[Linux] iptables, time restrictions

Shovel

Part of the furniture
Joined
Dec 22, 2003
Messages
1,350
Ello all:

I want to do something rather clever.. hopefully those still reading and not run for cover at a patented "Shovel Linux Adventure" will be able to help.

Linux Router (Smoothwall 2, for reference sake), running Squid proxy (transparently) and using iptables for firewall/filtering tasks.

Now, ACLs for squid can be set to only allow access for a specific group during particular hours of the day. I'm going to set up such a rule to keep my brothers off the net after 10:30pm (they're still on now and should have been in bed ages ago... ahem). However, this will only block web cache traffic. To block MSN Messenger I need to apply similar restrictions in iptables.

Does anyone know whether it's possible to do this directly in the chain? I'm currently thinking that maybe I'll need to have a cron job kick in daily to modify the chains?

I've been looking for a good reference on iptables, but can't really find one. Squid documentation is excellent (but then, it seems to have a BSD version, so naturally documentation is good ;))

Am I on the right track here? Or is there some other part of the system that will do this for me with half as much effort?

Thanks for any tips :)

Ben
 

pixie

Fledgling Freddie
Joined
Dec 24, 2003
Messages
5
just have 2 cron jobs add / remove rules as needed

going to be a lot easier :)
 

Gurnox

One of Freddy's beloved
Joined
Dec 28, 2003
Messages
527
pixie said:
just have 2 cron jobs add / remove rules as needed

going to be a lot easier :)
Agreed. That would seem to be the most logical way of doing things.
 

sibanac

Fledgling Freddie
Joined
Dec 19, 2003
Messages
824
There might be a nicer sollution.

MSN uses http over port 80 if default port (1863) is blocked.

So if you block port 1863 with iptables, msn will switch to HTTP over port 80, and thus be passing thru squid.

ways to block msn on squid are

acl msnmessenger url_regex -i gateway.dll
http_access deny msnmessenger

or
acl msn src 64.4.13.0/24
http_access deny msn

there might be other ways, but would have to look at msn traffic to figure them out :)
 

Shovel

Part of the furniture
Joined
Dec 22, 2003
Messages
1,350
Oooh, thanks for that. I need to work out if HTTP + MSN blocking will be sufficient, or if I need to account for blocking other stuff too. iptables is actually one of the few Linux internals that I know how to use* so I'm happy to have that played with through Cron jobs. I break individual machines into separate chains for things like this, so keeping track of rules isn't too hard to do :) (*at least functionally, don't ask me to secure your corperate network for God's sake)

I've had quite a few ideas thrown at me now - so I've got choices coming out of my ears :)

The most elegant is actually a mod for iptables that adds time fields - but that requires recompilation and is really a long way out of my depth atow. I'm going to get back into Linux next term, play with Gentoo I think - since I have a Gentoo using nocturnal flatmate who'll provide me with tech support to get it working :)

Thank you for the feedback on this - it's much appreciated. I think cron jobs are going to be the best bet. The router gets switched off when I go to bed, but never gets restarted in between, so while I'll put a "daytime" cron in for completeness, hopefully the only one I'll need is the restrictions.
 

sibanac

Fledgling Freddie
Joined
Dec 19, 2003
Messages
824
Be carefull if you use cron that the initali state of the firewall is the right one.
Say you want to shut down your bro's msn at 10pm
you got one cron job going in at 9am to open msn and one closing at 10pm
now for some reasone the router gets rebooted and comes up at 10.01 pm the cron to close the connection will not be run unless you check localtime in the firewall startup script and use that to check the inital desired state.

Been thinking about it some more and if you block the msn port on iptables, msn will default to use http over port 80 as backup protocol and thus be shut down when the rest of your bro's http connections get blocked on the squid.
This takes only one line added to the iptabels to work, no change needed on the squid side.
 

Deebs

Chief Arsewipe
Staff member
Moderator
FH Subscriber
Joined
Dec 11, 1997
Messages
9,075,707
Shovel said:
Oooh, thanks for that. I need to work out if HTTP + MSN blocking will be sufficient, or if I need to account for blocking other stuff too. iptables is actually one of the few Linux internals that I know how to use* so I'm happy to have that played with through Cron jobs. I break individual machines into separate chains for things like this, so keeping track of rules isn't too hard to do :) (*at least functionally, don't ask me to secure your corperate network for God's sake)

I've had quite a few ideas thrown at me now - so I've got choices coming out of my ears :)

The most elegant is actually a mod for iptables that adds time fields - but that requires recompilation and is really a long way out of my depth atow. I'm going to get back into Linux next term, play with Gentoo I think - since I have a Gentoo using nocturnal flatmate who'll provide me with tech support to get it working :)

Thank you for the feedback on this - it's much appreciated. I think cron jobs are going to be the best bet. The router gets switched off when I go to bed, but never gets restarted in between, so while I'll put a "daytime" cron in for completeness, hopefully the only one I'll need is the restrictions.
Alternatively, have a rule added that blocks ALL traffic from his internal ip only. Job done, doesn't matter then if the router is rebooted etc etc as only his IP will be blocked.
 

Shovel

Part of the furniture
Joined
Dec 22, 2003
Messages
1,350
Deebs said:
Alternatively, have a rule added that blocks ALL traffic from his internal ip only. Job done, doesn't matter then if the router is rebooted etc etc as only his IP will be blocked.
Thank you :) I understand the principal, but not how that actually works in practice though :(

If I have a rule that blocks all his IP traffic (his IP is fixed by the way), then that blocks him - excellent. But how does he then gets access at the permitted times?
 

Deebs

Chief Arsewipe
Staff member
Moderator
FH Subscriber
Joined
Dec 11, 1997
Messages
9,075,707
Shovel said:
Thank you :) I understand the principal, but not how that actually works in practice though :(

If I have a rule that blocks all his IP traffic (his IP is fixed by the way), then that blocks him - excellent. But how does he then gets access at the permitted times?
Take the rule out, use a cron job as detailed before but instead of fucking about with rules for certain apps just block his IP completely during the "night hours" etc.
 

Shovel

Part of the furniture
Joined
Dec 22, 2003
Messages
1,350
Ahhhh, I'm with you now :D

I think that's what I'll do :) Although the MSN point is interesting to note, I can't trust them not to find a new IM client while I'm away at uni ;)

Thank you :)
 

mookie

Can't get enough of FH
Joined
Dec 23, 2003
Messages
251
whilst we're on the subject of brothers and surfing habits, reccomendations for content filtering software that is transparent? the content filtering on my router is shit, preferably something that allows me to add keywords to block too.
 

Shovel

Part of the furniture
Joined
Dec 22, 2003
Messages
1,350
Is it a customisable router (e.g. Linux box) or a black box with a brand name on the front?

If it's the former, there's various (regularly updated) porn filter lists you could automatically download and include as a block list in Squid. I'll be doing that myself when I implement the above :) You can also censor keywords from URLs - so you can block "willy", which will block "wijwillys.com" and "bigwilly.net" (you get the idea...).
What squid wont do is censor content - e.g. it wont read the HTML and censor Bodhi for you before displaying it on the page. I don't know if there's a plug in for it that will though - there's a little bell ringing in my head that says there might be...
 

mookie

Can't get enough of FH
Joined
Dec 23, 2003
Messages
251
its a netgear mr314, and its a big hunk'o'shit. i suppose i should google before i ask these type of questions :)
 

Shovel

Part of the furniture
Joined
Dec 22, 2003
Messages
1,350
Nah, you'd destroy Xane's reason for living if you google
 

Users who are viewing this thread

Top Bottom