* Temporarily disable a host
@ 2005-05-14 10:08 bjorn
  2005-05-15 23:28 ` Taylor, Grant
  0 siblings, 1 reply; 2+ messages in thread
From: bjorn @ 2005-05-14 10:08 UTC (permalink / raw)
  To: netfilter

Hello,

I use iptables based on MonMotha's Firewall script.
I partly understand what it does but have not been able
to absorb all the functionality/possibilities that iptables
offers...

I would like to temporarily disable one of the hosts inside
my private network from internet access. Possibly all traffic
or only http traffic. My idea was to add this rule through a
cron job at a specific time and then later run another job that
deletes the rule.

Please help me with a suitable iptables command to do this.

Regards,

/Björn




* Re: Temporarily disable a host
  2005-05-14 10:08 Temporarily disable a host bjorn
@ 2005-05-15 23:28 ` Taylor, Grant
  0 siblings, 0 replies; 2+ messages in thread
From: Taylor, Grant @ 2005-05-15 23:28 UTC (permalink / raw)
  To: netfilter

bjorn wrote:
> Hello,
> 
> I use iptables based on MonMotha's Firewall script.
> I partly understand what it does but have not been able
> to absorb all the functionality/possibilities that iptables
> offers...
> 
> I would like to temporarily disable one of the hosts inside
> my private network from internet access. Possibly all traffic
> or only http traffic. My idea was to add this rule through a
> cron job at a specific time and then later run another job that
> deletes the rule.
> 
> Please help me with a suitable iptables command to do this.
> 
> Regards,
> 
> /Björn

I would recommend that you take a look at the time match extension.  The time match extension is meant to allow rule(s) to match based on time and day of week, with start and stop dates with times.  This would allow you to have a rule that would allow (ACCEPT) traffic to pass through to / from the server in question only during the times that you want it to.  Follow this rule up with a default drop policy to reject traffic if the former does not allow the traffic to flow through.  You could conversely set up a rule to drop traffic during the times that you want the system to be off line, but I prefer a default of drop and then explicitly allow the traffic through.

I would recommend that you set up a couple of rules in your firewall in the following order:

  1)  Set a rule using the time match extension, i.e.
        iptables -t filter -A FORWARD -s $IP_address_of_server_to_protect -m time --timestart 08:00 --timestop 17:00 --days Mon,Tue,Wed,Thu,Fri -j ACCEPT
  2)  Set a rule that will by default match and drop any traffic that was not explicitly accepted in the previous rule, i.e.
        iptables -t filter -A FORWARD -s $IP_address_of_server_to_protect -j DROP

Or if you are wanting to only block port 80 and 443 traffic I would do something like the following:

  1)  Set a rule using the time match extension, i.e.
        iptables -t filter -A FORWARD -s $IP_address_of_server_to_protect -p tcp --dport 80 -m time --timestart 08:00 --timestop 17:00 --days Mon,Tue,Wed,Thu,Fri -j ACCEPT
        iptables -t filter -A FORWARD -s $IP_address_of_server_to_protect -p tcp --dport 443 -m time --timestart 08:00 --timestop 17:00 --days Mon,Tue,Wed,Thu,Fri -j ACCEPT
  2)  Set a rule that will by default match and drop any traffic that was not explicitly accepted in the previous rule, i.e.
        iptables -t filter -A FORWARD -s $IP_address_of_server_to_protect -p tcp --dport 80 -j DROP
        iptables -t filter -A FORWARD -s $IP_address_of_server_to_protect -p tcp --dport 443 -j DROP

Below is the output of "iptables -m time -h".

TIME v1.3.1-20050422 options:
 [ --timestart value ] [ --timestop value] [ --days listofdays ] [ --datestart value ] [ --datestop value ]
          timestart value : HH:MM (default 00:00)
          timestop  value : HH:MM (default 23:59)
                            Note: daylight savings time changes are not tracked
          listofdays value: a list of days to apply
                            from Mon,Tue,Wed,Thu,Fri,Sat,Sun
                            Coma speparated, no space, case sensitive.
                            Defaults to all days.
          datestart value : YYYY[:MM[:DD[:hh[:mm[:ss]]]]]
                            If any of month, day, hour, minute or second is
                            not specified, then defaults to their smallest
                            1900 <= YYYY < 2037
                               1 <= MM <= 12
                               1 <= DD <= 31
                               0 <= hh <= 23
                               0 <= mm <= 59
                               0 <= ss <= 59
          datestop  value : YYYY[:MM[:DD[:hh[:mm[:ss]]]]]
                            If the whole option is ommited, default to never stop
                            If any of month, day, hour, minute or second is
                            not specified, then default to their smallest



Grant. . . .
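As an added example (not code from Grant's reply or from MonMotha's script), here is a small POSIX sh script that prints the ACCEPT/DROP rule pairs described above, using the "--days" option name shown in the "iptables -m time -h" output, and that rejects time and day arguments which do not match the format that output specifies. The host address and ports are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread: prints the rule pairs Grant
# describes (time-limited ACCEPT, then catch-all DROP) without running
# iptables, so the output can be reviewed before it is applied.

# Accept only HH:MM with a valid hour and minute.
valid_time() {
    case $1 in
        [01][0-9]:[0-5][0-9]|2[0-3]:[0-5][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# Accept a comma-separated, case-sensitive list of Mon..Sun with no
# spaces and no empty entries, as "iptables -m time -h" requires.
valid_days() {
    rest=$1
    [ -n "$rest" ] || return 1
    while :; do
        day=${rest%%,*}
        case $day in
            Mon|Tue|Wed|Thu|Fri|Sat|Sun) ;;
            *) return 1 ;;
        esac
        [ "$rest" = "$day" ] && return 0   # last entry consumed
        rest=${rest#*,}
        [ -n "$rest" ] || return 1         # trailing comma
    done
}

# time_window_rules HOST START STOP DAYS [PORT...]
# No port: one ACCEPT/DROP pair covering all forwarded traffic from HOST.
# Ports: one pair per TCP destination port, ACCEPTs first, then DROPs.
time_window_rules() {
    host=$1 start=$2 stop=$3 days=$4
    shift 4
    valid_time "$start" && valid_time "$stop" && valid_days "$days" || return 1
    [ $# -gt 0 ] || set -- ""
    for port in "$@"; do
        match=${port:+"-p tcp --dport $port "}
        printf '%s\n' "iptables -t filter -A FORWARD -s $host ${match}-m time --timestart $start --timestop $stop --days $days -j ACCEPT"
    done
    for port in "$@"; do
        match=${port:+"-p tcp --dport $port "}
        printf '%s\n' "iptables -t filter -A FORWARD -s $host ${match}-j DROP"
    done
}

# Placeholder host and ports; replace with the real address before use.
time_window_rules 192.0.2.10 08:00 17:00 Mon,Tue,Wed,Thu,Fri 80 443
```

Pipe the output into sh once it has been reviewed; the same pairs with -D in place of -A remove the rules again.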



