LinuxQuestions.org
Old 01-14-2010, 08:25 AM   #1
qprfact (LQ Newbie, Registered: Jan 2010, Posts: 10)
Ubuntu iptables - restricting access assistance


I have a small home network with a router to the outside world and an ubuntu server through which traffic passes first.

My ISP limits my download usage during the day, which traditionally has not been an issue, but now the children come in from school, boot up the internet and up goes my usage!

Ideally I would like to be able to restrict them to IM and maybe certain specified URLs (I think the latter probably needs to use Squid though?). Once the download limits are lifted, I would like my iptables to allow HTTP, etc, but pretty much block most other things.

If it is possible, traffic shaping to allow prioritisation would be ideal too.

I have two sets of iptables currently to approach this issue, with a cron job that runs to swap between one and the other.

My understanding is that chains run in order, so if rule A says allow x, and rule B says drop all, then x should still be allowed. However, try as I may, this is not what happens in practice. I have even tried changing the overall order from ALLOW to DROP in FORWARD and then approaching from the other angle. That didn't work either.

*IS* it actually possible to block all but http / https and IM?

These are my rules:

Code:
# Generated by iptables-save v1.4.4 on Sat Jan  9 19:15:49 2010
*nat
:PREROUTING ACCEPT [583:45175]
:POSTROUTING ACCEPT [694:60887]
:OUTPUT ACCEPT [143:18642]
# masquerades only 192.168.122.0/24 (the libvirt default network); nothing here
# NATs the 192.168.2.0/24 LAN that all the filter rules below refer to
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
COMMIT
# Completed on Sat Jan  9 19:15:49 2010
# Generated by iptables-save v1.4.4 on Sat Jan  9 19:15:49 2010
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [436:28062]
:OUTPUT ACCEPT [223:27990]
-A INPUT -i lo -j ACCEPT
# --sport 53 matches any packet that merely claims source port 53, not only DNS
# replies; the RELATED,ESTABLISHED rules further down already admit real replies
-A INPUT -p tcp -m tcp --sport 53 -j ACCEPT
-A INPUT -p udp -m udp --sport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 192.168.2.5/32 -j ACCEPT
-A INPUT -s 192.168.2.3/32 -j ACCEPT
-A INPUT -s 192.168.2.2/32 -j ACCEPT
-A INPUT -s 192.168.2.1/32 -p tcp -m tcp --dport 60344 -j ACCEPT
-A INPUT -s 192.168.2.3/32 -p tcp -m tcp --dport 49744 -j ACCEPT
-A INPUT -s 192.168.2.2/32 -p tcp -m tcp --dport 49743 -j ACCEPT
# sits before the ESTABLISHED rule, so established traffic is logged (rate-limited) too
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
# the conntrack and state matches do the same job here; one of these two rules is redundant
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# 139 is NetBIOS session; 145 is not an SMB port (SMB over TCP is 445)
-A INPUT -s 192.168.2.0/24 -p tcp -m multiport --dports 139,145 -j ACCEPT
-A INPUT -s 192.168.2.0/24 -p udp -m multiport --dports 137,138 -j ACCEPT
-A INPUT -s 192.168.2.0/24 -p tcp -m multiport --dports 5900,5901 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10000 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -j DROP

# FORWARD has no RELATED,ESTABLISHED rule. A client's SYN to port 80 is accepted by
# the "http apache" rule, but the reply (source port 80, random destination port)
# matches none of these rules and reaches the final DROP, so no forwarded connection
# ever completes; the same happens to replies for the whitelisted hosts. Nothing
# forwards DNS (53) either, so clients cannot resolve names unless this server
# is their resolver.
-A FORWARD -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -s 192.168.2.10/32 -p udp -m multiport --dports 28910,29900,29901,29920,443 -j ACCEPT
-A FORWARD -s 192.168.2.2/32 -p tcp -m tcp --dport 49743 -j ACCEPT
-A FORWARD -s 192.168.2.5/32 -j ACCEPT
-A FORWARD -s 192.168.2.3/32 -j ACCEPT
-A FORWARD -s 192.168.2.2/32 -j ACCEPT
# 1863 = MSN Messenger, the IM protocol this ruleset allows
-A FORWARD -p tcp -m multiport --dports 1863 -j ACCEPT
-A FORWARD -p tcp -m multiport --dports 80 -m comment --comment "http apache" -j ACCEPT
-A FORWARD -p tcp -m multiport --dports 443 -m comment --comment "https apache" -j ACCEPT
-A FORWARD -j DROP

-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Sat Jan  9 19:15:49 2010
Hopefully that is enough detail? Would be great if someone could assist!
 
Old 01-14-2010, 12:31 PM   #2
nimnull22 (Senior Member, Registered: Jul 2009, Distribution: OpenSuse 11.1, Fedora 14, Ubuntu 12.04/12.10, FreeBSD 9.0, Posts: 1,571)
Quote:
Originally Posted by qprfact
...
Once the download limits are lifted, I would like my iptables to allow HTTP, etc, but pretty much block most other things.
...
Iptables by itself can't do it, but you can change the rules when it becomes necessary.
 
Old 01-14-2010, 12:54 PM   #3
GrapefruiTgirl (Guru, Registered: Dec 2006, Location: underground, Distribution: Slackware64, Posts: 7,594)
Why could iptables by itself not do this? iptables has provisions for time-of-day and day-of-week allowances/blockages.

There is more than one issue in this thread: A) the time-of-day restrictions, and B) traffic shaping; so it might be a decent idea to deal with one issue at a time.

I've never used the iptables time-of-day/day-of-week functionality, but if I have some time, I'd be happy to play around with it.

Vague, crappy Pseudo-code:

1) if time_now="restricted download time" then drop everything but IM; allow IM; drop everything else.
2) if time_now="not restricted" then allow HTTP and whatever you want.

I haven't looked at the iptables script in the OP post, but if you're interested in this time-of-day matching (provided it is in fact something you could use to achieve your goal) then begin with the iptables man page and some of the many very good iptables tutorials online.

It is certainly possible to drop everything but HTTP (80), HTTPS (443), and IM, however for the IM, you'll have to know what ports and/or protocols the IM chatter uses, so you can match for that.

Sasha

 
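Putting the OP's ruleset (post #1) and Sasha's time-of-day pseudo-code together: the script below is an added example, not code from the thread or from any of its posters. It keeps the OP's setup (the Ubuntu box forwards for the LAN, MSN on TCP 1863 is the IM protocol) but builds one stateful FORWARD chain instead of two cron-swapped ones, using iptables' time match to send every forwarded packet through a RESTRICTED chain from 09:00 to 18:00 Monday to Friday. Its first rule, accepting RELATED,ESTABLISHED replies, is the one the OP's FORWARD chain lacks and the reason "everything drops". The LAN-facing interface eth1, the LAN prefix 192.168.2.0/24 and the daytime host list (203.0.113.0/24 is a placeholder) are assumptions. The nat table is left alone, so the OP's MASQUERADE rule, which currently covers 192.168.122.0/24 only, still has to be fixed separately.

```sh
#!/bin/sh
# Added example, not from the thread. One stateful FORWARD chain that replaces the
# two cron-swapped rule sets: the xt_time match diverts packets into RESTRICTED
# (which ends in DROP) during 09:00-18:00 Mon-Fri; outside those hours the jump
# does not match and packets continue to the "open" rules. Interface name, LAN
# prefix and the daytime host list are assumptions.
set -eu

LAN_NET=${LAN_NET:-192.168.2.0/24}   # assumption: the LAN seen in the OP's INPUT rules
LAN_IF=${LAN_IF:-eth1}               # assumption: server NIC facing the LAN
IM_PORTS=${IM_PORTS:-1863}           # MSN Messenger, the IM port already in the OP's rules
# assumption: address ranges the children may browse during the day (TEST-NET-3 as a
# placeholder; put the real addresses here, or use Squid for name-based filtering)
DAY_HTTP_HOSTS=${DAY_HTTP_HOSTS:-203.0.113.0/24}

# Print the FORWARD and RESTRICTED chains in iptables-restore syntax. Emitting text
# (rather than one iptables call per rule) lets the rules be reviewed before they
# are loaded, and loads them in one step.
build_rules() {
    cat <<EOF
*filter
:FORWARD DROP [0:0]
:RESTRICTED - [0:0]
# Replies to anything already accepted. Without this rule every return packet of
# a forwarded connection hits the DROP at the end, which is why the OP's rules
# "drop everything".
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
# Only the LAN side may open new connections through this box.
-A FORWARD ! -i $LAN_IF -j DROP
# Name resolution is needed at any time of day.
-A FORWARD -s $LAN_NET -p udp -m udp --dport 53 -j ACCEPT
-A FORWARD -s $LAN_NET -p tcp -m tcp --dport 53 -j ACCEPT
# Restricted window. --kerneltz evaluates the times in the kernel's local time zone;
# without it xt_time compares against UTC.
-A FORWARD -m time --timestart 09:00 --timestop 18:00 --weekdays Mon,Tue,Wed,Thu,Fri --kerneltz -j RESTRICTED
# Outside the window: IM and web from the LAN; anything else meets the DROP policy.
-A FORWARD -s $LAN_NET -p tcp -m multiport --dports $IM_PORTS,80,443 -j ACCEPT
EOF
    for host in $DAY_HTTP_HOSTS; do
        printf '%s\n' "-A RESTRICTED -s $LAN_NET -d $host -p tcp -m multiport --dports 80,443 -j ACCEPT"
    done
    cat <<EOF
-A RESTRICTED -s $LAN_NET -p tcp -m multiport --dports $IM_PORTS -j ACCEPT
-A RESTRICTED -m limit --limit 5/min -j LOG --log-prefix "daytime denied: "
-A RESTRICTED -j DROP
COMMIT
EOF
}

# Load the chains without touching INPUT/OUTPUT or the nat table. --noflush keeps
# the other chains; FORWARD and RESTRICTED are emptied first so the new rules
# replace rather than append to the old ones.
apply_rules() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        build_rules
        return 0
    fi
    iptables -F FORWARD
    iptables -F RESTRICTED 2>/dev/null || true
    build_rules | iptables-restore --noflush
}

# `sh rules.sh apply` (as root) loads the rules; anything else just prints them.
if [ "${1:-}" = apply ]; then apply_rules; else DRY_RUN=1 apply_rules; fi
```

Hosts that should bypass the daytime restriction (the OP's 192.168.2.2/3/5) get a plain `-s` ACCEPT inserted before the time-match jump. One caveat worth knowing: the time is evaluated per packet, so a download started at 08:59 keeps flowing into the restricted window through the ESTABLISHED rule (and one started at 17:59 keeps flowing after 18:00); if that matters, flush the connection table with `conntrack -F` at the boundary from cron. Traffic shaping, the second half of the question, is done with `tc` rather than iptables and is not covered here.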
Old 01-14-2010, 01:06 PM   #4
nimnull22 (Senior Member, Registered: Jul 2009, Distribution: OpenSuse 11.1, Fedora 14, Ubuntu 12.04/12.10, FreeBSD 9.0, Posts: 1,571)
Quote:
Originally Posted by GrapefruiTgirl
Why could iptables by itself not do this? iptables has provisions for time-of-day and day-of-week allowances/blockages.
Can you please read again what OP wants: "Once the download limits are lifted,..."
 
Old 01-14-2010, 01:10 PM   #5
GrapefruiTgirl (Guru, Registered: Dec 2006, Location: underground, Distribution: Slackware64, Posts: 7,594)
Quote:
Originally Posted by nimnull22
Can you please read again what OP wants: "Once the download limits are lifted,..."
Ok, done. What am I missing?
 
Old 01-14-2010, 01:14 PM   #6
nimnull22 (Senior Member, Registered: Jul 2009, Distribution: OpenSuse 11.1, Fedora 14, Ubuntu 12.04/12.10, FreeBSD 9.0, Posts: 1,571)
He needs a simple script which parses "ifconfig" output, calculates the amount of data downloaded during the day, and then changes the rules in iptables.

I think this is the easiest way.
 
Old 01-14-2010, 01:18 PM   #7
GrapefruiTgirl (Guru, Registered: Dec 2006, Location: underground, Distribution: Slackware64, Posts: 7,594)
OHHHHH

I did not get that from reading. Thank you nimnull, I understand now what you're saying.

I thought the OP wanted to block all potential for downloading during the "restricted" period, but then after a certain TOD when the "restriction" got lifted, allow freely downloading.

Now, if I understand right, the OP wants to essentially "shut off the tap" when the limit has been reached for the day.

Gotcha, thanks.
Sasha
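nimnull22's idea from post #6 (parse the interface counters, count the day's download, change the rules when the cap is reached), which Sasha summarises as shutting off the tap, as an added example that is not part of the thread. It reads /proc/net/dev, which is where ifconfig's "RX bytes" figure comes from, so it does not depend on ifconfig's output format. The interface name eth0, the state file path and the 2 GB limit are assumptions. (The OP later clarifies that the restriction is a fixed time window rather than a byte cap; this block covers the byte-counting variant.)

```sh
#!/bin/sh
# Added example, not from the thread: count the day's download from the same
# counters ifconfig prints (/proc/net/dev) and report when a daily cap is hit.
# WAN_IF, STATE and LIMIT are assumptions; override them in the environment.
set -eu

WAN_IF=${WAN_IF:-eth0}                     # assumption: NIC towards the ISP router
STATE=${STATE:-/var/lib/daycap/baseline}   # assumption: where the 09:00 reading is kept
LIMIT=${LIMIT:-2000000000}                 # assumption: 2 GB per restricted day
NETDEV=${NETDEV:-/proc/net/dev}            # overridable so the parser can run on a sample

# Receive-byte counter for one interface. The field after "name:" is RX bytes;
# old kernels print it without a space when it exceeds eight digits
# ("eth0:2842754434"), so split on the colon rather than on whitespace.
rx_bytes() {
    awk -v ifc="$1" '
        { sub(/^ +/, ""); n = split($0, a, ":") }
        n > 1 && a[1] == ifc { split(a[2], f, " "); print f[1] }
    ' "$NETDEV"
}

# Record the counter at the start of the restricted window (cron, 09:00 Mon-Fri).
start_day() {
    mkdir -p "$(dirname "$STATE")"
    rx_bytes "$WAN_IF" > "$STATE"
}

# Bytes received since start_day. A reading below the baseline means the counter
# wrapped (32-bit counters on old kernels wrap at 4 GB) or the interface was
# re-created; restart from zero rather than produce a negative number.
used_today() {
    now=$(rx_bytes "$WAN_IF")
    [ -n "$now" ] || { echo "no counters for $WAN_IF" >&2; return 1; }
    base=$(cat "$STATE" 2>/dev/null || echo 0)
    if [ "$now" -lt "$base" ]; then base=0; fi
    echo $((now - base))
}

# Exit status 0 when the cap is reached, 1 otherwise: `if over_limit; then ...`.
over_limit() {
    [ "$(used_today)" -ge "$LIMIT" ]
}

case "${1:-}" in
    start) start_day ;;
    check) if over_limit; then
               echo "limit reached: $(used_today) of $LIMIT bytes"
           else
               echo "used $(used_today) of $LIMIT bytes"
           fi ;;
esac
```

Run `daycap.sh start` from cron at 09:00 and `daycap.sh check` every few minutes; when it reports the limit is reached, load the restrictive rules. iptables can do the accounting itself with `-m quota --quota <bytes>` on an ACCEPT rule followed by a DROP, but that counter lives in the rule and is reset whenever the rules are reloaded, which is why the baseline is kept in a file here.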
 
Old 01-14-2010, 05:20 PM   #8
qprfact (LQ Newbie, Original Poster, Registered: Jan 2010, Posts: 10)
Thanks for all your responses!

Sorry, my fault for being a bit ambiguous in my original post - when I referred to "once the download limits are lifted" I WAS talking about time of day - 6pm in my instance - as after that time the limits no longer apply (i.e. the limits are 9am - 6pm Mon - Fri)

Therefore I have no problems with two sets of rules - one for 9-6, the other for rest of the time - but the former needs to be very restricted in what can be done to avoid the limits being breached - hence the suggestion of allowing IM and maybe a couple of URLs. Outside of those hours, HTTP/S can be "opened up", but ideally with the network still kept as secure as possible.

The traffic shaping aspect comes into play during those hours, purely so that if a member of the household is downloading or streaming they are not "hogging the connection" to the detriment of all others.

The approach that GrapefruiTgirl suggests in the "vague, crappy Pseudo Code" (it's not!) is exactly what I am after with my first issue. The trouble is, my rules, which I thought would achieve this outcome, don't! Instead they drop everything, despite the fact that I believe I have written them in such a way that IM and HTTP/S would work. Trouble is, I've read many tutorials now, and none of them seem to cover this particular issue.

Hope this clarifies things a bit - sorry if I wasn't exact enough initially, but it sounds like you understand what I want to achieve, so here's hoping you can assist.

Thanks in advance!
 
Old 01-15-2010, 10:32 AM   #9
nimnull22 (Senior Member, Registered: Jul 2009, Distribution: OpenSuse 11.1, Fedora 14, Ubuntu 12.04/12.10, FreeBSD 9.0, Posts: 1,571)
Ok, as you have managed to confuse many people here already, please explain what exactly you want to work:
1. From 9-6 (I assume it is 9 a.m. - 6 p.m.)
2. The rest.

Thanks
 
Old 01-15-2010, 11:06 AM   #10
qprfact (LQ Newbie, Original Poster, Registered: Jan 2010, Posts: 10)
Sorry, thought that had clarified things!

Yes, it is 9am - 6pm, Mon - Fri

Outside of those hours, I want http, IM, etc, all allowed, ideally with traffic shaping. Anything NOT specified is to DROP / REJECT

Inside those hours, I want IM to be allowed, and http to a small number of URLs (such as Facebook). Traffic shaping not required then. As before, anything not specified is to DROP / REJECT

Does that help?

Thanks!
 
Old 01-15-2010, 12:11 PM   #11
nimnull22 (Senior Member, Registered: Jul 2009, Distribution: OpenSuse 11.1, Fedora 14, Ubuntu 12.04/12.10, FreeBSD 9.0, Posts: 1,571)
First, you have to enable forwarding by
Code:
echo "1" > /proc/sys/net/ipv4/ip_forward
Then, delete everything from the FORWARD chain and add:
Code:
-A FORWARD -s 192.168.2.10/32 -p tcp -m tcp --dport 80 -j ACCEPT
# matches connections *to* port 80 on 192.168.2.10; replies from web servers
# carry source port 80, so this line does not pass the return traffic
-A FORWARD -d 192.168.2.10/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -j DROP
Those are for 9am - 6pm, Mon - Fri.

For "Outside of those hours" leave FORWARD empty, as your default rule is ACCEPT.

Try this; if http works from the computer with IP=192.168.2.10, we will add other rules.
Use cron to change them.
 
Old 01-15-2010, 03:26 PM   #12
qprfact (LQ Newbie, Original Poster, Registered: Jan 2010, Posts: 10)
Thanks very much! I tried
Code:
cat /proc/sys/net/ipv4/ip_forward
first and got a value of 1, but nonetheless I used the command you said and then the lines of code in the iptables - I had to change from dports to dport, but then the code was accepted on machine 192.168.2.4 (the easiest one for me to test on)

And .....

Neither HTTP nor IM is working.

Have I done something wrong? I was really thinking this was working as well!
 
Old 01-15-2010, 03:40 PM   #13
nimnull22 (Senior Member, Registered: Jul 2009, Distribution: OpenSuse 11.1, Fedora 14, Ubuntu 12.04/12.10, FreeBSD 9.0, Posts: 1,571)
Quote:
Originally Posted by qprfact
Thanks very much! I tried
Code:
cat /proc/sys/net/ipv4/ip_forward
first and got a value of 1, but nonetheless I used the command you said and then the lines of code in the iptables - I had to change from dports to dport, but then the code was accepted on machine 192.168.2.4 (the easiest one for me to test on)

And .....

Neither HTTP nor IM is working.

Have I done something wrong? I was really thinking this was working as well!
Those rules are for IP=192.168.2.10/32; packets from other IPs will be dropped. You have to try from that computer, or tell us which ethernet card faces the LAN: eth1, eth2 or eth3?

 
Old 01-15-2010, 03:58 PM   #14
qprfact (LQ Newbie, Original Poster, Registered: Jan 2010, Posts: 10)
Yes, I was using 192.168.2.4 and checking access from that IP only.

You mention the ethernet card - is this on the server or on 192.168.2.4, and do I find this via ifconfig?
 
Old 01-15-2010, 04:02 PM   #15
qprfact (LQ Newbie, Original Poster, Registered: Jan 2010, Posts: 10)
This is what ifconfig on 192.168.2.4 says:

Code:
eth0      Link encap:Ethernet  HWaddr 00:18:8b:77:32:bf
          inet addr:192.168.2.4  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::218:8bff:fe77:32bf/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3310217 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2268940 errors:0 dropped:0 overruns:0 carrier:0
          collisions:595145 txqueuelen:1000
          RX bytes:2842754434 (2.8 GB)  TX bytes:376712060 (376.7 MB)
          Interrupt:19

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:8025 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8025 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:504553 (504.5 KB)  TX bytes:504553 (504.5 KB)
 
  


Tags: http, im, iptables, ubuntu