Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
I'm running a linux box as a home router / server / everything (busybox). I have SQUID configured with Dan's Guardian etc. and it all works well.
Ok, now to my question....!
My kids are getting a little bit TOO keen on some online multiplayer games (Runescape, Habbo Hotel etc.) Now, I don't want to completely deny access, but I want to limit it.
I have set up Squid to control when they can get on the 'net, but the problem is that these games talk directly with the game server. This means that as long as they OPEN the site within the allowed times, they can stay on until either their mother or myself kicks them off!
WHat I'dlike to do is to reconfigure the packet filters so that I can control the times that this traffic is allowed. But how?
I read an interesting article on using POM to install an upgrade that gives a time-based rule, but this wouldn't install..
Can I use cron to re-configure the filters twice a day?
Since you didn't say I'm assuming you are using IPTABLES on your box as well for a firewall. The good news is that IPTABLES supports a time match. This is the description from the netfilter/iptables project homepage
Code:
time - iptables ``time'' match
Author: Fabrice MARIE <fabrice@netfilter.org>
Status: Works within it's limitations
This option adds CONFIG_IP_NF_MATCH_TIME, which supplies a time match module.
This match allows you to filter based on the packet arrival time/date
(arrival time/date at the machine which the netfilter is running on) or
departure time/date (for locally generated packets).
Supported options are:
[ --timestart value ]
Match only if it is after `value' (Inclusive, format: HH:MM ; default 00:00).
[ --timestop value ]
Match only if it is before `value' (Inclusive, format: HH:MM ; default 23:59).
[ --days listofdays ]
Match only if today is one of the given days. (format: Mon,Tue,Wed,Thu,Fri,Sat,Sun ; default everyday)
[ --datestart date ]
Match only if it is after `date' (Inclusive, format: YYYY[:MM[:DD[:hh[:mm[:ss]]]]]
h,m,s start from 0 ; default to 1970)
[ --datestop date ]
Match only if it is before `date' (Inclusive, format: YYYY[:MM[:DD[:hh[:mm[:ss]]]]]
h,m,s start from 0 ; default to 2037)
Example:
-A INPUT -m time --timestart 8:00 --timestop 18:00 --days Mon,Tue,Wed,Thu,Fri
will match packets that have an arrival timestamp in the range 8:00->18:00 from Monday
to Friday.
-A OUTPUT -m time --timestart 8:00 --timestop 18:00 --Days Mon --date-stop 2010
will match the packets (locally generated) that have a departure timestamp
in the range 8:00->18:00 on Monday only, until 2010
NOTE: the time match does not track changes in daylight savings time
To be honest I'm not sure what version of IPTABLES is required to have this match. You could search your kernel config for "CONFIG_IP_NF_MATCH_TIME" to see if it is an option and then enable it if it is not. You could use this time match to shut off the internet at any time you wish. Another interesting possibility is using the time match in conjunction with the IP of the machine (if they have their own computer) or you could use the owner match to restrict access. Using the owner match to restrict access in conjunction with the time match you could still access the internet but they cannot.
The possibilities are great. I think it would be easier to implement a change in iptables instead of installing new software. Good luck and post back with an update.
Thanks for that. I think it's these options that POM adds to IPTABLES. Certainly, I don't have CONFIG_IP_NF_MATCH_TIME in my config, nor can I find where to switch it on in menuconfig
how'd it go with this?? honestly, it didn't really sound like you needed the iptables time match, which is usually used in way more complex situations... IMHO setting an iptables script to run with crond at certain hours of the day might have been more than enough for you...
It turned out that my kernel was too old for the latest Patch-O-Matic. After looking around to find out which version of POM matches my kernel and coming up empty-handed , I tried to upgrade my kernel. This allowed the Time patch to be applied, but broke my USB cable modem and I haven't been able to fix it so it was back to the old one!
The cron approach might end up being the only one I can use - I was hoping to do something a little more elegant (and learn a bit for future use as well ) I could use some assistance with writing the scripts too.....
like, for example, in a corporate environment where you are dealing with all kinds of different departments, users, privilages, exceptions, variations, etc. and you need to be doing stuff like this *almost in real-time* 24 hours a day... in situations like that it would be more efficient to have time matches in your rules instead of re-configuring netfilter for every change... but for someone who just wants to set some limits as to what their kids can do after the sun goes down, well, it won't really make a difference wether you time match or cron it... in fact it won't even make a difference if you need to cron the re-configuration of netfilter several times a day, etc...
EDIT: actually, it will make a difference, as you can see with the patching you've done and your USB issue, hehe... it's just that it won't make a difference *to your kids*...
as for the assistance with the scripts, sure, no problem... just post your current script, explain what you are doing with it, tell us about your setup (network, interfaces, etc.) and how you'd like the script to behave differently after X:Xpm or what have you... we'll do our best to help you out...
BTW, having crond run commands for you at certain times is an easy thing to do... i think you will have fun learning how to use cron... i remember before i learnt cron it looked really weird and stuff but after i read a howto i liked it and realized it was very simple and now i use it all the time...
EDIT #2: of course there are advantages to using a time match also, so please don't interpret my post as meaning "the cron method is better than the time match method"... it all depends... in fact, i can think of some reasons why it would be better to use the time match instead of cron - even in a simple at-home situation like this...
i can help you with whatever method you choose, but since you are having issues patching your kernel for time match it seems like using cron at least for now isn't such a bad idea (it's better than nothing, hehe)...
sorry for sounding like my own devil's advocate... i need more coffee...
about your usb cable modem: are you sure you didn't need to apply some kinda third-party patch to get that working?? i'm just asking cuz i've always had an impression of usb cable modems being quite linux-unfriendly when it came to vanilla kernels... then again maybe times have changed... i'm still stuck on linux 2.4, hehe...
Most odd. The kernel that works is 2.6.8.1, the one that doesn't is 2.6.15.1.
The problem seems to be with the available options with menuconfig.
No patches were applied to either to get the modem working (I'm running LFS 6.0, so know exactly what patches were applied).
With the working config, in menuconfig, I have the following options (Device Drivers -->USB support section):-
Code:
<*> USB Modem (CDC ACM) support
...
<*> Multi-purpose USB Networking Framework
...
[*] CDC Ethernet support (smart devices such as cable modems)
These options just seem to be missing from the later kernel
Moving on...
I understand how to set up cron, I've already got some cron scripts running, it's the IPTABLES I'm struggling with.
Basically, setup is as follows:-
Internal network on 192.168.1.0 attached to eth0
Cable modem appearing as eth1
The kids don't (yet) know about bypassing the proxy (squid) so I don't have filters stopping direct traffic from their computers (192.168.1.100 & 101) to the 'net. So what I need to do is to only allow routing to/from their computers between, say 3:30 and 7:00.
Now, the IPTABLES script I do have (modified from BLFS) starts by clearing out the filters and then setting them ALL up from scratch. Do I need 2 full scripts, one which enables the routing and one which doesn't, then run the two scripts at 3:30 and 7:00 respectively, or can I simply modify the existing rules at those times?
<*> USB Modem (CDC ACM) support
<*> Multi-purpose USB Networking Framework
[*] CDC Ethernet support (smart devices such as cable modems)
These options just seem to be missing from the later kernel
actually, i just took a look at a 2.6.15.1 source package and i can see those options you've mentioned... they are here:
Code:
USB Support > Support for Host-Side USB >
USB Modem (CDC ACM) support
USB Support > USB Network Adapters > Multi-purpose USB Networking Framework >
CDC Ethernet support (smart devices such as cable modems)
also, i'd (of course) recommend using the *latest* stable version, which is 2.6.15.2 at the time of this post... i think it kocks-out some security issues and some other important stuff...
either way, i think you're gonna have your cable modem working now that you know the location of the options you need, so let me know how it goes and wether you still wanna cron a couple scripts or time-match with one script...
Cool, thanks for that... I am now running 2.6.15.1 ok (must be ok, coz I'm posting this with it )
Why oh why do they have to move these options around?
I'd prefer to go with the single, time-based script (easier to maintain if I add in any other little tweaks later). I'll have to have a look at the howtos and have a play, unless you can suggest the line(s) I need in my rc.iptables. I guess I want to set up a block for the addresses the kids use, outside the times they are allowed to play and put this fairly early in the script?
