Security :: IPTABLES - Restrict Internet Access Based On Time Of Day And MAC Address

Feb 6, 2010

I am trying to configure my Linux router to restrict Internet access for one computer on my LAN. It needs to be restrictive based on the time of day and the days of the week. I am using the MAC address of the computer to single out the one computer that needs to be blocked. However, this is my first attempt at making any rules with iptables, and I am not sure if I am doing this right. If some one can take a look at this I would greatly appreciate it. This is what I have done so far.

Here is my thinking. Create a new target. Check the MAC address, if it is NOT the offending computer return to the default chain. If it is the offending computer check that we are between the allowed hours and dates and ACCEPT. If we are not within the time/date range then drop the packet.


Here I am trying to route all packets regardless of the computer on the LAN into the blocked_access chain for checking.


Is it a good idea to route all traffic through the blocked_access chain? I do run other servers that are accessible from the Internet, so I am not sure how this setup will affect that. I also use shorewall on the router to setup iptables for me. How would I integrate this with shorewall?

I am using squid to block access when he is using the web browser. However, he is still able to play games(World of Warcraft) and the like.

I am using Debian sid, iptable(1.4.6), shorewall(4.4.6), kernel 2.6.32-trunk-686.

View 7 Replies


Ubuntu Security :: Restrict Internet Access For Kids?

Jul 28, 2011

I'm running Natty and have made two logins on the system. One for myself and family and one for the kids (teens 14-15yr) to play in without Internet access via Admin "Users and Groups". I have hidden the Internet software icons on their screen amongst others i don't want them to see on the menus. On our screen I use a Firefox addon called "Web Of Trust" that can be configured easily for the kids and another addon called 'Blocksite' that I can selectively use for them and myself etc.

I have found out that they have still been able to get on to the net somehow under their login. Will have to observe again!! In the users settings for the kids the tick box for 'Internet'and 'use modem' access is un-ticked so I presumed that would be enough! Not so!!

View 8 Replies View Related

General :: Iptables Restrict Ssh Session By Mac Address?

May 24, 2011

I'm in the process of restricting access to my Linux production box, where ssh access needs to be limited to only a few MAC addresses.I've followed the instructions outlined in this guide and ran the following two commands:

/sbin/iptables -A INPUT -m mac --mac-source XX:XX:XX:XX:XX:XX -j DROP
/sbin/iptables -A INPUT -p tcp --destination-port 22 -m mac --mac-source XX:XX:XX:XX:XX:XX -j ACCEPT
root@xxxx:~/#: iptables --list


View 3 Replies View Related

Ubuntu Security :: Restrict Root Logons To The SSH Server To A Single Ip Address?

Feb 26, 2010

Is it possible to restrict root logons to the SSH server to just a single ip address (or maybe a range?) I have other users connecting to the server daily so restricting ALL access to a single ip i cannot do. I need root enabled (for my own reasons) but want to lock it down a bit more.

View 9 Replies View Related

Debian Configuration :: Apache Config - Restrict The Access To Local Web Server By IP Address?

Jul 29, 2010

I want to restrict the access to my local web server by IP address. Im in a LAN (192.168.200.xx) so i have this:


But when i try to connect from it says i don't have permission to access

View 1 Replies View Related

Security :: Restrict Access On Windows Network?

Feb 18, 2011

my team is working on network thier termial is windows and my server is linux centos we work on simple network with out domainmy user works on files on the server, can I deman ser name and passwork when they try to change to the shared files on the servernd can i monitor which user chaned a fileI have css developer and he is only allowed to create and modify css files can i do this ?

View 3 Replies View Related

Security :: Restrict A User To Access Particular Service?

Sep 24, 2010

I heard we can set security in /etc/hosts.allow and /etc/hosts.deny on user base also like something user@domain or something if so how can I restrict a user to access particular service by his/her user name in a particular host via /etc/hosts.allow or /etc/hosts.deny

View 3 Replies View Related

Security :: Restrict Access To Network To Only Dhcp Assigned Ip's?

