
Mansoor
Resolved
0 votes
After giving up with squid and removing the Proxy app, I switched to iptables and have been trying to utilize the Custom Firewall app. My purpose is to control my kids' access to the Internet.

I started with a simple rule, such as:
$IPTABLES -I FORWARD -s 192.168.0.102 -j REJECT
and it worked. So, I impeded the access for a certain period of time:
$IPTABLES -I FORWARD -s 192.168.0.105 -m time --timestart 10:00 --timestop 11:00 -j REJECT
but this did not work!

I searched the forum to know why it did not work. I found the following post saying the time matching was not supported in iptables for COS 5, but it came later in COS 6.1.
https://www.clearos.com/clearfoundation/social/community/timed-outgoing-firewall-rules#reply-37699

I'm wondering now if this feature was later removed from COS and is no longer supported?

Thank you.
Tuesday, September 19 2017, 08:14 AM
Responses (11)
  • Accepted Answer

    Thursday, October 26 2017, 12:06 PM - #Permalink
    Resolved
    1 votes
    ipsets could be a little over the top if you want to try a different approach. For your kids, see if you can group them into a subnet somewhere within your LAN subnet but outside the DHCP range, so, if your DHCP range is .100 - .254, in the Webconfig > Network > Infrastructure > DHCP Server > Leases set your kids say somewhere between .64 and .71 (choose a bigger range if you have more kids!). Have a look at something like the Subnet Calculator to work out a good range, but starting at .64 (or .32) is quite a good starting point depending on your DHCP range. You will have to restart their devices or wait until their leases expire before they get the new IPs. If you do that then you can block using something like:
    $IPTABLES -I FORWARD -s 192.168.0.64/29 -m time --timestart 19:00 --timestop 02:00 --weekdays Mon,Tue,Wed,Sat,Sun -j REJECT
    This avoids multiple rules or ipsets.

    To run ipsets, check you have ipset installed:
    rpm -q ipset
    Install it if necessary, but I think you must have it to create your set.

    Because of timing issues, from my other post, create /etc/sysconfig/modules/ip_set.modules and make it executable and in it put:
    modprobe ip_set
    You can do this with the following:
    echo "modprobe ip_set" > /etc/sysconfig/modules/ip_set.modules
    chmod +x /etc/sysconfig/modules/ip_set.modules


    Once you have created your set, use my three-liner to save it:
    ipset save kids > /usr/src/ipset_kids.save
    sed -i 's/create/create -exist/g' /usr/src/ipset_kids.save
    sed -i 's/add/add -exist/g' /usr/src/ipset_kids.save
    You can adjust the file names as you want.

    Then to reload the ipset set on boot up, add a line to /etc/rc.d/rc.local:
    ipset restore < /usr/src/ipset_kids.save
    Also see the note at the top of the file to make it executable.

    You should then be ready to go.

    Mansoor
    Tuesday, September 19 2017, 08:20 AM - #Permalink
    0 votes
    By the way, I'm aware of the possibility to do parental control with iptables using crontab, but I want to minimize my access to the shell as much as possible. This is why I chose to use the Custom Firewall app to do this task.

    Tuesday, September 19 2017, 11:55 AM - #Permalink
    0 votes
    crontab may not be as easy as you think if you cover the edge case of the server restarting during a blocking period. I've been using a scripted solution, partly in crontab and partly in the firewall scripts. I was doing this before the Web Access Control module was created.

    If I get time later I'll try to look at time matching in iptables.

    Mansoor
    Tuesday, September 19 2017, 12:39 PM - #Permalink
    0 votes
    I tested the Web Access Control app and it didn't fulfill my requirements. Squid in transparent mode cannot control access to secured sites (https). And in non-transparent mode, it brings more problems than it solves!

    I hope for the iptables to work with time matching, as it's my last solution to implement time-controlled access. (My Asus router has parental control only in router mode and I'm currently operating it in access mode with ClearOS.)

    Tuesday, September 19 2017, 07:25 PM - #Permalink
    0 votes
    Tested the iptables rule and it works for me, but if you have a look at the resulting rule in iptables with an:
    iptables -nvL FORWARD
    I noticed the times are all in UTC (or GMT). Once I corrected for this it worked. One disadvantage is you'll need to remember to redo the rules if you have some sort of daylight saving time.

    Mansoor
    Thursday, October 26 2017, 10:25 AM - #Permalink
    0 votes
    Using iptables with times in UTC seems to work. I grouped my kids' IPs in an ipset and here is the custom firewall entry:

    $IPTABLES -I FORWARD -m set --match-set kids src -m time --timestart 19:00 --timestop 02:00 --weekdays Mon,Tue,Wed,Sat,Sun -j REJECT

    The only problem now is to repopulate "kids" ipset with IPs after the server reboot. I tried to yum install ipset-service but it seems incompatible with firewalld, which is installed by default in clearOS.

    To my knowledge, firewalld is not used in clearOS, so is it safe to remove it and install ipset-service? Any suggestion please?

    EDIT: I read Nick's post here about how to populate ipset after reboot, but I could not make it work: https://www.clearos.com/clearfoundation/social/community/attack-detector-how-to-test-it#reply-191521
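As an added example (not from this thread or from ClearOS), a small Python helper for the UTC conversion the replies above mention: given the local window and weekdays of a rule like the one above plus the local UTC offset in minutes, it emits equivalent rules whose --timestart/--timestop never cross midnight, shifting the weekday list wherever the UTC day differs from the local one. It treats each listed weekday as the day the local window starts; the +3 hour offset, the source subnet and the function names are assumptions, and the offset has to be updated when daylight saving time changes.

```python
# Added example (not from the thread): convert a local-time iptables "-m time"
# window to UTC rules. Offset, subnet and function names are assumptions.
DAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]
MINUTES_PER_DAY = 24 * 60

def to_minutes(hhmm):
    """'19:00' -> 1140 minutes since midnight."""
    hours, minutes = hhmm.split(":")
    return int(hours) * 60 + int(minutes)

def fmt(minutes):
    """1140 -> '19:00'."""
    return f"{minutes // 60:02d}:{minutes % 60:02d}"

def local_window_to_utc(start, stop, weekdays, utc_offset_minutes):
    """Return [(timestart, timestop, [weekdays])] in UTC, none crossing midnight.
    Each weekday is the local day the window starts; a stop at or before the
    start wraps past midnight (19:00 to 02:00 is a seven-hour window)."""
    s_local, e_local = to_minutes(start), to_minutes(stop)
    duration = (e_local - s_local) % MINUTES_PER_DAY or MINUTES_PER_DAY
    # Shift the start into UTC; divmod says whether it landed on another day.
    day_shift, cur = divmod(s_local - utc_offset_minutes, MINUTES_PER_DAY)
    pieces, remaining = [], duration
    while remaining > 0:
        seg = min(remaining, MINUTES_PER_DAY - cur)
        end = cur + seg
        # iptables has no 24:00; the last second of the day is 23:59:59.
        stop_str = "23:59:59" if end == MINUTES_PER_DAY else fmt(end)
        pieces.append((day_shift, fmt(cur), stop_str))
        day_shift, cur, remaining = day_shift + 1, 0, remaining - seg
    grouped = {}  # (timestart, timestop) -> set of UTC weekday indexes
    for day in weekdays:
        for shift, a, b in pieces:
            grouped.setdefault((a, b), set()).add((DAYS.index(day) + shift) % 7)
    return [(a, b, [DAYS[i] for i in sorted(days)]) for (a, b), days in grouped.items()]

def render_rules(segments, source="192.168.0.64/28"):
    """Format UTC segments as Custom Firewall rules in the thread's own style."""
    return [f"$IPTABLES -I FORWARD -s {source} -m time --timestart {a} --timestop {b}"
            f" --weekdays {','.join(days)} -j REJECT" for a, b, days in segments]

if __name__ == "__main__":
    # Constructed input: 19:00-02:00 local on Mon,Tue,Wed,Sat,Sun, local clock = UTC+3.
    kids_nights = local_window_to_utc("19:00", "02:00", ["Mon", "Tue", "Wed", "Sat", "Sun"], 180)
    for rule in render_rules(kids_nights):
        print(rule)
```

With a UTC+1 offset the same window becomes two rules (18:00-23:59:59 on the listed days and 00:00-01:00 on the following days), which is the case a single hand-converted rule gets wrong.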

    Thursday, October 26 2017, 01:34 PM - #Permalink
    0 votes
    And thinking about it, what I've posted for ipset is probably way over the top. There is no real need to save the set as you will have so few entries. You might as well generate it each time you start with something like this in rc.local:
    ipset create kids hash:net -exist
    ipset flush kids
    ipset add kids IP1
    ipset add kids IP2
    ipset add kids IP3
    ipset add kids IPx
    You don't even need the -exist flag. Just remember to make the file executable. Alternatively you can put all the lines in /etc/clearos/firewall.d/local, including the custom firewall rule at the end. Then you do need the -exist flag. The advantage of the /etc/clearos/firewall.d/local file is the firewall reloads each time you edit the file, which makes it easy to add and remove IPs. Also you avoid a potential race condition between rc.local running and the firewall starting. The disadvantage of the /etc/clearos/firewall.d/local file is that the ipset rules run every time the firewall reloads, which is more often than you may expect, so it wastes a few processor cycles and fractionally slows down the firewall loading.

    Mansoor
    Thursday, October 26 2017, 09:10 PM - #Permalink
    0 votes
    Thank you so much Nick for the detailed reply.

    I really liked the idea of using a subnet to set the iptables blocking rule instead of ipsets. So, I edited the DHCP Leases and Network Map tables and changed the IPs for my kids' devices to fall within the 192.168.0.64/28 subnet. I updated the custom firewall rule accordingly, then rebooted the access point to force all devices to take the new IPs. Everything is working well now :)

    Mansoor
    Thursday, January 11 2018, 11:01 PM - #Permalink
    0 votes
    I'm thinking of making a clearOS app for time-based access control using iptables. The new app will be similar to the existing Web Access Control app, but will use iptables instead of the squid proxy.

    What do you think?

    Friday, January 12 2018, 01:57 PM - #Permalink
    0 votes
    I like the idea as I use some scripting and cron to achieve the same. You'd need to sort out time conversion. Would you do it by IP, MAC or name (if using the hosts file)?

    Mansoor
    Friday, January 12 2018, 07:08 PM - #Permalink
    0 votes
    I'm thinking of doing it using: IP, MAC, usernames and groups. The usernames and groups will be usable if the user maps devices in the network using the Network Map app.