Ok, I'm not TOO bothered about the SQUID thing, it isn't in transparent mode (I don't want to force myself and their mother through SQUID, the settings, particularly for Dan's Guardian, are a little TOO restrictive!) the kids haven't worked out (yet) how to change their proxy settings......
The time-enabled kernel certainly seems to be running ok now, although I now need to recompile IPTABLES itself before I can test (it does need re-compiling, right? Do I need a re-boot afterwards?)
The kids machines are 192.168.1.100 & 192.168.1.101, so these are the addresses I want to restrict from direct access to the 'net. I want to deny access before 15:30 (weekdays) and 07:00 (weekends) and after 19:00 (all week).
My current IPTABLES script is:-
Code:
#!/bin/sh
# Begin $rc_base/rc.iptables
echo
echo "You're using the example configuration for a setup of a firewall"
echo "from Beyond Linux From Scratch."
echo "This example is far from being complete, it is only meant"
echo "to be a reference."
echo "Firewall security is a complex issue, that exceeds the scope"
echo "of the configuration rules below."
echo "You can find additional information"
echo "about firewalls in Chapter 4 of the BLFS book."
echo "http://www.linuxfromscratch.org/blfs"
echo
# Insert iptables modules (not needed if built into the kernel).
#modprobe ip_tables
#modprobe iptable_filter
#modprobe ip_conntrack
#modprobe ip_conntrack_ftp
#modprobe ipt_state
#modprobe iptable_nat
#modprobe ip_nat_ftp
#modprobe ipt_MASQUERADE
#modprobe ipt_LOG
#modprobe ipt_REJECT
# Enable broadcast echo Protection
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Disable Source Routed Packets
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
# Enable TCP SYN Cookie Protection
#echo 1 > /proc/sys/net/ipv4/tcp_syncookies
# Disable ICMP Redirect Acceptance
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
# Donšt send Redirect Messages
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
# Drop Spoofed Packets coming in on an interface where responses
# would result in the reply going out a different interface.
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
# Log packets with impossible addresses.
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
# Be verbose on dynamic ip-addresses (not needed in case of static IP)
echo 2 > /proc/sys/net/ipv4/ip_dynaddr
# Disable Explicit Congestion Notification
# Too many routers are still ignorant
echo 0 > /proc/sys/net/ipv4/tcp_ecn
# Set a known state
iptables -P INPUT ACCEPT
iptables -F INPUT
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -P OUTPUT ACCEPT
iptables -F OUTPUT
iptables -t nat -F
# These lines are here in case rules are already in place and the
# script is ever rerun on the fly. We want to remove all rules and
# pre-existing user defined chains before we implement new rules.
iptables -X
iptables -Z
# Allow local connections
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Allow forwarding if the initiated on the intranet
iptables -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
# Do masquerading
# (not needed if intranet is not using private ip-addresses)
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
# Log everything for debugging
# (last of all rules, but before policy rules)
iptables -A FORWARD -j LOG --log-prefix "FIREWALL:FORWARD"
# Enable IP Forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
I'm guessing I need a couple of DENY lines just before the current FORWARD lines which DENY packets from/to their machines at the the required times?
Also, as an aside, there is a line at the end (as you can see) which logs packets being forwarded. Where is this logged to? I can't find it!!!
Ok, I'm not TOO bothered about the SQUID thing, it isn't in transparent mode (I don't want to force myself and their mother through SQUID, the settings, particularly for Dan's Guardian, are a little TOO restrictive!) the kids haven't worked out (yet) how to change their proxy settings......
OK... but keep in mind that with iptables you can select which IPs you want to be "forced" to use DansGuardian and which you don't...
Quote:
The time-enabled kernel certainly seems to be running ok now, although I now need to recompile IPTABLES itself before I can test (it does need re-compiling, right? Do I need a re-boot afterwards?)
yeah, i think that since you added a new netfilter capability to your kernel, you probably need to recompile iptables... when you just recompile yourself a new kernel without any new netfilter features you don't need to recompile iptables, though... about the reboot, i'm not sure... i always reboot after upgrading iptables on my pc but it's mainly for psychological reasons... hehe...
