
Re: Excluding internal ipaddresses periodically from internet.



On Thu, 2002-12-26 at 01:05, Ina&Frank wrote:
> Hi all,
> 
> I am using iptables (2.4 kernel) and ppp dialup to connect through my 
> cable modem (to be online only when I need it).
> I have a small network (7 PCs), some Win98, some Debian Linux, working 
> together and all able to connect to the internet.
> So far, so good.
> 
> My question is that I want to exclude some of the IP addresses (PCs) from 
> connecting to the internet after, let's say, 21:00 hrs each day. And when they 
> are connected at that time, to cut them off. The other addresses may 
> still connect.
> 
> Is there a way to tell iptables (for example) to exclude some addresses 
> for a period of time

IIRC there is indeed a TIME option in iptables, but I never used it.

> or do I have to let cron bring down the firewall, 
> rewrite the config file of iptables and restart the firewall again, or 
> are there more simple and more efficient methods to accomplish this?

No need to completely drop your firewall or to rewrite your configs as
you can "insert" and "delete" specific rules from the running system.

One example:

assuming eth0=LAN

# list INPUT chain
root@mhfw01:~ >iptables -L INPUT
Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  mhfw01               anywhere           
ACCEPT     all  --  anywhere             anywhere           
ACCEPT     all  --  0.0.0.0              anywhere           
in_eth0    all  --  192.168.5.0/24       anywhere           
in_eth1    all  --  192.168.1.0/24       anywhere           
in_adsl    all  -- !192.168.5.0/24       anywhere           
LOG        all  --  anywhere             anywhere           LOG level
warning prefix `*INPUT* ' 
root@mhfw01:~ >

# Now i drop a single IP in the running firewall by "inserting" a rule
# into the INPUT chain:

root@mhfw01:~ >iptables -I INPUT -i eth0 -s 192.168.5.16 -j DROP
root@mhfw01:~ >iptables -L INPUT
Chain INPUT (policy DROP)
target     prot opt source               destination         
DROP       all  --  192.168.5.16         anywhere           
ACCEPT     all  --  mhfw01               anywhere           
ACCEPT     all  --  anywhere             anywhere           
ACCEPT     all  --  0.0.0.0              anywhere           
in_eth0    all  --  192.168.5.0/24       anywhere           
in_eth1    all  --  192.168.1.0/24       anywhere           
in_adsl    all  -- !192.168.5.0/24       anywhere           
LOG        all  --  anywhere             anywhere           LOG level
warning prefix `*INPUT* ' 
root@mhfw01:~ >

As you can see, the new rule has been inserted at the top of the INPUT
chain. To delete it, just use the "-D" option:

root@mhfw01:~ >iptables -D INPUT -i eth0 -s 192.168.5.16 -j DROP
root@mhfw01:~ >iptables -L INPUT
Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  mhfw01               anywhere           
ACCEPT     all  --  anywhere             anywhere           
ACCEPT     all  --  0.0.0.0              anywhere           
in_eth0    all  --  192.168.5.0/24       anywhere           
in_eth1    all  --  192.168.1.0/24       anywhere           
in_adsl    all  -- !192.168.5.0/24       anywhere           
LOG        all  --  anywhere             anywhere           LOG level
warning prefix `*INPUT* ' 
root@mhfw01:~ >

It's that simple :)

Of course you could set up a chain called "blocker", configure all IPs
you want to block from the internet in it, and then insert a call to that
chain into INPUT or FORWARD.


This was just an example. You'll need a rule that checks for destination
address != $local_address_range, or you'll drop *any* access to your
gateway.

HTH

-- 

Matthias Hentges 
Cologne / Germany

[www.hentges.net] -> PGP welcome, HTML tolerated
ICQ: 97 26 97 4   -> No files, no URL's

My OS: Debian Woody: Geek by Nature, Linux by Choice

Attachment: signature.asc
Description: This is a digitally signed message part
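The "blocker" chain and the destination check that Matthias describes, put together as a cron-driven script. This is an added example, not code from the original thread. It assumes the gateway's LAN is 192.168.5.0/24 on eth0 (the addresses in the listings above) and that the hosts to cut off are the two in BLOCKED; both are hypothetical and need to be adjusted. Rules go into FORWARD, since the traffic to be stopped is LAN hosts routed out via ppp, and each DROP carries `! -d $LAN_NET` so the gateway itself and other LAN hosts stay reachable. The rule text is generated by one function and executed by another, so the rules can be reviewed and tested without root.

```shell
#!/bin/sh
# Added example (not from the original post): a "blocker" chain for FORWARD
# that cron turns on at night and off in the morning.
# Hypothetical values, adjust for your network:
LAN_IF=eth0
LAN_NET=192.168.5.0/24
BLOCKED="192.168.5.16 192.168.5.17"
IPT=${IPTABLES:-iptables}

# Print the iptables commands that bring the blocker chain up.
blocker_up_rules() {
  # Creating the chain fails if it already exists; flush it instead so
  # running "up" twice (e.g. after a missed "down") is harmless.
  echo "$IPT -N blocker 2>/dev/null || $IPT -F blocker"
  for ip in $BLOCKED; do
    # Drop only what leaves the LAN: a packet whose destination is inside
    # $LAN_NET (the gateway, a local print server) is left alone.
    echo "$IPT -A blocker -s $ip ! -d $LAN_NET -j DROP"
  done
  echo "$IPT -A blocker -j RETURN"
  # Insert the jump at position 1, ahead of any ESTABLISHED-accept rule in
  # FORWARD, so connections that are already open are cut off too.
  echo "$IPT -I FORWARD 1 -i $LAN_IF -s $LAN_NET -j blocker"
}

# Print the commands that take the blocker chain down again.
blocker_down_rules() {
  # The -D fails if the jump is not present (never brought up); ignore that.
  echo "$IPT -D FORWARD -i $LAN_IF -s $LAN_NET -j blocker 2>/dev/null || true"
  echo "$IPT -F blocker"
  echo "$IPT -X blocker"
}

# Execute the generated rules, stopping at the first iptables error.
apply() { "blocker_${1}_rules" | sh -e; }

case "${1:-}" in
  up|down) apply "$1" ;;
  show)    blocker_up_rules; blocker_down_rules ;;
esac
```

Installed as /usr/local/sbin/blocker, the two crontab entries `0 21 * * * /usr/local/sbin/blocker up` and `0 7 * * * /usr/local/sbin/blocker down` do the scheduling; `blocker show` prints the rules without touching the running firewall. Note that the DROP in FORWARD does not stop the blocked hosts from reaching the gateway itself, which is deliberate; if the gateway also runs a proxy, the same `! -d` rule belongs in INPUT as well.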