[tech] WAIX and Internet2 access working

Grahame Bowland grahame at angrygoats.net
Thu Mar 24 00:39:55 WST 2005


Hi guys

I've set up code to generate a comprehensive list of all networks that
should be free for a given 24 hour period. Before I go any further, I'd
just like to explicitly state that this could break, and it could cost
UCC money. So we need to make sure we don't mess up and keep an eye on
things for a few days. If something goes wrong, blame me with my UCC hat
on, not me with my UCS hat on :)

There is a large iptables chain FREENETS on madako. This allows networks 
to be matched based on whether they are reached via Grangenet or the
various non-byte charged bits of AARNET. I've set things up so that at
boot time, hosts that are limited to FREENETS have:
  access to all of FREENETS (-A FORWARD -d 130.95.13.18 -j FREENETS)
  no access to anything else (-A FORWARD -d 130.95.13.18 -j DROP)

FREENETS is initialised to just 130.95/16 at boot time.

FREENETS is updated overnight via a script which can be found in root's
crontab on madako. AARNET update their information at 8:30pm, I update
UCS's information at 9pm to be safe. UCC retrieves the processed data
at 9:05pm.

I've modified the AARNET-IP-IN access list on villa so that mussel is
unfiltered. All filtering has to be done on madako, and if madako
decides to let mussel get to charged hosts that's just too bad...
but it seems to be fine now.

At the moment everything seems fine. I'd appreciate other people
checking over what I've done. There are approximately 20,000 prefixes
reachable from mussel now, with no theoretical charge to UCC :-)

mussel::~ $ ping www.gnome.org
PING www.gnome.org (12.107.209.247) 56(84) bytes of data.
64 bytes from window.gnome.org (12.107.209.247): icmp_seq=1
64 bytes from window.gnome.org (12.107.209.247): icmp_seq=2

Anyway, test it out and let me know how you go.

It would be cool if someone could write some stuff to check if charged
hosts are reachable, and bleep loudly if they are. This might save our
bacon sometime in the future :)

Granting further hosts access to the FREENETS prefixes requires a change
on the UCS router, so give me a poke if that needs doing :)

We know things are probably free for 24 hours because AARNET base their
billing for a 24 hour period off the same data we're generating our
iptables chain from. It's not likely things changing during the day
within AARNET will cause a problem.
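The post asks for something that checks whether charged (non-FREENETS) hosts are reachable from a restricted host and complains loudly if they are. The script below is an added example written for this archive, not the cron script or anything else from the original post. It assumes the FREENETS chain can be listed with `iptables -S FREENETS` and that each free prefix appears as an `-A FREENETS -d <prefix> -j ACCEPT` line (the post does not show the chain's contents, so that rule shape is an assumption); the sample chain output and the canary host list are constructed, and the reachability probe assumes the Linux iputils `ping -c/-W` flags.

```python
"""Audit a FREENETS-style iptables allow list against a set of canary hosts.

Added example (not from the original post). Reports any host that is both
outside every FREENETS prefix and still reachable, i.e. traffic that would be
byte-charged if the filtering on the router has gone wrong.
"""
import ipaddress
import re
import subprocess
import sys
from typing import Callable, Iterable, List

# Constructed sample of what `iptables -S FREENETS` might print (assumed
# rule shape; the real chain is generated overnight from AARNET's data).
SAMPLE_RULES = """\
-N FREENETS
-A FREENETS -d 130.95.0.0/16 -j ACCEPT
-A FREENETS -d 203.0.113.0/24 -j ACCEPT
-A FREENETS -d 198.51.100.128/25 -j ACCEPT
"""

# Matches one ACCEPT rule in the chain and captures its destination prefix.
RULE_RE = re.compile(r"^-A FREENETS -d (\S+) -j ACCEPT$")


def parse_freenets(rules_text: str) -> List[ipaddress.IPv4Network]:
    """Turn `iptables -S FREENETS` output into a list of network objects."""
    nets = []
    for line in rules_text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            # strict=False tolerates a host address with a non-zero host part.
            nets.append(ipaddress.ip_network(m.group(1), strict=False))
    return nets


def is_free(dest: str, nets: Iterable[ipaddress.IPv4Network]) -> bool:
    """True if the destination falls inside at least one FREENETS prefix."""
    addr = ipaddress.ip_address(dest)
    return any(addr in n for n in nets)


def ping_probe(host: str, timeout_s: int = 1) -> bool:
    """Reachability probe via the system ping (assumes iputils -c/-W flags)."""
    result = subprocess.run(
        ["ping", "-c", "1", "-W", str(timeout_s), host],
        stdout=subprocess.DEVNULL,
        stderr=subprocess.DEVNULL,
    )
    return result.returncode == 0


def audit(probe: Callable[[str], bool], hosts: Iterable[str],
          nets: Iterable[ipaddress.IPv4Network]) -> List[str]:
    """Return the hosts that are outside FREENETS yet answer the probe.

    Only non-free hosts are probed, so a correct filter produces an empty list;
    anything returned is traffic that would be charged.
    """
    nets = list(nets)
    leaks = []
    for host in hosts:
        if not is_free(host, nets) and probe(host):
            leaks.append(host)
    return leaks


def load_live_chain() -> List[ipaddress.IPv4Network]:
    """Read the real chain from the running firewall (needs root on the filter box)."""
    out = subprocess.run(["iptables", "-S", "FREENETS"], check=True,
                         capture_output=True, text=True).stdout
    return parse_freenets(out)


if __name__ == "__main__":
    # Usage: run on the restricted host with a list of known-charged canary
    # addresses, e.g. `python3 freenets_audit.py 192.0.2.10 192.0.2.20`.
    # A hypothetical placeholder list is used when no arguments are given.
    canaries = sys.argv[1:] or ["192.0.2.10"]
    leaks = audit(ping_probe, canaries, load_live_chain())
    if leaks:
        # "bleep loudly": BEL character plus a non-zero exit for cron's mail.
        print("\a CHARGED HOSTS REACHABLE: " + ", ".join(leaks))
        sys.exit(1)
    print("ok: no charged canary host reachable")
```

Run it from cron on the restricted host with a handful of addresses you know are byte-charged; a non-zero exit turns into a cron mail, and the BEL in the output rings a terminal if someone is watching. The probe is passed in as a function so the logic can be exercised against a canned reachability table without touching the network.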