
I assist in running a public WiFi network, and we assign each user an internal IP address on the 10.0.0.0/8 subnet. We sometimes get emails about abuse of network services, but because of the nature of NAT we're never able to figure out what user was abusing that service.

I know of two things that might help:

  • X-Forwarded-For headers on outgoing HTTP connections (but that doesn't handle anything other than HTTP)
  • Ident, which (correct me if I'm wrong) returns a string identifying a user based on a local port and a remote port

I think setting up an ident daemon would make sense but I don't know of any ident daemons that base identification strings on the local IP address behind a NAT.

Is there an ident daemon that's the right way to go here? Or should I be thinking about other ways to allow abused hosts to help us with abuse queries?

Edit: I should probably mention that we are running a captive portal, so we do know what MAC addresses are tied to what IP addresses. This question is about giving abused services the ability to tell us which of our users behind the NAT was causing problems for them.

ianweller

1 Answer

3

You should rely on your firewall's logs to track outgoing Internet connections and map them to the internal IP addresses which are originating them. What router/firewall are you using for your NAT? Even a Linux box running iptables can provide this kind of logging.

Another option would be setting up a proxy, forcing your users to use it and then use its logs; but this of course would apply only to web traffic.

Massimo
  • We're using Shorewall (so, effectively iptables). I'll take a look at its logging functionality. – ianweller Dec 25 '11 at 02:06
  • You can add a log level to any rules. If you are getting abuse claims, I would consider a tighter outgoing policy. – BillThor Dec 26 '11 at 04:11
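The answer above says to lean on firewall logs; the script below is an added example of what that looks like in practice and is not code from the thread or from Shorewall. It assumes the gateway logs new outbound connections in the FORWARD chain, before SNAT rewrites the source, with a rule equivalent to `iptables -A FORWARD -i eth1 -o eth0 -p tcp --syn -j LOG --log-prefix "Shorewall:loc2net:ACCEPT:"` (Shorewall emits such rules when a log level is set on a rule or policy). Each resulting kernel log line carries the internal SRC/SPT, the DST/DPT the abused host saw, and a MAC= field of the form `<dst mac>:<src mac>:<ethertype>`, so the client's MAC can be matched against the captive-portal records. The interface names, addresses, MACs and the abuse report are all constructed for the example.

```python
"""Correlate an abuse report with iptables/Shorewall LOG lines to find the
NAT'd client behind it.

Added example, not code from the thread. Assumes a FORWARD-chain LOG rule
(pre-SNAT), so SRC is the internal 10/8 address, and that the logged MAC
field is <dst mac>:<src mac>:<ethertype> as the LOG target writes it.
"""
import re
from datetime import datetime, timedelta
from typing import List, NamedTuple, Optional, Tuple, Union

# Constructed sample log: three clients, two of them talking to the
# host that later complained (203.0.113.5:22).
SAMPLE_LOG = """\
Dec 25 01:58:03 gw kernel: [12345.678901] Shorewall:loc2net:ACCEPT:IN=eth1 OUT=eth0 MAC=00:0c:29:aa:bb:cc:00:1b:21:dd:ee:01:08:00 SRC=10.0.3.17 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4711 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Dec 25 01:58:09 gw kernel: [12351.001122] Shorewall:loc2net:ACCEPT:IN=eth1 OUT=eth0 MAC=00:0c:29:aa:bb:cc:00:1b:21:dd:ee:02:08:00 SRC=10.0.7.42 DST=198.51.100.9 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4712 DF PROTO=TCP SPT=40001 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
Dec 25 02:03:41 gw kernel: [12683.555555] Shorewall:loc2net:ACCEPT:IN=eth1 OUT=eth0 MAC=00:0c:29:aa:bb:cc:00:1b:21:dd:ee:01:08:00 SRC=10.0.3.17 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4713 DF PROTO=TCP SPT=51240 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Dec 25 02:41:00 gw kernel: [14922.000001] Shorewall:loc2net:ACCEPT:IN=eth1 OUT=eth0 MAC=00:0c:29:aa:bb:cc:00:1b:21:dd:ee:04:08:00 SRC=10.0.9.8 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4714 DF PROTO=TCP SPT=33000 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
"""

TS_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) ")
KV_RE = re.compile(r"(\w+)=(\S+)")


class Conn(NamedTuple):
    ts: datetime
    src: str
    spt: Optional[int]
    dst: str
    dpt: Optional[int]
    proto: str
    src_mac: Optional[str]


def parse_log_line(line: str, year: int) -> Optional[Conn]:
    """Parse one kernel LOG line; None for lines that are not LOG records.
    Syslog timestamps carry no year, so the caller supplies it."""
    m = TS_RE.match(line)
    if not m or "SRC=" not in line:
        return None
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    kv = dict(KV_RE.findall(line))
    src_mac = None
    mac = kv.get("MAC")
    if mac:
        parts = mac.split(":")
        if len(parts) >= 12:  # 6 bytes dst MAC, 6 bytes src MAC, 2 bytes ethertype
            src_mac = ":".join(parts[6:12])
    return Conn(ts, kv["SRC"], int(kv["SPT"]) if "SPT" in kv else None,
                kv["DST"], int(kv["DPT"]) if "DPT" in kv else None,
                kv.get("PROTO", "?"), src_mac)


def parse_log(text: str, year: int) -> List[Conn]:
    return [c for c in (parse_log_line(l, year) for l in text.splitlines()) if c]


def find_sources(conns: List[Conn], dst: str, when: Union[str, datetime],
                 dpt: Optional[int] = None, tolerance_minutes: int = 5) -> List[Conn]:
    """Connections to dst (and dpt, if given) within +/- tolerance of `when`.
    A window is used because the reporter's clock and ours rarely agree."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    tol = timedelta(minutes=tolerance_minutes)
    return [c for c in conns
            if c.dst == dst and (dpt is None or c.dpt == dpt)
            and abs(c.ts - when) <= tol]


def suspects(conns: List[Conn], dst: str, when: Union[str, datetime],
             dpt: Optional[int] = None, tolerance_minutes: int = 5
             ) -> List[Tuple[str, Optional[str]]]:
    """Distinct (internal IP, client MAC) pairs to look up in the captive portal."""
    pairs = {(c.src, c.src_mac) for c in find_sources(conns, dst, when, dpt, tolerance_minutes)}
    return sorted(pairs, key=lambda p: (p[0], p[1] or ""))


if __name__ == "__main__":
    conns = parse_log(SAMPLE_LOG, 2011)
    # Constructed abuse report: "SSH brute force from your address against
    # 203.0.113.5 at about 02:05 on 25 Dec 2011" (already converted to our timezone).
    for src, mac in suspects(conns, "203.0.113.5", "2011-12-25 02:05:00", dpt=22):
        print(f"{src} (MAC {mac})")
```

Two caveats for real use. First, abuse reports are usually in UTC while syslog is in local time; convert before matching. Second, if the reporter quotes the source port they saw, it is the post-SNAT port, which a FORWARD-chain log does not contain; to match on that you need the conntrack table (or a log taken after NAT), not this log.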