-1

Is there any chance to configure iptables in a way that it allows a machine to be online for, let's say, one hour per day? The time module can do this only in a way like "from ... until ..." but I need a more flexible solution. The machine could be online 30 minutes in the morning and then again 30 minutes in the evening, but I don't find any way. Do I really have to write a script for that?

Vadim Kotov

1 Answer

0

The problem is that you need a way of detecting when the machine is online and when it goes offline. A machine is not always continuously present, so there needs to be some buffer to account for an online session of the machine.

I take it that the machine you want to limit is not the machine on which you want to install the iptables rule? In that case, you need to detect the session (by inspecting logs on the monitor machine?) and continuously (every minute, using cron?) check whether the client machine has surpassed its allotted time.

  • You're right ... the firewall is a standalone machine. While reading your answer I thought about using a VPN connection from the client to the firewall. I could count the time by cron but I know my son. He just forgets to terminate the connection and time is ticking away. – Johannes Brunner Jun 09 '17 at 08:57
  • Apparently `iptables` allows a logging rule as well. In the example from the Ubuntu wiki for Iptables: `sudo iptables -I INPUT 5 -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7`. You could set the log limit for connections to 1 per minute and log timestamps. Then it's a matter of counting the lines in the log file, for a given day (you could say that a single request is _worth_ a minute). Depending on the result, (dis)able the connection for the machine. Seems to be an easy way of going about it, not too much effort. – Joachim Nielandt Jun 09 '17 at 13:00
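
The log-counting approach from the last comment, sketched as an added example that is not part of the original thread: it counts the distinct minutes in which the client produced a LOG line today and adds or removes a DROP rule accordingly. The client address, log prefix, log file path and the choice of the FORWARD chain are assumptions, and the log lines are constructed.

```shell
#!/bin/sh
# Added example. Assumed names: CLIENT_IP, PREFIX, LOG, QUOTA_MIN.
# Assumed LOG rule on the firewall, built from the flags quoted in the comment:
#   iptables -I FORWARD -s 192.168.1.50 -m limit --limit 1/min \
#            -j LOG --log-prefix "quota-client: "
CLIENT_IP="192.168.1.50"         # constructed address of the limited machine
PREFIX="quota-client: "          # hypothetical log prefix
LOG="${LOG:-/var/log/kern.log}"  # assumed location of kernel log lines
QUOTA_MIN="${QUOTA_MIN:-60}"     # minutes allowed per day

# Count distinct HH:MM values on one syslog date ("Jun  9") that carry the
# prefix. Distinct minutes, not lines: the limit match allows a burst, so
# several lines can land in the same minute.
minutes_used() {  # $1 = log file, $2 = syslog date
    awk -v day="$2" -v pfx="$PREFIX" '
        substr($0, 1, 6) == day && index($0, pfx) { seen[substr($0, 8, 5)] = 1 }
        END { n = 0; for (m in seen) n++; print n }' "$1"
}

# "block" once the quota is used up, otherwise "allow".
decide() {  # $1 = minutes used, $2 = quota
    if [ "$1" -ge "$2" ]; then echo block; else echo allow; fi
}

# Add or remove the DROP rule; -C keeps the insert idempotent.
enforce() {  # $1 = block|allow
    if [ "$1" = block ]; then
        iptables -C FORWARD -s "$CLIENT_IP" -j DROP 2>/dev/null ||
            iptables -I FORWARD -s "$CLIENT_IP" -j DROP
    else
        iptables -D FORWARD -s "$CLIENT_IP" -j DROP 2>/dev/null || true
    fi
}

# Constructed sample log: 3 active minutes on Jun  9 (08:01 appears twice),
# one line from another day, one line without the prefix.
sample_log() {
    cat <<'EOF'
Jun  8 21:15:02 fw kernel: quota-client: IN=eth1 OUT=eth0 SRC=192.168.1.50
Jun  9 08:01:03 fw kernel: quota-client: IN=eth1 OUT=eth0 SRC=192.168.1.50
Jun  9 08:01:41 fw kernel: quota-client: IN=eth1 OUT=eth0 SRC=192.168.1.50
Jun  9 08:02:03 fw kernel: quota-client: IN=eth1 OUT=eth0 SRC=192.168.1.50
Jun  9 12:30:00 fw kernel: iptables denied: IN=eth0 SRC=203.0.113.7
Jun  9 19:45:10 fw kernel: quota-client: IN=eth1 OUT=eth0 SRC=192.168.1.50
EOF
}

# Run from cron every minute as root with the argument --enforce.
if [ "${1:-}" = "--enforce" ]; then
    today=$(LC_ALL=C date '+%b %e')
    enforce "$(decide "$(minutes_used "$LOG" "$today")" "$QUOTA_MIN")"
fi
```

Because the count is keyed on the syslog date, the quota resets at midnight and the next cron run removes the DROP rule again.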