[SOLVED] IPTABLES: Restrict Internet access based on time of day and MAC address
Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
IPTABLES: Restrict Internet access based on time of day and MAC address
Hello everyone
I am trying to configure my Linux router to restrict Internet access for one computer on my LAN. It needs to be restrictive based on the time of day and the days of the week. I am using the MAC address of the computer to single out the one computer that needs to be blocked. However, this is my first attempt at making any rules with iptables, and I am not sure if I am doing this right. If some one can take a look at this I would greatly appreciate it. This is what I have done so far.
Here is my thinking. Create a new target. Check the MAC address, if it is NOT the offending computer return to the default chain. If it is the offending computer check that we are between the allowed hours and dates and ACCEPT. If we are not within the time/date range then drop the packet.
Code:
iptables -N blocked_access
iptables -A blocked_access -m mac ! --mac-source xx:xx:xx:xx:xx:xx -j RETURN
iptables -A blocked_access -m time --timestart 20:00 --timestop 22:00 --weekdays Sun,Mon,Tue,Wed,Thu --syn -j ACCEPT
iptables -A blocked_access -j DROP
Here I am trying to route all packets regardless of the computer on the LAN into the blocked_access chain for checking.
Is it a good idea to route all traffic through the blocked_access chain? I do run other servers that are accessible from the Internet, so I am not sure how this setup will affect that. I also use shorewall on the router to setup iptables for me. How would I integrate this with shorewall?
I am using squid to block access when he is using the web browser. However, he is still able to play games(World of Warcraft) and the like.
I am using Debian sid, iptable(1.4.6), shorewall(4.4.6), kernel 2.6.32-trunk-686.
If there is any other info you need let me know.
Thanks in advance
Scott
Last edited by ScottSmith; 02-06-2010 at 04:04 PM.
Reason: corrected iptables options
Click here to see the post LQ members have rated as the most helpful post in this thread.
You can do life of iptables easier, if will check only specific MAC:
iptables -A FORWARD -i eth1 -m mac --mac-source 00:00:00:00:00:01 -j blocked_access
The problem that I have now is that it blocks access regardless of the time. I placed all of the iptables commands into a very simple script file to help changing the timestart and timestop variables. Before I run this script I restart shorewall to clear any other changes that I have made, then I invoke the script with ./blocked_access timestart timestop
Code:
#! /bin/bash
iptables -N blocked_access
iptables -A blocked_access -j LOG --log-level DEBUG --log-prefix 'In BLOCKED_ACCESS: '
iptables -A blocked_access -m time --timestart $1 --timestop $2 --weekdays Sat -j ACCEPT
iptables -A blocked_access -j LOG --log-level DEBUG --log-prefix 'DROPPED MAC: '
iptables -A blocked_access -j DROP
iptables -I FORWARD -i eth1 -m mac --mac-source <MAC_ADDRESS> -j blocked_access
iptables -I FORWARD -j LOG --log-level DEBUG --log-prefix 'In FORWARD chain: '
Here is the output of the blocked_access chain
Code:
Chain blocked_access (1 references)
pkts bytes target prot opt in out source destination
33 1488 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 7 prefix `In BLOCKED_ACCESS: '
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 TIME from 17:09:00 to 17:11:00 on Sat
33 1488 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 7 prefix `DROPPED MAC: '
33 1488 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
I noticed that the counters on the ACCEPT line are not increasing; it's as if it is being skipped by iptables.
