Iptables time-based rules having no effect – Gateway with 2 NICs

Tags: gateway, iptables, linux-networking, time

I have a network with the following topology:
– WAN Modem with NIC facing the gateway: 192.168.0.1
– Ubuntu 14.04 gateway with two NICs:
1) Eth0 (facing the modem): 192.168.0.201
2) Eth1 (facing the LAN): 10.0.0.1

I am trying to limit access to the Internet and to the LAN (from the Internet) by day and time of day using iptables, but the rules seem to have no effect whatsoever.

In rc.local, I have the following setup:

    #!/bin/sh -e
    #
    # rc.local
    # turning on address verification
    echo -n "Enabling source address verification..."
    echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter
    echo "done"

    #just for the sake of turning the networks off and on... not sure if it would work turning them back on only at the end of script ? -- Also flushing NICs
    ip addr flush eth0;
    ip addr flush eth1;
    ifconfig eth0 down;
    ifconfig eth1 down;
    ifconfig lo down;
    ifconfig lo up;
    ifconfig eth0 up;
    ifconfig eth1 up;
    ifconfig eth0 192.168.0.201 netmask 255.255.255.0
    ifconfig eth1 10.0.0.1 netmask 255.255.255.0
    #routing table check up :
    route add 127.0.0.1 dev lo;
    route add -net 127.0.0.0/8 dev lo;
    route add -net 10.0.0.0/24 dev eth1;
    route add -net 192.168.0.0/8 dev eth0;
    route add default gw 192.168.0.1;
    # turn forwarding off while configuring iptables :
    sysctl net/ipv4/ip_forward=0
    iptables -F
    iptables -X
    iptables -P INPUT DROP
    iptables -P OUTPUT ACCEPT
    iptables -P FORWARD ACCEPT
    iptables -t nat -F
    iptables -t nat -X
    iptables -t mangle -F
    iptables -t mangle -X
    #and on again once the policies are set
    sysctl net/ipv4/ip_forward=1
    #limiting LAN clients
    iptables -A FORWARD -d 10.0.0.74 -m time --timestart 20:00 --timestop 10:00 --days Sun,Mon,Tue,Wed,Thu,Fri -j DROP
    iptables -A FORWARD -d 10.0.0.228 -m time --timestart 20:00 --timestop 10:00 --days Sun,Mon,Tue,Wed,Thu,Fri -j DROP
    iptables -A FORWARD -d 10.0.0.121 -m time --timestart 20:00 --timestop 10:00 --days Sun,Mon,Tue,Wed,Thu,Fri -j DROP
    iptables -A FORWARD -d 10.0.0.221 -m time --timestart 20:00 --timestop 10:00 --days Sun,Mon,Tue,Wed,Thu,Fri -j DROP
    iptables -A FORWARD -d 10.0.0.2 -m time --timestart 10:00 --timestop 20:00 --days Sun,Mon,Tue,Wed,Thu,Fri -j DROP
    #block IPs
    iptables -A INPUT -s 173.194.45.189 -j DROP
    iptables -A INPUT -s 208.92.53.87 -j DROP
    #masquerade on wan card :
    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    #accept all packets in lo and protect against spoofing :
    # (negation written as "! -i lo"; the older "-i !lo" form is deprecated)
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT
    iptables -A INPUT ! -i lo -s 127.0.0.0/8 -j LOG
    iptables -A INPUT ! -i lo -s 127.0.0.0/8 -j DROP
    iptables -A FORWARD ! -i lo -s 127.0.0.0/8 -j LOG
    iptables -A FORWARD ! -i lo -s 127.0.0.0/8 -j DROP
    #accept only established input but all output on WAN card
    iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -A FORWARD -i eth1 -j ACCEPT
    iptables -A OUTPUT -o eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
    #just forget the invalid packets :
    iptables -A OUTPUT -o eth0 -m state --state INVALID -j DROP
    iptables -A INPUT -i eth0 -m state --state INVALID -j LOG
    iptables -A INPUT -i eth0 -m state --state INVALID -j DROP
    #not sure whether to put this before or after spoofing protection ?
    iptables -A INPUT -i eth1 -j ACCEPT
    iptables -A OUTPUT -o eth1 -j ACCEPT
    #against spoofing on LAN card input :
    iptables -A INPUT ! -i eth1 -s 10.0.0.0/24 -j LOG
    iptables -A INPUT ! -i eth1 -s 10.0.0.0/24 -j DROP
    exit 0

Listing the rules with iptables -L I get:

Chain INPUT (policy DROP)
target     prot opt source               destination         
DROP       all  --  173.194.45.189       anywhere            
DROP       all  --  208.92.53.87         anywhere            
ACCEPT     tcp  --  10.0.0.0/24          anywhere             ctstate NEW,RELATED,ESTABLISHED tcp dpt:sunrpc
ACCEPT     udp  --  10.0.0.0/24          anywhere             ctstate NEW,RELATED,ESTABLISHED udp dpt:sunrpc
ACCEPT     all  --  anywhere             anywhere            
LOG        all  --  127.0.0.0/8          anywhere             LOG level warning
DROP       all  --  127.0.0.0/8          anywhere            
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
LOG        all  --  anywhere             anywhere             state INVALID LOG level warning
DROP       all  --  anywhere             anywhere             state INVALID
ACCEPT     all  --  anywhere             anywhere            
LOG        all  --  10.0.0.0/24          anywhere             LOG level warning
DROP       all  --  10.0.0.0/24          anywhere            

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination 
LOG        all  --  127.0.0.0/8          anywhere             LOG level warning
DROP       all  --  127.0.0.0/8          anywhere            
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             state NEW,RELATED,ESTABLISHED
DROP       all  --  anywhere             anywhere             state INVALID
ACCEPT     all  --  anywhere             anywhere

The time-based rules aren't there. Can anybody see why? Note: it is a day and time of day when the following rule should be active:

iptables -A FORWARD -d 10.0.0.2 -m time --timestart 10:00 --timestop 20:00 --days Sun,Mon,Tue,Wed,Thu,Fri -j DROP  

Best Answer

For the days option, use --weekdays instead of --days, as shown below:

arul@cheetah:~$ sudo iptables -A FORWARD -d 10.0.0.2 -m time --timestart 10:00 --timestop 20:00 --weekdays Sun,Mon,Tue,Wed,Thu,Fri -j DROP
arul@cheetah:~$ sudo iptables -L -n -v
Chain INPUT (policy ACCEPT 1 packets, 328 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  *      *       0.0.0.0/0            10.0.0.2             TIME from 10:00:00 to 20:00:00 on Mon,Tue,Wed,Thu,Fri,Sun UTC

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination