Simple shut-off scripting

I had a client today who is doing some things manually, as they use QuickBooks for billing and the like. One thing they struggle with is turning people off for non-payment. Their current method is adding a queue and throttling the customer to a low speed to make them call. Their network is a routed network using DHCP to the CPE at the customer; everything is in router mode and they control the addressing of the units via DHCP reservations. So how do we make this better without adding RADIUS and all kinds of other stuff to the network?

First we set up a web-proxy

/ip proxy
set enabled=yes port=8089

/ip proxy access
add dst-host=mtin.net dst-port=80
add dst-host=*.mtin.net dst-port=80
add dst-port=53
add action=deny redirect-to=www.mtin.net

What the above does is say that anyone coming into the proxy is only allowed to go to mtin.net (our domain, used as an example) and to use port 53 (DNS); anything else gets redirected to www.mtin.net. We allowed port 53 because they are in the process of cleaning up some radios and such that are still pointed at 8.8.8.8 and other outside DNS servers.

Next we set up a NAT rule

/ip firewall nat
add action=redirect chain=dstnat dst-port=80 protocol=tcp src-address-list=\
SHUTOFF to-ports=8089

This NAT rule says anyone making a port 80 request from our SHUTOFF address list gets redirected to port 8089 (the proxy port set up earlier).

Our third step is to set up the address list. This is very straightforward: just modify the list, adding users to it when they are to be turned off.

/ip firewall address-list
add address=10.20.0.192 list=SHUTOFF

Lastly, we add a filter rule which denies the SHUTOFF folks everything except port 53 and port 80. We do this because we can't proxy port 443 and other SSL traffic: if these folks go to an HTTPS site it simply fails. This is a drawback of using a web proxy.

/ip firewall filter
add action=drop chain=forward dst-port=!53,80 protocol=tcp src-address-list=\
SHUTOFF

If you have an SSL payment gateway you can modify your filter rules to allow traffic to it. This is just one quick and dirty way of letting customers know they have been turned off.
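To take the "modify the list by hand" step off the operator's plate, here is an added Python example (not the post's code) that reads the router's address-list export and a list of delinquent accounts from billing, and emits the RouterOS commands that bring the SHUTOFF list into line with it. The 10.20.0.0/16 customer range, the account names and the export text are all constructed for the example.

```python
import ipaddress
import shlex

LIST_NAME = "SHUTOFF"                                # list used by the NAT and filter rules
CUSTOMER_NET = ipaddress.ip_network("10.20.0.0/16")  # assumed CPE range (placeholder)

# Constructed sample of '/ip firewall address-list export' output, including a
# backslash-wrapped line as RouterOS prints them.
SAMPLE_EXPORT = """\
/ip firewall address-list
add address=10.20.0.192 comment=acct-1042 list=SHUTOFF
add address=10.20.0.77 comment="acct-1100 late fee" \\
    list=SHUTOFF
add address=10.20.0.5 list=OTHER
"""
# Constructed billing export: account -> reserved CPE address (acct-1100 has paid).
DELINQUENT = {"acct-1042": "10.20.0.192", "acct-2001": "10.20.0.210"}

def parse_address_list(export_text, list_name=LIST_NAME):
    """Return {address: comment} for the entries of list_name in an export."""
    current, buf = {}, ""
    for raw in export_text.splitlines():
        buf += raw.strip()
        if buf.endswith("\\"):           # entry continues on the next line
            buf = buf[:-1]
            continue
        line, buf = buf, ""
        if line.startswith("add "):
            fields = dict(t.split("=", 1) for t in shlex.split(line)[1:] if "=" in t)
            if fields.get("list") == list_name and "address" in fields:
                current[fields["address"]] = fields.get("comment", "")
    return current

def check_customer_ip(text):
    """Reject malformed or non-customer addresses so a bad billing export cannot
    put the router's own or upstream addresses on the shut-off list."""
    ip = ipaddress.ip_address(text)
    if ip not in CUSTOMER_NET:
        raise ValueError(f"{ip} is not a customer address")
    return str(ip)

def sync_commands(current, delinquent, list_name=LIST_NAME):
    """Commands that make the router's list match billing: add the missing, remove the paid."""
    wanted = {check_customer_ip(ip): acct for acct, ip in delinquent.items()}
    cmds = []
    for ip in sorted(set(wanted) - set(current), key=ipaddress.ip_address):
        cmds.append(f'/ip firewall address-list add address={ip} list={list_name} '
                    f'comment="{wanted[ip]}"')
    for ip in sorted(set(current) - set(wanted), key=ipaddress.ip_address):
        cmds.append(f'/ip firewall address-list remove [find list={list_name} address={ip}]')
    return cmds
```

Run the emitted commands in the router's terminal (or paste them into a script); because the function only emits the difference, running it repeatedly is safe.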

Mac GeekLet for Network Info

As a network person running a Mac I find it handy to know what IP my various connections have, along with some other info. To do this I use a program called GeekTool. Once you have GeekTool up and running you can add the following code to a new Geeklet.

#!/bin/bash
# Wireless SSID and channel, pulled from the AirPort section of system_profiler
varSSID1=`system_profiler SPAirPortDataType | grep -A 2 -e "Current Network Information:" | tr '\n' ' ' | tr ':' ' ' | awk '{print $4}'`
varCHAN1=`system_profiler SPAirPortDataType | grep -e "Channel: " | awk '{print $2}'`
# Public IPv4/IPv6 address as seen from outside; the 5-second timeout keeps the geeklet from hanging when offline
varEXTERNAL1=`curl --connect-timeout 5 -s http://checkip.dyndns.org/ | grep "Current IP Address" | awk '{print $6}' | cut -f 1 -d "<"`
varEXTERNALv6=`curl --connect-timeout 5 -s http://checkipv6.dyndns.org/ | grep "Current IP Address" | awk '{print $6}' | cut -f 1 -d "<"`
# Addresses on the wired (en0), wireless (en1) and VPN (jnc0) interfaces
varWIRED1=`ifconfig en0 | grep "inet " | grep -v 127.0.0.1 | awk '{print $2}'`
varWIREDv6=`ifconfig en0 | grep "inet6 " | grep -v 127.0.0.1 | awk '{print $2}'`
varWIRELESS1=`ifconfig en1 | grep "inet " | grep -v 127.0.0.1 | awk '{print $2}'`
varWIRELESSv6=`ifconfig en1 | grep "inet6 " | grep -v 127.0.0.1 | awk '{print $2}'`
varSSL1=`ifconfig jnc0 | grep "inet " | grep -v 127.0.0.1 | awk '{print $2}'`   # VPN address; not printed below

# Print each connection, or INACTIVE when no address was found
if [ "$varEXTERNAL1" != "" ]
then
echo "External : $varEXTERNAL1"
else
echo "External : INACTIVE"
fi

if [ "$varEXTERNALv6" != "" ]
then
echo "ExternalV6 : $varEXTERNALv6"
else
echo "ExternalV6 : INACTIVE"
fi

if [ "$varWIRED1" != "" ]
then
echo "Wired : $varWIRED1"
else
echo "Wired : INACTIVE"
fi

if [ "$varWIREDv6" != "" ]
then
echo "WiredV6 : $varWIREDv6"
else
echo "WiredV6 : INACTIVE"
fi

if [ "$varWIRELESS1" != "" ]
then
echo "AirPort : $varWIRELESS1 SSID: $varSSID1"
else
echo "AirPort : INACTIVE"
fi

if [ "$varWIRELESSv6" != "" ]
then
echo "AirPortV6 : $varWIRELESSv6"
else
echo "AirPortV6 : INACTIVE"
fi

[screenshot: GeekTool geeklet showing the output of the script]

As you can see in the above screenshot, it displays the IP addresses (both IPv4 and IPv6) of each interface, the external IP, and the wireless SSID.