Here is a snip it from the log file
Code:
Feb 6 17:29:28 router kernel: [157514.443112] In FORWARD chain: IN=eth1 OUT=eth0 SRC=192.168.10.186 DST=74.125.95.106 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=14942 DF PROTO=TCP SPT=1359 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Feb 6 17:29:28 router kernel: [157514.443134] In BLOCKED_ACCESS: IN=eth1 OUT=eth0 SRC=192.168.10.186 DST=74.125.95.106 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=14942 DF PROTO=TCP SPT=1359 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Feb 6 17:29:28 router kernel: [157514.443150] DROPPED MAC: IN=eth1 OUT=eth0 SRC=192.168.10.186 DST=74.125.95.106 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=14942 DF PROTO=TCP SPT=1359 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
-A FORWARD -j LOG --log-prefix "In FORWARD chain: " --log-level 7
-A FORWARD -i eth1 -m mac --mac-source 00:0D:9D:59:9F:71 -j blocked_access
Code:
-A blocked_access -j LOG --log-prefix "In BLOCKED_ACCESS: " --log-level 7
-A blocked_access -m time --timestart 20:19:00 --timestop 20:22:00 --weekdays Sat -j ACCEPT
-A blocked_access -j LOG --log-prefix "DROPPED MAC: " --log-level 7
-A blocked_access -j DROP
OK, i will try to summarize, you check, because rules are complicated. I have no idea why. Anyway, according to your rules: FORWARD -i eth1, packets enter from ETH1. So:
First table MANGLE:
1. -A PREROUTING -j tcpre
I did not find that chain any more, so please check.
Second table NAT:
1. PREROUTING -j dnat
2. dnat -i eth1 -j loc_dnat
3. IF loc_dnat -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128, if not go to FORWARD chain.
Third FORWARD:
MANGLE forward:
1. -A FORWARD -j MARK --set-xmark 0x0/0xffffffff
2. -A FORWARD -j tcfor = I did not find that chain any more, so please check.
FILTER forward:
1. FORWARD -j LOG --log-prefix "In FORWARD chain: " --log-level 7
2. FORWARD -i eth1 -m mac --mac-source 00:0D:9D:59:9F:71 -j blocked_access
blocked_access -j LOG --log-prefix "In BLOCKED_ACCESS: " --log-level 7
blocked_access -m time --timestart 20:19:00 --timestop 20:22:00 --weekdays Sat -j ACCEPT
And here if "--timestart 20:19:00 --timestop 20:22:00 --weekdays Sat" we ACCEPT forward that packets.
If not, then go to
blocked_access -j LOG --log-prefix "DROPPED MAC: " --log-level 7
blocked_access -j DROP
If my thoughts are right, and you got at Feb 6 17:29:28
In FORWARD chain: IN=eth1 SRC=192.168.10.186 DST=74.125.95.106 ID=14942
In BLOCKED_ACCESS: IN=eth1 OUT=eth0 SRC=192.168.10.186 DST=74.125.95.106 ID=14942
DROPPED MAC: IN=eth1 OUT=eth0 SRC=192.168.10.186 DST=74.125.95.106 ID=14942
Everything works well, because "Feb 6 17:29:28" is not within "--timestart 20:19:00 --timestop 20:22:00"
I must have gotten my log files crossed with a different run. Sorry for the confusion.
The problem that I was having was issuing the command
Code:
-A blocked_access -m time --timestart 20:19:00 --timestop 20:22:00 --weekdays Sat -j ACCEPT
I would test that the connect was working before issuing the command, and it was. I would then issue the command and test the connection again.
If the time was 20:18 or 20:23 the connection was blocked, as it should be. However, the problem was when the time was 20:20 and the connection was still blocked. As you can see from ACCEPT rule; the pkts/bytes counter is still zero.
Code:
Chain blocked_access (1 references)
pkts bytes target prot opt in out source destination
33 1488 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 7 prefix `In BLOCKED_ACCESS: '
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 TIME from 17:09:00 to 17:11:00 on Sat
33 1488 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 7 prefix `DROPPED MAC: '
33 1488 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
I appears to me that ACCEPT rule was being skipped and the packets fell through to the DROP rule. As I said earlier this is my first attempt at writing a iptable rule.
What I ended up doing was writing two scripts. The first is used to insert a rule that matches on the MAC address then drops the packet if there is a match. The second rule is used to delete the same rule. I then use a cron job to run the two scripts at the appropriate times. I hope this just a band aide until I can get some reading/research under my belt.
I would like to thanks you for taking the time answer my question and providing some advice.
Take care
Scott
Last edited by ScottSmith; 02-09-2010 at 03:26 AM.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
