Newbie on iptables; want to deny access to 192.168.0.5

Gaétan Martineau
08-28-2004, 03:51 PM
As our kids are now back to school, I would like to restrict their
computer access to the net. How to set cron jobs, I know. However, how
to change the iptables script to restrict, I don't...

We have a 192.168.0.3(on internal) firewall. The kids computer is
192.168.0.5, ours is 192.168.0.6. The present iptables script on
192.168.0.3 is below. These rules would be used, say, at night, between
8PM and 9:15PM. Then I would like to shut access to 192.168.0.3 but keep
it available to 192.168.0.6. What can I change or add? Help would be
very appreciated...

The present script is run in /etc/rc.local. I would keep, I think, lines
2-3 and 9 to 14. Then the rest would be put in two other separate
scripts, say "iptables_access_everyone" and "iptables_access_restricted"
which would toggle back and forth using cron.

Many thanks for suggestions.

Gaetan

1 #!/bin/sh
2 INSMOD=/sbin/insmod
3 IPTABLES=/sbin/iptables
4 dev_extern="ppp0"      # internet side
5 dev_intern="eth1"      # LAN side
7 addr_int=192.168.0.3
8 net_int=192.168.0.0/24
9 $INSMOD ip_tables
10 $INSMOD ip_conntrack
11 $INSMOD ip_conntrack_ftp
12 $INSMOD ipt_state
13 $INSMOD iptable_nat
14 $INSMOD ipt_MASQUERADE
15 $IPTABLES -F
16 $IPTABLES -N BLOCK
17 $IPTABLES -A BLOCK -m state --state ESTABLISHED,RELATED -j ACCEPT   # replies to sessions already open
18 $IPTABLES -A BLOCK -m state --state NEW -i ! $dev_extern -j ACCEPT   # new sessions only if they did not arrive on ppp0
19 #$IPTABLES -A BLOCK -p tcp --dport 80 -j ACCEPT
20 $IPTABLES -A BLOCK -j DROP
21 $IPTABLES -A INPUT -j BLOCK
22 $IPTABLES -A FORWARD -j BLOCK
23 $IPTABLES -A POSTROUTING -t nat -o $dev_extern -j MASQUERADE -s $net_int   # must be $net_int, not net_int, or iptables cannot resolve the source
24 echo 1 > /proc/sys/net/ipv4/ip_forward
Aiehce
08-28-2004, 07:42 PM
On Sat, 28 Aug 2004 11:51:52 -0400, Gaétan Martineau wrote:

> As our kids are now back to school, I would like to restrict their
> computer access to the net. How to set cron jobs, I know. However, how
> to change the iptables script to restrict, I don't...
>
> We have a 192.168.0.3(on internal) firewall. The kids computer is
> 192.168.0.5, ours is 192.168.0.6. The present iptables script on
> 192.168.0.3 is below. These rules would be used, say, at night, between
> 8PM and 9:15PM. Then I would like to shut access to 192.168.0.3 but keep
> it available to 192.168.0.6. What can I change or add? Help would be
> very appreciated...

I assume 192.168.0.5 has access to 192.168.0.6 and 192.168.0.3 accepts all
packets from the internal network. Now you can write a script that adds a rule
to the table denying all packets from 192.168.0.5, and one that deletes that same
rule from the table. Then execute the deny script at the time you don't want
them to use the internet, and execute the delete script at the time you
permit them internet access, with cron.

The 2nd way is that your gateway (firewall) is set up in a way that denies
all from internal and allows only 192.168.0.5 and .6; then you only need to
write one script that deletes 192.168.0.5's access to the gateway, and
execute it with cron between, say, 8AM and 9:15PM every day.


>
> The present script is run in /etc/rc.local. I would keep, I think, lines
> 2-3 and 9 to 14. Then the rest would be put in two other separate
> scripts, say "iptables_access_everyone" and "iptables_access_restricted"
> which would toggle back and forth using cron.
>
> Many thanks for suggestions.
>
> Gaetan
>
> 1 #!/bin/sh
> 2 INSMOD=/sbin/insmod
> 3 IPTABLES=/sbin/iptables
> 4 dev_extern="ppp0"
> 5 dev_intern="eth1"
> 7 addr_int=192.168.0.3
> 8 net_int=192.168.0.0/24
> 9 $INSMOD ip_tables
> 10 $INSMOD ip_conntrack
> 11 $INSMOD ip_conntrack_ftp
> 12 $INSMOD ipt_state
> 13 $INSMOD iptable_nat
> 14 $INSMOD ipt_MASQUERADE
> 15 $IPTABLES -F

iptable flushing
> 16 $IPTABLES -N BLOCK

creating newchain
> 17 $IPTABLES -A BLOCK -m state --state ESTABLISHED,RELATED -j ACCEPT

appending
> 18 $IPTABLES -A BLOCK -m state --state NEW -i ! $dev_extern -j ACCEPT

append.. so on
> 19 #$IPTABLES -A BLOCK -p tcp --dport 80 -j ACCEPT
> 20 $IPTABLES -A BLOCK -j DROP
> 21 $IPTABLES -A INPUT -j BLOCK
> 22 $IPTABLES -A FORWARD -j BLOCK
> 23 $IPTABLES -A POSTROUTING -t nat -o $dev_extern -j MASQUERADE -s net_int
> 24 echo 1 > /proc/sys/net/ipv4/ip_forward
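The add-a-deny-rule / delete-it-again approach from the reply above, worked out as an added shell script; this is not code from the thread or from either poster. It assumes the kids' machine is 192.168.0.5 and the internet interface is ppp0 (both taken from the original script), uses REJECT rather than DROP so the blocked machine gets an immediate error instead of hanging, and relies on `iptables -C` (iptables 1.4.11 or newer) to keep the add step idempotent. The cron times are the 8PM and 9:15PM from the question; the install path of the script is whatever `$0` resolves to, which is an assumption you adjust when installing it.

```shell
#!/bin/sh
# kidnet: toggle internet access for one LAN host from cron.
# Added example, not code from the thread. Assumptions: the host is
# 192.168.0.5 and the external interface is ppp0 (both from the original
# script); REJECT gives the blocked machine an immediate error;
# "iptables -C" needs iptables 1.4.11 or newer.
IPTABLES=${IPTABLES:-/sbin/iptables}
KID_HOST=${KID_HOST:-192.168.0.5}
DEV_EXTERN=${DEV_EXTERN:-ppp0}

# The rule as one string, so add, check and delete all use identical arguments.
# It matches only packets from the kids' machine that are routed out to the
# internet; LAN-to-LAN traffic never crosses the firewall's FORWARD chain.
deny_rule() {
    echo "FORWARD -s $KID_HOST -o $DEV_EXTERN -j REJECT"
}

# Insert the rule at the top of FORWARD, ahead of the jump to BLOCK, so the
# ESTABLISHED,RELATED accept inside BLOCK cannot let open sessions continue.
# Idempotent: a second run does not add a duplicate.
restrict() {
    # word splitting of the rule string is intended
    $IPTABLES -C $(deny_rule) 2>/dev/null || $IPTABLES -I $(deny_rule)
}

# Remove every copy of the rule (tolerates duplicates added by hand).
unrestrict() {
    while $IPTABLES -D $(deny_rule) 2>/dev/null; do :; done
}

# Crontab lines for the schedule in the question: block at 20:00, unblock
# at 21:15. $0 is the path this script is installed at (assumed).
cron_lines() {
    cat <<EOF
0 20 * * * $0 restrict
15 21 * * * $0 unrestrict
EOF
}

case "${1:-}" in
    restrict)   restrict ;;
    unrestrict) unrestrict ;;
    cron)       cron_lines ;;
    *)          echo "usage: $0 restrict|unrestrict|cron" >&2 ;;
esac
```

Install it, add the two lines printed by `kidnet cron` to root's crontab, and check the result on the firewall with `iptables -L FORWARD -n --line-numbers`: during the blocked window the REJECT rule sits at position 1, before the jump to BLOCK, which is what cuts sessions the kids already had open at 8PM. Traffic from 192.168.0.5 to 192.168.0.6 is unaffected because it stays on the LAN and never reaches the firewall's FORWARD chain, and the firewall's own INPUT chain is untouched.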