Quote:
The kids machines are 192.168.1.100 & 192.168.1.101, so these are the addresses I want to restrict from direct access to the 'net. I want to deny access before 15:30 (weekdays) and 07:00 (weekends) and after 19:00 (all week).
OK...
Quote:
I'm guessing I need a couple of DENY lines just before the current FORWARD lines which DENY packets from/to their machines at the the required times?
isn't DENY from back in the ipchains days?? DENY is like DROP, right?? well, i don't think DROP is the best target in this case... i think REJECT is the best option cuz it will avoid having your kid's computers hang while they wait for a reply... by using REJECT they are sent a reply right away telling their computers that the connection has been denied...
Quote:
Also, as an aside, there is a line at the end (as you can see) which logs packets being forwarded. Where is this logged to? I can't find it!!!
check your /var/log/syslog file...
Quote:
My current IPTABLES script is:-
Code:
#!/bin/sh
# Begin $rc_base/rc.iptables
echo
echo "You're using the example configuration for a setup of a firewall"
echo "from Beyond Linux From Scratch."
echo "This example is far from being complete, it is only meant"
echo "to be a reference."
echo "Firewall security is a complex issue, that exceeds the scope"
echo "of the configuration rules below."
echo "You can find additional information"
echo "about firewalls in Chapter 4 of the BLFS book."
echo "http://www.linuxfromscratch.org/blfs"
echo
# Insert iptables modules (not needed if built into the kernel).
#modprobe ip_tables
#modprobe iptable_filter
#modprobe ip_conntrack
#modprobe ip_conntrack_ftp
#modprobe ipt_state
#modprobe iptable_nat
#modprobe ip_nat_ftp
#modprobe ipt_MASQUERADE
#modprobe ipt_LOG
#modprobe ipt_REJECT
# Enable broadcast echo Protection
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Disable Source Routed Packets
