LinuxQuestions.org
Share your knowledge at the LQ Wiki.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices

Reply
 
Search this Thread
Old 02-21-2013, 03:13 AM   #1
nitya
LQ Newbie
 
Registered: Feb 2013
Location: India
Distribution: RedHat, Cent, Fedora, Ubuntu
Posts: 20

Rep: Reputation: Disabled
Block outgoing for particular user at particular time using iptables


Hi All,
I am using Ubuntu 12.04 LTS, and I wanted to block everything to particular user at particular time. For that I ran
Code:
iptables -I OUTPUT 1 -o eth0 -m owner --uid-owner 1002 -m time --timestart 12:00 --timestop 15:00 -j DROP

iptables -L OUTPUT
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere             owner UID match user TIME from 12:00:00 to 15:00:00 UTC
ACCEPT     all  --  anywhere             anywhere
My PC is having only one LAN interface i.e eth0 and expecting to block uid 1002. But nothing is blocked and if I login from username "user"(uid=1002) and try to browse, internet is working.
How can I block everything of outgoings to username "user" at particular time.
Any help would really be appreciated.
Thansk in advance for your kind help.
 
Old 02-21-2013, 04:17 AM   #2
chrism01
Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.5, Centos 5.10
Posts: 16,225

Rep: Reputation: 2021Reputation: 2021Reputation: 2021Reputation: 2021Reputation: 2021Reputation: 2021Reputation: 2021Reputation: 2021Reputation: 2021Reputation: 2021Reputation: 2021
Did you restart the iptables service after changing the cfg?
Can you show the iptables cfg file content?
 
Old 02-21-2013, 04:51 AM   #3
nitya
LQ Newbie
 
Registered: Feb 2013
Location: India
Distribution: RedHat, Cent, Fedora, Ubuntu
Posts: 20

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by chrism01 View Post
Did you restart the iptables service after changing the cfg?
Can you show the iptables cfg file content?
Thanks for the reply chrism01,
Please find below
Code:
# date
Thu Feb 21 15:59:34 IST 2013

# iptables -R OUTPUT 1 -o eth0 -m owner --uid-owner 1002 -m time --timestart 15:30 --timestop 16:30 --weekdays Mo,Tu,We,Th,Fr -j DROP

# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere             owner UID match user TIME from 15:30:00 to 16:30:00 on Mon,Tue,Wed,Thu,Fri UTC

# service iptables restart
iptables: unrecognized service

# service ufw restart
ufw stop/waiting
ufw start/running
But nothing is blocked and everything is working.

Code:
$ whoami
user

$ ping -c2 google.com
PING google.com (173.194.36.33) 56(84) bytes of data.
64 bytes from bom04s02-in-f1.1e100.net (173.194.36.33): icmp_req=1 ttl=53 time=36.0 ms
64 bytes from bom04s02-in-f1.1e100.net (173.194.36.33): icmp_req=2 ttl=53 time=31.3 ms

--- google.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 31.336/33.693/36.050/2.357 ms
Tried also this rule
Code:
# date
Thu Feb 21 16:07:18 IST 2013

# iptables -R OUTPUT 1 -p tcp -m multiport --dports 80,443 -m time --timestart 15:30 --timestop 16:30 --weekdays Mo,Tu,We,Th,Fr -j DROP

# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
DROP       tcp  --  anywhere             anywhere             multiport dports http,https TIME from 15:30:00 to 16:30:00 on Mon,Tue,Wed,Thu,Fri UTC

# iptables-save 
# Generated by iptables-save v1.4.12 on Thu Feb 21 16:11:12 2013
*mangle
:PREROUTING ACCEPT [6539:4642769]
:INPUT ACCEPT [6232:4584075]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [4540:496552]
:POSTROUTING ACCEPT [4551:498199]
COMMIT
# Completed on Thu Feb 21 16:11:12 2013
# Generated by iptables-save v1.4.12 on Thu Feb 21 16:11:12 2013
*nat
:PREROUTING ACCEPT [649:105495]
:INPUT ACCEPT [342:46801]
:OUTPUT ACCEPT [590:38172]
:POSTROUTING ACCEPT [590:38172]
COMMIT
# Completed on Thu Feb 21 16:11:12 2013
# Generated by iptables-save v1.4.12 on Thu Feb 21 16:11:12 2013
*filter
:INPUT ACCEPT [3414:3275369]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2848:309928]
-A OUTPUT -p tcp -m multiport --dports 80,443 -m time --timestart 15:30:00 --timestop 16:30:00 --weekdays Mon,Tue,Wed,Thu,Fri -j DROP
COMMIT
# Completed on Thu Feb 21 16:11:12 2013

# service ufw restart
ufw stop/waiting
ufw start/running

# service iptables restart
iptables: unrecognized service
But still both http and https sites are working. Is restarting service is correct in ubuntu? i.e
Code:
"service ufw restart"

Last edited by nitya; 02-21-2013 at 04:55 AM.
 
Old 02-21-2013, 05:05 AM   #4
eSelix
Senior Member
 
Registered: Oct 2009
Location: Wroclaw, Poland
Distribution: Kubuntu
Posts: 1,190

Rep: Reputation: 301Reputation: 301Reputation: 301Reputation: 301
Are you aware of that time is set in UTC? Check bigger range ex. 01:00 - 23:00 if that working. If you change rules "by hand" with iptables command, then do not restart firewall, it will replace entries from some config file. Fot testing use only iptables command, it works immediately, until next reboot.
 