Feb 28, 2011

I'm trying to tighten up my network a bit. I've given my dhcp server a list of static mac addresses and ip's for computers i know, and a very short range of dhcp addresses that are redirected to kittenwar.My dilemma is that if someone has my wireless network password, or an ethernet cable, they could set the ip address manually and gain can i deny them this pleasure?im running dhcpd3, and iptables on a debian/lenny intel 2.4 box. dd-wrt is running in a linksys wrt54g and is handling the wireless security

View 7 Replies View Related

Security :: Restrict Sftp Access And Changing Its Port?

Mar 17, 2010

I tried changing the sftpserver port but its not working, besides how can i restrict users from particular ips.Eg: users a can ssh from 192.168.*.*user b can sftp from 200.*.*

View 2 Replies View Related

Security :: Using Squid To Restrict Access During Certain Hours But Only To Certain Websites?

Jan 21, 2011

I have been trying to get Squid to work so that I can restrict access to a particular web site during certain hours every night. I can't seem to get it working, however. I am still able to access the site. The following are the relevant lines from my squid.conf file:

acl restricted-domain dstdomain "/etc/squid/denied_domains.acl"
acl test time 19:00-20:00
acl bedtime time 22:00-23:59


View 2 Replies View Related

Ubuntu Servers :: Configure To Restrict Internet Access?

Jan 2, 2010

I've been searched for the related topic, but i couldn't found any of them. Basically, i want to set up a server to restrict internet access for other computer (windows box), but allow internet connection for kaspersky to download its database. Here are some questions:

1. Do i need two network card at the server box?
2. There are 8 computers but only 2 are allowed all internet connection, 6 of the rest are not allowed, all windows box can accept connection to download database from kaspersky.
3. Is it Iptables the best, easiest way to configure?

View 4 Replies View Related

Ubuntu Security :: Use Address Not Ip In Iptables?

Jul 24, 2010

i need to open this address, is there a way to use address not ip in iptables?

View 7 Replies View Related

Fedora X86/64bit :: Create A Script To Show The Last Time Iptables Had Seen A Given IP Address?

Jun 20, 2009

i was trying to crate a script to show the last time iptables had seen a given IP address (contained in the ipt_recent kernel hook -- my user-defined table name is 'iplist'). The ipt_recent table yields the following information (IPv4 addresses masked for paranoid reasons):

Code: ttl: 114 last_seen: 9355600126 oldest_pkt: 1 9355600126 ttl: 109 last_seen: 10020040763 oldest_pkt: 1 10020040763 ttl: 111 last_seen: 8106864077 oldest_pkt: 3 8103790647, 8106530788, 8106864077 ttl: 109 last_seen: 9937861664 oldest_pkt: 1 9937861664 ttl: 115 last_seen: 8244867102 oldest_pkt: 1 8244867102

The attempted command used was:


cat /proc/net/ipt_recent/iplist | awk '{print ($1 ,system("date -d @" $5));}'

Such command yields the following (I'm willing to live with the trailing zero):


Wed Jun 20 05:48:46 EDT 2266 0


I presume the ipt_recent table uses the standard UNIX epoch timestamp. Am I using the date command syntax incorrectly, is this a 32-bit vs 64-bit break, or it is something else? Please note that I am using FC10, and I have double-checked my system clock settings (both BIOS and OS). The system has only been running during 2009 (no reboot yet).

View 2 Replies View Related

Security :: Blocking An Ip Address Range Within Iptables?

Mar 30, 2009

I am setting up a iptables firewall on one of our servers, and I would like to block a range of addresses from getting into the system. I am using a script that does a BLACKIN and BLACKOUT methodology for specific addresses. One example is the following:



What would be the correct syntax to use if I wanted to block an entire remote subnet from getting into the server?

View 4 Replies View Related

General :: Allow Access To Server From Only 1 IP Address Using Iptables?

Aug 3, 2011

I have a server located remotely that I'd like to protect by allowing access to only my IP address (on any port). Currently anyone can access the server using ssh, http, and any other services that my server is running. (The reason I need to protect it for now is that it's a test/development server and really only needs to be accessed by me.)

The downside of doing this is every time my desktop IP address changes (from where I access the remote server), I would need to update the iptables configuration. (This could be a hassle, but based on my limited knowledge it seems to be the best way to allow access from only myself.)

Could anyone share how to allow access to my server using iptables from only my IP address and on any port?

View 4 Replies View Related

Server :: Allow Wireless Clients Access To Network Based On Their MAC Address?

