Ubuntu iptables - restricting access assistance
I have a small home network with a router to the outside world and an ubuntu server through which traffic passes first.
My ISP limits my download usage during the day, which traditionally has not been an issue, but now the children come in from school, boot up the internet and up goes my usage! Ideally I would like to be able to restrict them to IM and maybe certain specified URLs (I think the latter probably needs to use Squid though?). Once the download limits are lifted, I would like my iptables to allow HTTP, etc, but pretty much block most other things. If it is possible, traffic shaping to allow prioritisation would be ideal too.

I have two sets of iptables currently to approach this issue, with a cron job that runs to swap between one and the other. My understanding is that chains run in order, so if rule A says allow X, and rule B says drop all, then X should still be allowed. However, try as I may, this is not what happens in practice. I have even tried changing the overall order from ALLOW to DROP in FORWARD and then approaching from the other angle. That didn't work either.

*IS* it actually possible to block all but http / https and IM?

These are my rules:
Code:
# Generated by iptables-save v1.4.4 on Sat Jan 9 19:15:49 2010
Why could iptables by itself not do this? iptables has provisions for time-of-day and day-of-week allowances/blockages.

There is more than one issue in this thread: A) the time-of-day restrictions, and B) traffic shaping; so it might be a decent idea to deal with one issue at a time. I've never used the iptables time-of-day/day-of-week functionality, but if I have some time, I'd be happy to play around with it.

Vague, crappy pseudo-code:
1) if time_now = "restricted download time" then drop everything but IM; allow IM; drop everything else.
2) if time_now = "not restricted" then allow HTTP and whatever you want.

I haven't looked at the iptables script in the OP post, but if you're interested in this time-of-day matching (provided it is in fact something you could use to achieve your goal) then begin with the iptables man page and some of the many very good iptables tutorials online. It is certainly possible to drop everything but HTTP (80), HTTPS (443), and IM; however, for the IM you'll have to know what ports and/or protocols the IM chatter uses, so you can match for that.

Sasha
He needs a simple script that parses "ifconfig" output, calculates the amount of data downloaded over the day, and then changes the rules in iptables.
I think this is the easiest way.
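As an added illustration of nimnull's suggestion (not code posted in this thread), the script below reads the receive-byte counters that ifconfig itself reports from /proc/net/dev, compares a start-of-day snapshot with the current one, and reports whether an assumed daily cap has been exceeded. The interface name, the cap and both counter snapshots are constructed for the example; in a real deployment cron would copy /proc/net/dev to a baseline file each morning and run the check every few minutes, switching to the restricted iptables set when the cap is hit.

```shell
#!/bin/sh
# Added example, not from the thread: daily download accounting from the same
# per-interface counters ifconfig prints, read directly from /proc/net/dev.
# Interface (eth0), quota (1 GiB) and the two counter snapshots are assumptions.

# rx_bytes IFACE [FILE]: receive-byte counter for IFACE from a /proc/net/dev-style file.
rx_bytes() {
    awk -v want="$1" '
        /:/ {
            split($0, parts, ":")           # "  eth0: 123 ..." -> name | counters
            gsub(/ /, "", parts[1])
            if (parts[1] == want) { split(parts[2], f, " "); print f[1]; exit }
        }' "${2:-/proc/net/dev}"
}

# used_since START_FILE NOW_FILE IFACE: bytes received between the two snapshots.
used_since() {
    start=$(rx_bytes "$3" "$1")
    now=$(rx_bytes "$3" "$2")
    used=$((now - start))
    # Counters restart from zero after a reboot (and wrap on old 32-bit kernels);
    # a negative delta means the baseline is stale, so count from zero instead.
    [ "$used" -ge 0 ] || used=$now
    echo "$used"
}

# over_quota USED QUOTA: succeeds when the amount received exceeds the cap.
over_quota() { [ "$1" -gt "$2" ]; }

# Constructed /proc/net/dev snapshots standing in for "start of day" and "now".
SAMPLE_START='Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:    1000      10    0    0    0     0          0         0     1000      10    0    0    0     0       0          0
  eth0: 52428800  120000    0    0    0     0          0         0 10485760   80000    0    0    0     0       0          0'
SAMPLE_NOW='Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:    2000      20    0    0    0     0          0         0     2000      20    0    0    0     0       0          0
  eth0: 1200000000  900000    0    0    0     0          0         0 20971520  160000    0    0    0     0       0          0'

QUOTA_BYTES="${QUOTA_BYTES:-1073741824}"   # assumed 1 GiB daily cap
T_START=$(mktemp); T_NOW=$(mktemp)
trap 'rm -f "$T_START" "$T_NOW"' EXIT
printf '%s\n' "$SAMPLE_START" > "$T_START"
printf '%s\n' "$SAMPLE_NOW" > "$T_NOW"

USED=$(used_since "$T_START" "$T_NOW" eth0)
if over_quota "$USED" "$QUOTA_BYTES"; then
    echo "eth0: $USED bytes received since baseline, over the $QUOTA_BYTES byte cap: switch to the restricted ruleset"
else
    echo "eth0: $USED bytes received since baseline, under the cap"
fi
```

Only the decision is printed here; the rule swap itself would be the cron-driven iptables change the OP already has in place.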
OHHHHH :redface:
I did not get that from reading. Thank you nimnull, I understand now what you're saying. I thought the OP wanted to block all potential for downloading during the "restricted" period, but then after a certain TOD when the "restriction" got lifted, allow freely downloading. Now, if I understand right, the OP wants to essentially "shut off the tap" when the limit has been reached for the day. Gotcha, thanks.

Sasha
Thanks for all your responses!

Sorry, my fault for being a bit ambiguous in my original post - when I referred to "once the download limits are lifted" I WAS talking about time of day - 6pm in my instance - as after that time the limits no longer apply (i.e. the limits are 9am - 6pm Mon - Fri). Therefore I have no problems with two sets of rules - one for 9-6, the other for the rest of the time - but the former needs to be very restricted in what can be done to avoid the limits being breached - hence the suggestion of allowing IM and maybe a couple of URLs. Outside of those hours, HTTP/S can be "opened up", but ideally with the network still kept as secure as possible.

The traffic shaping aspect comes into play during those hours, purely so that if a member of the household is downloading or streaming they are not "hogging the connection" to the detriment of all others.

The approach that GrapefruiTgirl suggests in the "vague, crappy pseudo-code" (it's not!) is exactly what I am after with my first issue. The trouble is, my rules, which I thought would achieve this outcome, don't! Instead they drop everything, despite the fact that I believe I have written them in such a way that IM and HTTP/S would work. Trouble is, I've read many tutorials now, and none of them seem to cover this particular issue.

Hope this clarifies things a bit - sorry if I wasn't exact enough initially, but it sounds like you understand what I want to achieve, so here's hoping you can assist. Thanks in advance!
Ok, as you have managed to confuse many people here already, please explain what exactly you want to work:
1. During 9-6 (I assume it is 9 a.m. - 6 p.m.)
2. The rest.
Thanks
Sorry, thought that had clarified things!

Yes, it is 9am - 6pm, Mon - Fri.

Outside of those hours, I want http, IM, etc, all allowed, ideally with traffic shaping. Anything NOT specified is to DROP / REJECT.

Inside those hours, I want IM to be allowed, and http to a small number of URLs (such as Facebook). Traffic shaping not required then. As before, anything not specified is to DROP / REJECT.

Does that help? Thanks!
First, you have to enable forwarding by
Code:
echo "1" > /proc/sys/net/ipv4/ip_forward

Then these FORWARD rules (iptables-save syntax):
Code:
# client 192.168.2.10 -> any web server; a single port takes --dport (--dports needs -m multiport)
-A FORWARD -s 192.168.2.10/32 -p tcp --dport 80 -j ACCEPT
# replies: the web server answers from source port 80 to the client
-A FORWARD -d 192.168.2.10/32 -p tcp --sport 80 -j ACCEPT
-A FORWARD -j DROP

Those are for 9am - 6pm, Mon - Fri. For "Outside of those hours" leave FORWARD empty, as your default rule is ACCEPT. Try this; if http works from the computer with IP=192.168.2.10, we will add other rules. Use cron to change them.
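Putting GrapefruiTgirl's pseudo-code and the FORWARD rules above together, here is an added example (not code posted by anyone in this thread) that expresses the OP's two periods as one ruleset, using the iptables time match (-m time) rather than two sets swapped by cron. It also shows the ordering point the OP asked about: rules are evaluated top to bottom and the first match wins, so the 09:00-18:00 Mon-Fri jump sits above the general HTTP/HTTPS rule and shadows it only inside that window. The LAN range 192.168.2.0/24, XMPP on TCP 5222 as "IM", and www.example.com as the restricted-hours allowlist are assumptions; DRY_RUN=1 (the default) prints the commands, DRY_RUN=0 loads them.

```shell
#!/bin/sh
# Added example, not from the thread: one FORWARD-chain policy for both periods.
# Assumptions: LAN 192.168.2.0/24, IM = XMPP on TCP 5222, placeholder allowlist host.
# DRY_RUN=1 (default) prints the iptables commands instead of running them.

DRY_RUN="${DRY_RUN:-1}"
LAN_NET="${LAN_NET:-192.168.2.0/24}"
IM_PORTS="${IM_PORTS:-5222}"                      # placeholder; match the IM client actually used
ALLOWED_HOSTS="${ALLOWED_HOSTS:-www.example.com}" # placeholder allowlist for restricted hours
# xt_time compares against UTC unless --kerneltz is given (newer iptables); shift
# the window to match the local zone if the box does not run on UTC.
WINDOW="-m time --timestart 09:00 --timestop 18:00 --weekdays Mon,Tue,Wed,Thu,Fri"

# fw ARGS...: run iptables, or print the command when dry-running.
fw() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "iptables $*"
    else
        iptables "$@"
    fi
}

load_forward_policy() {
    # Start clean; the RESTRICTED chain may not exist yet, so ignore errors there.
    fw -F FORWARD
    fw -F RESTRICTED 2>/dev/null || true
    fw -X RESTRICTED 2>/dev/null || true
    fw -N RESTRICTED
    # Anything not explicitly accepted below is dropped ("anything NOT specified").
    fw -P FORWARD DROP

    # Replies to connections accepted further down. Without this, a web server's
    # packets back to the client (source port 80, random destination port)
    # match nothing and HTTP looks completely dead.
    fw -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # DNS and IM are allowed at all times.
    fw -A FORWARD -s "$LAN_NET" -p udp --dport 53 -j ACCEPT
    fw -A FORWARD -s "$LAN_NET" -p tcp -m multiport --dports "$IM_PORTS" -j ACCEPT

    # Inside the capped window, hand LAN traffic to RESTRICTED, which ends in DROP,
    # so nothing below this rule is reached between 09:00 and 18:00 Mon-Fri.
    fw -A FORWARD -s "$LAN_NET" $WINDOW -j RESTRICTED
    for h in $ALLOWED_HOSTS; do
        # iptables resolves a hostname once, at load time; sites served from many
        # changing addresses need a proxy (Squid) rather than a rule like this.
        fw -A RESTRICTED -d "$h" -p tcp -m multiport --dports 80,443 -j ACCEPT
    done
    fw -A RESTRICTED -j DROP

    # Outside the window: web traffic from the LAN to anywhere.
    fw -A FORWARD -s "$LAN_NET" -p tcp -m multiport --dports 80,443 -j ACCEPT
}

load_forward_policy
# Forwarding between the LAN and the router has to be switched on as well.
[ "$DRY_RUN" = 1 ] || echo 1 > /proc/sys/net/ipv4/ip_forward
```

Run it as is to review the generated commands, then with DRY_RUN=0 as root to load them; because the window is matched per packet, no cron swap is needed and the policy cannot be left in the wrong state if the cron job fails to fire.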
Thanks very much! I tried
Code:
cat /proc/sys/net/ipv4/ip_forward

And ..... Neither HTTP nor IM is working. Have I done something wrong? I was really thinking this was working as well!
Yes, I was using 192.168.2.4 and checking access from that IP only.
You mention an ethernet card - is this on the server or on 192.168.2.4, and do I find this via ifconfig?
This is what ifconfig on 192.168.2.4 says: