Activating the "time" function in iptables
Is there anyone out there that can guide me through the process of enabling the "time" function in iptables? I believe this involves re-compiling the kernel.
Alternatively, offer another solution for doing time-based blocking of particular IP addresses on an FC4 box that is being used as an internet server (squid / dansguardian).
What you are after is the hashlimit option. Here is a line I use in my iptables script to limit ssh connections over time. Yes, hashlimit needs to be compiled as a module in the netfilter/ipv4 section of the kernel config. Not sure if it is default in the kernel. Doubt it is, but to check go to /lib/modules/<current_running_kernel_version>/net/ipv4/netfilter/ipt_hashlimit.ko

    $IPTABLES -A INPUT -p tcp -i eth0 --syn --dport 22 -m hashlimit --hashlimit-name SSH --hashlimit 2/minute --hashlimit-burst 1 --hashlimit-mode srcip --hashlimit-htable-expire 600000 -j ACCEPT

Brian1
Not at home at the moment so can't check, but the above sounds like it would limit session times. I want to limit access times, i.e. only allow access between 6pm and 9pm.
You can use cron to start an iptables command to block and then later remove the iptables command. Yes, the above stops ssh connections for a period of time from harassing IPs. This was some weird thing about a year ago. Just about bogs down the ssh server if the attack persists.
Brian1
That sounds like the go. Never used cron before, and still haven't figured scripts out yet, but I'll get there. Thanks for the suggestion.
Regards
Hi
Figured out scripts, and found a tutorial on cron. I've tested the scripts by running them manually and they do exactly what I want. I have edited the root table in the cron.d directory. I put an entry in the cron table that writes a line to a text file every minute, and that worked fine, so I know cron is working, but my iptables scripts don't appear to be executing. I have read that any error output is sent as an email to the table owner; I have no idea how to check that as I don't have email set up on this box, and have no interest in doing so. I read somewhere that I can pipe the output elsewhere if I want, but how? I'm still learning the Linux way.

The cron table has the following entry:

    30 21 * * * * /DataServer/Kids_IP_Off

The above mentioned script has 2 lines: the first is an echo statement, the second is an iptables command to reject packets from a particular IP address, and this script works.

Q1) Is there anything wrong with the above?
Q2) How do I pipe the output to a file so I can see why it's not working?

Regards
Keith
To see if there are any errors, run the script in a terminal session, see what errors it shows, and post them.
Post the script contents.
Brian1
I have run the scripts in a terminal session and they work fine; the entries show in iptables, and no errors are reported. It's only when running them by cron that they don't work.
Posting the script contents might help understand the issue.
Is it executable? Are you using the full path to the iptables command? What shell are you using for the script?
Brian1
Ok, here's the root file from /var/spool/cron.
The last entry for dansguardian log rotation hasn't yet been tested, but I did have another entry in here that added to a test file every minute, and that worked.

    # Minute(0-59) Hour(0-23) Day(0-31) Month(1-12) DayofWeek(0-6, 6 = Sun)
    30 21 * * * /DataServer/Manthy_IP_Off
    30 20 * * * /DataServer/NefNef_IP_Off
    00 16 * * * /DataServer/Kids_IP_On
    59 23 * * sat /etc/dansguardian/logrotation

Ok, and here is the script that won't work under cron, but works fine from a terminal window. This file has permissions 755. This file is located in /DataServer.

    # This script is run by cron.
    #
    # It will disable the Samantha IP addresses access to the internet at the required time
    #
    clear
    echo "Disable Samanthas IP addresses"
    iptables -A INPUT -s 192.168.0.30/32 -j REJECT
    iptables -A INPUT -s 192.168.0.81/32 -j REJECT

Was just checking whether it mattered where I was when I entered the iptables command, and found that the script appears to have executed 4 times since I last looked last night (18 hours ago), so bit confused now. Will continue to send this anyway, but will do some more checking.
I don't know what 'type' of shell I'm using; I right click on the desktop and select "Open Terminal".
Regards
Keith
When you get the cmd line, use:

    echo $SHELL

You'll probably get /bin/bash. For the script itself, try appending a redirection to the crontab line:

    30 20 * * * /DataServer/NefNef_IP_Off >/tmp/off.log 2>&1

which should capture the output/error channels to the file.
Ok, add this line to the beginning of the script for the bash shell:

    #!/bin/sh

Do not let the # fool you; the use of it is a marker to know what the file is. The same thing as in a Windows exe file: every .exe file in Windows, when viewed with an editor, will have the same two characters. Now make sure it is executable by running the command chmod +x name_of_file. You can change the ' echo "Disable Samanthas IP addresses" ' to something like this to send it to the GUI desktop:

    xmessage -center "Disable Samanthas IP addresses"

Brian1
Tried chrism01's suggestion of sending output to a log file, and it came back saying it couldn't find the iptables command, so I guess I've got path issues. I have tried typing the iptables command from a variety of places in the directory structure and it always works, so don't understand why it won't when the script is run by cron, particularly when I run the script myself and it works fine.
Change to this and see if it works. Usually iptables is in /sbin.

    # This script is run by cron.
    #
    # It will disable the Samantha IP addresses access to the internet at the required time
    #
    clear
    echo "Disable Samanthas IP addresses"
    /sbin/iptables -A INPUT -s 192.168.0.30/32 -j REJECT
    /sbin/iptables -A INPUT -s 192.168.0.81/32 -j REJECT

As far as a path issue, it depends. If you, the user, own the script then it is using the owner's environment variables to run the script, is my guess. Never really considered that, but that may be the case. In scripts I always use the complete path to commands like iptables.
Brian1
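Pulling the thread's fixes together, here is an added example (not a script from the thread or from any of its posters) of a cron-safe version of the Kids_IP_Off / Kids_IP_On pair: it sets PATH explicitly, calls iptables by full path, logs to a file instead of relying on cron's mail, and checks for an existing rule before appending, so a job that cron fires more than once does not stack duplicate REJECT rules in INPUT. It assumes iptables in /sbin, a log path of my choosing, the two addresses from the thread, and an iptables new enough to have the -C rule-check option (the FC4-era version discussed above lacks it).

```shell
#!/bin/sh
# Added example, not from the thread. One script serves both directions:
#   30 21 * * * /DataServer/Kids_IP_Off off >>/var/log/kids_ip.cron.log 2>&1
#   00 16 * * * /DataServer/Kids_IP_Off on  >>/var/log/kids_ip.cron.log 2>&1
# Assumptions: iptables in /sbin, the log path below, hosts from the thread.

# cron's PATH is usually just /usr/bin:/bin, so add the sbin dirs and
# also name the binary by full path.
PATH=/sbin:/usr/sbin:${PATH:-/usr/bin:/bin}; export PATH
IPTABLES="${IPTABLES:-/sbin/iptables}"
LOG="${LOG:-/var/log/kids_ip.log}"
HOSTS="192.168.0.30 192.168.0.81"

log() { printf '%s %s\n' "$(date '+%F %T')" "$*" >>"$LOG"; }

# -C succeeds only if an identical rule already exists, so a repeated
# "off" run does not append a second REJECT rule.
block_host() {
    if "$IPTABLES" -C INPUT -s "$1/32" -j REJECT 2>/dev/null; then
        log "already blocked: $1"
        return 0
    fi
    "$IPTABLES" -A INPUT -s "$1/32" -j REJECT && log "blocked: $1"
}

# Delete every copy, in case an older script did stack duplicates.
unblock_host() {
    while "$IPTABLES" -C INPUT -s "$1/32" -j REJECT 2>/dev/null; do
        "$IPTABLES" -D INPUT -s "$1/32" -j REJECT || return 1
    done
    log "unblocked: $1"
}

apply() {   # apply off|on
    for h in $HOSTS; do
        case "$1" in
            off) block_host "$h" || return 1 ;;
            on)  unblock_host "$h" || return 1 ;;
            *)   echo "usage: $0 off|on" >&2; return 2 ;;
        esac
    done
}

# Act only when given an argument, so sourcing the file just defines
# the functions without touching the firewall.
if [ $# -gt 0 ]; then
    apply "$1"
fi
```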
In between my post and yours, I tried putting the full path and now the script works perfectly from cron. Thanks very much for your help.
Regards
Keith