LinuxQuestions.org
Old 05-03-2006, 05:47 PM   #1
keithdj
LQ Newbie
 
Registered: Aug 2005
Location: New Zealand
Distribution: Fedora 4.0
Posts: 27

Rep: Reputation: 15
activating "time" function in iptables


Is there anyone out there that can guide me through the process of enabling the "time" function in iptables? I believe this involves re-compiling the kernel.

Alternatively, offer another solution for doing time-based blocking of particular IP addresses on an FC4 box that is being used as an internet server (squid / dansguardian).
 
Old 05-03-2006, 06:15 PM   #2
Brian1
LQ Guru
 
Registered: Jan 2003
Location: Seymour, Indiana
Distribution: RHEL 5 with Pieces of this and that. Kernel 2.6.23.1, KDE 3.5.8 and KDE 4.0 beta, Plu
Posts: 5,700

Rep: Reputation: 62
What you are after is the hashlimit option. Here is a line I use in my iptables script to limit ssh connections over time. Yes, hashlimit needs to be compiled as a module in the netfilter/ipv4 section of the kernel config. Not sure if it's the default in the kernel. Doubt it is, but to check, go to /lib/modules/<current_running_kernel_version>/net/ipv4/netfilter/ipt_hashlimit.ko

$IPTABLES -A INPUT -p tcp -i eth0 --syn --dport 22 -m hashlimit --hashlimit-name SSH --hashlimit 2/minute --hashlimit-burst 1 --hashlimit-mode srcip --hashlimit-htable-expire 600000 -j ACCEPT

Brian1
 
Old 05-03-2006, 06:36 PM   #3
keithdj
LQ Newbie
 
Registered: Aug 2005
Location: New Zealand
Distribution: Fedora 4.0
Posts: 27

Original Poster
Rep: Reputation: 15
Not at home at the moment so can't check, but the above sounds like it would limit session times; I want to limit access times, i.e. only allow access between 6pm and 9pm.
 
Old 05-03-2006, 07:46 PM   #4
Brian1
LQ Guru
 
Registered: Jan 2003
Location: Seymour, Indiana
Distribution: RHEL 5 with Pieces of this and that. Kernel 2.6.23.1, KDE 3.5.8 and KDE 4.0 beta, Plu
Posts: 5,700

Rep: Reputation: 62
You can use cron to start an iptables command to block and then later remove the iptables command. Yes, the above stops ssh connections for a period of time from harassing IPs. This was some weird thing about a year ago. It just about bogs down the ssh server if the attack persists.

Brian1
 
Old 05-03-2006, 09:18 PM   #5
keithdj
LQ Newbie
 
Registered: Aug 2005
Location: New Zealand
Distribution: Fedora 4.0
Posts: 27

Original Poster
Rep: Reputation: 15
That sounds like the go, never used cron before, and still haven't figured scripts out yet, but I'll get there. Thanks for the suggestion.

Regards
 
Old 05-04-2006, 06:16 AM   #6
keithdj
LQ Newbie
 
Registered: Aug 2005
Location: New Zealand
Distribution: Fedora 4.0
Posts: 27

Original Poster
Rep: Reputation: 15
Hi

Figured out scripts, and found a tutorial on cron. I've tested the scripts by running them manually and they do exactly what I want. I have edited the root table in the cron.d directory. I put an entry in the cron table that writes a line to a text file every minute, and that worked fine, so I know cron is working, but my iptables scripts don't appear to be executing.

I have read that any error output is sent as an email to the table owner. I have no idea how to check that as I don't have email set up on this box, and have no interest in doing so. I read somewhere that I can pipe the output elsewhere if I want, but how? I'm still learning the Linux way.


The cron table has the following entry:

30 21 * * * * /DataServer/Kids_IP_Off

The above mentioned script has 2 lines, first is an echo statement, second is an iptables command to reject packets from a particular ip address, and this script works.


Q1) Is there anything wrong with the above?

Q2) How do I pipe the output to a file so I can see why it's not working?

Regards

Keith
 
Old 05-04-2006, 04:45 PM   #7
Brian1
LQ Guru
 
Registered: Jan 2003
Location: Seymour, Indiana
Distribution: RHEL 5 with Pieces of this and that. Kernel 2.6.23.1, KDE 3.5.8 and KDE 4.0 beta, Plu
Posts: 5,700

Rep: Reputation: 62
To see if there are any errors run the script in a terminal session and see what errors it shows and post.
Post script contents.

Brian1
 
Old 05-04-2006, 05:48 PM   #8
keithdj
LQ Newbie
 
Registered: Aug 2005
Location: New Zealand
Distribution: Fedora 4.0
Posts: 27

Original Poster
Rep: Reputation: 15
I have run the scripts in a terminal session and they work fine: the entries show in iptables, and no errors are reported. It's only when running them via cron that they don't work.
 
Old 05-04-2006, 07:27 PM   #9
Brian1
LQ Guru
 
Registered: Jan 2003
Location: Seymour, Indiana
Distribution: RHEL 5 with Pieces of this and that. Kernel 2.6.23.1, KDE 3.5.8 and KDE 4.0 beta, Plu
Posts: 5,700

Rep: Reputation: 62
Posting the script contents might help understand the issue.

Is it executable?
Are you using the full path to the iptables command?
What shell are you using for the script?

Brian1
 
Old 05-05-2006, 12:56 AM   #10
keithdj
LQ Newbie
 
Registered: Aug 2005
Location: New Zealand
Distribution: Fedora 4.0
Posts: 27

Original Poster
Rep: Reputation: 15
Ok, here's the root file from /var/spool/cron.
The last entry for dansguardian log rotation hasn't yet been tested, but I did have another entry in here that added to a test file every minute, and that worked.


# Minute(0-59) Hour(0-23) Day(1-31) Month(1-12) DayofWeek(0-6, 0 = Sun)
30 21 * * * /DataServer/Manthy_IP_Off
30 20 * * * /DataServer/NefNef_IP_Off
00 16 * * * /DataServer/Kids_IP_On
59 23 * * sat /etc/dansguardian/logrotation

Ok, and here is the script that won't work under cron, but works fine from a terminal window. This file has permissions 755. This file is located in /DataServer.


# This script is run by cron.
#
# It will disable the Samantha IP addresses access to the internet at the required time
#
clear
echo "Disable Samanthas IP addresses"
iptables -A INPUT -s 192.168.0.30/32 -j REJECT
iptables -A INPUT -s 192.168.0.81/32 -j REJECT

Was just checking whether it mattered where I was when I entered the iptables command, and found that the script appears to have executed 4 times since I last looked last night (18 hours ago), so I'm a bit confused now. Will continue to send this anyway, but will do some more checking.

I don't know what 'type' of shell I'm using; I right click on the desktop and select "Open Terminal".

Regards


Keith
 
Old 05-05-2006, 01:23 AM   #11
chrism01
LQ Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.9, Centos 7.3
Posts: 17,347

Rep: Reputation: 2365
When you get the cmd line, use:
echo $SHELL
You'll probably get /bin/bash.
For the script itself, try appending:
30 20 * * * /DataServer/NefNef_IP_Off >/tmp/off.log 2>&1
which should capture the output/error channels to the file.
 
Old 05-05-2006, 03:15 PM   #12
Brian1
LQ Guru
 
Registered: Jan 2003
Location: Seymour, Indiana
Distribution: RHEL 5 with Pieces of this and that. Kernel 2.6.23.1, KDE 3.5.8 and KDE 4.0 beta, Plu
Posts: 5,700

Rep: Reputation: 62
Ok, add this line to the beginning of the script for the bash shell:
#!/bin/sh

Do not let the # fool you; its use here is a marker so the system knows what the file is. It's the same as with a Windows exe file: every .exe file in Windows, when viewed with an editor, will have the same two characters.

Now make sure it is executable by running the command chmod +x name_of_file.

You can change the ' echo "Disable Samanthas IP addresses" ' to something like this to send to gui desktop.
xmessage -center "Disable Samanthas IP addresses"

Brian1
 
Old 05-05-2006, 06:36 PM   #13
keithdj
LQ Newbie
 
Registered: Aug 2005
Location: New Zealand
Distribution: Fedora 4.0
Posts: 27

Original Poster
Rep: Reputation: 15
Tried chrism01's suggestion of sending output to a log file, and it came back saying it couldn't find the iptables command, so I guess I've got path issues. I have tried typing the iptables command from a variety of places in the directory structure and it always works, so I don't understand why it won't when the script is run by cron, particularly when I run the script myself and it works fine.
 
Old 05-05-2006, 07:19 PM   #14
Brian1
LQ Guru
 
Registered: Jan 2003
Location: Seymour, Indiana
Distribution: RHEL 5 with Pieces of this and that. Kernel 2.6.23.1, KDE 3.5.8 and KDE 4.0 beta, Plu
Posts: 5,700

Rep: Reputation: 62
Change to this and see if it works. Usually iptables is in /sbin.

# This script is run by cron.
#
# It will disable the Samantha IP addresses access to the internet at the required time
#
clear
echo "Disable Samanthas IP addresses"
/sbin/iptables -A INPUT -s 192.168.0.30/32 -j REJECT
/sbin/iptables -A INPUT -s 192.168.0.81/32 -j REJECT

As far as a path issue, it depends. If you, the user, own the script then it is using the owner's environment variables to run the script, is my guess. Never really considered that, but that may be the case. In scripts I always use the complete path to commands like iptables.

Brian1
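An added example that pulls the thread's advice together (not the poster's or Brian1's script): a cron-safe version of the Kids_IP_Off idea with a #!/bin/sh line, the full /sbin/iptables path (cron runs with a minimal PATH, which is why the bare iptables was not found), and a timestamped log file instead of relying on cron's mail. The on/off arguments, the log path and the IPTABLES/LOGFILE override variables are assumptions added here; the addresses and crontab paths are the ones from the thread.

```shell
#!/bin/sh
# Added example, not the script from the thread. Intended for root's crontab, e.g.
#   30 21 * * * /DataServer/Kids_IP_Off off >>/tmp/kids_ip.log 2>&1
#   00 16 * * * /DataServer/Kids_IP_Off on  >>/tmp/kids_ip.log 2>&1
# (script and log paths are assumptions).

# cron's PATH is usually just /usr/bin:/bin, so name iptables by full path.
# The variable lets a test or another distro substitute a different binary.
IPTABLES=${IPTABLES:-/sbin/iptables}
LOGFILE=${LOGFILE:-/tmp/kids_ip.log}
CHAIN=INPUT

# Hosts to cut off (the two addresses from the poster's script).
HOSTS="192.168.0.30 192.168.0.81"

# Timestamped line to the log; cron would otherwise only mail this output.
log() { printf '%s %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$*" >>"$LOGFILE"; }

# Append (A) or delete (D) the REJECT rule for one host; /32 is a single address.
rule() { "$IPTABLES" -"$1" "$CHAIN" -s "$2/32" -j REJECT; }

# Block every host; stop at the first failure so the log shows which one broke.
block_all() {
    for h in $HOSTS; do
        if rule A "$h"; then log "blocked $h"; else log "FAILED to block $h"; return 1; fi
    done
}

# Remove the rules again. -D deletes one matching rule per call, so running
# "off" twice without an "on" in between leaves a duplicate behind.
unblock_all() {
    for h in $HOSTS; do
        if rule D "$h"; then log "unblocked $h"; else log "no rule to delete for $h"; fi
    done
}

# Quick terminal check: is the binary where the script expects it?
iptables_available() { [ -x "$IPTABLES" ]; }

case "${1:-}" in
    off) block_all ;;
    on)  unblock_all ;;
    "")  ;;   # no argument: define the functions only
    *)   echo "usage: $0 on|off" >&2; exit 2 ;;
esac
```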
 
Old 05-06-2006, 05:44 AM   #15
keithdj
LQ Newbie
 
Registered: Aug 2005
Location: New Zealand
Distribution: Fedora 4.0
Posts: 27

Original Poster
Rep: Reputation: 15
In between my post and yours, I tried putting in the full path and now the script works perfectly from cron. Thanks very much for your help.

Regards


Keith
 
  

