Lonnie,
I think I would want to insert (-I LAN_INET_FORWARD_CHAIN) rather than
append the rule? I think I would want curfew to trigger before any other
rule. Currently I am controlling access to external DNS servers on this
chain (so that an internal client cannot bypass my OpenDNS controls) but I
needed to add a couple of exceptions (e.g. to let kindle devices access
amazon.com's DNS as those devices were not configurable). But there could
be other rules that explicitly grant access and I would that a curfew on a
specific device would trigger first. Of course I suppose there could be a
scenario where I would want to grant the curfew'd device access to a
specific service even during curfew hours.
This would be an interesting AIF plugin, input would be a list of devices
and curfew hours for each. If you go down that path then would it be
possible to identify device by name rather than mac address... for example
my DHCP leases includes...
192.168.17.20920:c9:d0:5b:50:d8Davids-iPhone-52013-05-03 06:42:25 Apple Inc
Would there be a way for a plugin to find the mac address from
"Davids-iPhone-5"
Anyway, for now I am trying this and will let you know in a few days if it
works !!
iptables -I LAN_INET_FORWARD_CHAIN -m mac --mac-source 68:96:7b:03:62:ce -m
time --timestart 21:00 --timestop 06:00 --kerneltz -j REJECT
Chain LAN_INET_FORWARD_CHAIN (1 references)
target prot opt source destination
REJECT all -- anywhere anywhere MAC
68:96:7B:03:62:CE TIME from 21:00:00 to 06:00:00 reject-with
icmp-port-unreachable
ACCEPT tcp -- 192.168.17.0/24 165-149.amazon.com tcp
dpt:domain
ACCEPT tcp -- 192.168.17.7 anywhere tcp
dpt:domain
ACCEPT udp -- 192.168.17.0/24 165-149.amazon.com udp
dpt:domain
ACCEPT udp -- 192.168.17.7 anywhere udp
dpt:domain
ACCEPT icmp -- anywhere anywhere icmp
echo-request limit: avg 20/sec burst 100
DROP icmp -- anywhere anywhere icmp
echo-request
ACCEPT all -- anywhere anywhere
On Thu, May 2, 2013 at 9:32 AM, Lonnie Abelbeck
<[email protected]>wrote:
> +1 to what James suggested.
>
> A couple more tips...
>
> Use the --kerneltz option to use local timezone, here are the iptables
> time options:
> --
> time match options:
> --datestart time Start and stop time, to be given in ISO 8601
> --datestop time (YYYY[-MM[-DD[Thh[:mm[:ss]]]]])
> --timestart time Start and stop daytime (hh:mm[:ss])
> --timestop time (between 00:00:00 and 23:59:59)
> [!] --monthdays value List of days on which to match, separated by comma
> (Possible days: 1 to 31; defaults to all)
> [!] --weekdays value List of weekdays on which to match, sep. by comma
> (Possible days: Mon,Tue,Wed,Thu,Fri,Sat,Sun or 1
> to 7
> Defaults to all weekdays.)
> --kerneltz Work with the kernel timezone instead of UTC
> --
> I seem to recall a "--timestart 21:00 --timestop 10:00" did not work and
> you needed two rules, one ending at 23:59:59, then one starting at
> 00:00:00, but a quick test suggests this may now work with our current
> iptables v1.4.17, need to test.
>
> In this case you may want to use "-j REJECT" instead of "-j DROP" since it
> is a known internal device.
>
> With AIF in the custom-rules, if you use "iptables -A
> LAN_INET_FORWARD_CHAIN ..." it will block only outgoing internet traffic
> (which is probably what you want), though using "iptables -A FORWARD_CHAIN
> ..." will block any forward.
>
> This would be a good addition to AIF as a plugin, coming up with a good
> general syntax for the time code has stopped me so far.
>
> Lonnie
>
>
> On May 1, 2013, at 11:14 PM, James Babiak wrote:
>
> > David,
> >
> > Interesting idea. I never tried it myself, but I just played around with
> it and confirmed that it would work. The time has to be converted to UTC,
> so based on your scenario, and assuming you live in the ET timezone
> (currently -4 UTC), you could do something like this:
> >
> > iptables -I FORWARD -m mac --mac-source AA:BB:CC:DD:EE:FF -m time
> --timestart 01:00 --timestop 10:00 -j DROP
> >
> > Obviously you would need to change the timestart/stop for a different
> timezone and use the appropriate MAC address. And you could stack rules for
> additional MACs. I don't believe you can use wildcards for MAC ranges,
> which might have been a good solution if all the iDevices shared a common
> OUI, so you would need a rule for each one. The above rule would block
> access to the Internet, but still allow internal network access (which
> wouldn't go through the router anyway).
> >
> > I imagine the best way to implement this in Astlinux would be to insert
> the rules into /mnt/kd/arno-iptables-firewall/custom-rules
> >
> > --James
> >
> > On 05/01/2013 09:32 PM, David Kerr wrote:
> >> Has anyone used iptables to block internet access for a specified
> device between specified times. It looks like iptables has a capability to
> match against time, but before I experiment I thought I would ask if anyone
> has the necessary commands figured out already.
> >>
> >> Basically I want to impose a curfew on internet access for the kids
> iDevices, say between 9pm and 6am every day. I could identify the device
> by mac address.
> >>
> >> Any suggestion on how to go about this in AstLinux?
> >>
> >> Thanks,
> >> David
>
>
>
> ------------------------------------------------------------------------------
> Introducing AppDynamics Lite, a free troubleshooting tool for Java/.NET
> Get 100% visibility into your production application - at no cost.
> Code-level diagnostics for performance bottlenecks with <2% overhead
> Download for free and get started troubleshooting in minutes.
> http://p.sf.net/sfu/appdyn_d2d_ap1
> _______________________________________________
> Astlinux-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/astlinux-users
>
> Donations to support AstLinux are graciously accepted via PayPal to
> [email protected].
>
------------------------------------------------------------------------------
Introducing AppDynamics Lite, a free troubleshooting tool for Java/.NET
Get 100% visibility into your production application - at no cost.
Code-level diagnostics for performance bottlenecks with <2% overhead
Download for free and get started troubleshooting in minutes.
http://p.sf.net/sfu/appdyn_d2d_ap1
_______________________________________________
Astlinux-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/astlinux-users
Donations to support AstLinux are graciously accepted via PayPal to
[email protected].
