LinuxQuestions.org


qprfact 01-14-2010 08:25 AM

Ubuntu iptables - restricting access assistance

I have a small home network with a router to the outside world and an Ubuntu server through which traffic passes first.

My ISP limits my download usage during the day, which traditionally has not been an issue, but now the children come in from school, boot up the internet and up goes my usage!

Ideally I would like to be able to restrict them to IM and maybe certain specified URLs (I think the latter probably needs to use Squid though?). Once the download limits are lifted, I would like my iptables to allow HTTP, etc., but pretty much block most other things.

If it is possible, traffic shaping to allow prioritisation would be ideal too.

I have two sets of iptables currently to approach this issue, with a cron job that runs to swap between one and the other.

My understanding is that chains run in order, so if rule A says allow X, and rule B says drop all, then X should still be allowed. However, try as I may, this is not what happens in practice. I have even tried changing the overall order from ALLOW to DROP in FORWARD and then approaching it from the other angle. That didn't work either.

*IS* it actually possible to block all but http / https and IM?

These are my rules:

Code:

# Generated by iptables-save v1.4.4 on Sat Jan  9 19:15:49 2010
*nat
:PREROUTING ACCEPT [583:45175]
:POSTROUTING ACCEPT [694:60887]
:OUTPUT ACCEPT [143:18642]
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
COMMIT
# Completed on Sat Jan  9 19:15:49 2010
# Generated by iptables-save v1.4.4 on Sat Jan  9 19:15:49 2010
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [436:28062]
:OUTPUT ACCEPT [223:27990]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --sport 53 -j ACCEPT
-A INPUT -p udp -m udp --sport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 192.168.2.5/32 -j ACCEPT
-A INPUT -s 192.168.2.3/32 -j ACCEPT
-A INPUT -s 192.168.2.2/32 -j ACCEPT
-A INPUT -s 192.168.2.1/32 -p tcp -m tcp --dport 60344 -j ACCEPT
-A INPUT -s 192.168.2.3/32 -p tcp -m tcp --dport 49744 -j ACCEPT
-A INPUT -s 192.168.2.2/32 -p tcp -m tcp --dport 49743 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.2.0/24 -p tcp -m multiport --dports 139,145 -j ACCEPT
-A INPUT -s 192.168.2.0/24 -p udp -m multiport --dports 137,138 -j ACCEPT
-A INPUT -s 192.168.2.0/24 -p tcp -m multiport --dports 5900,5901 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10000 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -j DROP

-A FORWARD -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -s 192.168.2.10/32 -p udp -m multiport --dports 28910,29900,29901,29920,443 -j ACCEPT
-A FORWARD -s 192.168.2.2/32 -p tcp -m tcp --dport 49743 -j ACCEPT
-A FORWARD -s 192.168.2.5/32 -j ACCEPT
-A FORWARD -s 192.168.2.3/32 -j ACCEPT
-A FORWARD -s 192.168.2.2/32 -j ACCEPT
-A FORWARD -p tcp -m multiport --dports 1863 -j ACCEPT
-A FORWARD -p tcp -m multiport --dports 80 -m comment --comment "http apache" -j ACCEPT
-A FORWARD -p tcp -m multiport --dports 443 -m comment --comment "https apache" -j ACCEPT
-A FORWARD -j DROP

-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Sat Jan  9 19:15:49 2010

Hopefully that is enough detail? Would be great if someone could assist!

nimnull22 01-14-2010 12:31 PM

Quote:

Originally Posted by qprfact (Post 3826326)
...
Once the download limits are lifted, I would like my iptables to allow HTTP, etc, but pretty much block most other things.
...

Iptables by itself can't do it, but you can change the rules when it becomes necessary.

GrapefruiTgirl 01-14-2010 12:54 PM

Why could iptables by itself not do this? iptables has provisions for time-of-day and day-of-week allowances/blockages.

There is more than one issue in this thread: A) the time-of-day restrictions, and B) traffic shaping; so it might be a decent idea to deal with one issue at a time.

I've never used the iptables time-of-day/day-of-week functionality, but if I have some time, I'd be happy to play around with it.

Vague, crappy Pseudo-code:

1) if time_now="restricted download time" then drop everything but IM; allow IM; drop everything else.
2) if time_now="not restricted" then allow HTTP and whatever you want.

I haven't looked at the iptables script in the OP post, but if you're interested in this time-of-day matching (provided it is in fact something you could use to achieve your goal) then begin with the iptables man page and some of the many very good iptables tutorials online.

It is certainly possible to drop everything but HTTP (80), HTTPS (443), and IM; however, for the IM, you'll have to know what ports and/or protocols the IM chatter uses, so you can match for that.

Sasha

nimnull22 01-14-2010 01:06 PM

Quote:

Originally Posted by GrapefruiTgirl (Post 3826595)
Why could iptables by itself not do this? iptables has provisions for time-of-day and day-of-week allowances/blockages.

Can you please read again what OP wants: "Once the download limits are lifted,..."

GrapefruiTgirl 01-14-2010 01:10 PM

Quote:

Originally Posted by nimnull22 (Post 3826606)
Can you please read again what OP wants: "Once the download limits are lifted,..."

Ok, done. What am I missing?

nimnull22 01-14-2010 01:14 PM

He needs a simple script which will parse "ifconfig" output and calculate the amount of data downloaded during the day, then change the rules in iptables.

I think this is the easiest way.

GrapefruiTgirl 01-14-2010 01:18 PM

OHHHHH

I did not get that from reading. Thank you nimnull, I understand now what you're saying.

I thought the OP wanted to block all potential for downloading during the "restricted" period, but then after a certain TOD when the "restriction" got lifted, allow freely downloading.

Now, if I understand right, the OP wants to essentially "shut off the tap" when the limit has been reached for the day.

Gotcha, thanks.
Sasha

qprfact 01-14-2010 05:20 PM

Thanks for all your responses!

Sorry, my fault for being a bit ambiguous in my original post - when I referred to "once the download limits are lifted" I WAS talking about time of day - 6pm in my instance - as after that time the limits no longer apply (i.e. the limits are 9am - 6pm Mon - Fri).

Therefore I have no problems with two sets of rules - one for 9-6, the other for the rest of the time - but the former needs to be very restricted in what can be done to avoid the limits being breached - hence the suggestion of allowing IM and maybe a couple of URLs. Outside of those hours, HTTP/S can be "opened up", but ideally with the network still kept as secure as possible.

The traffic shaping aspect comes into play during those hours, purely so that if a member of the household is downloading or streaming they are not "hogging the connection" to the detriment of all others.

The approach that GrapefruiTgirl suggests in the "vague, crappy Pseudo Code" (it's not!) is exactly what I am after with my first issue. The trouble is, my rules, which I thought would achieve this outcome, don't! Instead they drop everything, despite the fact that I believe I have written them in such a way that IM and HTTP/S would work. Trouble is, I've read many tutorials now, and none of them seem to cover this particular issue.

Hope this clarifies things a bit - sorry if I wasn't exact enough initially, but it sounds like you understand what I want to achieve, so here's hoping you can assist.

Thanks in advance!

nimnull22 01-15-2010 10:32 AM

Ok, as you have managed to confuse many people here already, please explain what exactly you want to work:
1. During 9-6 (I assume it is 9 a.m. - 6 p.m.)
2. The rest.

Thanks

qprfact 01-15-2010 11:06 AM

Sorry, thought that had clarified things!

Yes, it is 9am - 6pm, Mon - Fri.

Outside of those hours, I want http, IM, etc., all allowed, ideally with traffic shaping. Anything NOT specified is to DROP / REJECT.

Inside those hours, I want IM to be allowed, and http to a small number of URLs (such as Facebook). Traffic shaping is not required then. As before, anything not specified is to DROP / REJECT.

Does that help?

Thanks!
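Added here as a worked example, not code from anyone in this thread: one stateful ruleset that covers the requirements qprfact lists above and uses the iptables time match GrapefruiTgirl mentions, so the two rulesets and the cron swap collapse into one. It also puts a RELATED,ESTABLISHED rule and DNS into FORWARD, which the ruleset in the opening post lacks: without them every reply and every name lookup hits the final DROP. Interface names, the allowed daytime hosts and the IM port are assumptions, marked in the comments.

```shell
#!/bin/sh
# Added example, not a script from this thread. Builds one iptables-restore ruleset that
# enforces the 9am-6pm Mon-Fri restriction with the xt_time match instead of a cron swap.
# Assumptions not stated in the thread: LAN 192.168.2.0/24 behind $LAN_IF, router via $WAN_IF,
# IM is MSN on TCP 1863 (the port in the OP's rules), daytime web access is limited to the
# hosts in $DAY_WEB (iptables matches addresses, not URLs; URL filtering needs Squid).
LAN_NET="192.168.2.0/24"
LAN_IF="eth1"                         # assumption: interface facing the LAN
WAN_IF="eth0"                         # assumption: interface facing the router
DAY_WEB="203.0.113.10 203.0.113.11"   # constructed placeholder addresses
# xt_time compares against UTC unless iptables and kernel support --kerneltz;
# shift the hours by your UTC offset if yours do not.
BUSY="-m time --timestart 09:00 --timestop 18:00 --weekdays Mon,Tue,Wed,Thu,Fri"
NEW="-m conntrack --ctstate NEW"
gen_rules() {
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:DAYTIME - [0:0]
# Replies first: without this every answer to an allowed request hits the final DROP,
# which is why "--dport 80 ACCEPT" followed by "DROP" still blocks all browsing.
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Clients need DNS at all hours, or nothing resolves whatever the web rules say.
-A FORWARD -i $LAN_IF -s $LAN_NET -p udp --dport 53 $NEW -j ACCEPT
-A FORWARD -i $LAN_IF -s $LAN_NET -p tcp --dport 53 $NEW -j ACCEPT
-A FORWARD -i $LAN_IF -s $LAN_NET -p tcp --dport 1863 $NEW -j ACCEPT
# In the busy window new LAN connections go to DAYTIME, which never returns, so the
# rules after this one only ever see off-hours traffic: that is the off-hours policy.
-A FORWARD -i $LAN_IF -s $LAN_NET $NEW $BUSY -j DAYTIME
-A FORWARD -i $LAN_IF -s $LAN_NET -p tcp -m multiport --dports 80,443 $NEW -j ACCEPT
-A FORWARD -j DROP
EOF
  for h in $DAY_WEB; do   # daytime: web only to the listed hosts, nothing else
    echo "-A DAYTIME -d $h -p tcp -m multiport --dports 80,443 -j ACCEPT"
  done
  echo "-A DAYTIME -j DROP"
  echo "COMMIT"
}
# Root-free sanity check: how many rules carry the time match (expect exactly one).
timed_rule_count() { gen_rules | grep -c -- '--timestart 09:00'; }
# Run "sh fw.sh apply" as root on the server to load it; with no argument it only prints.
if [ "${1:-}" = "apply" ]; then gen_rules | iptables-restore; else gen_rules; fi
```

Review the printed output with `sh fw.sh` before applying; the DAYTIME chain is the only place daytime web traffic can be accepted, so adding a host there is the whole change when another site is needed.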

nimnull22 01-15-2010 12:11 PM

First, you have to enable forwarding by
Code:

echo "1" > /proc/sys/net/ipv4/ip_forward
Then, delete everything from the FORWARD chain and add:
Code:

# the tcp match takes --dport (one port); --dports belongs to -m multiport
-A FORWARD -s 192.168.2.10/32 -p tcp --dport 80 -j ACCEPT
-A FORWARD -d 192.168.2.10/32 -p tcp --dport 80 -j ACCEPT
-A FORWARD -j DROP
Those are for 9am - 6pm, Mon - Fri.

For "Outside of those hours" leave FORWARD empty, as your default rule is ACCEPT.

Try this; if http works from the computer with IP=192.168.2.10, we will add other rules.
Use cron to change them.

qprfact 01-15-2010 03:26 PM

Thanks very much! I tried
Code:

cat /proc/sys/net/ipv4/ip_forward
first and got a value of 1, but nonetheless I used the command you said and then the lines of code in the iptables - I had to change from dports to dport, but then the code was accepted on machine 192.168.2.4 (the easiest one for me to test on).

And .....

Neither HTTP nor IM is working.

Have I done something wrong? I was really thinking this was working as well!

nimnull22 01-15-2010 03:40 PM

Quote:

Originally Posted by qprfact (Post 3827954)
Thanks very much! I tried
Code:

cat /proc/sys/net/ipv4/ip_forward
first and got a value of 1, but nonetheless I used the command you said and then the lines of code in the iptables - I had to change from dports to dport, but then the code was accepted on machine 192.168.2.4 (the easiest one for me to test on).

And .....

Neither HTTP nor IM is working.

Have I done something wrong? I was really thinking this was working as well!

Those rules are for IP=192.168.2.10/32; packets from other IPs will be dropped. You have to try from that computer, or tell us which ethernet card faces the LAN: eth1, eth2 or eth3?

qprfact 01-15-2010 03:58 PM

Yes, I was using 192.168.2.4 and checking access from that IP only.

You mention the ethernet card - is this on the server or on 192.168.2.4, and do I find this via ifconfig?

qprfact 01-15-2010 04:02 PM

This is what ifconfig on 192.168.2.4 says:

Quote:

eth0 Link encap:Ethernet HWaddr 00:18:8b:77:32:bf
inet addr:192.168.2.4 Bcast:192.168.0.255 Mask:255.255.255.0
inet6 addr: fe80::218:8bff:fe77:32bf/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:3310217 errors:0 dropped:0 overruns:0 frame:0
TX packets:2268940 errors:0 dropped:0 overruns:0 carrier:0
collisions:595145 txqueuelen:1000
RX bytes:2842754434 (2.8 GB) TX bytes:376712060 (376.7 MB)
Interrupt:19

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:8025 errors:0 dropped:0 overruns:0 frame:0
TX packets:8025 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:504553 (504.5 KB) TX bytes:504553 (504.5 KB