Linux - Networking
I have a small home network with a router to the outside world and an ubuntu server through which traffic passes first.
My ISP limits my download usage during the day, which traditionally has not been an issue, but now the children come in from school, boot up the internet and up goes my usage!
Ideally I would like to be able to restrict them to IM and maybe certain specified URLs (I think the latter probably needs to use Squid though?). Once the download limits are lifted, I would like my iptables to allow HTTP, etc, but pretty much block most other things.
If it is possible, traffic shaping to allow prioritisation would be ideal too.
I have two sets of iptables currently to approach this issue, with a cron job that runs to swap between one and the other.
My understanding is that Chains run in order, so if rule A says allow x, and rule B says drop all, then X should still be allowed. However, try as I may, this is not what happens in practice. I have even tried changing the overall order from ALLOW to DROP in FORWARD and then approach from the other angle. That didn't work either.
*IS* it actually possible to block all but http / https and IM?
These are my rules:
Code:
# Generated by iptables-save v1.4.4 on Sat Jan 9 19:15:49 2010
*nat
:PREROUTING ACCEPT [583:45175]
:POSTROUTING ACCEPT [694:60887]
:OUTPUT ACCEPT [143:18642]
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
COMMIT
# Completed on Sat Jan 9 19:15:49 2010
# Generated by iptables-save v1.4.4 on Sat Jan 9 19:15:49 2010
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [436:28062]
:OUTPUT ACCEPT [223:27990]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --sport 53 -j ACCEPT
-A INPUT -p udp -m udp --sport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 192.168.2.5/32 -j ACCEPT
-A INPUT -s 192.168.2.3/32 -j ACCEPT
-A INPUT -s 192.168.2.2/32 -j ACCEPT
-A INPUT -s 192.168.2.1/32 -p tcp -m tcp --dport 60344 -j ACCEPT
-A INPUT -s 192.168.2.3/32 -p tcp -m tcp --dport 49744 -j ACCEPT
-A INPUT -s 192.168.2.2/32 -p tcp -m tcp --dport 49743 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.2.0/24 -p tcp -m multiport --dports 139,145 -j ACCEPT
-A INPUT -s 192.168.2.0/24 -p udp -m multiport --dports 137,138 -j ACCEPT
-A INPUT -s 192.168.2.0/24 -p tcp -m multiport --dports 5900,5901 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10000 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -j DROP
-A FORWARD -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -s 192.168.2.10/32 -p udp -m multiport --dports 28910,29900,29901,29920,443 -j ACCEPT
-A FORWARD -s 192.168.2.2/32 -p tcp -m tcp --dport 49743 -j ACCEPT
-A FORWARD -s 192.168.2.5/32 -j ACCEPT
-A FORWARD -s 192.168.2.3/32 -j ACCEPT
-A FORWARD -s 192.168.2.2/32 -j ACCEPT
-A FORWARD -p tcp -m multiport --dports 1863 -j ACCEPT
-A FORWARD -p tcp -m multiport --dports 80 -m comment --comment "http apache" -j ACCEPT
-A FORWARD -p tcp -m multiport --dports 443 -m comment --comment "https apache" -j ACCEPT
-A FORWARD -j DROP
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Sat Jan 9 19:15:49 2010
Hopefully that is enough detail? Would be great if someone could assist!
Why could iptables by itself not do this? iptables has provisions for time-of-day and day-of-week allowances/blockages.
There is more than one issue in this thread: A) the time-of-day restrictions, and B) traffic shaping; so it might be a decent idea to deal with one issue at a time.
I've never used the iptables time-of-day/day-of-week functionality, but if I have some time, I'd be happy to play around with it.
Vague, crappy Pseudo-code:
1) if time_now="restricted download time" then drop everything but IM; allow IM; drop everything else.
2) if time_now="not restricted" then allow HTTP and whatever you want.
I haven't looked at the iptables script in the OP post, but if you're interested in this time-of-day matching (provided it is in fact something you could use to achieve your goal) then begin with the iptables man page and some of the many very good iptables tutorials online.
It is certainly possible to drop everything but HTTP (80), HTTPS (443), and IM, however for the IM, you'll have to know what ports and/or protocols the IM chatter uses, so you can match for that.
Sasha
Last edited by GrapefruiTgirl; 01-14-2010 at 12:56 PM.
He needs a simple script which will parse "ifconfig" output and calculate the amount of data downloaded during the day, then change the rules in iptables.
I did not get that from reading. Thank you nimnull, I understand now what you're saying.
I thought the OP wanted to block all potential for downloading during the "restricted" period, but then after a certain TOD when the "restriction" got lifted, allow freely downloading.
Now, if I understand right, the OP wants to essentially "shut off the tap" when the limit has been reached for the day.
Sorry, my fault for being a bit ambiguous in my original post - when I referred to "once the download limits are lifted" I WAS talking about time of day - 6pm in my instance - as after that time the limits no longer apply (i.e. the limits are 9am - 6pm Mon - Fri)
Therefore I have no problems with two sets of rules - one for 9-6, the other for rest of the time - but the former needs to be very restricted in what can be done to avoid the limits being breached - hence the suggestion of allowing IM and maybe a couple of URLs. Outside of those hours, HTTP/S can be "opened up", but ideally with the network still kept as secure as possible.
The traffic shaping aspect comes into play during those hours, purely so that if a member of the household is downloading or streaming they are not "hogging the connection" to the detriment of all others.
The approach that GrapefruiTgirl suggests in the "vague, crappy Pseudo Code" (it's not!) is exactly what I am after with my first issue. The trouble is, my rules, which I thought would achieve this outcome, don't! Instead they drop everything, despite the fact that I believe I have written them in such a way that IM and HTTP/S would work. Trouble is, I've read many tutorials now, and none of them seem to cover this particular issue.
Hope this clarifies things a bit - sorry if I wasn't exact enough initially, but it sounds like you understand what I want to achieve, so here's hoping you can assist.
Ok, as you have managed to confuse many people here already, please explain what exactly you want to work:
1. During 9-6 (I assume it is 9 a.m. - 6 p.m.)
2. The rest.
Outside of those hours, I want http, IM, etc, all allowed, ideally with traffic shaping. Anything NOT specified is to DROP / REJECT
Inside those hours, I want IM to be allowed, and http to a small number of URLs (such as Facebook). Traffic shaping not required then. As before, anything not specified is to DROP / REJECT
Then, delete everything from the FORWARD chain and add:
-A FORWARD -s 192.168.2.10/32 -p tcp --dports 80 -j ACCEPT
-A FORWARD -d 192.168.2.10/32 -p tcp --dports 80 -j ACCEPT
-A FORWARD -j DROP
Those for 9am - 6pm, Mon - Fri
For "Outside of those hours" leave FORWARD empty, as your default rule is ACCEPT.
Try this; if http works from the computer with IP=192.168.2.10, we will add other rules.
Use cron to change them.
first and got a value of 1, but nonetheless I used the command you said and then the lines of code in the iptables - I had to change from dports to dport, but then the code was accepted on machine 192.168.2.4 (the easiest one for me to test on)
And .....
Neither HTTP nor IM is working.
Have I done something wrong? I was really thinking this was working as well!
Those rules are for IP=192.168.2.10/32; packets from other IPs will be dropped. You have to try from that computer, or tell us which ethernet card faces the LAN: eth1, eth2 or eth3?
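As an added example (not code from this thread or from any of its posters), here is the FORWARD chain written the way a working version of both the OP's ruleset and the suggested replacement would look: neither of them accepts RELATED,ESTABLISHED traffic, so the reply half of every HTTP and IM connection (source port 80 or 1863, random destination port) falls through to the final DROP, which is why both tests saw "nothing works". It assumes IM means MSN on TCP 1863 (the port in the OP's rules), a 09:00-18:00 Mon-Fri metered window handled by the time match GrapefruiTgirl mentioned instead of cron, and placeholder daytime host addresses in DAY_HOSTS.

```shell
#!/bin/sh
# Added example; not code from the thread. Emits an iptables-restore *filter
# fragment for the FORWARD chain of the Ubuntu gateway in the OP.
# Assumptions not stated in the thread: "IM" is MSN on TCP 1863 (the port in
# the OP's rules), the metered window is 09:00-18:00 Mon-Fri, and DAY_HOSTS
# is a placeholder list of the few daytime HTTP/S destinations.
#
# The OP's chain never ACCEPTs RELATED,ESTABLISHED traffic, so the reply half
# of every connection (source port 80, random destination port) falls through
# to "-A FORWARD -j DROP". That one missing rule is why HTTP and IM both die
# although the rules for the outgoing direction look correct.

DAY_HOSTS="${DAY_HOSTS:-203.0.113.10 203.0.113.11}"   # placeholder addresses
WORKDAYS=Mon,Tue,Wed,Thu,Fri
START=09:00   # xt_time of this iptables era reads these as UTC; shift for your zone
STOP=18:00

forward_rules() {
    echo '*filter'
    echo ':FORWARD DROP [0:0]'
    echo ':METERED - [0:0]'
    # 1. Replies to connections the LAN already opened; without this rule
    #    nothing else in the chain matters.
    echo '-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'
    echo '-A FORWARD -m conntrack --ctstate INVALID -j DROP'
    # 2. IM is allowed at any hour.
    echo '-A FORWARD -p tcp --dport 1863 -j ACCEPT'
    # 3. During the metered window hand everything to METERED. That chain
    #    ends in DROP, so the rules after this one are only reached outside
    #    the window; this replaces the cron job and the two rule files.
    echo "-A FORWARD -m time --timestart $START --timestop $STOP" \
         "--weekdays $WORKDAYS -j METERED"
    # 4. Outside the window HTTP/S is open to anywhere; sample-log the rest.
    echo '-A FORWARD -p tcp -m multiport --dports 80,443 -j ACCEPT'
    echo '-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "fwd denied: "'
    echo '-A FORWARD -j DROP'
    # METERED: HTTP/S to the listed hosts only. Matching big sites by IP is
    # fragile (many changing addresses); a Squid URL ACL is the better tool.
    for h in $DAY_HOSTS; do
        echo "-A METERED -d $h -p tcp -m multiport --dports 80,443 -j ACCEPT"
    done
    echo '-A METERED -j DROP'
    echo 'COMMIT'
}

# Load with: iptables -F FORWARD; forward_rules | iptables-restore --noflush
# (--noflush keeps the nat table and the INPUT rules already in place).
forward_rules
```

The same conntrack rule makes the INPUT-chain `--sport 53 -j ACCEPT` entries in the OP's ruleset unnecessary; as written they let any remote host reach any local port simply by sending from source port 53.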