On Sun, 12 Mar 2017 03:18:59 -0400, "Walter Dnes" <waltdnes@××××××××.org> wrote:

> Starting a separate topic, rather than hijack the main thread...
>
> On Fri, Mar 10, 2017 at 01:50:26PM -0600, Corbin Bird wrote
> >
> > 6 # : ISP is starting to filter customers' web access. The ISP is
> > deciding what sites customers are allowed to see. ( look up the
> > practice called "ransom" ).
>
> Does this consist of grabbing outbound traffic to port 53? If so, I
> wonder if the following is possible...
>
> * Can a POTS dialup or a wifi connection co-exist with a broadband
> connection? It would make the network config and route config more
> complex.

Complex? Not really. Just put static DNS IPs into your resolver config,
and add a static route for these destinations:

for tunnel devices like ppp:
# route add 8.8.4.4 dev ppp-interface

or

for LAN router:
# route add 8.8.4.4 gw ip-of-your-dialup-router

And then do not let the dialup line set a default route.

> * If yes, can iptables be used to redirect only outbound-to-port-53
> traffic to the dialup/wifi connection, with everything else going to
> the broadband connection?

You could, but this becomes more complicated. I think this would have to
go into the pre-routing chain. But I don't recommend fiddling around
with that.

> * Another option, if you know the alternate DNS server address in
> advance, set up routing of the /32 (for the alternate DNS server)
> to ppp0 or wlan0 with higher priority than the default route. This
> doesn't require any iptables magic.

As stated above... And you don't need to set higher priority. The best
matching rules are always tried before routing rules with lower
matching destinations; that means /32 destination rules are matched
before /24 destination rules, and so forth. The default gateway
matches IP destination 0/0. The priority is only considered when
multiple equally matching rules are found. Just remove the default
route via the ppp route to ensure nothing else will go over the slow
link.

> * Can the standard linux network stack handle this properly, and use
> incoming DNS responses from the dialup/wifi connection for the IP
> addresses of websites, etc to be accessed via broadband?

I don't see problems here. DNS is one request, HTTP is another. As long
as your broadband DNS doesn't resolve to some proxy IPs all should be
fine.

> DNS traffic is low volume, usually fitting into 1 packet. So it
> would be feasible to divert DNS requests to a lower-speed connection.
> The broadband ISP would handle all the high-speed website, etc, traffic
> but it would not see any DNS traffic, and would not be able to
> intercept it.

Yes.


--
Regards,
Kai

Replies to list-only preferred.
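A worked illustration of the longest-prefix-match argument in the reply above (an added example, not code from the original mail): a constructed routing table with a broadband default route and /32 routes for the DNS resolvers via ppp0, a lookup that mirrors the kernel's selection order (most specific prefix first, metric only as a tie-breaker between equal prefix lengths), and a check that no default route points at the dialup device. Interface names, the gateway address and the metrics are assumed sample values.

```python
import ipaddress

# Constructed routing table mirroring the setup from the mail:
# default route via the broadband router, /32 routes for the public
# DNS resolvers via the dialup link (ppp0), and no default route on
# ppp0.  Tuple format: (prefix, device, gateway, metric); a lower
# metric is preferred.  All values are assumed sample values.
ROUTES = [
    ("0.0.0.0/0", "eth0", "192.168.1.1", 100),   # broadband default
    ("192.168.1.0/24", "eth0", None, 100),       # broadband LAN
    ("8.8.4.4/32", "ppp0", None, 200),           # DNS over the slow link
    ("8.8.8.8/32", "ppp0", None, 200),
]


def lookup(dst, routes=ROUTES):
    """Longest-prefix match: the most specific matching prefix wins;
    the metric only breaks ties between routes of equal prefix length.
    Returns (prefix, device) of the chosen route, or None."""
    addr = ipaddress.ip_address(dst)
    matches = [
        (ipaddress.ip_network(prefix), dev, metric)
        for prefix, dev, _gw, metric in routes
        if addr in ipaddress.ip_network(prefix)
    ]
    if not matches:
        return None
    net, dev, _ = max(matches, key=lambda m: (m[0].prefixlen, -m[2]))
    return (str(net), dev)


def default_routes_via(dev, routes=ROUTES):
    """Check for the advice 'do not let the dialup line set a default
    route': return any 0/0 routes that point at `dev`."""
    return [r for r in routes
            if ipaddress.ip_network(r[0]).prefixlen == 0 and r[1] == dev]


def ip_route_commands(routes=ROUTES):
    """Render the table as iproute2 `ip route add` lines, the modern
    equivalent of the net-tools `route add` lines quoted in the mail."""
    cmds = []
    for prefix, dev, gw, metric in routes:
        via = f" via {gw}" if gw else ""
        cmds.append(f"ip route add {prefix}{via} dev {dev} metric {metric}")
    return cmds


if __name__ == "__main__":
    for dst in ("8.8.4.4", "8.8.8.8", "93.184.216.34", "192.168.1.50"):
        print(dst, "->", lookup(dst))
    print("default routes via ppp0:", default_routes_via("ppp0"))
    print("\n".join(ip_route_commands()))
```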