Time limitations to online games
Hi,
I'm running a linux box as a home router / server / everything (busybox). I have SQUID configured with Dan's Guardian etc. and it all works well. Ok, now to my question....! My kids are getting a little bit TOO keen on some online multiplayer games (Runescape, Habbo Hotel etc.) Now, I don't want to completely deny access, but I want to limit it. I have set up Squid to control when they can get on the 'net, but the problem is that these games talk directly with the game server. This means that as long as they OPEN the site within the allowed times, they can stay on until either their mother or myself kicks them off! What I'd like to do is to reconfigure the packet filters so that I can control the times that this traffic is allowed. But how? I read an interesting article on using POM to install an upgrade that gives a time-based rule, but this wouldn't install.. :( Can I use cron to re-configure the filters twice a day? HELP! As always, TIA for any advice. Paul
Since you didn't say I'm assuming you are using IPTABLES on your box as well for a firewall. The good news is that IPTABLES supports a time match. This is the description from the netfilter/iptables project homepage
Code:
time - iptables ``time'' match
The possibilities are great. I think it would be easier to implement a change in iptables instead of installing new software. Good luck and post back with an update.
Hi,
Thanks for that. I think it's these options that POM adds to IPTABLES. Certainly, I don't have CONFIG_IP_NF_MATCH_TIME in my config, nor can I find where to switch it on in menuconfig :( I'll have a dig around though!
how'd it go with this?? honestly, it didn't really sound like you needed the iptables time match, which is usually used in way more complex situations... IMHO setting an iptables script to run with crond at certain hours of the day might have been more than enough for you...
Hi!
Well, not too well so far, I'm afraid. It turned out that my kernel was too old for the latest Patch-O-Matic. After looking around to find out which version of POM matches my kernel and coming up empty-handed :scratch: , I tried to upgrade my kernel. This allowed the Time patch to be applied, but broke my USB cable modem and I haven't been able to fix it :cry: so it was back to the old one! The cron approach might end up being the only one I can use - I was hoping to do something a little more elegant (and learn a bit for future use as well ;) ) I could use some assistance with writing the scripts too..... Out of interest, what do you mean by
Quote:
Thanks, Paul
like, for example, in a corporate environment where you are dealing with all kinds of different departments, users, privileges, exceptions, variations, etc. and you need to be doing stuff like this *almost in real-time* 24 hours a day... in situations like that it would be more efficient to have time matches in your rules instead of re-configuring netfilter for every change... but for someone who just wants to set some limits as to what their kids can do after the sun goes down, well, it won't really make a difference whether you time match or cron it... in fact it won't even make a difference if you need to cron the re-configuration of netfilter several times a day, etc...
EDIT: actually, it will make a difference, as you can see with the patching you've done and your USB issue, hehe... it's just that it won't make a difference *to your kids*... :) as for the assistance with the scripts, sure, no problem... just post your current script, explain what you are doing with it, tell us about your setup (network, interfaces, etc.) and how you'd like the script to behave differently after X:Xpm or what have you... we'll do our best to help you out... BTW, having crond run commands for you at certain times is an easy thing to do... i think you will have fun learning how to use cron... i remember before i learnt cron it looked really weird and stuff but after i read a howto i liked it and realized it was very simple and now i use it all the time... http://en.wikipedia.org/wiki/Crontab EDIT #2: of course there are advantages to using a time match also, so please don't interpret my post as meaning "the cron method is better than the time match method"... it all depends... in fact, i can think of some reasons why it would be better to use the time match instead of cron - even in a simple at-home situation like this... i can help you with whatever method you choose, but since you are having issues patching your kernel for time match it seems like using cron at least for now isn't such a bad idea (it's better than nothing, hehe)... sorry for sounding like my own devil's advocate... i need more coffee...
about your usb cable modem: are you sure you didn't need to apply some kinda third-party patch to get that working?? i'm just asking cuz i've always had an impression of usb cable modems being quite linux-unfriendly when it came to vanilla kernels... then again maybe times have changed... i'm still stuck on linux 2.4, hehe...
Thanks for the replies :D
Anyway, starting with the USB / kernel thing... Most odd. The kernel that works is 2.6.8.1, the one that doesn't is 2.6.15.1. The problem seems to be with the available options with menuconfig. No patches were applied to either to get the modem working (I'm running LFS 6.0, so know exactly what patches were applied). With the working config, in menuconfig, I have the following options (Device Drivers -->USB support section):- Code:
<*> USB Modem (CDC ACM) support
Moving on... I understand how to set up cron, I've already got some cron scripts running, it's the IPTABLES I'm struggling with. Basically, setup is as follows:-
Internal network on 192.168.1.0 attached to eth0
Cable modem appearing as eth1
The kids don't (yet) know about bypassing the proxy (squid) so I don't have filters stopping direct traffic from their computers (192.168.1.100 & 101) to the 'net. So what I need to do is to only allow routing to/from their computers between, say 3:30 and 7:00. Now, the IPTABLES script I do have (modified from BLFS) starts by clearing out the filters and then setting them ALL up from scratch. Do I need 2 full scripts, one which enables the routing and one which doesn't, then run the two scripts at 3:30 and 7:00 respectively, or can I simply modify the existing rules at those times? I hope that makes sense!!!! TIA Paul
Code:
USB Support > Support for Host-Side USB >
either way, i think you're gonna have your cable modem working now that you know the location of the options you need, so let me know how it goes and whether you still wanna cron a couple scripts or time-match with one script...
Cool, thanks for that... I am now running 2.6.15.1 ok (must be ok, coz I'm posting this with it ;))
Why oh why do they have to move these options around? :cry: I'd prefer to go with the single, time-based script (easier to maintain if I add in any other little tweaks later). I'll have to have a look at the howtos :study: and have a play, unless you can suggest the line(s) I need in my rc.iptables. I guess I want to set up a block for the addresses the kids use, outside the times they are allowed to play and put this fairly early in the script? Anyway, thanks again for the help! Paul
okay so you have your time-match enabled kernel going, right??
question about squid: what version do you have and are you running it in transparent mode?? if you are concerned about the kids bypassing it then you should DEFINITELY be running it in transparent mode... when you say you wanna block the addresses the kids use, are you referring to IPs or domains?? also, please post your current iptables script so we can have a look...
Wow am I impressed with the speed of you guys :D
Ok, I'm not TOO bothered about the SQUID thing, it isn't in transparent mode (I don't want to force myself and their mother through SQUID, the settings, particularly for Dan's Guardian, are a little TOO restrictive!) the kids haven't worked out (yet) how to change their proxy settings...... The time-enabled kernel certainly seems to be running ok now, although I now need to recompile IPTABLES itself before I can test (it does need re-compiling, right? Do I need a re-boot afterwards?) The kids machines are 192.168.1.100 & 192.168.1.101, so these are the addresses I want to restrict from direct access to the 'net. I want to deny access before 15:30 (weekdays) and 07:00 (weekends) and after 19:00 (all week). My current IPTABLES script is:- Code:
#!/bin/sh
Also, as an aside, there is a line at the end (as you can see) which logs packets being forwarded. Where is this logged to? I can't find it!!! Yet again, TIA, Paul
i've taken the liberty of cleaning your script up a bit, before adding the time matches: Code:
#!/bin/sh
i can't test them cuz my PC's kernel doesn't have the time match patch... good luck!!! :)
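The time-match form of the restriction, as an added example rather than the cleaned-up script posted above: it assumes the two addresses from this thread, uses the syntax of the in-tree xt_time match (the Patch-O-Matic module discussed here spelled --weekdays as --days), and puts the jump ahead of the state rule so sessions that are already open are cut off at 19:00 too.

```shell
#!/bin/sh
# Time-match form of the kids' restriction for rc.iptables.
# Constructed example, not the script posted in this thread. Assumes the
# kids' boxes are 192.168.1.100 and .101 and iptables is in PATH. Uses
# the in-tree xt_time syntax (kernel 2.6.24+, iptables 1.4+); the
# Patch-O-Matic module discussed here spelled --weekdays as --days.
# DRY_RUN=1 prints the commands instead of applying them.
KIDS="192.168.1.100 192.168.1.101"

ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi
}

# Allowed: 15:30-19:00 Mon-Fri, 07:00-19:00 Sat/Sun; everything else dropped.
# The match is evaluated per packet, so the jump to KIDS must sit in
# FORWARD before the usual ESTABLISHED,RELATED ACCEPT: otherwise a game
# session opened at 18:59 keeps running past 19:00, which is exactly the
# problem the thread started with. --kerneltz makes xt_time use local
# time (it defaults to UTC); older releases call the flag --localtz.
kids_time_rules() {
    ipt -N KIDS
    for ip in $KIDS; do
        ipt -I FORWARD 1 -s "$ip" -j KIDS
        ipt -I FORWARD 1 -d "$ip" -j KIDS
    done
    # RETURN inside the allowed window hands the packet back to FORWARD.
    ipt -A KIDS -m time --kerneltz --timestart 15:30 --timestop 19:00 \
        --weekdays Mon,Tue,Wed,Thu,Fri -j RETURN
    ipt -A KIDS -m time --kerneltz --timestart 07:00 --timestop 19:00 \
        --weekdays Sat,Sun -j RETURN
    ipt -A KIDS -j DROP
}

# Run as "rc.iptables-kids apply" from the end of rc.iptables.
case ${1:-} in
    apply) kids_time_rules ;;
    *) echo "usage: $0 apply (DRY_RUN=1 to print)" >&2 ;;   # no exit: sourceable
esac
```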
Grrrrr!
Ok, thanks for all that, I have re-compiled IPTABLES and rebooted, then I tried to issue a time-related command manually:- Quote:
So I did a make clean on IPTABLES - no-go. If I look in the IPTABLES source directory tree (I'm at the limits of my knowledge here!) there is a file in the extensions directory called libipt_time.c and a second one called libipt_time.man, but the .so file is nowhere to be found. :cry: I also notice that all the other extensions have an additional file with a ".d" extension, but there is no libipt_time.d - is this significant? Finally, out of desperation, I watched a complete make of IPTABLES and didn't spot libipt_time being compiled... why not?????:mad: So I still have kids sitting up all night playing games (unless I stop them!!) :rolleyes: Finally, I'm not sure I fully understand your modified file.. My server is running DNS, DHCP, httpd, squid, SAMBA, postfix, ssh and ftp as well as squid, dansguardian and havp. Do I need to worry about exceptions for all of these using your config? Cheers! Paul
You could just have a cron job that changes the iptables configuration by one rule. The cron job that allows access can run when they can start playing. The cron job that disallows access can run when they have to stop playing. Each cron job just adjusts one iptables rule. You can even have both jobs in one script to make it neat.
Here is an even simpler idea. Have one iptables setup script that is set up to allow games. Name that /etc/iptables-allow-script. Have another iptables setup script that denies games. Name that /etc/iptables-deny-script. These scripts are just the iptables commands to configure iptables. Then your cron job would just be one command. The command to run when they can start playing would just be iptables-restore < /etc/iptables-allow-script. The command to run when they have to stop playing would be iptables-restore < /etc/iptables-deny-script. The cron job approach seems a lot easier to me than trying to get iptables to change its behavior based on the time of day.
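The cron-driven version described in the two posts above, as an added example that is not from the thread: one script with allow/deny modes for the addresses and schedule Paul gave, plus the crontab lines to drive it. It assumes the kids' machines are 192.168.1.100 and .101 and that iptables is in PATH; a dedicated chain is used so the BLFS-style rc.iptables does not have to be rewritten.

```shell
#!/bin/sh
# kidsnet: cron-driven on/off switch for the kids' direct net access.
# Constructed example for this thread, not the OP's rc.iptables. Assumes
# the kids' boxes are 192.168.1.100 and .101 and iptables is in PATH.
# Root crontab for the schedule given in the thread:
#   30 15 * * 1-5  /usr/local/sbin/kidsnet allow   # 15:30 Mon-Fri
#   0  7  * * 6,0  /usr/local/sbin/kidsnet allow   # 07:00 Sat/Sun
#   0  19 * * *    /usr/local/sbin/kidsnet deny    # 19:00 every day
# rc.iptables flushes everything, so call "kidsnet now" at its end too.
KIDS="192.168.1.100 192.168.1.101"

ipt() {   # DRY_RUN=1 prints the commands instead of applying them
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi
}

# $1 = day of week (0=Sun..6=Sat), $2 = HHMM as printed by date; prints
# "allow" or "deny". Window: 15:30-19:00 weekdays, 07:00-19:00 weekends.
kids_mode_for() {
    case $1 in 0|6) start=700 ;; *) start=1530 ;; esac
    if [ "$2" -ge "$start" ] && [ "$2" -lt 1900 ]; then echo allow; else echo deny; fi
}

# Rebuild the KIDS chain for the given mode. Flush-and-refill plus
# delete-and-reinsert of the jump is idempotent without "iptables -C",
# and position 1 of FORWARD keeps the DROP ahead of any
# ESTABLISHED,RELATED ACCEPT, so sessions opened during allowed hours are
# cut off at 19:00 instead of surviving (the OP's actual complaint).
# Traffic to the router itself (squid, DNS) goes via INPUT and is untouched.
kids_set() {
    ipt -N KIDS 2>/dev/null || true
    ipt -F KIDS
    ipt -D FORWARD -j KIDS 2>/dev/null || true
    ipt -I FORWARD 1 -j KIDS
    if [ "$1" = deny ]; then
        for ip in $KIDS; do
            ipt -A KIDS -s "$ip" -j DROP   # their packets going out
            ipt -A KIDS -d "$ip" -j DROP   # replies coming back in
        done
    fi
}

case ${1:-} in
    allow|deny) kids_set "$1" ;;
    now) kids_set "$(kids_mode_for "$(date +%w)" "$(date +%H%M)")" ;;
    *) echo "usage: $0 allow|deny|now" >&2 ;;   # no exit: file stays sourceable
esac
```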