qprfact
January 4th, 2010, 08:07 AM
I have a small home network and an ISP that imposes download limits during business hours. That is not an issue for me, as I am at work, but when the kids come in they will go on the internet! I want to restrict internet usage to IM only until 6pm, after which they can look at websites too.
I have assigned static IPs and set up iptables rules, but they are not stopping browsing. I don't know whether this is down to the iptables rules or perhaps to the individual PC configuration.
This is what I have in resolv.conf for the PC most likely to use the internet:
nameserver 208.67.222.222
nameserver 208.67.220.220
(OpenDNS)
and this is in network/interfaces:
auto lo
iface lo inet loopback
auto eth0
iface eth0 inet static
#iface eth0 inet dhcp
#now static
address 192.168.2.4
netmask 255.255.255.0
network 192.168.1.1
broadcast 192.168.0.255
gateway 192.168.2.5
#auto eth1
#iface eth1 inet dhcp
#auto eth2
#iface eth2 inet dhcp
#auto ath0
#iface ath0 inet dhcp
#auto wlan0
#iface wlan0 inet static
ifconfig reads:
eth0 Link encap:Ethernet HWaddr 00:18:8b:77:32:bf
inet addr:192.168.2.4 Bcast:192.168.0.255 Mask:255.255.255.0
inet6 addr: fe80::218:8bff:fe77:32bf/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:4302693 errors:0 dropped:0 overruns:0 frame:0
TX packets:3855196 errors:0 dropped:0 overruns:0 carrier:0
collisions:1487171 txqueuelen:1000
RX bytes:3547798956 (3.5 GB) TX bytes:712400850 (712.4 MB)
Interrupt:19
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:1234 errors:0 dropped:0 overruns:0 frame:0
TX packets:1234 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:169502 (169.5 KB) TX bytes:169502 (169.5 KB)
and the "restricted" iptables rules are:
# Amended version for daytime (peak) use
*nat
:PREROUTING ACCEPT [6:334]
:POSTROUTING ACCEPT [43:6498]
:OUTPUT ACCEPT [38:6234]
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
COMMIT
# Completed on Wed Dec 30 17:09:31 2009
# Generated by iptables-save v1.4.4 on Wed Dec 30 17:09:31 2009
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [18:1381]
:OUTPUT ACCEPT [315:51848]
# Always on access for server
-A INPUT -s 192.168.2.5/32 -j ACCEPT
# Always on access for MacBook
-A INPUT -s 192.168.2.3/32 -j ACCEPT
-A INPUT -s 192.168.2.2/32 -j ACCEPT
# Loopback
-A INPUT -i lo -j ACCEPT
# DNS
-A INPUT -p tcp -m tcp --sport 53 -j ACCEPT
-A INPUT -p udp -m udp --sport 53 -j ACCEPT
# SSH
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
# MSN on Pidgin
-A INPUT -p tcp -m tcp --dport 1863 -j ACCEPT
# Logging
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
# HTTP
#-A INPUT -p tcp -m tcp --dport 80 -m comment --comment "http apache" -j ACCEPT
# HTTPS
#-A INPUT -p tcp -m tcp --dport 443 -m comment --comment "https apache" -j ACCEPT
# Established sessions
#-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Samba access
-A INPUT -s 192.168.2.0/24 -p tcp -m multiport --dports 139,145 -j ACCEPT
-A INPUT -s 192.168.2.0/24 -p udp -m multiport --dports 137,138 -j ACCEPT
# VNC
-A INPUT -s 192.168.2.0/24 -p tcp -m multiport --dports 5900,5901 -j ACCEPT
# Webmin
-A INPUT -p tcp -m tcp --dport 10000 -j ACCEPT
# Drop all else
-A INPUT -j DROP
COMMIT
# Completed on Wed Dec 30 17:09:31 2009
iptables -L on the computer in question (NOT the server) reads:
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
and the output on the server is:
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- ubuntu.local anywhere
ACCEPT all -- 4.local anywhere
ACCEPT all -- 4.local anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp spt:domain
ACCEPT udp -- anywhere anywhere udp spt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:msnp
LOG all -- anywhere anywhere limit: avg 5/min burst 5 LOG level debug prefix `iptables denied: '
ACCEPT tcp -- anywhere anywhere tcp dpt:www /* http apache */
ACCEPT tcp -- anywhere anywhere tcp dpt:https /* https apache */
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT tcp -- 192.168.2.0/24 anywhere multiport dports netbios-ssn,145
ACCEPT udp -- 192.168.2.0/24 anywhere multiport dports netbios-ns,netbios-dgm
ACCEPT tcp -- 192.168.2.0/24 anywhere multiport dports 5900,5901
ACCEPT tcp -- anywhere anywhere tcp dpt:webmin
DROP all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Can anyone see what basic step I have omitted?
