Internet Access Limit Schedule
I have a question regarding limiting internet access during specific times.
So far I only use Squid ACLs, but as far as I can see that can only limit browsing access; other programs like chat clients can still connect. I tried using the configuration at rc; from that I can block it, but I cannot find how to schedule it. So the point is:
08.00 - 11.30 email only
11.30 - 13.30 free internet use
13.30 - 17.00 email only
17.00 - 08.00 free internet use
Can anyone tell me or direct me to some link? Thank you
Hello,
For the HTTP/FTP protocols (internet), use squid + ACL to restrict access. For other protocols (POP/SMTP/IMAP/MSN...) use a cron job which will dynamically change your iptables rules and deny the corresponding ports.
Thanks for the reply. I am still searching the net for more detail about the cron job.
Another question please: ^ ^
Here roughly is my cron job:
Code:
* 08-12 * * 1-5 root run-parts /etc/schedule_access
* 14-17 * * 1-5 root run-parts /etc/schedule_access
* 09-12 * * 6 root run-parts /etc/schedule_access
* 14-16 * * 6 root run-parts /etc/schedule_access
and in /etc/schedule_access I put these commands:
Code:
# --dport only works with -p tcp or -p udp; port ranges use a colon; targets are upper-case
iptables -I FORWARD -p tcp -i eth1 -s 192.168.2.219/32 -o eth0 --dport 1:24 -j DROP
iptables -I FORWARD -p tcp -i eth1 -s 192.168.2.219/32 -o eth0 --dport 27:109 -j DROP
iptables -I FORWARD -p tcp -i eth1 -s 192.168.2.219/32 -o eth0 --dport 111:65535 -j DROP
Can commands like the above work to limit all access except email?
According to me, the best and easiest solution to do that is to deny all and then accept connections on ports 25 and 110...
so it should be something like that: Code:
iptables -A FORWARD -p tcp -m multiport --dports 25,110 -j ACCEPT
iptables -A FORWARD -p tcp -j REJECT --reject-with tcp-reset
But I want some IPs (my boss wanted) free to access at any time.
With the code you gave me, it will block all access during the specific time. That is why I am still confused about how to block a range of IPs; so far I know I must declare them one by one, and there are so many IPs to declare :eek: . I use 2 IP sections, 10.10.1.xxx and 192.168.2.xxx. This will be a problem if I must declare them one by one :(
Well, if all denied addresses are on the same sub-network, use the -s option with a netmask; else you have to use a bash script.
For example, create a file with the denied IPs and do: Code:
#!/bin/bash
while read -r ip; do iptables -A FORWARD -s "$ip" -p tcp -j REJECT --reject-with tcp-reset; done < denied_ips   # one denied IP per line
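A fuller version of the idea in these replies (a deny-all-but-mail chain, denied IPs read from a file, switched on and off by cron at the hours given in the first post), written as an added example that is not code from anyone in this thread; the interface names, mail ports, file paths and script name are assumptions.

```shell
#!/bin/bash
# Added example, not code from the thread: put a listed host or subnet into a
# "mail only" state during the restricted hours and lift it again afterwards.
# Assumptions: LAN on eth1, uplink on eth0; mail = TCP 25/110/143 plus DNS;
# $1 is a file with one denied IP or subnet per line (192.168.2.219, 10.10.1.0/24);
# optional $2 lists exempt hosts (the boss) that sit inside a denied subnet.
# Crontab for the hours in the first post (script path is assumed):
#   0  8  * * 1-6 root /usr/local/sbin/mailonly on  /etc/denied_ips /etc/exempt_ips
#   30 11 * * 1-6 root /usr/local/sbin/mailonly off /etc/denied_ips
#   30 13 * * 1-6 root /usr/local/sbin/mailonly on  /etc/denied_ips /etc/exempt_ips
#   0  17 * * 1-6 root /usr/local/sbin/mailonly off /etc/denied_ips
IPT="${IPT:-iptables}"   # IPT=echo prints the rules instead of applying them
CHAIN=MAILONLY
MAIL_PORTS=25,110,143

# Print the entries of a list file, skipping blank lines and '#' comments.
read_list() { grep -Ev '^[[:space:]]*(#|$)' "$1" 2>/dev/null; }

# Build the chain, then jump to it for every denied entry. Each jump is
# deleted before it is inserted so repeated "on" calls never stack duplicates.
restrict_on() {
  "$IPT" -N "$CHAIN" 2>/dev/null || "$IPT" -F "$CHAIN"
  for ip in $(read_list "${2:-/dev/null}"); do
    "$IPT" -A "$CHAIN" -s "$ip" -j RETURN        # exempt host leaves the chain
  done
  "$IPT" -A "$CHAIN" -p tcp -m multiport --dports "$MAIL_PORTS" -j ACCEPT
  "$IPT" -A "$CHAIN" -p udp --dport 53 -j ACCEPT  # mail clients must resolve names
  "$IPT" -A "$CHAIN" -p tcp -j REJECT --reject-with tcp-reset
  "$IPT" -A "$CHAIN" -j DROP                      # everything else, UDP included
  for ip in $(read_list "$1"); do
    "$IPT" -D FORWARD -i eth1 -o eth0 -s "$ip" -j "$CHAIN" 2>/dev/null
    "$IPT" -I FORWARD -i eth1 -o eth0 -s "$ip" -j "$CHAIN"
  done
}

# Remove the jumps and the chain so the listed hosts are unrestricted again.
restrict_off() {
  for ip in $(read_list "$1"); do
    "$IPT" -D FORWARD -i eth1 -o eth0 -s "$ip" -j "$CHAIN" 2>/dev/null
  done
  "$IPT" -F "$CHAIN" 2>/dev/null
  "$IPT" -X "$CHAIN" 2>/dev/null
}

case "${1:-}" in
  on)  restrict_on "$2" "$3" ;;
  off) restrict_off "$2" ;;
esac
```

Run it as root with `on`/`off` from cron; `IPT=echo ./mailonly on /etc/denied_ips` shows the rules it would apply without touching the firewall.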
OK, Thanks.
I will give it a try :)