Koozali.org: home of the SME Server
Legacy Forums => General Discussion (Legacy) => Topic started by: milend on October 01, 2004, 06:23:54 PM
-
Hi,
I hope I'll get some help from people using "ip_block internet" contrib from Abe Loveless.
I noticed that when I add an IP address to be blocked and leave the time intervals "undefined", then ip_block seems to work fine. It blocks the internet connection for that particular IP permanently.
But if I want to block an IP address only within a specific time interval (for example, from 00:00 AM to 23:55 AM) it does not work.
This may have something to do with the startup error messages from "masq" I found in /var/log/messages
See my previous post here: http://forums.contribs.org/index.php?topic=24335.0
Here are the IP addresses I have put in the list of blocked IPs:
Address          Addr Type  Description  Begin Hour  Begin Minute  End Hour  End Minute  Day
192.168.163.80   ip         none         *           *             *         *           *
192.168.163.65   ip         none         *           *             *         *           *
192.168.163.68   ip         none         0           00            23        55          all
In /etc/init.d/masq I found lines blocking 192.168.163.80 and 192.168.163.65 (with unspecified time intervals), but there were no lines generated for IP=192.168.163.68, which has time intervals.
Is this a bug, or is "ip_block" just not yet implemented to block internet access within a specified time interval?
Thank you all for the help!
-
Well, that package is in beta... so you may have found a bug.
But, to clarify how it works... if you don't specify a time interval, I believe the system updates masq immediately. Otherwise, it updates a cron entry (probably /etc/crontab IIRC) and the next time that interval rolls around, the masq entry will be activated.
So, if your setting is supposed to activate at Midnight... it won't turn up in the masq file until the crontab entry runs at midnight.
Does that make sense, or seem right?
-
Hi,
Here is what I found testing ipblock:
Just for a test I blocked the IP 192.168.163.80 for the time interval from 15:00 to 15:30 from the ipblock server-manager panel.
Then I checked the file /etc/cron.d/ipblock_inet and I found the following entries for the IP address I've blocked:
--------------------
# IPBlock Rule for 192.168.163.80
00 15 * * * root /sbin/iptables -I ipblock_inet -p all -s 192.168.163.80/32 -j LOG --log-prefix "BLOCKED_IP "
00 15 * * * root /sbin/iptables -I ipblock_inet -p all -s 192.168.163.80/32 -j DROP
30 15 * * * root /sbin/iptables -D ipblock_inet -p all -s 192.168.163.80/32 -j LOG --log-prefix "BLOCKED_IP "
30 15 * * * root /sbin/iptables -D ipblock_inet -p all -s 192.168.163.80/32 -j DROP
--------------------
So far everything seems to be OK...
Shortly after 15:00 I checked the output of the command "iptables -L" and found the following 4 lines:
---------------------------------------
Chain ipblock_inet (2 references)
target prot opt source destination
LOG all -- pc-00080.mydomain.com anywhere LOG level warning prefix `BLOCKED_IP '
DROP all -- pc-00080.mydomain.com anywhere
---------------------------------------
So, /etc/cron.d/ipblock_inet has been executed!
But when I restart the system, the output of "iptables -L" no longer contains the above 4 lines.
Instead I found only these 2 lines:
---------------------------------------
Chain ipblock_inet (2 references)
target prot opt source destination
---------------------------------------
It seems to me that the iptables rules do not survive a reboot.
/etc/rc.d/init.d/masq restart also brings iptables back to its initial state, and the changes made by ipblock are gone.
Don't you think the masq templates have to be modified, expanded and masq restarted every time we add/remove an IP address to the blocked list?
-
But when I restart the system, the output of "iptables -L" no longer contains the above 4 lines.
Instead I found only these 2 lines:
---------------------------------------
Chain ipblock_inet (2 references)
target prot opt source destination
---------------------------------------
It seems to me that the iptables rules do not survive a reboot.
/etc/rc.d/init.d/masq restart also brings iptables back to its initial state, and the changes made by ipblock are gone.
That is correct. Since those lines were executed by cron, they are 'temporary'. They will be executed again when the correct time interval rolls around.
However, if you have blocked an IP with no time options, those changes are stored and will return after reboot.
Don't you think the masq templates have to be modified, expanded and masq restarted every time we add/remove an IP address to the blocked list?
That would be ideal, but I couldn't come up with a better way to deal with the scheduling.
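As an added example (not code from the ip_block contrib or from anyone in this thread), the script below reproduces the /etc/cron.d layout milend posted for a timed block, and adds the check the reboot problem calls for: whether the current clock time falls inside a block window, so the LOG/DROP pair can be re-inserted after a reboot or "masq restart" instead of waiting for the next cron run. The chain name ipblock_inet and the rule shape are taken from the thread; the function names, the midnight-wrap handling and the rc.local-style hook are assumptions.

```shell
#!/bin/sh
# Added example: timed ipblock_inet rules and a boot-time re-apply check.
# Assumed helper names; only the chain and rule shape come from the thread.

# min_of_day H M -> minutes since midnight. A leading zero is stripped so
# that "08"/"09" are not read as (invalid) octal by shell arithmetic.
min_of_day() {
    h=${1#0}; m=${2#0}
    echo $(( ${h:-0} * 60 + ${m:-0} ))
}

# in_window BH BM EH EM NOWH NOWM -> prints yes or no.
# A window whose end is not after its begin (e.g. 22:00-06:00) wraps past
# midnight; cron fires the -I at 22:00 and the -D at 06:00 the next day.
in_window() {
    b=$(min_of_day "$1" "$2"); e=$(min_of_day "$3" "$4"); n=$(min_of_day "$5" "$6")
    hit=no
    if [ "$e" -gt "$b" ]; then
        if [ "$n" -ge "$b" ] && [ "$n" -lt "$e" ]; then hit=yes; fi
    elif [ "$n" -ge "$b" ] || [ "$n" -lt "$e" ]; then
        hit=yes
    fi
    echo "$hit"
}

# ipblock_cron_entries IP BH BM EH EM -> the /etc/cron.d/ipblock_inet lines:
# insert LOG then DROP at the begin time, delete both at the end time.
ipblock_cron_entries() {
    ip=$1; bh=$2; bm=$3; eh=$4; em=$5
    m="ipblock_inet -p all -s $ip/32"
    echo "# IPBlock Rule for $ip"
    echo "$bm $bh * * * root /sbin/iptables -I $m -j LOG --log-prefix \"BLOCKED_IP \""
    echo "$bm $bh * * * root /sbin/iptables -I $m -j DROP"
    echo "$em $eh * * * root /sbin/iptables -D $m -j LOG --log-prefix \"BLOCKED_IP \""
    echo "$em $eh * * * root /sbin/iptables -D $m -j DROP"
}

# reapply_if_active IP BH BM EH EM [NOWH NOWM] -> prints the two iptables
# commands to run when the clock is inside the window, nothing otherwise.
# Meant to be piped into sh from a boot hook that runs after masq has
# rebuilt the (empty) ipblock_inet chain; defaults to the current time.
reapply_if_active() {
    nh=${6:-$(date +%H)}; nm=${7:-$(date +%M)}
    if [ "$(in_window "$2" "$3" "$4" "$5" "$nh" "$nm")" = yes ]; then
        m="ipblock_inet -p all -s $1/32"
        echo "/sbin/iptables -I $m -j LOG --log-prefix \"BLOCKED_IP \""
        echo "/sbin/iptables -I $m -j DROP"
    fi
}
```

Running `reapply_if_active 192.168.163.80 15 00 15 30` at 15:10 prints the two insert commands; at 16:00 it prints nothing, matching the empty chain milend saw after reboot.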