LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 08-09-2004, 04:48 PM   #1
FiveFlat
Member
 
Registered: May 2003
Location: N. California
Distribution: FC3 2.6.9
Posts: 110

Rep: Reputation: 15
ip masquerading specific users


I have ip masquerading working fine. But the problem is it allows access to the internet at all times. I want to be able to turn off my 9 year old son's internet access after 9pm for instance. Can this be done?

also - what is the difference between iptables and ipchains? I am doing ip masquerading by manually running /etc/rc.d/rc.firewall. Would that file be performing the iptables (or) ipchains commands for me?

Thanks in advance!
 
Old 08-09-2004, 06:29 PM   #2
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Re: ip masquerading specific users

I want to be able to turn off my 9 year old son's internet access after 9pm for instance. Can this be done?
Sure. There are two ways to do this:

1) Create 2 firewall scripts, say "normal" and "night-time". Use your current rules as the "normal" script and in the second script block traffic from your son's computer IP (like: iptables -I FORWARD -s XXX.XXX.XXX.XXX -j REJECT). Then have the normal script run by cron in the morning and the night-time script run at 9pm.

2) Use the iptables match extensions called "time". I don't believe it's included by default, so you would have to use netfilter's patch-o-matic to include support for the "time" match and then recompile the kernel.

If you simply want to turn access on and off, using option 1 will be much simpler. Option 2 works better if you want really complex scheduled rulesets.

What is the difference between iptables and ipchains?
Think of iptables as an upgrade. It allows for a stateful firewall and is significantly more powerful and flexible than ipchains. If you are even considering which one to use, I would strongly suggest iptables.

I am doing ip masquerading by manually running /etc/rc.d/rc.firewall. Would that file be performing the iptables (or) ipchains commands for me?
Again, you could use your current rules as the "normal" set and then simply block forwarding to your son's comp. For iptables the rule would look something like:
iptables -I FORWARD -s XXX.XXX.XXX.XXX -j REJECT (where XXX... would be your son's IP)

For ipchains:
ipchains -I forward -s XXX.XXX.XXX.XXX -j REJECT
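The cron-driven approach from option 1 above, as an added example that is not code from the thread or from the poster's rc.firewall. Rather than maintaining two whole firewall scripts, it keeps the normal ruleset loaded and only fills or empties one extra chain, which cron calls with off at bedtime and on in the morning. Everything specific is assumed: the chain name NIGHT, 192.168.1.50 as a static lease for the son's PC, the optional KID_MAC for matching the Ethernet address instead of the IP (harder, though not impossible, for a user to change), and the crontab times. It also assumes the Linux box sees the client addresses directly; if the Netgear router is doing NAT in front of it, the Linux box only ever sees the router's address and a per-host rule has to live on the router instead.

```shell
#!/bin/sh
# nightfw: cron-driven on/off switch for one LAN host's forwarding.
# Added example for this thread, not the poster's rc.firewall.
# Assumed values (change to fit): chain name, the child's static IP, the
# optional MAC address, and the crontab schedule shown at the bottom.

IPTABLES="${IPTABLES:-iptables}"       # set IPTABLES=<function> for a dry run
CHAIN="${CHAIN:-NIGHT}"                # dedicated chain hooked from FORWARD
KID_IP="${KID_IP:-192.168.1.50}"       # assumed static DHCP lease for the son's PC
# KID_MAC="00:11:22:33:44:55"          # optional: match the NIC instead of the IP

# Match expression for the child's host. A MAC match survives the user
# changing his IP address; it does not survive him changing his MAC.
kid_match() {
    if [ -n "${KID_MAC:-}" ]; then
        echo "-m mac --mac-source $KID_MAC"
    else
        echo "-s $KID_IP"
    fi
}

# Create the chain once and hook it at the top of FORWARD exactly once,
# so the main rc.firewall never has to be re-run from cron. "-L -n" is
# used for the check because iptables 1.2.x has no -C/-S.
ensure_chain() {
    "$IPTABLES" -N "$CHAIN" 2>/dev/null || true
    "$IPTABLES" -L FORWARD -n 2>/dev/null | grep -q "^$CHAIN " \
        || "$IPTABLES" -I FORWARD 1 -j "$CHAIN"
}

# "off": reject everything forwarded from the child's host.
block_kid() {
    ensure_chain
    "$IPTABLES" -F "$CHAIN"
    # word splitting of kid_match's output into two arguments is intended
    "$IPTABLES" -A "$CHAIN" $(kid_match) -j REJECT
}

# "on": empty the chain; the normal ruleset takes over again.
unblock_kid() {
    ensure_chain
    "$IPTABLES" -F "$CHAIN"
}

case "${1:-}" in
    off) block_kid ;;      # run at bedtime
    on)  unblock_kid ;;    # run in the morning
    "")  ;;                # sourced or called without an argument: do nothing
    *)   echo "usage: $0 on|off" >&2; exit 2 ;;
esac

# Assumed crontab entries for root (crontab -e), block at 21:00, allow at 07:00:
#   0 21 * * * /usr/local/sbin/nightfw off
#   0  7 * * * /usr/local/sbin/nightfw on
```

Because the jump is inserted at position 1 of FORWARD, the REJECT is evaluated before any stateful ACCEPT rule, so a download already running at 21:00 is cut off rather than allowed to finish; move the jump below the ESTABLISHED rule if you want running sessions to drain. The script can be exercised without root by pointing IPTABLES at a shell function that echoes its arguments and inspecting the rules it would have issued.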
 
Old 08-09-2004, 07:13 PM   #3
FiveFlat
Member
 
Registered: May 2003
Location: N. California
Distribution: FC3 2.6.9
Posts: 110

Original Poster
Rep: Reputation: 15
So would you suggest I reconfigure my home network and assign ip addresses in that case? I was hoping to do it by username login. Because what would keep him from learning how to change his ip address?

I currently have my linux server dialing out to the internet. I have a netgear router(from a previous home that I had cable internet service at) assigning ip addresses to my internal network (double firewalled sorta). DHCP is sure easy - but I guess it wouldn't take much to just go and assign ip addys.
 
Old 08-09-2004, 08:12 PM   #4
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
I think I'm kind of confused about your setup and how you'd like to restrict access. Could you explain it a bit more? Does your son use the same computer as you and you'd like to limit just his internet access from it, or does your son have a completely separate computer that connects through your linux box?
 
Old 08-09-2004, 11:02 PM   #5
FiveFlat
Member
 
Registered: May 2003
Location: N. California
Distribution: FC3 2.6.9
Posts: 110

Original Poster
Rep: Reputation: 15
I have a linux server that dials out to the internet. My Netgear router acts as a secondary firewall and my DHCP server (and a switch). Me, my wife and my son each have a separate computer that gets its ip address from the router.

I suppose I can go and specify ip addresses for each computer and create a "nite-time" rc.firewall file, but I was hoping to be able to specify dates and times each user is allowed ip forwarding. (kind of like you can do with active directory on a windows server).
 
Old 08-10-2004, 01:55 AM   #6
barisdemiray
Member
 
Registered: Sep 2003
Location: Ankara/Turkey
Distribution: Slackware
Posts: 155

Rep: Reputation: 30
Quote:
Originally posted by FiveFlat
I have a linux server that dials out to the internet. My Netgear router acts as a secondary firewall and my DHCP server (and a switch). Me, my wife and my son each have a separate computer that gets its ip address from the router.

I suppose I can go and specify ip addresses for each computer and create a "nite-time" rc.firewall file, but I was hoping to be able to specify dates and times each user is allowed ip forwarding. (kind of like you can do with active directory on a windows server).
I think netfilter's time extension is the best solution. As Capt_Caveman said, it's not included by default and has to be applied with patch-o-matic (or by hand), followed by recompiling the kernel. After that a rule like the one below would help you..

iptables -I FORWARD -s XXX.XXX.XXX.XXX \
-m time --timestart 21:00 --timestop 23:00 --days Sun,Mon,Tue,Wed,Thu,Fri,Sat -j REJECT

But notice that! When you insert a rule to be valid between 21:00 and 08:00, iptables will just allow the traffic NOT in 21-8. I don't know why but it doesn't understand that we want to say 21 to 8 in the morning. Maybe this could be patched.

You can also apply rules like these in your child's computer. I hope (s)he doesn't know iptables :-)
 
Old 08-10-2004, 12:26 PM   #7
FiveFlat
Member
 
Registered: May 2003
Location: N. California
Distribution: FC3 2.6.9
Posts: 110

Original Poster
Rep: Reputation: 15
iptables v1.2.8: Couldn't load match `time':/lib/iptables/libipt_time.so: cannot open shared object file: No such file or directory


Any ideas?

I found that I can do this:
iptables -A OUTPUT -m owner --uid-owner XXX -j REJECT

But I get an "invalid argument" message when I try to apply it.
 
Old 08-10-2004, 03:55 PM   #8
barisdemiray
Member
 
Registered: Sep 2003
Location: Ankara/Turkey
Distribution: Slackware
Posts: 155

Rep: Reputation: 30
Quote:
Originally posted by FiveFlat
iptables v1.2.8: Couldn't load match `time':/lib/iptables/libipt_time.so: cannot open shared object file: No such file or directory


Any ideas?

I found that I can do this:
iptables -A OUTPUT -m owner --uid-owner XXX -j REJECT

But I get an "invalid argument" message when I try to apply it.
That is what we meant by "not included by default and requires patching and recompiling the kernel". So you have to

- download a kernel source
- patch the kernel source using patch-o-matic (or "patch-o-matic is dead, viva patch-o-matic-ng")
- do a `make menuconfig' (or make config or make xconfig) and select your new extension from the Netfilter part (as I remember it's similar to `TIME MATCH')
- recompile your kernel (there are lots of tutorials about these)
- install and boot your new kernel

And unfortunately the owner extension also requires these steps as I remember :-(
But notice that! The owner match is valid only for the OUTPUT chain.. I mean you can use it only at your child's computer to block outgoing traffic created by user my_son. Hope this helps.

Last edited by barisdemiray; 08-10-2004 at 03:57 PM.
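Post #7 shows two different failures and post #8 answers both with a kernel rebuild; it helps to know which half is missing before doing that. "Couldn't load match `time'" means the iptables userspace cannot find libipt_time.so, which is an iptables build/install question, not a kernel one. "Invalid argument" with the .so present means the kernel refused the rule, normally because the match was not built into it or its module could not be loaded. The check below, an addition to the thread rather than anything posted in it, separates the two. It assumes the iptables 1.2.x extension directory /lib/iptables from the error message and a kernel config at /boot/config-$(uname -r); the CONFIG_IP_NF_MATCH_* symbol names are the 2.4/2.6-era ones from the thread's time, and the NETFILTER_XT_MATCH_* form covers later kernels. The function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread: tell "userspace extension missing"
# apart from "kernel support missing" before rebuilding anything.
# Assumed locations, both overridable from the environment.
LIBDIR="${LIBDIR:-/lib/iptables}"                  # where iptables 1.2.x keeps libipt_*.so
KCONFIG="${KCONFIG:-/boot/config-$(uname -r)}"     # running kernel's config

# have_match NAME
#   returns 0 when both halves are present,
#           1 when libipt_NAME.so is missing (iptables: "Couldn't load match"),
#           2 when the kernel config lacks the match (iptables: "Invalid argument").
have_match() {
    _name="$1"
    _sym=$(printf '%s' "$_name" | tr '[:lower:]' '[:upper:]')
    # Half 1: the userspace extension that iptables dlopen()s at rule time.
    [ -r "$LIBDIR/libipt_$_name.so" ] || return 1
    # Half 2: kernel support, built in (=y) or as a module (=m). Old kernels
    # use CONFIG_IP_NF_MATCH_<NAME>, newer ones CONFIG_NETFILTER_XT_MATCH_<NAME>.
    grep -Eq "^CONFIG_(IP_NF|NETFILTER_XT)_MATCH_${_sym}=[ym]" "$KCONFIG" 2>/dev/null \
        || return 2
    return 0
}

# explain_match NAME: map the result to the symptom and the fix it implies.
explain_match() {
    rc=0
    have_match "$1" || rc=$?
    case $rc in
        0) echo "$1: userspace library and kernel support both present" ;;
        1) echo "$1: $LIBDIR/libipt_$1.so missing -> \"Couldn't load match\"; install an iptables build that includes the extension" ;;
        2) echo "$1: kernel config has no MATCH_$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]') -> rule fails with \"Invalid argument\"; patch (patch-o-matic) and rebuild the kernel, or load the module if it exists" ;;
    esac
    return $rc
}

# Usage: ./checkmatch time owner
for m in "$@"; do
    explain_match "$m" || true
done
```

A result of 2 with a =m symbol present would instead mean the module simply is not loaded; iptables normally asks the kernel to autoload ipt_time or ipt_owner, so check lsmod and dmesg before reaching for patch-o-matic.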
 