Hi all. I need som help.I want to block all outbound traffic from my green network, and only allow one or more specific PCs to access the intenet. I search in Google but i found this (for SmootWall)
#allow outgoing traffic from these PCs
iptables -A FORWARD -p ALL -i $GREEN_DEV -s 192.168.0.3 -j ACCEPT
iptables -A FORWARD -p ALL -i $GREEN_DEV -s 192.168.0.4 -j ACCEPT
# block all other outgoing traffic
iptables -A FORWARD -p ALL -i $GREEN_DEV -s 0/0 -j DROP
You need to make changes to your rc.local file which is located in the following directory /etc/rc.d/
Add the following commands after the line containing "#!/bin/sh"
# Flush Custom Input Rules
/sbin/iptables -F CUSTOMINPUT
/sbin/iptables -F CUSTOMFORWARD
#allow full access for specific IPs
#allow 192.168.0.3 and 192.168.0.4
/sbin/iptables -A CUSTOMFORWARD -i $GREEN_DEV -s 192.168.0.3 -o $RED_DEV -j ACCEPT
/sbin/iptables -A CUSTOMFORWARD -i $GREEN_DEV -s 192.168.0.4 -o $RED_DEV -j ACCEPT
#bar access for all other IPs
/sbin/iptables -A CUSTOMFORWARD -i $GREEN_DEV -s 0/0 -o $RED_DEV -j DROP
The above rules simply block direct access for all clients, but makes an exception for 192.168.0.3 and 192.168.0.4.
After editing rc.local, you can run it by typing "/etc/rc.d/rc.local".
A couple of comments on the differences between the above code and the commands you found on Google:
1. The CUSTOMFORWARD, CUSTOMINPUT and CUSTOMOUTPUT chains are linked to the default FORWARD, INPUT and OUTPUT chains respectively. In addition, rules setup in the Port Forwarding and External Access GUI sections are stored in the PORTFWACCESS and XTACCESS chains respectively. XTACCESS is linked to the INPUT chain while PORTFWACCESS is linked to the FORWARD chain.
This is why it is best to make any changes to rc.local, and only to the CUSTOM* chains as these have been linked to the respective default chains in the rc.firewall file. There will also be less chance of conflicts between your custom rules and any rules setup via the GUI.
2. You will notice that my commands include references to the RED interface whereas the "Google" ones don't. The effect is that my commands only control access from the Green Network to the Red interface i.e. the internet path. Therefore devices in the Green network will still be able to access devices in the DMZ or Blue (Wireless network). The other set of commands will simply prevent any packets from leaving the Green network. If that is what you want simply remove "-o $RED_DEV" from the commands in my code.
3. If your RED interface is actually an modem (ADSL or cable) rather than an actual network card, you will need to replace changing the "$RED_DEV" entries with "ppp0".
1. Starting with the easiest method. If all you're looking for is a method of restricting the bandwidth for a particular type of traffic that uses a fixed port, you can use the Traffic Shaping tool from the GUI. Note that this controls the bandwidth for all users using that particular port. You can access this through the Services\Traffic Shaping Menu.
2. If you really want to do this by user, you can use a feature in Squid called delay pools. The default build of Squid that comes with IPCOP comes with this option enabled. You will need to add some lines to your /var/ipcop/proxy/acl file:
Then click on the Save button on the Services\Proxy Screen to transfer the new settings to your squid.conf file.
The above commands limit the host with IP 192.168.0.3 to 64 kps when using protocols that are serviced by squid i.e. http, ftp. This will however not block file-sharing applications that use other ports.
Note that any machines that have been given access via iptables commands in your rc.local file will not be affected.
However, I think with a combination of IPtables (via rc.local), Traffice Shaping (via the GUI) and Squid you should be able to get some kind of control.
There are other methods of controlling bandwidth, but they usually involve installing additional modules to your IPCOP.
Let us know if any of the above is unclear or you need more help. Also anyone who knows how this could be done directly via iptables, please jump in and help!!
I understand that CBQ or HTB will do the job, but as I have not used them before I can't give you the exact commands. Also as they do not come installed on IPCOP you will have to install them.
I have looked more closely at the traffic shaping in IPCOP and it is based on
. I also noticed an error in one of my previous posts. The Traffic Shaping service in IPCOP does not control the bandwidth for each port/protocol. It only affects the latency. So you could assign interactive traffic like SSH, VNC a high priority and P2P applications or bulk downloads a low priority. I know this may not be ideal as you still can't control by user. The other option is to look into CBQ or HTB. Sorry I can't be more helpful but if I come across anything, I'll update the thread.
Any experts on QoS/Traffic Shaping, please help!!!