32k/256k" incoming-filter="no-p2p" 
     outgoing-filter="no-p2p" incoming-packet-mark="ttl" 
     outgoing-packet-mark="ttl" transparent-proxy=yes open-status-page=always 
     advertise=no

and then set the TTL value in a mangle rule based on the packet mark set by the hotspot:

 0   chain=postrouting out-interface=Klienci-bridge packet-mark=ttl 
     action=change-ttl new-ttl=set:2

But there is not a single packet in the mangle rule statistics; it seems most likely that the packets are not marked, so ANY rule based on the mark has nothing to do.
Is there any good way to avoid Internet sharing for a user specified by hotspot profile?

thanks and regards!
kjagus

You can't block ICS…

serious!!!

no option to stop ICS or NAT on the client side?

if there is any option… how to set it up!

thank you

not possible at all…

of course not - how can you tell what your client is doing in his local network?

exactly my point :wink:

Once the packet is properly translated, there is nothing in the packet to identify it as coming from a different network…

ttl is decremented

“ONLY” if you use ICS???

I think the best way around this is to use session limitation.

Nazem you’re Lebanese and you have your work in Iraq? what kind of work?

thanks

Perhaps the only way could be to limit the number of simultaneous connections (connlimit) that one user could make (40-60). If your client is sharing with others there would be more connections and they are going to be dropped; the only problem is that if the other users use all the connections, the ICS computer won't be able to use the internet.

In most cases a TTL limit is good… as long as the user doesn't know how to modify the TTL value. I know that it is no problem for anybody on this forum, but a TTL limit IS a problem for most of my customers. They are “ordinary people”, not gurus.

I block ICS with iptables:

I use on a Linux box:

iptables -I FORWARD -m ttl --ttl-lt 127 -j DROP (blocks NAT on Windows)

or

iptables -I FORWARD -m ttl --ttl-lt 63 -j DROP (blocks NAT on Linux)

And Mikrotik?

How do I translate these rules to MikroTik?

Or drop all packets if the TTL is lower than 128 if you've got only Windows hosts.
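The TTL heuristic behind the iptables rules above and the "drop TTL lower than 128" suggestion, written out as an added example that is not from any poster in this thread: it infers the sender's default TTL and hop count from the observed value, derives the ttl-lt thresholds for each OS default, and includes the case a TTL-rewriting NAT box slips past. It assumes the OS defaults 64/128/255 and that the match point sees the TTL after the router's own decrement, as the Linux FORWARD chain does; the addresses are constructed sample values.

```python
from dataclasses import dataclass

DEFAULT_TTLS = (64, 128, 255)  # initial TTLs of Linux/macOS, Windows, and most network gear

@dataclass(frozen=True)
class Packet:
    src: str  # client address on the hotspot bridge (constructed values below)
    ttl: int  # TTL as seen at the point where the rule matches

def initial_ttl(observed: int) -> int:
    """Nearest OS default TTL at or above the observed value."""
    for default in DEFAULT_TTLS:
        if observed <= default:
            return default
    raise ValueError(f"invalid TTL {observed}")

def hops_before_router(observed: int, router_decrement: int = 1) -> int:
    """Forwarding hops between the sending host and this router.
    router_decrement: times this router already lowered the TTL at the match
    point (1 in the Linux FORWARD chain, 0 when matching before routing)."""
    return initial_ttl(observed) - observed - router_decrement

def drop_below(default_ttl: int, router_decrement: int = 1) -> int:
    """Threshold N for a 'drop if TTL < N' rule: 127 for Windows, 63 for Linux."""
    return default_ttl - router_decrement

def is_shared(pkt: Packet, router_decrement: int = 1) -> bool:
    """True when an extra hop (an ICS or NAT box) sits behind the client port."""
    return hops_before_router(pkt.ttl, router_decrement) >= 1

def classify(packets, router_decrement: int = 1) -> dict:
    """Map each source to True if any of its packets looks forwarded."""
    verdict = {}
    for p in packets:
        verdict[p.src] = verdict.get(p.src, False) or is_shared(p, router_decrement)
    return verdict

# Constructed sample traffic as seen in the FORWARD chain (TTL already decremented once).
SAMPLE = [
    Packet("10.5.50.11", 127),  # Windows laptop connected directly: 128 - 1
    Packet("10.5.50.12", 63),   # Linux laptop connected directly: 64 - 1
    Packet("10.5.50.13", 126),  # Windows client behind a Windows ICS host: one hop more
    Packet("10.5.50.14", 62),   # Linux client behind a Linux NAT box: one hop more
    Packet("10.5.50.15", 127),  # client behind a NAT box that rewrites TTL to 128: evades the check
]

if __name__ == "__main__":
    for src, flagged in classify(SAMPLE).items():
        print(src, "sharing suspected" if flagged else "ok")
```

The last sample is the limit the thread already points out: once the sharing host rewrites its outgoing TTL, the packets are indistinguishable from a directly connected client.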

What is the problem exactly? I think you are on the wrong path to solving it.