ipcop support

community support forum
Posted: Wed Apr 11, 2012 3:40 pm
New User

Joined: Wed Apr 11, 2012 4:39 am
Posts: 9
Hi everyone. I'm trying to do something in IPCop 2.0.4 that I was able to do with URLfilter in 1.4.21 but can't seem to figure out how to accomplish since I upgraded my firewall.

The situation: I have 20-odd devices on my network. I want to allow internet access for everyone except for 6 of them. Those 6 IPs need to be allowed full internet access only during certain times of the day, for example 5:00 pm to 9:00 pm only. I have the list of IPs in a text file already, so that can be fed to a shell script if that's what is needed to accomplish this.

Some of these devices are "stupid" (one, for instance, is a WD TV Live media player) so I can't use Squid's auth features to handle this.

I used to do this via the URLfilter addon GUI, but I am comfortable editing system files and adding entries to fcrontab. I don't care if it's difficult to do; I simply don't know how to accomplish in 2.0.4 what URLfilter's "Time Restrictions" function did in the 1.4 series. I've tried adding on the CopPlus/DansGuardian bits, but they don't have the functionality I'm looking for.

Any advice or pointers to handle my situation are greatly appreciated!


Posted: Thu Apr 12, 2012 4:27 am
Site Moderator

Joined: Thu Jul 24, 2003 8:21 am
Posts: 2353
Try viewtopic.php?f=5&t=11258&p=60509&hilit=+drop+iptables#p60509
Warning: old post re IPCop 1.4.
YMMV


Posted: Thu Apr 12, 2012 2:14 pm
New User

Joined: Wed Apr 11, 2012 4:39 am
Posts: 9
bluegroper, I searched the forums and did NOT see the post you referenced above. This is exactly the info I needed - many thanks! I appreciate your taking the time to search and find this on my behalf.

Next task for me is to learn to properly use the search functionality within this site. I'm evidently missing something... :-)

Thanks again!


Posted: Thu Apr 12, 2012 8:43 pm
New User

Joined: Wed Apr 11, 2012 4:39 am
Posts: 9
OK, I am stumped at this point; I've been fighting with this for 5+ hours now. I've figured out that the GREEN interface is not named "eth0" in 2.0.4; it is now named "lan-1". OK, that's fine. I have an iPhone 3GS with no SIM (WiFi only) to test this out with. In my case my WiFi router is in Access Point mode: it is simply bridging the wireless and internal LAN together. My IPCop is the only connection to the outside world, and my 3GS is getting a DHCP address from IPCop over the WiFi link.

I have run this command to test:
/sbin/iptables -I CUSTOMFORWARD -i lan-1 --source 192.168.10.207 -j DROP

When I ask iptables what it thinks I said, it returns:
Chain CUSTOMFORWARD (1 references)
target prot opt source destination
DROP all -- IP3GS.mydomain.com anywhere

The only oddball thing I can see is that it's resolving the hostname somehow (asking dhcpd maybe?). Would that possibly screw things up?

I'm not certain what other info could be needed to help troubleshoot this situation. If I'm not including something obvious (to you) please let me know and I'll include that as well.


Posted: Thu Apr 12, 2012 8:47 pm
New User

Joined: Wed Apr 11, 2012 4:39 am
Posts: 9
One other possibility: as mentioned in my original post, I am running the CopPlus/DansGuardian add-on.
Proxy is also enabled (transparent on GREEN).

Is there a possibility that DG or Squid is getting the packets before the iptables chain rule can act upon them? Part of the DG install was to add a service on port 8080 and set up an ACCEPT rule on the firewall.


Posted: Thu Apr 12, 2012 9:07 pm
New User

Joined: Wed Apr 11, 2012 4:39 am
Posts: 9
OK, I think I am on to something. If I add the rules to the INPUT chain instead of the CUSTOMFORWARD chain, then it works.

Now just to figure out what the proper order is... :-)

Will update when I've got this solved.


Posted: Fri Apr 13, 2012 9:39 am
User

Joined: Fri Apr 09, 2010 11:08 am
Posts: 158
Location: Melb, Australia
Hi Wiggum,
wiggum wrote:
I'm trying to do something in IPCop 2.0.4 that I was able to do with URLfilter in 1.4.21

I have tried the pre-release version of 2.1 in a VM, and URLFilter, along with the time restrictions, is currently included in the pre-release version of 2.1.
No, I have no idea when it will finally come out; I just stumbled across the pre-release looking for something else.

In the meantime I want to suggest a GUI-based solution using the firewall rules.
Please note I have not tried this; I just got it from the online docs.

Change the Green Interface Policy from "Open" to "Half-Open" (It might need to be "Closed" not sure)
http://www.ipcop.org/2.0.0/en/admin/htm ... tings.html

Go to Firewall Rules and add 2 rules to "Outgoing Traffic"
First rule in list to Drop or Reject the IP you want to stop by times you want.
Second rule to allow all internet traffic on Green.
http://www.ipcop.org/2.0.0/en/admin/htm ... rules.html

Try reading the whole section. http://www.ipcop.org/2.0.0/en/admin/htm ... anges.html
It starts to make sense on the 3rd or 4th read through. :D

Hope this all makes sense.

_________________
IPCop 2.0.4 - Copfilter 2.0.91beta3
RED - GREEN - BLUE - IPSec - OpenVPN
Pentium Dual Core 2.6 GHz - 2 GB RAM - 80 GB ATA HDD
Realtek RTL-8110SC/8169SC - 2 x Realtek RTL-8169


Posted: Thu Apr 19, 2012 5:08 pm
New User

Joined: Wed Apr 11, 2012 4:39 am
Posts: 9
As time permits, I'm still flailing away with iptables rules and not having a lot of success.

My network is 192.168.10.xxx
IPCop 2.0.4 with simple GREEN and RED interfaces
My test device is an iPod Touch with static IP of 192.168.10.207

I add the rule
/sbin/iptables -I INPUT -i any --source 192.168.10.207 -j DROP

I verify the rule using
/sbin/iptables -L INPUT, which shows
Chain INPUT (policy DROP)
target prot opt source destination
DROP all -- 192.168.10.207 anywhere

Yet the iPod continues to be able to browse the web, access the iTunes Store, everything.

Where am I screwing up? Is there some other command to make the iptable rules active that I am not aware of?


Posted: Thu Apr 19, 2012 5:31 pm
New User

Joined: Wed Apr 11, 2012 4:39 am
Posts: 9
OK this seems to have worked:

/sbin/iptables -D FORWARD -i lan-1 --source 192.168.10.207 -j DROP

I don't know enough about iptables to say why the INPUT chain rule didn't function, but using the FORWARD chain seems to be OK. Apparently I have some learning to do. At least now I can use bluegroper's idea about putting the rules into fcrontab for automated time-of-day denials/allows.
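The approach this post settles on (DROP rules in the FORWARD chain, toggled from fcrontab, with the addresses kept in a text file) as an added shell script. It is not code from IPCop or from any poster in this thread. The interface name lan-1 and the /sbin/iptables path come from the thread; the list file path, the set of chains and the fcrontab times are my own assumptions. Two caveats a defender would want: the script also inserts the rule into INPUT, because a transparent proxy on GREEN redirects port-80 traffic to the firewall itself, and those packets traverse INPUT rather than FORWARD, so a FORWARD-only rule can leave web browsing untouched while blocking everything else; and its show action lists with -n, so addresses appear as typed instead of being resolved to hostnames, which is what the iptables -L output quoted earlier in the thread was doing.

```shell
#!/bin/sh
# Added example for this thread; not code from IPCop or from any poster.
# Toggles DROP rules for a list of GREEN hosts so fcrontab can open and close an
# internet window by time of day.
# Assumptions: lan-1 and /sbin/iptables come from the thread; the list file path,
# the chain set and the fcrontab times are my own choices.
IPTABLES="${IPTABLES:-/sbin/iptables}"
GREEN_IF="${GREEN_IF:-lan-1}"
LIST="${LIST:-/etc/timeblock.txt}"   # one IPv4 address per line, '#' starts a comment
# FORWARD covers routed traffic; INPUT is needed too when a transparent proxy on GREEN
# redirects port-80 traffic to the firewall itself, because those packets never reach FORWARD.
CHAINS="${CHAINS:-FORWARD INPUT}"

# Print the addresses in the list file, one per line, skipping blanks and comments.
read_list() {
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        printf '%s\n' "$line"
    done < "$1"
}

# Run iptables with action $1 (I = insert at position 1, D = delete) for every
# address in every chain. -I puts the DROP ahead of IPCop's own allow rules, which
# matters because a chain is evaluated top to bottom and the first terminal match wins.
# Prints the number of rule operations issued so a caller can check it.
apply() {
    action="$1"; n=0
    for ip in $(read_list "$LIST"); do
        for chain in $CHAINS; do
            $IPTABLES -"$action" "$chain" -i "$GREEN_IF" -s "$ip" -j DROP
            n=$((n + 1))
        done
    done
    echo "$n"
}

# block deletes any earlier copy before inserting, so a job that fires twice does not
# stack duplicate rules (deleting an absent rule fails harmlessly and is silenced).
block()   { apply D >/dev/null 2>&1 || true; apply I; }
unblock() { apply D; }
# List the chains numerically (-n) so addresses are shown as typed, not resolved to hostnames.
show()    { for chain in $CHAINS; do $IPTABLES -L "$chain" -n -v --line-numbers; done; }

# fcrontab lines for a 17:00-21:00 window (the script path is an assumed location):
#   0 17 * * * /usr/local/bin/timeblock.sh unblock
#   0 21 * * * /usr/local/bin/timeblock.sh block
# Rules inserted by hand live only in the running kernel: re-run "block" after a reboot
# or firewall restart, and run "show" to confirm the DROP lines sit at the top.
case "${1:-}" in
    block) block ;;
    unblock) unblock ;;
    show) show ;;
esac
```

Setting IPTABLES=echo before sourcing the script turns it into a dry run that prints the exact rules it would install, which is a cheap way to review the rule set before letting fcrontab drive it.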


Posted: Fri Apr 20, 2012 9:31 pm
Expert

Joined: Sat Sep 23, 2006 11:23 am
Posts: 2321
Location: LDK | Hessen | Germany
Suggest you remove your own iptables rules and reread the IPCop manual. Especially the part where it says how to add timeframes via the GUI...

_________________
-=[ If you want answers: provide lots of information, including tiny details! ]=-


Posted: Sat Apr 21, 2012 1:31 am
New User

Joined: Wed Apr 11, 2012 4:39 am
Posts: 9
weizen_42: This looks interesting. moshari_3 mentioned this as well but I only today finally sat down and read through the 2.6 section.

Confusing as all h*ll for me :-), as I only recently migrated from 1.4.x and am still getting used to the changes in 2.0.x.

It looks like I need to:
go half-open
set up rules so all my devices can get out to the 'net
set up individual rules for each device I want to restrict, with the times

I'll have to give that a try and do some testing. Thanks to both of you for the pointers!


Posted: Thu Apr 26, 2012 9:45 am
User

Joined: Fri Apr 09, 2010 11:08 am
Posts: 158
Location: Melb, Australia
@wiggum:

A little tip :D: put your time-restricting rules above your allow-all rule in the list.

HTH

_________________
IPCop 2.0.4 - Copfilter 2.0.91beta3
RED - GREEN - BLUE - IPSec - OpenVPN
Pentium Dual Core 2.6 GHz - 2 GB RAM - 80 GB ATA HDD
Realtek RTL-8110SC/8169SC - 2 x Realtek RTL-8169


Posted: Thu Apr 26, 2012 1:56 pm
New User

Joined: Wed Apr 11, 2012 4:39 am
Posts: 9
*light bulb goes on*

Aha! OK, so it works the same way as in Cisco IOS: the rule list is run from top to bottom. Definitely good to know, and it makes sense. I haven't had time to try things out yet, but the tip is appreciated. Thanks!