Old 02-21-2013, 05:09 AM   #5
chrism01
Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.5, Centos 5.10
Posts: 16,225

Rep: Reputation: 2021Reputation: 2021Reputation: 2021Reputation: 2021Reputation: 2021Reputation: 2021Reputation: 2021Reputation: 2021Reputation: 2021Reputation: 2021Reputation: 2021
Unfortunately I'm not familiar with Ubuntu; its possible the ufw service uses a different cfg file.

Googling around I find it does have a different setup/cmds. You'll need to check this page https://wiki.ubuntu.com/Uncomplicate...UbuntuFirewall and read the relevant manual.
You may have to ask at Ubuntu's home site for clarifications, but do please post the soln here for others' benefit.
 
Old 02-21-2013, 06:49 AM   #6
nitya
LQ Newbie
 
Registered: Feb 2013
Location: India
Distribution: RedHat, Cent, Fedora, Ubuntu
Posts: 20

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by eSelix View Post
Are you aware of that time is set in UTC? Check bigger range ex. 01:00 - 23:00 if that working.
Thanks for the reply eSelix, I didn't understand "time is set in UTC" what does it mean in iptables?
I Tried
Code:
iptables -R OUTPUT 1 -p tcp -m multiport --dports 80,443 -m time --timestart 01:00 --timestop 23:00 --weekdays Mo,Tu,We,Th,Fr -j DROP
But this time I didn't restart any service and the above rule worked great as I had expected(i.e apart from connecting port 80,443 everything(ping, ssh, etc... should work),
But I want some short time range i.e for maximum 2-3 hours then how can I write rule, please help.
 
Old 02-21-2013, 07:37 AM   #7
eSelix
Senior Member
 
Registered: Oct 2009
Location: Wroclaw, Poland
Distribution: Kubuntu
Posts: 1,190

Rep: Reputation: 301Reputation: 301Reputation: 301Reputation: 301
That means this rule worked from the begining but your specified time range was incorrect. UTC means Universal Coordinated Time Maybe you known that world is divided into time zones. For example in Poland we have +1 hour to time in Greenwich (where meridian is 0) in India you have +05:30. We also have 1 additional hour on summer time. This is quite complicated to use when we need for example synchronize times, specify time for users in another time zone, etc. So the world use something universal, that is UTC, time common to whole world. And when you specify time in iptables your computer treat it defined as UTC. It is different than your local time. To get information what time you currently have in UTC you can write
Code:
date -u
So, if your timezone is UTC+5:30 then 15:30 (your local time) is 10:00 in UTC.
 
1 members found this post helpful.
Old 02-21-2013, 11:03 AM   #8
nitya
LQ Newbie
 
Registered: Feb 2013
Location: India
Distribution: RedHat, Cent, Fedora, Ubuntu
Posts: 20

Original Poster
Rep: Reputation: Disabled
Thank you very much eSelix,
Good explanation about UTC.
I could successfully block particular outgoing at particular time for particular user. For that first I foung out the UTC time for particular local time by changing the local time that I want block from and till using
"sudo date mmddhhmmyyyy" (month, date, time[hour and minutes] and year)
then ran "date -u" command to find out currect UTC. And then according to that UTC, I could made a UTC time list that I want to block. So worked great as expected.
For example here is a rule I have made to block http and https to uid 1002 from 08:30 pm to 05:30 am(according to my area) on only Mon,Tue,Wed,Thu,Fri
Code:
iptables -R OUTPUT 1 -o eth0 -m owner --uid-owner 1002 -p tcp -m multiport --dports 80,443 -m time --timestart 15:00 --timestop 23:59 --weekdays Mo,Tu,We,Th,Fr -j DROP
Then logged in from "user" username and tried browsing but port 80 and 443 sites were not working. Tried from different users at same time and found everything is working. Then I changed time to then which is not in OUTPUT rule and then logged in using "user" userame and tried browsing everything was working.

This is what I had really expected, thank you very much eSelix.
 
Old 02-21-2013, 11:45 AM   #9
eSelix
Senior Member
 
Registered: Oct 2009
Location: Wroclaw, Poland
Distribution: Kubuntu
Posts: 1,190

Rep: Reputation: 301Reputation: 301Reputation: 301Reputation: 301
Remember that these rules go away after reboot. If you use ufw, then it has somewhere in /etc/ufw script files for persistent changes. I don't known which, because do not using it, but it should be explained in manual.
 
Old 02-21-2013, 08:11 PM   #10
nitya
LQ Newbie
 
Registered: Feb 2013
Location: India
Distribution: RedHat, Cent, Fedora, Ubuntu
Posts: 20

Original Poster
Rep: Reputation: Disabled
Thanks eSelix,

No problem, I saved current firewall rules to a file and added restore entry in /etc/rc.local file.
Code:
iptables-restore < /root/firewal
Now whenver PC reboots the current firewall rules automatically comes back.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
[SOLVED] how can I block network access to a user without iptables owner module? Mikro Linux - Networking 2 08-18-2012 08:31 AM
Block a user account some time kopper27 Linux - Newbie 1 06-30-2010 04:00 PM
Block all outgoing requests from IP. (iptables+OpenVZ) sappi Linux - General 3 01-10-2010 02:50 PM
trying to block user from accessing external web site with iptables Histamine Linux - Networking 1 08-10-2007 07:43 AM
Iptables/Guarddog - how to block specific outgoing packets craftybytes Linux - Security 7 05-19-2006 12:26 AM


All times are GMT -5. The time now is 12:06 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration