I guess that there must be someone out there who has done this - just wondered how to go about it....

I have a samba server for a small windows network, running Debian woody. Its a very, minimal install, with no gui etc. The network is behind a NAT router which runs its own firewall, but I would like to configure the server to lock itself down overnight, just in case.

Could I do this with cron?

Are there any commands in iptables that would allow this to be done more simply?

Any pointers much appreciated!

Wolfpeach
x

There are really two ways to do this. You can use two firewall scripts and just have them run as cron jobs or you can use the netfilter extension "time" that is part of patch-o-matic. If you just plan on doing something fairly simple (like a set of normal rules and lockdown rules) then definitely go with cron. If you want really complex/overlapping timing of rules then go with patch-o-matic, though it does require patching the kernel and re-compiling

Capt Caveman - thank you!

Have been experimenting w cron, and although I seem to be able to use it to call an iptables script to lock the machine down, I cant get it to 'open up' again...

Here is the script I'm using for the 'nightshift' lockdown:

#######################
#!/bin/bash

iptables -A INPUT -j DROP
iptables -A OUTPUT -j DROP
#########################

and here is the one that is meant to clear it...

##########################
#!/bin/bash

iptables -D INPUT -j DROP
iptables -D OUTPUT -j DROP
########################

Called with the following lines in /etc/crontab:

# nightshift
45 0 * * * root /bin/nightshift
# firewall off
30 7 * * * root /bin/morning

The first script seems to work... the second doesnt... Both have been chmoded to make them executable.

Seems pretty basic to me... cant see why this is not working! Any ideas??

your lockdown script is useless.
it appends a drop rule to the END of the chain, after all the ALLOW rules.

your lockdown script should be....

iptables -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

and your script to return the network to a working order should be

iptables -F
(now re run the boot-script that sets your firewall, in slackware it would be '/etc/rc.d/rc.firewall restart' it may be different for debian, maybe rc.iptables or somthing similar, or maybe rc.network even, read the scripts, see which one is responcible for firewall setup)

qwijibow - thanks for the info! Will give that a try...

You're right, my script was bad, but better to have a try at sth & stuff it up rather than go running to the gurus straight away

true...
maybe add an iptables -Z command to the start of the lackdown script (you shouldnt need it, but it cant hurt)