After giving up with squid and removing the Proxy app, I switched to iptables and have been trying to utilize the Custom Firewall app. My purpose is to control my kids' access to the Internet.
I started with a simple rule, such as:

$IPTABLES -I FORWARD -s 192.168.0.102 -j REJECT

and it worked. So, I impeded access for a certain period of time:

$IPTABLES -I FORWARD -s 192.168.0.105 -m time --timestart 10:00 --timestop 11:00 -j REJECT

but this did not work! I searched the forum to find out why it did not work. I found the following post saying that time matching was not supported in iptables for COS 5, but that it came later in COS 6.1:
https://www.clearos.com/clearfoundation/social/community/timed-outgoing-firewall-rules#reply-37699
I'm wondering now if this feature was later removed from COS and is no longer supported?
Thank you.

Responses (11)
Thank you so much Nick for the detailed reply.
I really liked the idea of using a subnet to set the iptables blocking rule instead of ipsets. So, I edited the DHCP Leases and Network Map tables and changed the IPs for my kids' devices to fall within the 192.168.0.64/28 subnet. I updated the custom firewall rule accordingly, then rebooted the access point to force all devices to take the new IPs. Everything is working well now.

And thinking about it, what I've posted for ipset is probably way over the top. There is no real need to save the set as you will have so few entries. You might as well generate it each time you start with something like this in rc.local:

ipset create kids hash:net -exist
ipset flush kids
ipset add kids IP1
ipset add kids IP2
ipset add kids IP3
ipset add kids IPx

You don't even need the -exist flag. Just remember to make the file executable. Alternatively you can put all the lines in /etc/clearos/firewall.d/local, including the custom firewall rule at the end. Then you do need the -exist flag. The advantage of the /etc/clearos/firewall.d/local file is that the firewall reloads each time you edit the file, which makes it easy to add and remove IPs. Also you avoid a potential race condition between rc.local running and the firewall starting. The disadvantage of the /etc/clearos/firewall.d/local file is that the ipset rules run every time the firewall reloads, which is more often than you may expect, so it wastes a few processor cycles and fractionally slows down the firewall loading.

ipsets could be a little over the top if you want to try a different approach. For your kids, see if you can group them into a subnet somewhere within your LAN subnet but outside the DHCP range. So, if your DHCP range is .100 - .254, in Webconfig > Network > Infrastructure > DHCP Server > Leases set your kids somewhere between, say, .64 and .71 (choose a bigger range if you have more kids!). Have a look at something like the Subnet Calculator to work out a good range, but starting at .64 (or .32) is quite a good starting point depending on your DHCP range. You will have to restart their devices or wait until their leases expire before they get the new IPs. If you do that then you can block using something like:

$IPTABLES -I FORWARD -s 192.168.0.64/29 -m time --timestart 19:00 --timestop 02:00 --weekdays Mon,Tue,Wed,Sat,Sun -j REJECT

This avoids multiple rules or ipsets.

To run ipsets, check you have ipset installed:

rpm -q ipset

Install it if necessary, but I think you must have it to create your set.
Because of timing issues, from my other post, create /etc/sysconfig/modules/ip_set.modules, make it executable, and in it put:

modprobe ip_set

You can do this with the following:

echo "modprobe ip_set" > /etc/sysconfig/modules/ip_set.modules
chmod +x /etc/sysconfig/modules/ip_set.modules

Once you have created your set, use my three-liner to save it:

ipset save kids > /usr/src/ipset_kids.save
sed -i 's/create/create -exist/g' /usr/src/ipset_kids.save
sed -i 's/add/add -exist/g' /usr/src/ipset_kids.save

You can adjust the file names as you want.
Then, to reload the ipset set on boot up, add a line to /etc/rc.d/rc.local:

ipset restore /usr/src/ipset_kids.save

Also see the note at the top of the file about making it executable.
You should then be ready to go.

Using iptables with times in UTC seems to work. I grouped my kids' IPs in an ipset and here is the custom firewall entry:

$IPTABLES -I FORWARD -m set --match-set kids src -m time --timestart 19:00 --timestop 02:00 --weekdays Mon,Tue,Wed,Sat,Sun -j REJECT

The only problem now is to repopulate the "kids" ipset with IPs after the server reboots. I tried to yum install ipset-service but it seems incompatible with firewalld, which is installed by default in ClearOS.
To my knowledge, firewalld is not used in ClearOS, so is it safe to remove it and install ipset-service? Any suggestion please?
EDIT: I read Nick's post here about how to populate the ipset after reboot, but I could not make it work: https://www.clearos.com/clearfoundation/social/community/attack-detector-how-to-test-it#reply-191521

Tested the iptables rule and it works for me, but if you have a look at the resulting rule in iptables with:

iptables -nvL FORWARD

I noticed the times are all in UTC (or GMT). Once I corrected for this it worked. One disadvantage is you'll need to remember to redo the rules if you have some sort of daylight saving time.

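The UTC behaviour Nick describes above, together with the 19:00-02:00 curfew rules posted earlier in this thread, is easy to get wrong by hand, so here is an added example script. It is not from this thread and not part of ClearOS; it only assumes GNU date (for `date +%z`) and the xt_time match syntax in the replies above. It converts a curfew given in local time into `-m time` arguments in UTC, and it also splits any window that crosses UTC midnight and moves the weekday along with each piece. That second step matters because, without the newer `--contiguous` option, `--timestart 19:00 --timestop 02:00 --weekdays Mon` matches Monday 19:00-23:59 plus Monday 00:00-02:00 (early Monday morning), not Monday night running into Tuesday. Newer iptables also has `--kerneltz`; check `iptables -m time --help` on your box, but the output below needs neither option.

```shell
#!/bin/bash
# Added example, not from the thread or ClearOS: derive iptables "-m time"
# arguments in UTC from a curfew expressed in LOCAL time.
#
# Two things bite people with xt_time:
#   1. Unless the rule was built with --kerneltz, times are compared in UTC.
#   2. Without --contiguous, "--timestart 19:00 --timestop 02:00 --weekdays Mon"
#      means Mon 19:00-23:59 PLUS Mon 00:00-02:00, not Monday night into Tuesday.
# This script shifts the window to UTC, splits it at UTC midnight and moves the
# weekday with each piece, so the result works without either option.

DAYS=(Mon Tue Wed Thu Fri Sat Sun)

# tz_offset_minutes "+0300" -> 180, "-0530" -> -330 (the format `date +%z` prints)
tz_offset_minutes() {
    local z=$1 sign=1
    case $z in -*) sign=-1 ;; esac
    z=${z#[+-]}
    echo $(( sign * (10#${z:0:2} * 60 + 10#${z:2:2}) ))
}

# hhmm_to_min "19:00" -> 1140
hhmm_to_min() {
    echo $(( 10#${1%%:*} * 60 + 10#${1##*:} ))
}

# min_to_hhmm 960 -> "16:00"
min_to_hhmm() {
    printf '%02d:%02d' $(( $1 / 60 )) $(( $1 % 60 ))
}

# day_index Tue -> 1 (Mon=0 ... Sun=6)
day_index() {
    local i
    for i in "${!DAYS[@]}"; do
        [ "${DAYS[i]}" = "$1" ] && { echo "$i"; return 0; }
    done
    echo "unknown weekday: $1" >&2
    return 1
}

# time_rules OFFSET_MINUTES START STOP WEEKDAYS
#   START/STOP are local HH:MM; STOP <= START means the window runs past midnight.
#   WEEKDAYS are the local days on which the window BEGINS, e.g. Mon,Tue,Sun.
# Prints one "-m time ..." argument string per distinct UTC interval.
time_rules() {
    local offset=$1 start stop dur dlist d di s e cur cend wd key i found
    local keys=() wdays=()
    start=$(hhmm_to_min "$2")
    stop=$(hhmm_to_min "$3")
    dur=$(( (stop - start + 1440) % 1440 ))
    [ "$dur" -eq 0 ] && dur=1440
    IFS=, read -r -a dlist <<< "$4"
    for d in "${dlist[@]}"; do
        di=$(day_index "$d") || return 1
        # absolute minute of the UTC week at which this day's window starts
        s=$(( (di * 1440 + start - offset + 10080) % 10080 ))
        e=$(( s + dur ))
        cur=$s
        while [ "$cur" -lt "$e" ]; do
            cend=$(( (cur / 1440 + 1) * 1440 ))      # end of the current UTC day
            [ "$cend" -gt "$e" ] && cend=$e
            wd=${DAYS[cur / 1440 % 7]}
            if [ $(( cend % 1440 )) -eq 0 ]; then  # xt_time cannot say 24:00
                key="--timestart $(min_to_hhmm $(( cur % 1440 ))) --timestop 23:59:59"
            else
                key="--timestart $(min_to_hhmm $(( cur % 1440 ))) --timestop $(min_to_hhmm $(( cend % 1440 )))"
            fi
            found=
            for i in "${!keys[@]}"; do            # merge days sharing one interval
                if [ "${keys[i]}" = "$key" ]; then
                    wdays[i]="${wdays[i]},$wd"
                    found=1
                    break
                fi
            done
            if [ -z "$found" ]; then
                keys+=("$key")
                wdays+=("$wd")
            fi
            cur=$cend
        done
    done
    for i in "${!keys[@]}"; do
        echo "-m time ${keys[i]} --weekdays ${wdays[i]}"
    done
}

# Stand-alone demo: the school-night curfew from the thread, in this machine's zone
offset=$(tz_offset_minutes "$(date +%z)")
time_rules "$offset" 19:00 02:00 Mon,Tue,Wed,Sat,Sun | while read -r args; do
    echo "\$IPTABLES -I FORWARD -m set --match-set kids src $args -j REJECT"
done
```

For a zone of UTC+3 the curfew collapses to a single rule (16:00-23:00 on the same days); for UTC-5 it becomes 00:00-07:00 with every weekday shifted forward by one; for UTC itself it needs two rules, one ending at 23:59:59 and one starting at 00:00 on the following days. Because the offset comes from `date +%z`, the output changes when daylight saving time flips, so re-running the script (for example from cron, writing the lines into /etc/clearos/firewall.d/local) covers the "redo the rules" caveat above.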
I tested the Web Access Control app and it didn't fulfil my requirements. Squid in transparent mode cannot control access to secured sites (https), and in non-transparent mode it brings more problems than it solves!
I hope iptables will work with time matching, as it's my last solution for implementing time-controlled access. (My Asus router has parental control only in router mode and I'm currently operating it in access mode with ClearOS.)

crontab may not be as easy as you think if you cover the edge case of the server restarting during a blocking period. I've been using a scripted solution, partly in crontab and partly in the firewall scripts. I was doing this before the Web Access Control module was created.
If I get time later I'll try to look at time matching in iptables.
