On Fri 05 Aug 2016 at 15:49:28 +0000, Mark Fletcher wrote:
> On Fri, Aug 5, 2016 at 11:04 PM Brian <ad44@cityscape.co.uk> wrote:
>
> > Sticking with the idea of using a systemd service file, the script it
> > runs would check the time and alter the routing table when necessary.
> > Neither cron nor iptables need come into the picture.
> >
> Thanks Brian. My thinking was that although this machine won't be on all
> the time, it will be started and stopped at unpredictable times. I wanted
> to have a situation where if it is brought up during allowed hours, the
> internet works. If it is brought up during not-allowed hours, it doesn't,
> until 9am arrives, at which point it starts working. So if my son gets out
> of bed at 3am and fires up the computer, he gets nowhere (at least until he
> figures out how to hack into my own machine and run an ssh session with X
> forwarding... but if he figures that out without my help I'm almost
> inclined to reward him by turning a blind eye :-) )
>
> Similarly, if he is surfing away on it at 9pm, well by then he is supposed
> to be at least in the bath if not in bed, so the computer's internet
> connection sets an example by going to sleep...
>
> If he leaves it on, I want it to connect and disconnect automatically at
> the appropriate times, and if he doesn't, I want it to come up in the right
> state. If I leave a hole in this that can be exploited without strong
> technical skills, I'm confident he'll find it...
Without the root password or sudo he should be unable to influence the
routing. The machine will always come up with a route to the internet
because you are using DHCP. But that shouldn't last for more than thirty
seconds if we can get systemd to do its stuff.
We'll forget about a fixed IP. DHCP gets you an address and a default
route when it boots. Check the latter with 'ip route'. You want a
default route to the internet between 9am and 9pm but not otherwise.
Consider this script
  #!/bin/bash
  while :
  do
  HOUR=$(date +%H)
  # 10# forces base 10: "08" and "09" would otherwise be read as octal and
  # make the test fail. Hour 21 (9pm) itself is already curfew, so use "<".
  if ((9 <= 10#$HOUR && 10#$HOUR < 21)); then
     echo "Help with the washingup, tidy your room, make yourself useful."
  else
     echo "Have a bath. Go to bed."
  fi
  sleep 30
  done
The first echo line would be replaced with
  ip route add default via <gateway IP> dev <interface>
You need this in the event the machine is left on overnight and the
second echo line
  ip route del default via <gateway IP> dev <interface>
is in force.
The script would go in /usr/local/bin and be run by a systemd service
file with its Exec directive. You should run the script first and check
that it does do what you want. Altering the "9" and the "21" will help.
You probably want a "one-shot" service file. You're ok with devising
that?
> I could give the box a fixed IP but I have always used DHCP on my local
> network and don't want to disturb my habits more than necessary for this.
It wasn't an important suggested change.
> Also this would get rid of the need for DHCP but wouldn't get rid of NTP
> calls, and then I'd get them vomiting all over the logs when they fail to
> connect. Not a big problem, certainly, but an elegant solution would avoid
> it.
Have the script stop and start the NTP service. Elegant enough?
> I didn't mention earlier, and I'm not sure if it is relevant, but the
> computer connects via WiFi to my access point, which is also my network's
> internet gateway -- with an LFS box between it and the cable modem as a
> dedicated firewall. I don't trust the non-free firewall in the AP, although
WiFi or cable shouldn't be a concern. Both set up routing in the same way.
> I have left it on. The rest of my network is not to be subject to this 9pm
> curfew. And I would ideally like connectivity between this machine and the
> rest of my local network to remain even when the internet is denied to this
> machine, so I can do remote maintenance when he's not using the machine,
> for example. If I monkey around with the default routing as you are
> suggesting, does that have any negative implications for connectivity to
> the rest of my local network?
It shouldn't do because you will only be adjusting the route to get off
your network. But that's where testing comes in.
> Finally, I am afraid I did not understand the
> point you made about how cron can be avoided. If the machine's up when 9pm
> arrives, I want internet connectivity to die so I can prise him off the
> computer and get him to bed. In your idea, how can I make that happen
> without a cron job?
The script run by systemd takes care of what happens at a particular
time. A cron-only solution is possible but I think the systemd way seems
more flexible because the script can be adjusted.
You are after an all-or-nothing solution and iptables is intended for
more finely-grained routing issues. It would probably do the job but
there is more work involved and it's a bugger to debug if the rules are
not quite right.
Thanks for this Brian.
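The approach discussed above (a looping script started by systemd that adds or removes the default route by the hour, and stops NTP while the internet is off), written out as an added example that is not the script from the message. It assumes the machine is started at boot by a systemd unit with ExecStart=/usr/local/bin/curfew-route --loop, and the gateway, interface and NTP unit names are placeholders to be replaced.

```shell
#!/bin/sh
# Added example, not the list poster's script. Assumed to be started by a
# systemd unit (ExecStart=/usr/local/bin/curfew-route --loop).
GATEWAY="${GATEWAY:-192.168.1.1}"   # placeholder: the access point's LAN address
IFACE="${IFACE:-wlan0}"             # placeholder: the WiFi interface
NTP_UNIT="${NTP_UNIT:-systemd-timesyncd.service}"   # placeholder: NTP service
START_HOUR=9                        # internet allowed from 09:00 ...
END_HOUR=21                         # ... up to, but not including, 21:00

# allowed_hour HOUR -> succeeds when HOUR (as printed by 'date +%H', leading
# zero permitted) is inside the allowed window. Stripping the leading zero
# avoids "08"/"09" being read as octal by the shell's arithmetic.
allowed_hour() {
    h=${1#0}
    [ "$h" -ge "$START_HOUR" ] && [ "$h" -lt "$END_HOUR" ]
}

# state_for_hour HOUR -> prints "up" or "down".
state_for_hour() {
    if allowed_hour "$1"; then echo up; else echo down; fi
}

# route_present -> succeeds if a default route currently exists.
route_present() {
    ip route show default | grep -q '^default'
}

# apply_state up|down -> only touches the route and NTP when needed, so a
# machine booted at 3am loses its DHCP default route within one cycle and a
# repeated 'ip route add' does not fail with "File exists".
apply_state() {
    case "$1" in
        up)
            route_present || ip route add default via "$GATEWAY" dev "$IFACE"
            systemctl start "$NTP_UNIT"
            ;;
        down)
            if route_present; then
                ip route del default via "$GATEWAY" dev "$IFACE"
            fi
            systemctl stop "$NTP_UNIT"
            ;;
    esac
}

# The loop only runs with --loop; sourcing the file just defines the functions.
if [ "${1-}" = "--loop" ]; then
    while :; do
        apply_state "$(state_for_hour "$(date +%H)")"
        sleep 30
    done
fi
```

Local traffic is unaffected because only the default route is touched; the directly connected LAN route that DHCP installs stays, so ssh from the rest of the network keeps working during the curfew.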