How to update iptables to restrict LAN computer Internet?

 
 
Ohmster
06-21-2006, 10:51 PM
I have a linux question please.

Hardware and setup:
Fedora Core 3 OS
PIII 800Mhz
Ti4600 Video Card
1.5Gb SDRAM
80Gb Hard disk
2 NIC; ADSL modem to eth0, eth1 to hub for LAN
Modem is bridged, PPPoE maintains ADSL connection
Firestarter firewall provides ipmasquerading for Internet
samba provides shares from linux box
Acts as a gateway to Internet

3 MS XP Pro machines on hub using file sharing and they get their
Internet from the linux gateway machine

One of the XP machines is used by a young teenager and I would like to
restrict Internet activity on this machine to certain hours, or else the
17 year old girl will be running 4-6 yahoo chat sessions all night long.
This causes problems because no one would be up to supervise this
activity and already the young lady has been caught on the phone talking
to some of these "cute" strangers and lied about it. Not good, this
machine needs Internet for certain hours of the day only.

I can use Firestarter firewall (I use this GUI program in X windows
because it is easy to setup and run, and it does provide IP masquerading
for all the LAN machines.) to add the kid's machine as 192.168.0.5 and
block Internet for the computer. I do not run the linux
server/firewall/gateway in run level 5, I run it at run level 3 most all
of the time. iptables is a very complicated subject to master and being
the only breadwinner for the household, I do not have the time to learn
iptables enough to do what I want.

What I need are 2 simple iptables commands that I can tell cron to run at
certain times to start and stop ipmasquerading for this machine only
(192.168.0.5). One command will append to the current iptables rules to
stop Internet from going to and from the machine and another command will
remove that rule only and return the iptables rules to their original
masquerading state. Then I can add them as cron jobs to automate this
process so that when 11:00 PM comes along, the child's Internet
connection will stop, regardless if anyone is here to do it and at 6:00
AM, cron will run the other command to allow Internet again to the LAN
machine.

Could someone please help with this problem and offer some suggestions of
commands that will work? This is pretty important because the alternative
is to take away the kid's computer and then she will have nothing for
school work or anything else.

Thanks.

--
~Ohmster
"Read Ohmster" in subject, bypass spam filter.
ohmster /a/t/ newsguy dot com
 
Jim Cochrane
06-22-2006, 01:27 AM
On 2006-06-21, Ohmster <(E-Mail Removed)> wrote:
> I have a linux question please.
>
> Hardware and setup:
> Fedora Core 3 OS
> PIII 800Mhz
> Ti4600 Video Card
> 1.5Gb SDRAM
> 80Gb Hard disk
> 2 NIC; ADSL modem to eth0, eth1 to hub for LAN
> Modem is bridged, PPPoE maintains ADSL connection
> Firestarter firewall provides ipmasquerading for Internet
> samba provides shares from linux box
> Acts as a gateway to Internet
>
> 3 MS XP Pro machines on hub using file sharing and they get their
> Internet from the linux gateway machine
>
> One of the XP machines is used by a young teenager and I would like to
> restrict Internet activity on this machine to certain hours, or else the
> 17 year old girl will be running 4-6 yahoo chat sessions all night long.
> This causes problems because no one would be up to supervise this
> activity and already the young lady has been caught on the phone talking
> to some of these "cute" strangers and lied about it. Not good, this
> machine needs Internet for certain hours of the day only.
>
> I can use Firestarter firewall (I use this GUI program in X windows
> because it is easy to setup and run, and it does provide IP masquerading
> for all the LAN machines.) to add the kid's machine as 192.168.0.5 and
> block Internet for the computer. I do not run the linux
> server/firewall/gateway in run level 5, I run it at run level 3 most all
> of the time. iptables is a very complicated subject to master and being
> the only breadwinner for the household, I do not have the time to learn
> iptables enough to do what I want.
>
> What I need are 2 simple iptables commands that I can tell cron to run at
> certain times to start and stop ipmasquerading for this machine only
> (192.168.0.5). One command will append to the current iptables rules to
> stop Internet from going to and from the machine and another command will
> remove that rule only and return the iptables rules to their original
> masquerading state. Then I can add them as cron jobs to automate this
> process so that when 11:00 PM comes along, the child's Internet
> connection will stop, regardless if anyone is here to do it and at 6:00
> AM, cron will run the other command to allow Internet again to the LAN
> machine.
>
> Could someone please help with this problem and offer some suggestions of
> commands that will work? This is pretty important because the alternative
> is to take away the kid's computer and then she will have nothing for
> school work or anything else.


[Not an answer to the question, but:]

Haven't you overlooked some other alternatives, like removing the network
card or configuring the firewall to block all traffic from her computer,
and telling her she'll have to transport her data back and forth from
school via disks instead of using the internet?


Ohmster
06-22-2006, 02:50 AM
Jim Cochrane <allergic-to-(E-Mail Removed)> wrote in
news:slrne9jsn1.e9e.allergic-to-(E-Mail Removed):

> [Not an answer to the question, but:]
>
> Haven't you overlooked some other alternatives, like removing the
> network card or configuring the firewall to block all traffic from her
> computer, and telling her she'll have to transport her data back and forth from
> school via disks instead of using the internet?


If I remove the network card, then the computer will have no Internet or
LAN access at all. Not what I had in mind. Yes, I do want to configure
the firewall to block Internet from her computer, but not permanently. I
want to restrict access to the Internet from that computer to certain
hours of the day, such as, no Internet during the day when she has chores
to do. No Internet late at night when the scum comes out on the net to
prey on young girls. I can configure firestarter to block Internet to her
computer, it is a GUI front end for iptables. It does not, however, have
scheduling available. I do not run the computer in run level 5 (X
windows), I prefer run level 3 (Command prompt with networking.). She
does not transfer data back and forth to school, she uses the Internet to
look up stuff for school, general learning, and play. Unfortunately, most
of that "play" is being a young, pretty girl on the Internet with a
picture. Now she has the attention of scads of "young" men, all vying for
her attention, she feels like the queen of the world with all of this
attention, and you and I both know that this is not for real, most of
these "boys" are actually men many decades old, trying to lure young
girls.

I need the proper switches and syntax to use with the iptables command to
restrict ipmasquerading to her computer via her local IP address
(192.168.0.5) and another iptables command with the proper syntax and
switches to remove that rule and return the iptables the way it was
before adding the restriction commands. I want to do this with a CLI
command, rather than a GUI program, so that I can pass off the scheduling
to cron.

Thanks for the reply.
--
~Ohmster
"Read Ohmster" in subject, bypass spam filter.
ohmster /a/t/ newsguy dot com
 
Llanzlan Klazmon
06-22-2006, 02:58 AM
Ohmster <(E-Mail Removed)> wrote in
news:Xns97E9BFE926D53MyBigKitty@216.77.188.18:

> I have a linux question please.
>
> Hardware and setup:
> Fedora Core 3 OS
> PIII 800Mhz
> Ti4600 Video Card
> 1.5Gb SDRAM
> 80Gb Hard disk
> 2 NIC; ADSL modem to eth0, eth1 to hub for LAN
> Modem is bridged, PPPoE maintains ADSL connection
> Firestarter firewall provides ipmasquerading for Internet
> samba provides shares from linux box
> Acts as a gateway to Internet
>
> 3 MS XP Pro machines on hub using file sharing and they get their
> Internet from the linux gateway machine
>
> One of the XP machines is used by a young teenager and I would like to
> restrict Internet activity on this machine to certain hours, or else the
> 17 year old girl will be running 4-6 yahoo chat sessions all night long.
> This causes problems because no one would be up to supervise this
> activity and already the young lady has been caught on the phone talking
> to some of these "cute" strangers and lied about it. Not good, this
> machine needs Internet for certain hours of the day only.
>
> I can use Firestarter firewall (I use this GUI program in X windows
> because it is easy to setup and run, and it does provide IP masquerading
> for all the LAN machines.) to add the kid's machine as 192.168.0.5 and
> block Internet for the computer. I do not run the linux
> server/firewall/gateway in run level 5, I run it at run level 3 most all
> of the time. iptables is a very complicated subject to master and being
> the only breadwinner for the household, I do not have the time to learn
> iptables enough to do what I want.
>
> What I need are 2 simple iptables commands that I can tell cron to run at
> certain times to start and stop ipmasquerading for this machine only
> (192.168.0.5). One command will append to the current iptables rules to
> stop Internet from going to and from the machine and another command will
> remove that rule only and return the iptables rules to their original
> masquerading state. Then I can add them as cron jobs to automate this
> process so that when 11:00 PM comes along, the child's Internet
> connection will stop, regardless if anyone is here to do it and at 6:00
> AM, cron will run the other command to allow Internet again to the LAN
> machine.
>
> Could someone please help with this problem and offer some suggestions of
> commands that will work? This is pretty important because the alternative
> is to take away the kid's computer and then she will have nothing for
> school work or anything else.
>
> Thanks.
>


In the FORWARD chain you would insert something like:

iptables -I FORWARD 1 -s x.x.x.x -j DROP

This inserts the rule as the first entry in the FORWARD chain and will drop
anything sourced from x.x.x.x. Note that the masquerade NAT occurs after the
FORWARD chain is processed, so x.x.x.x is the real source address
192.168.0.5.

To delete the rule when you want to allow the access to proceed you could
do:

iptables -D FORWARD 1

This is a little dangerous if the rules were changed around for some reason
in between time. It might be safer to delete the rule this way:

iptables -D FORWARD -s x.x.x.x -j DROP

This will find and delete the matching rule no matter where it is in the
chain.

Klazmon.


 
GDunn
06-22-2006, 03:04 AM
"Ohmster" <(E-Mail Removed)> wrote in message
news:Xns97E9E865D3E26MyBigKitty@216.77.188.18...

> No Internet late at night when the scum comes out on the net to
> prey on young girls.


Man, you are REALLY out-of-touch with reality if you think that such scum
limit their Internet activities to "late at night" hours.

I suppose if you kept chickens, you'd run 'em in the same pen during the day
but separate 'em at night to prevent fertile eggs, too?



 
Ohmster
06-22-2006, 03:12 AM
"GDunn" <(E-Mail Removed)> wrote in news:(E-Mail Removed):

> Man, you are REALLY out-of-touch with reality if you think that such
> scum limit their Internet activities to "late at night" hours.
>
> I suppose if you kept chickens, you'd run 'em in the same pen during
> the day but separate 'em at night to prevent fertile eggs, too?


This is not really helpful, I simply have a linux networking question about
how to turn off IP masquerading to a particular computer on a LAN via its
IP address and turn it back on again. That is it. A networking question to
a networking newsgroup.

Cheers,
--
~Ohmster
"Read Ohmster" in subject, bypass spam filter.
ohmster /a/t/ newsguy dot com
 
Ohmster
06-22-2006, 03:20 AM
Llanzlan Klazmon <(E-Mail Removed)> wrote in
news:Xns97EA98699E8AFKlazmonllurdiaxorbgo@203.97.37.6:

> In the FORWARD chain you would insert something like:
>
> iptables -I FORWARD 1 -s x.x.x.x -j DROP
>
> This inserts the rule as the first entry in the FORWARD chain and will
> drop anything sourced from x.x.x.x. Note that the masquerade NAT occurs
> after the FORWARD chain is processed, so x.x.x.x is the real source
> address 192.168.0.5.
>
> To delete the rule when you want to allow the access to proceed you
> could do:
>
> iptables -D FORWARD 1
>
> This is a little dangerous if the rules were changed around for some
> reason in between time. It might be safer to delete the rule this way:
>
> iptables -D FORWARD -s x.x.x.x -j DROP
>
> This will find and delete the matching rule no matter where it is in
> the chain.
>
> Klazmon.


Klazmon,

Oh dude, that worked so freaking well. My oh my, just what I needed.

[root@ohmster ~]# iptables -I FORWARD 1 -s 192.168.0.2 -j DROP
[root@ohmster ~]# iptables -D FORWARD -s 192.168.0.2 -j DROP
[root@ohmster ~]#

When I did the first command, the browser on that machine would not work
anymore, could not find the internet address. I left the browser and then
executed the 2nd command and as soon as I hit the enter button, the web
page popped right up.

So freaking cool, one thousand and one thank yous my friend!

Cheers,
--
~Ohmster
"Read Ohmster" in subject, bypass spam filter.
ohmster /a/t/ newsguy dot com
 
GDunn
06-22-2006, 03:20 AM
In news:Xns97E9BFE926D53MyBigKitty@216.77.188.18,
Ohmster <(E-Mail Removed)> wrote:

> One of the XP machines is used by a young teenager and I would like to
> restrict Internet activity on this machine to certain hours, or else the
> 17 year old girl will be running 4-6 yahoo chat sessions all night long.

....
> iptables is a very complicated subject to master and being
> the only breadwinner for the household, I do not have the time to learn
> iptables enough to do what I want.
>
> What I need are 2 simple iptables commands that I can tell cron to run at
> certain times to start and stop ipmasquerading for this machine only
> (192.168.0.5). One command will append to the current iptables rules to
> stop Internet from going to and from the machine and another command will
> remove that rule only and return the iptables rules to their original
> masquerading state. Then I can add them as cron jobs to automate this
> process so that when 11:00 PM comes along, the child's Internet
> connection will stop, regardless if anyone is here to do it and at 6:00
> AM, cron will run the other command to allow Internet again to the LAN
> machine.
>
> Could someone please help with this problem and offer some suggestions of
> commands that will work?


To achieve results immediately while learning the necessary iptables syntax,
simply disable the IP forwarding mechanism via cron (but of course that will
apply to all other machines on your network except for the router itself).
Just copy and paste this into root's crontab:

0 23 * * * echo 0 > /proc/sys/net/ipv4/ip_forward
0 6 * * * echo 1 > /proc/sys/net/ipv4/ip_forward



 
Jim Cochrane
06-22-2006, 03:57 AM
On 2006-06-22, Ohmster <(E-Mail Removed)> wrote:
> Jim Cochrane <allergic-to-(E-Mail Removed)> wrote in
> news:slrne9jsn1.e9e.allergic-to-(E-Mail Removed):
>
>> [Not an answer to the question, but:]
>>
>> Haven't you overlooked some other alternatives, like removing the
>> network card or configuring the firewall to block all traffic from her
>> computer, and telling her she'll have to transport her data back and forth from
>> school via disks instead of using the internet?

>
> If I remove the network card, then the computer will have no Internet or
> LAN access at all. Not what I had in mind. Yes, I do want to configure
> the firewall to block Internet from her computer, but not permanently. I
> want to restrict access to the Internet from that computer to certain
> hours of the day, such as, no Internet during the day when she has chores
> to do. No Internet late at night when the scum comes out on the net to
> prey on young girls. I can configure firestarter to block Internet to her
> computer, it is a GUI front end for iptables. It does not, however, have
> scheduling available. I do not run the computer in run level 5 (X
> windows), I prefer run level 3 (Command prompt with networking.). She
> does not transfer data back and forth to school, she uses the Internet to
> look up stuff for school, general learning, and play. Unfortunately, most
> of that "play" is being a young, pretty girl on the Internet with a
> picture. Now she has the attention of scads of "young" men, all vying for
> her attention, she feels like the queen of the world with all of this
> attention, and you and I both know that this is not for real, most of
> these "boys" are actually men many decades old, trying to lure young
> girls.
>
> I need the proper switches and syntax to use with the iptables command to
> restrict ipmasquerading to her computer via her local IP address
> (192.168.0.5) and another iptables command with the proper syntax and
> switches to remove that rule and return the iptables the way it was
> before adding the restriction commands. I want to do this with a CLI
> command, rather than a GUI program, so that I can pass off the scheduling
> to cron.


Well, I meant my suggestion as an alternative to the one you proposed, if
you could not find an answer to your question, of taking her computer away
altogether (although, figuratively, taking away internet access may be
effectively the same thing for her). But my suggestion, I suppose, was not
very helpful, since it's not hard to do what you're asking, and I see that
someone has provided the iptables settings you asked for.

cron is, of course, the tool to use to turn her access on and off at the
desired times and it sounds like you know how to use it.

I think there's another needed component to solve your basic problem,
however, and I suspect you realize this and are working on it - that is,
the internet vampires you're talking about also come out in the day
time, and she needs to learn to pay attention, and not trust anyone
she doesn't know well - that not everyone is who they appear to be,
especially on the internet.


--

 
Llanzlan Klazmon
06-22-2006, 04:09 AM
Ohmster <(E-Mail Removed)> wrote in
news:Xns97E9ED6B08CFBMyBigKitty@216.77.188.18:

> Llanzlan Klazmon <(E-Mail Removed)> wrote in
> news:Xns97EA98699E8AFKlazmonllurdiaxorbgo@203.97.37.6:
>
>> In the FORWARD chain you would insert something like:
>>
>> iptables -I FORWARD 1 -s x.x.x.x -j DROP
>>
>> This inserts the rule as the first entry in the FORWARD chain and will
>> drop anything sourced from x.x.x.x. Note that the masquerade NAT occurs
>> after the FORWARD chain is processed, so x.x.x.x is the real source
>> address 192.168.0.5.
>>
>> To delete the rule when you want to allow the access to proceed you
>> could do:
>>
>> iptables -D FORWARD 1
>>
>> This is a little dangerous if the rules were changed around for some
>> reason in between time. It might be safer to delete the rule this way:
>>
>> iptables -D FORWARD -s x.x.x.x -j DROP
>>
>> This will find and delete the matching rule no matter where it is in
>> the chain.
>>
>> Klazmon.

>
> Klazmon,
>
> Oh dude, that worked so freaking well. My oh my, just what I needed.
>
> [root@ohmster ~]# iptables -I FORWARD 1 -s 192.168.0.2 -j DROP
> [root@ohmster ~]# iptables -D FORWARD -s 192.168.0.2 -j DROP
> [root@ohmster ~]#
>
> When I did the first command, the browser on that machine would not work
> anymore, could not find the internet address. I left the browser and then
> executed the 2nd command and as soon as I hit the enter button, the web
> page popped right up.
>
> So freaking cool, one thousand and one thank yous my friend!
>
> Cheers,


Well glad to help. Just be aware that it isn't foolproof. If your teenager
is savvy enough to change the IP address to one of the others that is
allowed through, she could bypass the -j DROP. Of course the other PC that
she was stealing the address from would have to be changed as well (or
powered off) so as not to conflict.

Klazmon.
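As an added example (not code from the thread), the script below turns Klazmon's insert/delete commands from his first reply into an idempotent cron job that deletes by match rather than by index, and optionally keys the rule on the PC's MAC address to cover the IP-change caveat in his last reply. It assumes an iptables new enough to support -C (rule check), eth1 as the LAN side from the original post, and a placeholder MAC.

```shell
#!/bin/sh
# Added example, not code from the thread: a cron-driven on/off switch for
# one LAN host's Internet access, built on Klazmon's FORWARD/DROP rule.
# Assumptions: an iptables new enough to support -C (rule check, newer than
# the FC3 box in the thread); eth1 is the LAN side as in the original post;
# the MAC address, if used, is a placeholder you replace with the real one.
IPTABLES="${IPTABLES:-iptables}"   # overridable so the logic can be dry-run
LAN_IF="${LAN_IF:-eth1}"
KID_IP="${KID_IP:-192.168.0.5}"
KID_MAC="${KID_MAC:-}"             # e.g. 00:11:22:33:44:55 (placeholder)

# Build the rule specification once so insert, check and delete always agree.
# Matching on the inbound LAN interface keeps the rule off every other path.
# When a MAC is given the rule keys on it instead of the IP, so changing the
# PC's address (the bypass noted later in the thread) no longer dodges it.
rule_spec() {
    if [ -n "$KID_MAC" ]; then
        echo "FORWARD -i $LAN_IF -m mac --mac-source $KID_MAC -j DROP"
    else
        echo "FORWARD -i $LAN_IF -s $KID_IP -j DROP"
    fi
}

rule_present() {
    # -C exits 0 when an identical rule already exists in the chain.
    $IPTABLES -C $(rule_spec) 2>/dev/null
}

block_host() {
    # -I with no index inserts at position 1; do it only if the rule is
    # absent, so a cron job that fires twice never stacks duplicate DROPs.
    rule_present || $IPTABLES -I $(rule_spec)
}

unblock_host() {
    # Delete by full match rather than by index, as the thread recommends;
    # loop so hand-added duplicates are cleared too.
    while rule_present; do
        $IPTABLES -D $(rule_spec)
    done
}

# root's crontab entries for the 11 PM / 6 AM schedule in the question
# (the script path is an assumption):
#   0 23 * * * /usr/local/sbin/kidnet.sh block
#   0  6 * * * /usr/local/sbin/kidnet.sh unblock
case "${1:-}" in
    block)   block_host ;;
    unblock) unblock_host ;;
esac
```

Setting IPTABLES to a stub command lets you exercise the insert/check/delete logic without root before installing the cron entries.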
 