Thanks Lonnie,

that's a nice way of blocking _all_ the traffic.

But I lied - I don't want to stop _everybody_ getting to the Internet, just 
those that I say can't.  And some of those that I want to allow are in the same 
DHCP block as those that I want to block.
And because this is DHCP I'm never actually sure which one is which.

But,
is there any way of doing this on MAC addresses?
I know these and they don't change.
(is this --mac-source $macaddress
instead of -s $host ?)
If so I just have to
        for macaddress in `cat /etc/arno-iptables-firewall/mac-addresses`
and I can use the same file as the mac-address-filter.
(I'll need a bit more "cut" logic to take care of the format:
ma:c_:ad:dr:es:s_(space)ip_.add.res.sxx(space)#some comment string)


How does that sound?
Can anyone do the script?

-Graham-


Lonnie Abelbeck wrote on 14/09/12 17:54:
> Yes, an AIF plugin would be the way to do this.
>
> An alternative quick and dirty method would be to add something like this to 
> the AIF custom-rules script:
>
> -- /mnt/kd/arno-iptables-firewall/custom-rules --
> # Put any custom (iptables) rules here down below:
> ##################################################
>
> unset IFS
> for shost in 0/0; do
>    echo "[CUSTOM RULE] Deny LAN->EXT for '$shost' traffic from 7:00 pm to 7:00 am"
>    iptables -A LAN_INET_FORWARD_CHAIN -s $shost -m time \
>             --timestart 00:00:00 --timestop 07:00:00 \
>             --weekdays Mon,Tue,Wed,Thu,Fri,Sat,Sun --kerneltz \
>             -j DROP
>    iptables -A LAN_INET_FORWARD_CHAIN -s $shost -m time \
>             --timestart 19:00:00 --timestop 23:59:59 \
>             --weekdays Mon,Tue,Wed,Thu,Fri,Sat,Sun --kerneltz \
>             -j DROP
> done
> --
> This would block *all* traffic from any LAN interface to the outside world 
> for the times specified.
>
> Replace 0/0 with a space separated list of LAN IP's or CIDR's for more 
> refinement.
>
> Be sure to test, have fun. :-)
>
> Lonnie
>
>
>
> On Sep 14, 2012, at 10:06 AM, David Kerr wrote:
>
>> Sounds like a great idea for a firewall plugin.  Doesn't the adaptive ban
>> firewall run a script that wakes up every 90 seconds or so and checks for bad
>> things?  You could create a plugin script like that, which wakes up every 5
>> minutes say, checks for rules to add or remove, does its thing and goes back
>> to sleep.  The GUI interface could be limited to editing a firewall plugin
>> conf file.  The hardest part is probably designing a syntax for the conf file.
>>
>> David
>>
>>
>> On Fri, Sep 14, 2012 at 10:32 AM, Graham S. Jarvis <gsjar...@pt.lu> wrote:
>> Hello All,
>>
>> I've been working on this for a while and have a very crude system working
>> with cron job scripts creating various dnsmasq.static files and restarting
>> dnsmasq, but I think there has to be a better way and one that can be made
>> part of the GUI.
>>
>> There was some discussion (Lonnie) about trying to get something built into
>> Arno's firewall but I don't think it went far....
>>
>> What's needed is an easy way to stop certain PC's on the network getting out
>> to the Internet at certain times of the day/week/month but to still allow
>> them access to local storage/print services.
>>
>> All ideas gratefully received!
>>
>> -Graham-
>>
>> ------------------------------------------------------------------------------
>> Got visibility?
>> Most devs has no idea what their production app looks like.
>> Find out how fast your code is with AppDynamics Lite.
>> http://ad.doubleclick.net/clk;262219671;13503038;y?
>> http://info.appdynamics.com/FreeJavaPerformanceDownload.html
>> _______________________________________________
>> Astlinux-users mailing list
>> Astlinux-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/astlinux-users
>>
>> Donations to support AstLinux are graciously accepted via PayPal to 
>> pay...@krisk.org.
>>
>
>
>
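
The MAC-based variant asked about at the top of this message, as an added example that is not part of the original thread or of arno-iptables-firewall: it assumes the `MAC IP #comment` file format described above, reuses the chain and time windows from the quoted custom-rules snippet, and prints the `iptables` commands instead of running them. The function names and the sample file contents are constructed for illustration.

```sh
#!/bin/sh
# Added example: time-window DROP rules keyed on MAC address instead of IP.
CHAIN="LAN_INET_FORWARD_CHAIN"        # chain used in the quoted custom-rules
DAYS="Mon,Tue,Wed,Thu,Fri,Sat,Sun"
IPT="echo iptables"                   # dry run; set IPT=iptables to apply

# Print the valid MACs from field 1 of file $1 ("MAC IP #comment" per line),
# lower-cased. Blank lines, comments and malformed entries are skipped so
# that nothing unvalidated ever reaches the iptables command line.
list_macs() {
  while read -r mac _rest || [ -n "$mac" ]; do
    case "$mac" in
      ''|'#'*) continue ;;
    esac
    if printf '%s\n' "$mac" | grep -Eqi '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'; then
      printf '%s\n' "$mac" | tr 'A-F' 'a-f'
    else
      echo "skipping malformed entry: $mac" >&2
    fi
  done < "$1"
}

# $1=mac $2=timestart $3=timestop
emit_rule() {
  $IPT -A "$CHAIN" -m mac --mac-source "$1" -m time \
       --timestart "$2" --timestop "$3" \
       --weekdays "$DAYS" --kerneltz -j DROP
}

# 19:00 to 07:00 crosses midnight, so each MAC gets two same-day rules,
# matching the two time windows in the quoted example.
gen_rules() {
  list_macs "$1" | while read -r mac; do
    emit_rule "$mac" 00:00:00 07:00:00
    emit_rule "$mac" 19:00:00 23:59:59
  done
}

# Constructed sample file in the format described in the message.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
# constructed sample data
00:11:22:33:44:55 192.168.1.20 #laptop
AA:BB:CC:DD:EE:FF 192.168.1.21 #tablet
not-a-mac 192.168.1.22 #typo, skipped
EOF
gen_rules "$SAMPLE"
```

A MAC address is reported by the client itself, so this identifies a host more stably than a DHCP-assigned IP but is not tamper-proof.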