Thanks!
I have assigned static IPs and set up iptables rules, but they are not stopping browsing. I don't know whether this is down to the iptables rules or perhaps to the individual PC configuration.
This is what I have in resolv.conf for the PC most likely to use the internet:
nameserver 208.67.222.222
nameserver 208.67.220.220
(OpenDNS)
and this is in network/interfaces:
auto lo
iface lo inet loopback
auto eth0
iface eth0 inet static
#iface eth0 inet dhcp
#now static
address 192.168.2.4
netmask 255.255.255.0
network 192.168.1.1
broadcast 192.168.0.255
gateway 192.168.2.5
#auto eth1
#iface eth1 inet dhcp
#auto eth2
#iface eth2 inet dhcp
#auto ath0
#iface ath0 inet dhcp
#auto wlan0
#iface wlan0 inet static
ifconfig reads:
eth0 Link encap:Ethernet HWaddr 00:18:8b:77:32:bf
inet addr:192.168.2.4 Bcast:192.168.0.255 Mask:255.255.255.0
inet6 addr: fe80::218:8bff:fe77:32bf/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:4302693 errors:0 dropped:0 overruns:0 frame:0
TX packets:3855196 errors:0 dropped:0 overruns:0 carrier:0
collisions:1487171 txqueuelen:1000
RX bytes:3547798956 (3.5 GB) TX bytes:712400850 (712.4 MB)
Interrupt:19
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:1234 errors:0 dropped:0 overruns:0 frame:0
TX packets:1234 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:169502 (169.5 KB) TX bytes:169502 (169.5 KB)
and the "restricted" iptables rules are:
# Amended version for daytime (peak) use
*nat
:PREROUTING ACCEPT [6:334]
:POSTROUTING ACCEPT [43:6498]
:OUTPUT ACCEPT [38:6234]
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
COMMIT
# Completed on Wed Dec 30 17:09:31 2009
# Generated by iptables-save v1.4.4 on Wed Dec 30 17:09:31 2009
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [18:1381]
:OUTPUT ACCEPT [315:51848]
# Always on access for server
-A INPUT -s 192.168.2.5/32 -j ACCEPT
# Always on access for MacBook
-A INPUT -s 192.168.2.3/32 -j ACCEPT
-A INPUT -s 192.168.2.2/32 -j ACCEPT
# Loopback
-A INPUT -i lo -j ACCEPT
# DNS
-A INPUT -p tcp -m tcp --sport 53 -j ACCEPT
-A INPUT -p udp -m udp --sport 53 -j ACCEPT
# SSH
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
# MSN on Pidgin
-A INPUT -p tcp -m tcp --dport 1863 -j ACCEPT
# Logging
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
# HTTP
#-A INPUT -p tcp -m tcp --dport 80 -m comment --comment "http apache" -j ACCEPT
# HTTPS
#-A INPUT -p tcp -m tcp --dport 443 -m comment --comment "https apache" -j ACCEPT
# Established sessions
#-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Samba access
-A INPUT -s 192.168.2.0/24 -p tcp -m multiport --dports 139,145 -j ACCEPT
-A INPUT -s 192.168.2.0/24 -p udp -m multiport --dports 137,138 -j ACCEPT
# VNC
-A INPUT -s 192.168.2.0/24 -p tcp -m multiport --dports 5900,5901 -j ACCEPT
# Webmin
-A INPUT -p tcp -m tcp --dport 10000 -j ACCEPT
# Drop all else
-A INPUT -j DROP
COMMIT
# Completed on Wed Dec 30 17:09:31 2009
iptables -L on the computer in question (NOT the server) reads:
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
and the output on the server is:
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- ubuntu.local anywhere
ACCEPT all -- 4.local anywhere
ACCEPT all -- 4.local anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp spt:domain
ACCEPT udp -- anywhere anywhere udp spt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:msnp
LOG all -- anywhere anywhere limit: avg 5/min burst 5 LOG level debug prefix `iptables denied: '
ACCEPT tcp -- anywhere anywhere tcp dpt:www /* http apache */
ACCEPT tcp -- anywhere anywhere tcp dpt:https /* https apache */
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT tcp -- 192.168.2.0/24 anywhere multiport dports netbios-ssn,145
ACCEPT udp -- 192.168.2.0/24 anywhere multiport dports netbios-ns,netbios-dgm
ACCEPT tcp -- 192.168.2.0/24 anywhere multiport dports 5900,5901
ACCEPT tcp -- anywhere anywhere tcp dpt:webmin
DROP all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Can anyone see what basic step I have omitted?
Thanks!