+1 to what James suggested.
A couple more tips...
Use the --kerneltz option to use the local timezone; here are the iptables time
options:
--
time match options:
--datestart time Start and stop time, to be given in ISO 8601
--datestop time (YYYY[-MM[-DD[Thh[:mm[:ss]]]]])
--timestart time Start and stop daytime (hh:mm[:ss])
--timestop time (between 00:00:00 and 23:59:59)
[!] --monthdays value List of days on which to match, separated by comma
(Possible days: 1 to 31; defaults to all)
[!] --weekdays value List of weekdays on which to match, sep. by comma
(Possible days: Mon,Tue,Wed,Thu,Fri,Sat,Sun or 1 to 7
Defaults to all weekdays.)
--kerneltz Work with the kernel timezone instead of UTC
--
I seem to recall a "--timestart 21:00 --timestop 10:00" did not work and you
needed two rules, one ending at 23:59:59, then one starting at 00:00:00, but a
quick test suggests this may now work with our current iptables v1.4.17; it still
needs testing.
In this case you may want to use "-j REJECT" instead of "-j DROP" since it is a
known internal device.
With AIF in the custom-rules, if you use "iptables -A LAN_INET_FORWARD_CHAIN
..." it will block only outgoing internet traffic (which is probably what you
want), though using "iptables -A FORWARD_CHAIN ..." will block any forward.
This would be a good addition to AIF as a plugin; coming up with a good general
syntax for the time code has stopped me so far.
Lonnie
On May 1, 2013, at 11:14 PM, James Babiak wrote:
> David,
>
> Interesting idea. I never tried it myself, but I just played around with it
> and confirmed that it would work. The time has to be converted to UTC, so
> based on your scenario, and assuming you live in the ET timezone (currently
> -4 UTC), you could do something like this:
>
> iptables -I FORWARD -m mac --mac-source AA:BB:CC:DD:EE:FF -m time --timestart
> 01:00 --timestop 10:00 -j DROP
>
> Obviously you would need to change the timestart/stop for a different
> timezone and use the appropriate MAC address. And you could stack rules for
> additional MACs. I don't believe you can use wildcards for MAC ranges, which
> might have been a good solution if all the iDevices shared a common OUI, so
> you would need a rule for each one. The above rule would block access to the
> Internet, but still allow internal network access (which wouldn't go through
> the router anyway).
>
> I imagine the best way to implement this in Astlinux would be to insert the
> rules into /mnt/kd/arno-iptables-firewall/custom-rules
>
> --James
>
> On 05/01/2013 09:32 PM, David Kerr wrote:
>> Has anyone used iptables to block internet access for a specified device
>> between specified times? It looks like iptables has a capability to match
>> against time, but before I experiment I thought I would ask if anyone has
>> the necessary commands figured out already.
>>
>> Basically I want to impose a curfew on internet access for the kids'
>> iDevices, say between 9pm and 6am every day. I could identify the device by
>> mac address.
>>
>> Any suggestion on how to go about this in AstLinux?
>>
>> Thanks,
>> David
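Putting the thread's pieces together, here is an added example (not code from the thread, from AstLinux or from the AIF project) that generates the custom-rules lines for a per-device curfew. It takes Lonnie's suggestions as given: the rules go into AIF's LAN_INET_FORWARD_CHAIN so only Internet forwarding is blocked, --kerneltz is used so the times are local rather than the UTC conversion James had to do by hand, the default target is REJECT, and a window that crosses midnight is written as two rules (one to 23:59:59, one from 00:00:00), which works on every iptables version rather than depending on the single-rule behaviour Lonnie was still testing. The function name, argument layout and the sample MAC address are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the thread or the AIF project): emit the iptables
# lines for a per-device Internet curfew, for pasting into
# /mnt/kd/arno-iptables-firewall/custom-rules. Assumptions, from the thread:
#   - LAN_INET_FORWARD_CHAIN is AIF's chain for LAN-to-Internet forwarding
#   - --kerneltz makes --timestart/--timestop use the router's local time
#   - a window that crosses midnight is safest written as two rules
# The function name, argument layout and sample MAC are constructed here.
#
# Usage: curfew_rules <mac> <start hh:mm> <stop hh:mm> [target]
#   Prints the rules on stdout; review them, then paste into custom-rules
#   or pipe to sh as root to apply them directly.
curfew_rules() {
    mac=$1; start=$2; stop=$3; target=${4:-REJECT}

    # Sanity-check the MAC so a typo cannot slip into the rule file
    # (iptables would also reject it, but only when the rules are loaded).
    if ! expr "$mac" : '[0-9A-Fa-f][0-9A-Fa-f]\(:[0-9A-Fa-f][0-9A-Fa-f]\)\{5\}$' >/dev/null; then
        echo "curfew_rules: bad MAC address: $mac" >&2
        return 1
    fi

    # Times must be zero-padded hh:mm so that dropping the colon gives a
    # four-digit number that compares chronologically (21:00 -> 2100).
    s=$(printf '%s' "$start" | tr -d ':')
    e=$(printf '%s' "$stop" | tr -d ':')

    prefix="iptables -A LAN_INET_FORWARD_CHAIN -m mac --mac-source $mac -m time --kerneltz"

    if [ "$s" -lt "$e" ]; then
        # Window lies within one calendar day: a single rule suffices.
        printf '%s --timestart %s --timestop %s -j %s\n' "$prefix" "$start" "$stop" "$target"
    else
        # Window wraps past midnight: cover the evening and the morning
        # separately, which works on every iptables version.
        printf '%s --timestart %s --timestop 23:59:59 -j %s\n' "$prefix" "$start" "$target"
        printf '%s --timestart 00:00:00 --timestop %s -j %s\n' "$prefix" "$stop" "$target"
    fi
}

# Example: the 9pm-to-6am curfew from the thread, for one (constructed) MAC.
# Run the function once per device to stack rules for several MACs.
curfew_rules AA:BB:CC:DD:EE:FF 21:00 06:00
```

Two things worth checking before relying on this: the mac match only sees the source MAC on the router's own LAN segment (it cannot see MACs behind another router or AP doing NAT), and a MAC address is something the device's user can change, so treat this as a convenience control rather than a security boundary. Also look at where AIF accepts ESTABLISHED traffic relative to the custom chain; if that accept comes first, connections opened before the curfew starts keep running until they end on their own.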
Astlinux-users mailing list
https://lists.sourceforge.net/lists/listinfo/astlinux-users