Graham, So you want to define who is allowed, not who is disallowed. One method would be to allow the accepted hosts before denying all the rest.
I would use the... Network tab -> DNS Forwarder & DHCP Server: { Configure DNS Hosts } to map the MAC address to IP address via DHCP, so all the 'good-guy' IPs are predictable and static.

To be clever, carve out a CIDR that is acceptable, such as:

192.168.1.64/27 -> 192.168.1.64 - 192.168.1.95

and place, by MAC address and DHCP, the 'good guys' in that static range to make it simpler to specify. Non-static DHCP would go in the default 192.168.1.100 - 192.168.1.220, which we assume are the 'bad guys' unless overridden.

Notice: untested code below...

-- /mnt/kd/arno-iptables-firewall/custom-rules --
# Put any custom (iptables) rules here down below:
##################################################

unset IFS
# Allowed hosts are ACCEPTed unconditionally (at any time of day), so they
# never reach the time-based DROP rules appended below.
for shost in 192.168.1.10 192.168.1.11 192.168.1.64/27; do
  echo "[CUSTOM RULE] Allow LAN->EXT for '$shost' traffic from 7:00 pm to 7:00 am"
  iptables -A LAN_INET_FORWARD_CHAIN -s $shost -j ACCEPT
done
echo "[CUSTOM RULE] Deny LAN->EXT for the remaining traffic from 7:00 pm to 7:00 am"
# Two DROP rules because the 7:00 pm to 7:00 am window crosses midnight.
iptables -A LAN_INET_FORWARD_CHAIN -s 0/0 -m time \
  --timestart 00:00:00 --timestop 07:00:00 \
  --weekdays Mon,Tue,Wed,Thu,Fri,Sat,Sun --kerneltz \
  -j DROP
iptables -A LAN_INET_FORWARD_CHAIN -s 0/0 -m time \
  --timestart 19:00:00 --timestop 23:59:59 \
  --weekdays Mon,Tue,Wed,Thu,Fri,Sat,Sun --kerneltz \
  -j DROP
--

Lonnie

BTW, using the "mac-address-filter" plugin seems like a lot more work and blocks at the LAN interface, not the EXT interface.

On Sep 14, 2012, at 5:21 PM, Graham S. Jarvis wrote:

> Thanks Lonnie,
>
> that's a nice way of blocking _all_ the traffic.
>
> But I lied - I don't want to stop _everybody_ getting to the Internet, just
> those that I say can't. And some of those that I want to allow are in the same
> DHCP block as those that I want to block.
> And because this is DHCP I'm never actually sure which one is which.
>
> But,
> is there any way of doing this on MAC addresses?
> I know these and they don't change.
> (is this --mac-source $macaddress
> instead of -s $host ?)
> If so I just have to
> for $macaddress in `cat /etc/arno-iptables-firewall/mac-addresses`
> and I can use the same file as the mac-address-filter.
> (I'll need a bit more "cut" logic to take care of the format :
> ma:c_:ad:dr:es:s_(space)ip_.add.res.sxx(space)#some comment string
>
> How does that sound?
> Can anyone do the script?
>
> -Graham-
>
>
> Lonnie Abelbeck wrote on 14/09/12 17:54:
>> Yes, an AIF plugin would be the way to do this.
>>
>> An alternative quick and dirty method would be to add something like this to
>> the AIF custom-rules script:
>>
>> -- /mnt/kd/arno-iptables-firewall/custom-rules --
>> # Put any custom (iptables) rules here down below:
>> ##################################################
>>
>> unset IFS
>> for shost in 0/0; do
>>   echo "[CUSTOM RULE] Deny LAN->EXT for '$shost' traffic from 7:00 pm to 7:00 am"
>>   iptables -A LAN_INET_FORWARD_CHAIN -s $shost -m time \
>>     --timestart 00:00:00 --timestop 07:00:00 \
>>     --weekdays Mon,Tue,Wed,Thu,Fri,Sat,Sun --kerneltz \
>>     -j DROP
>>   iptables -A LAN_INET_FORWARD_CHAIN -s $shost -m time \
>>     --timestart 19:00:00 --timestop 23:59:59 \
>>     --weekdays Mon,Tue,Wed,Thu,Fri,Sat,Sun --kerneltz \
>>     -j DROP
>> done
>> --
>> This would block *all* traffic from any LAN interface to the outside world
>> for the times specified.
>>
>> Replace 0/0 with a space separated list of LAN IPs or CIDRs for more
>> refinement.
>>
>> Be sure to test, have fun. :-)
>>
>> Lonnie
>>
>>
>>
>> On Sep 14, 2012, at 10:06 AM, David Kerr wrote:
>>
>>> Sounds like a great idea for a firewall plugin. Doesn't the adaptive ban
>>> firewall run a script that wakes up every 90 seconds or so and checks for
>>> bad things? You could create a plugin script like that which wakes up every 5
>>> minutes say, checks for rules to add or remove, does its thing and goes back
>>> to sleep. GUI interface could be limited to editing a firewall plugin
>>> conf file.
>>> Hardest part is probably designing a syntax for the conf file.
>>>
>>> David
>>>
>>>
>>> On Fri, Sep 14, 2012 at 10:32 AM, Graham S. Jarvis <gsjar...@pt.lu> wrote:
>>> Hello All,
>>>
>>> I've been working on this for a while and have a very crude system working with
>>> cron job scripts creating various dnsmasq.static files and restarting dnsmasq,
>>> but I think there has to be a better way and one that can be made part of
>>> the GUI.
>>>
>>> There was some discussion (Lonnie) about trying to get something built into
>>> Arno's firewall but I don't think it went far....
>>>
>>> What's needed is an easy way to stop certain PCs on the network getting out to
>>> the Internet at certain times of the day/week/month but to still allow them
>>> access to local storage/print services.
>>>
>>> All ideas gratefully received!
>>>
>>> -Graham-
>>>
>>> ------------------------------------------------------------------------------
>>> Got visibility?
>>> Most devs has no idea what their production app looks like.
>>> Find out how fast your code is with AppDynamics Lite.
>>> http://ad.doubleclick.net/clk;262219671;13503038;y?
>>> http://info.appdynamics.com/FreeJavaPerformanceDownload.html
>>> _______________________________________________
>>> Astlinux-users mailing list
>>> Astlinux-users@lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/astlinux-users
>>>
>>> Donations to support AstLinux are graciously accepted via PayPal to
>>> pay...@krisk.org.
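Graham's MAC-keyed variant of Lonnie's time-window rules (rules on --mac-source read from the mac-address-filter file, two windows because 7 pm to 7 am crosses midnight), as an added example that is not Lonnie's, Graham's or AstLinux's code. It assumes the file format Graham quotes, AIF's LAN_INET_FORWARD_CHAIN, and an IPTABLES variable that can be set to "echo iptables" for a dry run; it also validates entries, which the thread only mentions as needing some "cut" logic.

```shell
#!/bin/sh
# Added example (not AstLinux or AIF code): per-MAC overnight deny rules for
# AIF's LAN_INET_FORWARD_CHAIN, read from a file in the mac-address-filter
# format Graham describes:  ma:c_:ad:dr:es:s_ ip.add.res.s  # comment
# Assumptions: IPTABLES may be set to "echo iptables" for a dry run; the
# 7 pm to 7 am window is split into two rules exactly as in Lonnie's script.
IPTABLES="${IPTABLES:-iptables}"
CHAIN="LAN_INET_FORWARD_CHAIN"
DAYS="Mon,Tue,Wed,Thu,Fri,Sat,Sun"

# Read the file on stdin: drop '#' comments and blank lines, keep field 1,
# lower-case it, and pass through only well-formed MAC addresses.
list_macs() {
  sed 's/#.*//' | awk 'NF { print tolower($1) }' \
    | grep -E '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# One DROP rule for a MAC inside a same-day window (HH:MM:SS start, stop).
deny_rule() {
  $IPTABLES -A "$CHAIN" -m mac --mac-source "$1" -m time \
    --timestart "$2" --timestop "$3" --weekdays "$DAYS" --kerneltz -j DROP
}

# Two windows per MAC because 19:00-07:00 crosses midnight.
# In custom-rules: block_macs_overnight < /etc/arno-iptables-firewall/mac-addresses
block_macs_overnight() {
  list_macs | while IFS= read -r mac; do
    echo "[CUSTOM RULE] Deny LAN->EXT for MAC $mac from 7:00 pm to 7:00 am"
    deny_rule "$mac" 00:00:00 07:00:00
    deny_rule "$mac" 19:00:00 23:59:59
  done
}

# Dry run over a constructed sample file: prints the rules instead of loading them.
demo() {
  IPTABLES="echo iptables"
  block_macs_overnight <<'EOF'
00:11:22:33:44:55 192.168.1.101   # constructed sample: laptop
# AA:BB:CC:DD:EE:FF 192.168.1.102 # whole line commented out, must be ignored
AA:BB:CC:DD:EE:01 192.168.1.103   # game console, mixed case on purpose
not-a-mac 192.168.1.104           # malformed entry, must be skipped
EOF
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run it with --demo to see the four generated rules without touching the firewall. The mac match only sees a source MAC on frames arriving from the LAN side (which is where this chain is evaluated), and a device whose MAC is changed no longer matches, so treat this as a convenience control rather than a hard boundary.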