LinuxQuestions.org > Linux - Newbie > Inter Access Limit Schedule
https://www.linuxquestions.org/questions/linux-newbie-8/inter-access-limit-scedule-315558/

dark_bringer 04-20-2005 11:46 PM

Inter Access Limit Schedule
 
I have some questions regarding limiting internet access during specific times.
So far I only use squid ACLs, but as far as I can see that can only limit browsing access; other things like chat programs can still get through.
I tried using the configuration at rc, and with that I can block it, but I cannot find how to schedule it.
So the point is:
08.00 - 11.30 email only
11.30 - 13.30 free internet use
13.30 - 17.00 email only
17.00 - 08.00 free internet use

Can anyone tell me or direct me to some link?

Thank you

Oliv' 04-21-2005 08:26 AM

Hello,

For the HTTP/FTP protocols (internet), use squid + ACLs to restrict access.
For other protocols (POP/SMTP/IMAP/MSN...) use a cron job which dynamically changes your iptables rules and denies the corresponding ports.

dark_bringer 04-21-2005 11:17 PM

Thanks for the reply. I am still searching through the net for more details about cron jobs.
Another question please: ^ ^

Here is roughly my cron job:

# /etc/crontab format: minute hour day month weekday user command
# fire once at the start of each window; with "*" in the minute field the
# rules were inserted again every minute, piling up duplicates
0 8 * * 1-5 root run-parts /etc/schedule_access
0 14 * * 1-5 root run-parts /etc/schedule_access
0 9 * * 6 root run-parts /etc/schedule_access
0 14 * * 6 root run-parts /etc/schedule_access

and in /etc/schedule_access I put these commands:

#!/bin/sh
# (make this file executable; run-parts skips files that are not)
# --dport needs -p tcp (not -p all), ranges use a colon, and the target is DROP
iptables -I FORWARD -p tcp -i eth1 -s 192.168.2.219/32 -o eth0 --dport 1:24 -j DROP
iptables -I FORWARD -p tcp -i eth1 -s 192.168.2.219/32 -o eth0 --dport 27:109 -j DROP
iptables -I FORWARD -p tcp -i eth1 -s 192.168.2.219/32 -o eth0 --dport 111:65535 -j DROP

Can the commands above work to limit all access except email?

Oliv' 04-22-2005 07:17 AM

According to me, the best and easiest solution to do that is to deny all and then to accept connections for ports 25 and 110...
so it should be something like that:
Code:

# chain is FORWARD for LAN traffic routed through the box; the ACCEPT rules
# must come before the REJECT, since -A appends and nothing after a REJECT is reached
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT # keep the mail sessions alive
iptables -A FORWARD -p tcp --dport 25 -m state --state NEW -j ACCEPT # SMTP
iptables -A FORWARD -p tcp --dport 110 -m state --state NEW -j ACCEPT # POP3
iptables -A FORWARD -p tcp -j REJECT --reject-with tcp-reset

Another thing... you have to do a cron job at 8:00 to deny all except mail and do another one at 12:00 to re-enable the initial state (the state before 8:00)... and the same thing for 14:00 and 17:00.

dark_bringer 04-24-2005 10:00 PM

But I want some IPs (my boss wanted this) to be free to access anything at any time.
With the code you gave me, it will block all access during the specific times.
That is why I am still confused about how to block a range of IPs; so far as I know you must declare them one by one, and there are so many IPs to declare :eek: .
I use two IP ranges, 10.10.1.xxx and 192.168.2.xxx. This will be a problem if I must declare them one by one :(

Oliv' 04-26-2005 09:17 AM

Well, if all denied addresses are on the same sub-network, use the -s option with a netmask; otherwise you have to use a bash script.
For example, create a file with the denied IPs and do:
Code:

#!/bin/bash

# one IP or network (CIDR) per line; the file tested and the file read
# must be the same one
DENY_FILE=deny_ips.txt

if [ -r "$DENY_FILE" ]
then
        while read -r DENY_IP
        do
                # FORWARD: the traffic is routed through this box, not addressed to it
                iptables -A FORWARD -s "$DENY_IP" -j DROP
        done < "$DENY_FILE"
else
        echo "Can't read $DENY_FILE"
fi
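
The approach Oliv' describes in the last two replies (deny everything, accept mail, flip the rules from cron at the start and end of each window, and keep a list of addresses that are treated differently) fits together in one script. The following is an added example written for this thread, not code posted by either participant. It assumes the LAN is on eth1 and the uplink on eth0 (as in dark_bringer's rules), keeps all the window rules in a dedicated chain named MAILONLY so that ending a window is a single flush that restores the original FORWARD behaviour, and reads the always-allowed hosts (one address or CIDR network per line, which covers the 10.10.1.xxx and 192.168.2.xxx ranges without listing each host) from an assumed file /etc/mailonly/exempt_ips.txt. The chain name, file path and the /usr/local/sbin/mailonly.sh install location are assumptions; setting IPTABLES=echo prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not code from the thread: a "mail only" window for the LAN
# behind a Linux gateway, built the way Oliv' describes (deny everything,
# allow SMTP/POP3) plus an exempt list for hosts that may always go out.
# All rules live in one dedicated chain, so starting a window is "flush and
# repopulate" (safe to run more than once) and ending it is just a flush,
# which restores whatever the FORWARD chain did before.
#
# Assumed, not taken from the thread: LAN on eth1, uplink on eth0, exempt
# hosts/networks in /etc/mailonly/exempt_ips.txt (one per line, CIDR allowed,
# '#' comments), chain name MAILONLY. Set IPTABLES=echo for a dry run.

IPTABLES="${IPTABLES:-iptables}"
CHAIN="${CHAIN:-MAILONLY}"
LAN_IF="${LAN_IF:-eth1}"
WAN_IF="${WAN_IF:-eth0}"
EXEMPT_FILE="${EXEMPT_FILE:-/etc/mailonly/exempt_ips.txt}"
MAIL_PORTS="25,110,143"   # SMTP, POP3, IMAP

# One-time setup (e.g. from an init script): create the chain and send all
# LAN -> uplink traffic through it. -C (rule check) avoids adding the jump twice.
install_hook() {
    "$IPTABLES" -N "$CHAIN" 2>/dev/null || true
    "$IPTABLES" -C FORWARD -i "$LAN_IF" -o "$WAN_IF" -j "$CHAIN" 2>/dev/null ||
        "$IPTABLES" -I FORWARD -i "$LAN_IF" -o "$WAN_IF" -j "$CHAIN"
}

# Begin a window: exempt hosts and mail traffic RETURN to the normal policy,
# every other TCP flow gets a reset (this also ends chat sessions that were
# already open before the window started), and anything else is dropped.
start_window() {
    "$IPTABLES" -F "$CHAIN"
    if [ -r "$EXEMPT_FILE" ]; then
        while read -r ip; do
            case "$ip" in ''|'#'*) continue ;; esac
            "$IPTABLES" -A "$CHAIN" -s "$ip" -j RETURN
        done < "$EXEMPT_FILE"
    else
        echo "warning: no exempt list at $EXEMPT_FILE" >&2
    fi
    "$IPTABLES" -A "$CHAIN" -p tcp -m multiport --dports "$MAIL_PORTS" -j RETURN
    "$IPTABLES" -A "$CHAIN" -p udp --dport 53 -j RETURN   # mail clients need DNS
    "$IPTABLES" -A "$CHAIN" -p tcp -j REJECT --reject-with tcp-reset
    "$IPTABLES" -A "$CHAIN" -j DROP
}

# End a window: empty the chain, so packets fall through to the existing
# FORWARD rules again (the "initial state" Oliv' mentions).
end_window() {
    "$IPTABLES" -F "$CHAIN"
}

# /etc/crontab lines for the times in the question (08:00-11:30 and
# 13:30-17:00 mail only, Monday to Friday).
print_crontab() {
    cat <<'EOF'
0  8  * * 1-5 root /usr/local/sbin/mailonly.sh start
30 11 * * 1-5 root /usr/local/sbin/mailonly.sh end
30 13 * * 1-5 root /usr/local/sbin/mailonly.sh start
0  17 * * 1-5 root /usr/local/sbin/mailonly.sh end
EOF
}

case "${1:-}" in
    install) install_hook ;;
    start)   start_window ;;
    end)     end_window ;;
    crontab) print_crontab ;;
    *)       echo "usage: $0 install|start|end|crontab" >&2 ;;
esac
```

Run `mailonly.sh install` once at boot (before the cron jobs fire), then let cron call `start` and `end`. Because `start` flushes the chain before filling it, running it again inside a window does not stack duplicate rules, which is the trap in the every-minute crontab posted earlier. If the gateway reboots in the middle of a window the chain comes back empty, so an init script that checks the clock and calls `start` when appropriate is worth adding.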


dark_bringer 04-28-2005 09:01 PM

OK, Thanks.
I will give it try :)

