
Thread: iptables question to cut the network access

  1. #1
    Join Date
    Jul 2009
    Posts
    79

    iptables question to cut the network access

    I have started going through sites on iptables, but frankly my "simple" problem does not find the simple answer I expected among the multitude of examples I found. Let me explain; in summary, my network is composed as follows:

    Red: 192.168.0.x

    Green:
    - 10.0.20.x = dynamic IP addresses (DHCP)
    - 10.0.21.x = fixed IP addresses
    - IPCop = 10.0.20.1

    I would like to totally cut network access for the DHCP IP addresses, and not just the HTTP protocol (for which I am currently using franck78's squidguard), in the evening between 20:00 and 9:00.

    I am not at all an expert in networking, and much less in iptables, so I would like to know, before any manipulation, whether the following approach works.

    Cutting access for a specific address at 20:00
    1 - add to the cron at 20:00
    Code:
    # INPUT matches packets addressed to the firewall itself, OUTPUT packets it sends;
    # on OUTPUT the host is the destination (-d), not the source. Traffic that is only
    # routed through the firewall is seen by the FORWARD chain instead.
    iptables -A INPUT  -p all -s 10.0.20.159 -j DROP
    iptables -A OUTPUT -p all -d 10.0.20.159 -j DROP

    2 - add to the cron at 9:00 the same commands with the -D option
    Code:
    # -D must repeat the rule exactly as it was added (same chain, options and target)
    iptables -D INPUT  -p all -s 10.0.20.159 -j DROP
    iptables -D OUTPUT -p all -d 10.0.20.159 -j DROP
    If I want to completely ban access for all the DHCP addresses except my IPCop firewall, would the following approach work?
    1 - add to the cron at 20:00
    Code:
    # The exception for the firewall has to come BEFORE the DROP: rules are evaluated
    # in order and the first match wins, so an ACCEPT appended after the DROP is never reached.
    iptables -A INPUT  -p all -s 10.0.20.1 -j ACCEPT
    iptables -A OUTPUT -p all -d 10.0.20.1 -j ACCEPT
    # 10.0.20.0/24 is the DHCP range; 10.0.20.1/8 would mean 10.0.0.0/8 and also hit 10.0.21.x.
    iptables -A INPUT  -p all -s 10.0.20.0/24 -j DROP
    iptables -A OUTPUT -p all -d 10.0.20.0/24 -j DROP

    2 - add to the cron at 9:00 the same commands with the -D option

  2. #2
    Join Date
    May 2008
    Posts
    991

    Re: iptables question to cut the network access

    Time management in a web filter always amazes me:

    - Why allow at certain hours what is forbidden at others?
    - Sites like that should be banned completely!
    - What happens with someone working 2x8 shifts?
    - Why is it so hard to talk to users as adults?
    - Why would a user feel hurt at being accused of browsing such sites, while now being accused of not being available?
    - Wouldn't displaying the list of the 100 most-visited sites be enough to make certain people think?
    - Why spend so much time on such sites at work while we all have ADSL at home?

    One can imagine something based on -A / -D via cron (except that -D does not work on any line, if I am not mistaken?). (Perhaps it would be better to use iptables-save/iptables-restore.)

    There are (many) simpler ways: SquidGuard manages time!

    Starting from the conf file generated by the (excellent) Franck78 tool, one should be able to add time management (even after any regeneration of the config: a few extra lines at the beginning and a change of lines at the end...).

    Visit http://www.squidguard.org/Doc/extended.html and look at the "Blocking based on times" section.

  3. #3
    Join Date
    Nov 2008
    Posts
    1,066

    Re: iptables question to cut the network access

    I think he wants something like "block MSN except from 17:00 to 19:00", which I believe I did in my IPCop for one IP. It gives this:

    In cron:
    Code:
    0 17 * * * /etc/rc.d/rc.firewall.local msn
    0 19 * * * /etc/rc.d/rc.firewall.local nomsn
    and in rc.firewall.local:
    Code:
    #!/bin/sh
    IPTABLES="/sbin/iptables"        ## The program control

    # Block MSN for one host: the MSN port plus the MSN address ranges.
    # CUSTOMFORWARD is the chain IPCop reserves for local rules on forwarded traffic.
    nomsn()
    {
        $IPTABLES -A CUSTOMFORWARD -p tcp -s 10.0.0.10 -m tcp --dport 1863 -j DROP # MSN port
        $IPTABLES -A CUSTOMFORWARD -p tcp -s 10.0.0.10 -d 65.52.0.0/16 -j DROP # MSN address range
        $IPTABLES -A CUSTOMFORWARD -p tcp -s 10.0.0.10 -d 65.53.0.0/16 -j DROP # MSN address range
        $IPTABLES -A CUSTOMFORWARD -p tcp -s 10.0.0.10 -d 65.54.0.0/16 -j DROP # MSN address range
        $IPTABLES -A CUSTOMFORWARD -p tcp -s 10.0.0.10 -d 65.55.0.0/16 -j DROP # MSN address range
    }

    # Unblock MSN: delete the very same rules (a -D only matches a rule written identically).
    msn()
    {
        $IPTABLES -D CUSTOMFORWARD -p tcp -s 10.0.0.10 -d 65.55.0.0/16 -j DROP # MSN address range
        $IPTABLES -D CUSTOMFORWARD -p tcp -s 10.0.0.10 -d 65.54.0.0/16 -j DROP # MSN address range
        $IPTABLES -D CUSTOMFORWARD -p tcp -s 10.0.0.10 -d 65.53.0.0/16 -j DROP # MSN address range
        $IPTABLES -D CUSTOMFORWARD -p tcp -s 10.0.0.10 -d 65.52.0.0/16 -j DROP # MSN address range
        $IPTABLES -D CUSTOMFORWARD -p tcp -s 10.0.0.10 -m tcp --dport 1863 -j DROP # MSN port
    }

    # How we are called.
    case "$1" in
      start)
            iptables_init   # calculate some useful variables (poster's own helper, not shown here)
            iptables_start  # startup (poster's own helper, not shown here)
            nomsn           # blocks MSN...
            ;;
      stop)
            $IPTABLES -F SRC   # cleaning (SRC is the poster's own chain)
            #$IPTABLES -X SRC
            ;;
      msn)
            msn
            ;;
      nomsn)
            nomsn
            ;;
      *)
            echo "This script is called by rc.firewall!"
            ;;
    esac

  4. #4
    Join Date
    May 2008
    Posts
    991

    Re: iptables question to cut the network access

    It is true that I tried IPCop once, and I am not familiar with the tool you have developed!

    But since -D does not work as Harmony imagined, your proposal seems excellent to me: the firewall script is restarted from the beginning, with or without the appropriate lines (in a bash function).

    That seems efficient!

  5. #5
    Join Date
    Jul 2009
    Posts
    79

    Re: iptables question to cut the network access

    Quote Originally Posted by Aleksandra
    Time management in a web filter always amazes me:

    - Why allow at certain hours what is forbidden at others?
    - Sites like that should be banned completely!
    - What happens with someone working 2x8 shifts?
    - Why is it so hard to talk to users as adults?
    - Why would a user feel hurt at being accused of browsing such sites, while now being accused of not being available?
    - Wouldn't displaying the list of the 100 most-visited sites be enough to make certain people think?
    - Why spend so much time on such sites at work while we all have ADSL at home?

    One can imagine something based on -A / -D via cron (except that -D does not work on any line, if I am not mistaken?). (Perhaps it would be better to use iptables-save/iptables-restore.)

    There are (many) simpler ways: SquidGuard manages time!
    Hello. Regarding my problem, it is a LAN at my home, not a corporate or university network.

    Moreover, my concern is not really with the hours of web access because, as mentioned, I use the franck addon, which works wonderfully for access hours and for filtering through the blacklists.

    My problem is that my brother, once logged in to MSN, his gaming systems and various other applications, continues to use them after the allotted time despite the access hours, if he connected before the web cut-off.

    I would like to cut off his net access outright (not just the web) that goes through my IPCop.

    So I started looking at iptables, which basically should be able to do it, but after long readings of howtos and other guides, I am reassured that it is geek stuff!

  6. #6
    Join Date
    Nov 2008
    Posts
    1,066

    Re: iptables question to cut the network access

    Code:
    $IPTABLES -A CUSTOMFORWARD -p tcp -s 10.0.0.10 -j DROP   # all TCP from that host; ICMP and UDP still pass
    With that, he will still be able to ping the Internet at his leisure. But he will probably tire of it very quickly.....

    (assuming the IP does not change)

    The matching rule with -D restores the situation.
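The cron-driven cut-off that posts #1, #2 and #6 circle around, written out as one complete script. This is an added example, not code from the thread, from IPCop or from franck78's addon. It assumes a firewall that routes the green LAN through the FORWARD chain, a chain name TIMELOCK of our own choosing, the addresses from post #1, and a blackout window of 20:00 to 08:59 in cron's local time; all of those are assumptions. Instead of pairing an -A at 20:00 with a hand-maintained -D at 09:00 (which drifts the moment a rule is edited or a cron run is missed or doubled), every run rebuilds the one dedicated chain with iptables-restore --noflush, the direction post #2 points at. It drops all protocols rather than only TCP, and the chain is hooked at position 1 of FORWARD so that it is evaluated ahead of any ESTABLISHED,RELATED accept and sessions opened before the cut-off are dropped too, which is exactly the complaint in post #5.

```shell
#!/bin/sh
# Added example (not from the thread): idempotent night-time cut-off for a
# DHCP range. Every run rebuilds the TIMELOCK chain from scratch, so there is
# no -A/-D bookkeeping to get out of sync.
#
# Assumptions (hypothetical, not from the page): LAN traffic is routed through
# FORWARD; TIMELOCK is our own chain; blackout is 20:00-08:59 local time.

LAN_NET="10.0.20.0/24"      # DHCP range to cut (post #1)
GATEWAY="10.0.20.1"         # the firewall itself, never blocked (post #1)
CHAIN="TIMELOCK"            # our own chain, hooked at the top of FORWARD
START=20                    # first blocked hour (inclusive)
STOP=9                      # first unblocked hour (exclusive)

# in_blackout HOUR -> exit status 0 when HOUR (0-23, leading zero allowed)
# falls inside the blocked window. Handles the midnight wrap-around
# (20..23 and 0..8) and strips a leading zero so "08" is not read as octal.
in_blackout() {
    h=${1#0}; h=${h:-0}
    if [ "$START" -gt "$STOP" ]; then
        [ "$h" -ge "$START" ] || [ "$h" -lt "$STOP" ]
    else
        [ "$h" -ge "$START" ] && [ "$h" -lt "$STOP" ]
    fi
}

# rules_for on|off -> an iptables-restore fragment for the filter table.
# The ":CHAIN - [0:0]" line creates the chain if it is missing and flushes
# it if it exists, so "off" is simply an empty chain.
rules_for() {
    printf '*filter\n:%s - [0:0]\n' "$CHAIN"
    if [ "$1" = "on" ]; then
        # Keep post #1's exemption for the firewall explicit, then drop
        # everything else from/to the range, all protocols and both
        # directions (a "-p tcp" rule as in post #6 would leave ping and UDP alone).
        printf -- '-A %s -s %s -j RETURN\n' "$CHAIN" "$GATEWAY"
        printf -- '-A %s -d %s -j RETURN\n' "$CHAIN" "$GATEWAY"
        printf -- '-A %s -s %s -j DROP\n'   "$CHAIN" "$LAN_NET"
        printf -- '-A %s -d %s -j DROP\n'   "$CHAIN" "$LAN_NET"
    fi
    printf 'COMMIT\n'
}

# desired_state HOUR -> prints "on" (blocked) or "off"
desired_state() {
    if in_blackout "$1"; then echo on; else echo off; fi
}

# apply: make sure the chain exists and is jumped to from position 1 of
# FORWARD (ahead of any ESTABLISHED,RELATED accept, so connections opened
# before 20:00 die as well), then load the fragment for the current hour.
apply() {
    iptables -N "$CHAIN" 2>/dev/null || true
    iptables -C FORWARD -j "$CHAIN" 2>/dev/null || iptables -I FORWARD 1 -j "$CHAIN"
    rules_for "$(desired_state "$(date +%H)")" | iptables-restore --noflush
}

# Run from cron at both edges of the window and once at boot, e.g.:
#   0 20 * * * /etc/rc.d/timelock.sh apply
#   0 9  * * * /etc/rc.d/timelock.sh apply
case "${1:-}" in
    apply) apply ;;
esac
```

`iptables -L TIMELOCK -n` shows at any moment whether the chain is populated, and running `apply` twice in a row is harmless. Because the match is on the source address, a client that sets its own static address outside 10.0.20.0/24 would slip past it (post #6's "assuming the IP does not change"); matching on the hardware address with `-m mac --mac-source` instead is the next step if that becomes a problem.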