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
# Enable TCP SYN Cookie Protection
#echo 1 > /proc/sys/net/ipv4/tcp_syncookies
# Disable ICMP Redirect Acceptance
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
# Donšt send Redirect Messages
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
# Drop Spoofed Packets coming in on an interface where responses
# would result in the reply going out a different interface.
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
# Log packets with impossible addresses.
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
# Be verbose on dynamic ip-addresses (not needed in case of static IP)
echo 2 > /proc/sys/net/ipv4/ip_dynaddr
# Disable Explicit Congestion Notification
# Too many routers are still ignorant
echo 0 > /proc/sys/net/ipv4/tcp_ecn
# Set a known state
iptables -P INPUT ACCEPT
iptables -F INPUT
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -P OUTPUT ACCEPT
iptables -F OUTPUT
iptables -t nat -F
# These lines are here in case rules are already in place and the
# script is ever rerun on the fly. We want to remove all rules and
# pre-existing user defined chains before we implement new rules.
iptables -X
iptables -Z
# Allow local connections
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Allow forwarding if the initiated on the intranet
iptables -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
# Do masquerading
# (not needed if intranet is not using private ip-addresses)
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
# Log everything for debugging
# (last of all rules, but before policy rules)
iptables -A FORWARD -j LOG --log-prefix "FIREWALL:FORWARD"
# Enable IP Forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
i've taken the liberty of cleaning your script up a bit, before adding the time matches:
Code:
#!/bin/sh
IPT="/sbin/iptables"
echo 0 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
echo 0 > /proc/sys/net/ipv4/tcp_syncookies
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
echo 2 > /proc/sys/net/ipv4/ip_dynaddr
echo 0 > /proc/sys/net/ipv4/tcp_ecn
$IPT -F
$IPT -F -t nat
$IPT -F -t mangle
$IPT -X
$IPT -X -t nat
$IPT -X -t mangle
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT
#/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_nat_ftp
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -i lo -j ACCEPT
# DansGuardian:
$IPT -A INPUT -p TCP -i eth0 --dport 8080 \
-m state --state NEW -j ACCEPT
# Squid:
$IPT -A INPUT -p TCP -i eth0 --dport 3128 \
-m state --state NEW -j ACCEPT
# Dnsmasq:
$IPT -A INPUT -p UDP -i eth0 --dport 53 \
-m state --state NEW -j ACCEPT
$IPT -A INPUT -m limit --limit 3/minute --limit-burst 3 \
-j LOG --log-prefix "INPUT DROP: "
$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -i eth0 -s 192.168.1.100 -m time \
--timestart 19:00 -j REJECT
$IPT -A FORWARD -i eth0 -s 192.168.1.100 -m time \
--timestop 15:30 --days Mon,Tue,Wed,Thu,Fri -j REJECT
$IPT -A FORWARD -i eth0 -s 192.168.1.100 -m time \
--timestop 07:00 --days Sat,Sun -j REJECT
$IPT -A FORWARD -i eth0 -s 192.168.1.101 -m time \
--timestart 19:00 -j REJECT
$IPT -A FORWARD -i eth0 -s 192.168.1.101 -m time \
--timestop 15:30 --days Mon,Tue,Wed,Thu,Fri -j REJECT
$IPT -A FORWARD -i eth0 -s 192.168.1.101 -m time \
--timestop 07:00 --days Sat,Sun -j REJECT
$IPT -A FORWARD -i eth0 -o eth1 -m state --state NEW -j ACCEPT
$IPT -A FORWARD -m limit --limit 3/minute --limit-burst 3 \
-j LOG --log-prefix "FORWARD DROP: "
$IPT -t nat -A POSTROUTING -o eth1 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
let me know if there's any problems with the rules...
i can't test them cuz my PC's kernel doesn't have the time match patch...
Ok, thanks for all that, I have re-compiled IPTABLES and rebooted, then I tried to issue a time-related command manually:-
Quote:
-A FORWARD -i eth0 -s 192.168.1.101 -m time \
--timestop 07:00 --days Sat,Sun -j REJECT
Result :-
Quote:
iptables v1.3.3: Couldn't load match `time':/lib/iptables/libipt_time.so: cannot open shared object file: No such file or directory
Try `iptables -h' or 'iptables --help' for more information.
I had a look, and sure enough libipt_time.so is missing
So I did a make clean on IPTABLES - no-go.
If I look in the IPTABLES source directory tree (I'm at the limits of my knowledge here!) there is a file in the extensions directory called libipt_time.c and a second one called libipt_time.man, but the .so file is nowhere to be found. I also notice that all the other extensions have an additional file with a ".d" extension, but there is no libipt_time.d - is this significant? Finally, out of desperation, I watched a complete make of IPTABLES and didn't spot libipt_time being compiled... why not?????
So I still have kids sitting up all night playing games (unless I stop them!!)
Finally, I'm not sure I fully understand your modified file.. My server is running DNS, DHCP, httpd, squid, SAMBA, postfix, ssh and ftp as well as squid, dansguardian and havp. Do I need to worry about exceptions for all of these using your config?
You could just have a cron job that changes the iptables configuration by one rule. The cron job that allows access can run when they can start playing. The cron job that disallows access can run when they have to stop playing. Each cron job just adjusts one iptables rule. You can even have both jobs in one script to make it neat.
Here is an even simpler idea. Have one iptables setup script that is set up to allow games. Name that /etc/iptables-allow-script. Have another iptables setup script that denies games. Name that /etc/iptables-deny-script. These scripts are just the iptables commands to configure iptables. Then your cron job would just be one command. The command to run when they can start playing would just be iptables-restore < /etc/iptables-allow-script. The command to run when they have to stop playing would be iptables-restore < /etc/iptables-deny-script.
The cron job approach seems a lot easier to me than trying to get iptables to change it's behavior based on the time of day.
Last edited by stress_junkie; 02-07-2006 at 03:03 PM.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
, I tried to upgrade my kernel. This allowed the Time patch to be applied, but broke my USB cable modem and I haven't been able to fix it 
so it was back to the old one!
) I could use some assistance with writing the scripts too.....
and have a play, unless you can suggest the line(s) I need in my rc.iptables. I guess I want to set up a block for the addresses the kids use, outside the times they are allowed to play and put this fairly early in the script?