Jan 11, 2011

Using CentOS 5.5, FreeRADIUS 2.1.7.

Objective is simply to be able to allow wireless clients access to my network based on their MAC address (I have about 10 WAPs around the country which I need to be able to manage user access centrally). Not interested in LDAP or dishing out keys/certificates etc.

I have been trying to follow the guide here. Sounds like it's exactly what I need but I'm not sure about a few things.

1) For each of the conf files am I supposed to be replacing everything currently existing in the respective file with what is suggested?

2) "raddb/modules/file" does not exist, so I assume I should use "raddb/modules/files"?

3) If I uncomment the line:

under the "raddb/sites-available/default authorize{}" section, the radiusd startup gives me the following error:
/etc/raddb/sites-enabled/default[69]: Failed to find module "rewrite_calling_station_id".

If anyone familiar with FreeRADIUS 2 could answer these queries I might be on the right path

View 12 Replies View Related

Software :: Squid 3.0 Access List / Remove Redirect Statement From Iptables All Internet Access Is Blocked?

Jun 11, 2010

I have an old FC2 box running Squid version 2.5. It has been running since 2003 so I am in the process of replacing it. I have a new machine with FC11, iptables, and Squid 3.0 installed.

On the old machine I use iptables to intercept Port 80 traffic and send it to Squid. By default I block all internet access and allow only sites that are in an Allowed_Sites.txt file. Within Squid I also have statements to allow certain users to bypass Squid based on their IP address.

I have set up the same thing on the new box. I have iptables intercepting the Port 80 traffic and sending it to Squid. That is working because if I remove the redirect statement from iptables all internet access is blocked.

The problem I am having is that Squid is not blocking any websites. It acts like the ACL is set to http_access allow all. I have worked on this for several hours and am stumped.

These are my Squid rules:
acl allowed_sites url_regex "/etc/squid/Allowed_Sites.txt"
acl manager proto cache_object
acl localhost src
acl to_localhost dst
acl SSL_ports port 443
http_access allow manager localhost
http_access deny manager
http_access allow Bypass_Users
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl our_networks src
http_access allow allowed_sites
http_access allow our_networks
http_access deny all
icp_access deny all
htcp_access deny all
http_port transparent
hierarchy_stoplist cgi-bin ?
access_log /var/log/squid/access.log squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|?) 0 0% 0
refresh_pattern . 0 20% 4320
visible_hostname FC11.proxybox
icp_port 3130
coredump_dir /var/spool/squid

View 2 Replies View Related

Ubuntu Security :: Allow Internet Between Certain Hours Using Iptables?

Jan 6, 2011

I typed this into the command line:sudo iptables -A INPUT -p tcp --dport 80 -m time --timestart 12:00:00 --timestop 23:59:59 --days Sat, Sun -j ACCEPTI get this error:iptables v1.4.4: unknown option '--days'How do I do something similar above in which I allow the internet to start at 12 o clock on Saturdays and Sundays

View 4 Replies View Related

Ubuntu Security :: Can't Access The Email - Iptables

Mar 12, 2010

To get my Thunderbird email to work and to do FTP to my website I have to use TERMINAL and enter the following code in Root;

iptables -F

At one point weeks ago I got Gufw and I don't remember if that had any effect.

View 2 Replies View Related

Security :: IPtables Limit SSH From Local Network To Internet

Feb 24, 2010

I have a linux firewall. I want to limit a ssh connection number from local network to internet .

Example :
Internal pc ( start a ssh scan to the external (internet) host.

I want that iptables limit that host ( and block ssh connection from this host at 3 attempt.

View 2 Replies View Related

Networking :: IPtables - Allow PPTP Server To Access Internet

Jan 24, 2010

I'm running an own PPTP Server, but I can't get it to access the internet. All my PCs at home run in the net, the PPTP Server has local IP192.168.0.5 and remote IP The router to the internet is at, and the IP of eth0 on the machine where the pptpd runs is I want to be able to connect to the internet trough that VPN and access my local LAN servers (which works fine so far). I can ping internet and local IPs successfully, but can not access them with a browser, or connect to them in any other way. I have 'accepted' all in/output and forwards.

I am running a Squid proxy on the same machine, and if I do:
iptables -t nat -A PREROUTING -j REDIRECT -i ppp0 -s -p tcp --dport 80 --to-port 3128
I can access the internet through Squid, but of course Jabber/ICQ etc. Won't work then because it just refers port 80. But I want the PPTP Clients to connect to the internet directly, if I don't use that rule it's not possible to load any pages. But pinging works all the time. DNS is also working fine, but I can't even access webpages via IP directly. How can I allow the PPTP IPs to get direct access to the Internet with Iptables?

View 3 Replies View Related

Fedora Security :: Iptables Masquerade, Can Ping But No Http Access?

Dec 13, 2009

I've got two routers, and, which are joined by a Linux box with interfaces eth0 ( and ra0 ( I've got masquerading for ra0, and a route to on's router. I CAN ping hosts on from just fine, but I CANNOT access web pages.Strangely, If I enable masquerading on eth0, and add a route to router to, I can ping AND access web pages from is my current iptables



View 14 Replies View Related

Fedora Security :: Any Way To Block IP Address Access?

Jul 27, 2011

I recently set up a web server at home, using a non-standard port, due to my ISP blocking 80. I just checked my log files, and I see a TON of entries indicating that a file was not found "proxy-1.php", "proxyheader.php", etc. I do not have these files, not intend to have them as part of my website. I did a whois looking by IP address for several of these, and they all seem to come from an ISP in China. Is there a way to BLOCK any IP address outside the US (that is somewhat simple to do?)

View 5 Replies View Related

Security :: Iptables - Limit Access To Port 8443 On Server To 2 Specific IP Addresses

Dec 23, 2010

I'm trying to limit access to port 8443 on our server to 2 specific IP addresses. For some reason, access is still being allowed even though I drop all packets that aren't from the named IP addresses. The default policy is ACCEPT on the INPUT chain and this is how we want to keep it for various reasons I wont get into here. Here's the output from iptables -vnL


Note the actual IP we are using is masked here with Until I can get everything working properly, we're only allowing access from 1 IP instead of 2. We can add the other one once it all works right. I haven't worked with iptables very much. So I'm quite confused about why packets matching the DROP criteria are still being allowed.

View 10 Replies View Related

Security :: IPTABLES Port 8080 \ Still Cannot Access Through Ssh Nor Putty And It Doesn't Show Up When Netstat Either?

Jun 6, 2011

I'm trying to open port 8080 on my application server. I've included it in my iptables; however I still cannot access through ssh nor putty and it doesn't show up when I netstat either.Here is my iptables-config:

-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -s xxx.xx.x.0/24 -j ACCEPT


View 7 Replies View Related

Server :: Iptables PREROUTING \ User Via Internet Access LinuxA Tcp Port 1935?

Oct 20, 2010

LinuxA & LinuxB
linuxA:eth0( connected linuxB:eth0 (
linuxA:eth1( connected internet


View 2 Replies View Related

Ubuntu Networking :: Cloned MAC Address Only Way To Get Internet Access?

Apr 7, 2011

I have a strange problem. I have to clone my MAC address (and specify a different MAC address) to get internet. Without the new MAC address I get an IP address but no internet. This happened with my old (updated from 7.04 -> 10.10) OS installation and with a new, clean install of 11.04. So I have a workaround. But I don't know what the problem is.

Ps. I recently switch modem and router. And I had the problem with old and new modem/router combinations.

View 7 Replies View Related

Server :: Dhcpd To Give A Certain Ip Address Based On Mac Address?

Nov 24, 2010

Im trying to setup dhcpd to put certain systems witch have mac address starting with 08:00:* in a certain ip class. How can this be done?So any system with mac address starting with 08:00 to get an ip from this range

View 11 Replies View Related

Networking :: Using TC And IPtables To Restrict Download Speed

Sep 17, 2010

I'd like to use tc and iptables to restrict the download speed. I understand this is know as policing. Are there some resources I could use to learn how to do this? I want to restrict on a per ip basis.

View 1 Replies View Related

Ubuntu Security :: Set A Time Limit On Internet Priveleges With 9.04?

Apr 15, 2010

Is there a way to create a guest account and have Ubuntu "automagically" limit the amount of time the user can access the Internet? So, for example, could she set up an account for her son and limit his Internet access to an hour at a time?

View 9 Replies View Related

Copyrights 2005-15, All rights reserved