IPTABLES Time Limits

Rick Stevens rstevens at vitalstream.com
Mon Sep 27 18:29:36 UTC 2004


karlp at ourldsfamily.com wrote:
> I spent much of Friday night and today setting up my network preparatory
> to filtering.
> 
> I installed a second NIC in my server, changed its IP address to
> 10.0.0.1, which was my Cisco router's IP before the change. The Cisco is
> now 172.20.20.1 and the second NIC on my server is 172.20.20.2.
> 
> I've looked at Squid and am overwhelmed, but have an iptables script that
> works just fine for IP traffic forwarding, so the network is functioning
> as it did before the change. I had to set up DHCP for an XP Pro PC that
> wasn't working.
> 
> 2 questions:
> 
> 1. I want to be able to give access to the internet during certain hours
> of the day for some PCs on the network and close down outbound access
> during after-hours and part of the weekend. Can I do these time
> restrictions?

That would need to be done via a cron job that changes the iptables
configuration.  iptables, by itself, has no concept of clock time.

> 2. What would the best method be of using NAT on the server? The Cisco
> already does NAT, but the parts of it that translate to the 10.0.0.0
> network now fail. All the services that are translated to the server work
> fine. That's because it's on the same subnet as the Cisco (172.20.20.0).
> 
> Topology of NAT looks like this:
> 
> 172.20.20.2 25 198.60.114.90 25 tcp    < still works
> 172.20.20.2 80 198.60.114.90 80 tcp    < still works
> 
> 10.0.0.2 10001 198.60.114.90 10000 tcp < Webmin to another 'server' fails
> 10.0.0.20 5900 198.60.114.90 5900 tcp  < VNC to a laptop fails
> 
> I'm thinking that I would need to set up the Cisco to direct those ports to
> the server and then some iptables rules that redirect those ports to the
> internal IP addresses.

You didn't show us the topology of the network itself.  If you're on a
cable modem, the WAN (cable) side is some IP from your ISP (generally
DHCPd), the LAN side is 192.168.100.1 or something of that nature and
the cable modem does NAT between the two sides (actually, most cable
modems use 192.168.100.0/24 on the LAN side).

Your router's WAN side connects to the cable modem's LAN port and would
have an address on the cable modem's LAN side (192.168.100.2 in the
above example).  The router's LAN side would be something like
10.24.0.0/16, and all of your other devices on the LAN side must be on
the 10.24.0.0/16 network.  The router also does NAT between 10.24.0.0/16 
and 192.168.100.2.  Generally, the router also has a firewall and
supports NTP so you can set up time-based access limits (I know the
D-Link and Linksys units do).

If you're trying to subdivide the 10.24.0.0/16 (router LAN side) into
yet another network (172.20.20.N) by using the Linux box as a
router/NAT, then you have some figuring to do.

Personally, I wouldn't do it.  Unless you have some specific reasons to
segment your network as you are, you're better off just having a
monolithic LAN (10.24.0.0/16) on the LAN side of the router.  Use the
router's firewall and NAT rules to do your dirty work.  You'll find it's
easier to manage a single network segment rather than a bunch of them.
Remember, this is coming from a guy who manages several /19 and /22
network segments with VLANs and lots of other stuff (we have 8 Cisco
GRX [12000-series] routers and we peer with Wiltel, Level 3 and several
other tier-1 Internet providers).
----------------------------------------------------------------------
- Rick Stevens, Senior Systems Engineer     rstevens at vitalstream.com -
- VitalStream, Inc.                       http://www.vitalstream.com -
-                                                                    -
-                 IGNORE that man behind the keyboard!               -
-                                                - The Wizard of OS  -
----------------------------------------------------------------------
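The cron-driven approach Rick describes, as an added example that is not part of the original thread and not anyone's production configuration: a script that computes whether outbound access should be open at the current clock time and rewrites a dedicated iptables chain hooked into FORWARD. Everything below the header is an assumption: the LAN-side interface name eth1, the chain name TIMELIMIT, the window (Monday to Saturday 08:00 to 21:59, Sunday closed), and the restricted hosts, which are the two 10.0.0.x addresses from the NAT table in the post.

```shell
#!/bin/sh
# Constructed example: cron-driven time window for outbound access from
# selected LAN hosts, implemented by rewriting one iptables chain.
# Interface, chain name, hosts and schedule below are all assumptions.

IPTABLES="${IPTABLES:-iptables}"        # set IPTABLES=echo for a dry run
LAN_IF="${LAN_IF:-eth1}"                # assumed: NIC on the 10.0.0.0/24 side
CHAIN="TIMELIMIT"                       # hypothetical chain name
RESTRICTED_HOSTS="${RESTRICTED_HOSTS:-10.0.0.2 10.0.0.20}"  # hosts on a schedule
OPEN_HOUR=8                             # allowed from 08:00 ...
CLOSE_HOUR=22                           # ... up to but not including 22:00

# in_window HOUR DOW: returns 0 when access should be open.
# Assumed policy: Monday-Saturday 08:00-21:59 open, Sunday (DOW 0) closed.
in_window() {
    hour=$1; dow=$2
    [ "$dow" -eq 0 ] && return 1
    [ "$hour" -ge "$OPEN_HOUR" ] && [ "$hour" -lt "$CLOSE_HOUR" ] && return 0
    return 1
}

# state_for HOUR DOW: prints "open" or "closed".
state_for() {
    if in_window "$1" "$2"; then echo open; else echo closed; fi
}

# rules_for STATE: prints the iptables arguments (one rule per line) the
# chain should hold in that state. "open" leaves the chain empty so packets
# fall through to the rest of FORWARD.
rules_for() {
    [ "$1" = "open" ] && return 0
    for host in $RESTRICTED_HOSTS; do
        # rate-limited log, then drop: after-hours attempts show up in syslog
        echo "-A $CHAIN -s $host -m limit --limit 6/min -j LOG --log-prefix ${CHAIN}-drop:"
        echo "-A $CHAIN -s $host -j DROP"
    done
}

# ensure_chain: create the chain and hook it into FORWARD exactly once.
# Idempotent, so it is safe on every cron run and after a reboot.
ensure_chain() {
    $IPTABLES -N "$CHAIN" 2>/dev/null || true
    $IPTABLES -C FORWARD -i "$LAN_IF" -j "$CHAIN" 2>/dev/null ||
        $IPTABLES -I FORWARD 1 -i "$LAN_IF" -j "$CHAIN"
}

# apply: compute the state for the current clock time and rewrite the chain.
apply() {
    state=$(state_for "$(date +%H)" "$(date +%w)")
    ensure_chain
    $IPTABLES -F "$CHAIN"
    rules_for "$state" | while read -r rule; do
        # word-splitting the rule string into arguments is intended here
        $IPTABLES $rule
    done
    logger -t timelimit "outbound access now $state for: $RESTRICTED_HOSTS" 2>/dev/null || true
}

case "${1:-show}" in
    apply) apply ;;
    show)  state=$(state_for "$(date +%H)" "$(date +%w)")
           echo "state: $state"; rules_for "$state" ;;
    *)     echo "usage: $0 {apply|show}" >&2; exit 2 ;;
esac
```

Because `apply` recomputes the state from the clock rather than toggling, it can be scheduled at the transitions and also run blindly at boot: `0 8 * * 1-6 /usr/local/sbin/timelimit.sh apply`, `0 22 * * * /usr/local/sbin/timelimit.sh apply`, `0 0 * * 0 /usr/local/sbin/timelimit.sh apply` and `@reboot /usr/local/sbin/timelimit.sh apply` (path assumed). Two things to check before trusting it: the box's clock and time zone, since the whole control is `date`, and that the hosts' traffic actually traverses FORWARD on this machine rather than reaching the Cisco some other way. Current iptables also ships an `-m time` match (`--timestart`, `--timestop`, `--weekdays`) that was not in mainline when this thread was written; note that it evaluates against UTC unless `--kerneltz` is given.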

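For the second question, the plan in the quoted post (the Cisco forwards the ports to the server at 172.20.20.2, and the server redirects them to the 10.0.0.x hosts) is what iptables calls DNAT. The script below is an added example, not code from the thread or from either poster's setup, showing what those redirect rules look like and the preflight check that most often explains why they do nothing. The ports and internal addresses are the two failing entries from the post's table; the interface names eth0 (toward the Cisco) and eth1 (toward 10.0.0.0/24) are assumptions. Rick's advice against the extra segment still stands; this is only what the rules are if you go that way.

```shell
#!/bin/sh
# Constructed example: forward the two failing services through the Linux
# box with iptables DNAT. Interface names are assumptions; the addresses and
# ports are the ones given in the post.

IPTABLES="${IPTABLES:-iptables}"    # set IPTABLES=echo for a dry run
WAN_IF="${WAN_IF:-eth0}"            # assumed: NIC on 172.20.20.0/24, facing the Cisco
LAN_IF="${LAN_IF:-eth1}"            # assumed: NIC on 10.0.0.0/24, address 10.0.0.1

# One forward per line: "port_on_linux_box internal_ip internal_port proto".
# The Cisco must already forward these external ports to 172.20.20.2.
FORWARDS="10000 10.0.0.2 10001 tcp
5900 10.0.0.20 5900 tcp"

# forward_rules: print the iptables arguments for every entry in FORWARDS.
# Per service: a DNAT in nat/PREROUTING, then a FORWARD accept limited to that
# host and port, so the rest of 10.0.0.0/24 stays unreachable from the WAN side.
forward_rules() {
    printf '%s\n' "$FORWARDS" | while read -r ext_port int_ip int_port proto; do
        [ -n "$ext_port" ] || continue
        echo "-t nat -A PREROUTING -i $WAN_IF -p $proto --dport $ext_port -j DNAT --to-destination $int_ip:$int_port"
        echo "-A FORWARD -i $WAN_IF -o $LAN_IF -p $proto -d $int_ip --dport $int_port -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Replies to forwarded sessions; conntrack reverses the DNAT on the way back,
    # so no extra SNAT is needed for this path. Outbound LAN NAT stays in the
    # existing forwarding script.
    echo "-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
}

# preflight: the setting that makes DNAT silently fail on a fresh box.
preflight() {
    if [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" != "1" ]; then
        echo "warning: net.ipv4.ip_forward is not 1; forwarded packets will be dropped" >&2
        return 1
    fi
    return 0
}

# apply_forwards: run every generated rule through iptables.
apply_forwards() {
    preflight || true
    forward_rules | while read -r rule; do
        # word-splitting the rule string into arguments is intended here
        $IPTABLES $rule
    done
}

case "${1:-show}" in
    apply) apply_forwards ;;
    show)  forward_rules ;;
    *)     echo "usage: $0 {apply|show}" >&2; exit 2 ;;
esac
```

Run `show` first and compare the generated lines against what is already in the existing script, since a pre-existing `-P FORWARD DROP` or an earlier blanket rule changes what these accepts mean. The reply path only works if 10.0.0.2 and 10.0.0.20 use 10.0.0.1 as their default gateway; if they still point at the Cisco's old address, replies leave by a different path and the DNAT state never matches.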