TOPIC: IpCop help

IpCop help 11 years 2 months ago #10135

  • stanyo
Hi all. I need some help. I want to block all outbound traffic from my green network and only allow one or more specific PCs to access the internet. I searched Google but found this (for SmoothWall):


#allow outgoing traffic from these PCs
iptables -A FORWARD -p ALL -i $GREEN_DEV -s 192.168.0.3 -j ACCEPT
iptables -A FORWARD -p ALL -i $GREEN_DEV -s 192.168.0.4 -j ACCEPT
# block all other outgoing traffic
iptables -A FORWARD -p ALL -i $GREEN_DEV -s 0/0 -j DROP

How do I make it work? Sorry for my bad English.

Re: IpCop help 11 years 2 months ago #10140

  • DaLight
You need to make changes to your rc.local file, which is located in the directory /etc/rc.d/.

Add the following commands after the line containing "#!/bin/sh"
[code:1]
# Load GREEN_DEV and RED_DEV from the IPCop interface settings;
# rc.local does not set them, so the rules below would otherwise have empty interface names
eval $(/usr/local/bin/readhash /var/ipcop/ethernet/settings)

# Flush the custom chains so re-running rc.local does not append duplicate rules
/sbin/iptables -F CUSTOMINPUT
/sbin/iptables -F CUSTOMFORWARD

#allow full access for specific IPs
#allow 192.168.0.3 and 192.168.0.4
/sbin/iptables -A CUSTOMFORWARD -i $GREEN_DEV -s 192.168.0.3 -o $RED_DEV -j ACCEPT
/sbin/iptables -A CUSTOMFORWARD -i $GREEN_DEV -s 192.168.0.4 -o $RED_DEV -j ACCEPT

#bar access for all other IPs (must stay after the ACCEPT rules: iptables matches in order)
/sbin/iptables -A CUSTOMFORWARD -i $GREEN_DEV -s 0/0 -o $RED_DEV -j DROP
[/code:1]

The above rules simply block direct access for all clients, but make an exception for 192.168.0.3 and 192.168.0.4.

After editing rc.local, you can run it by typing "/etc/rc.d/rc.local".

A couple of comments on the differences between the above code and the commands you found on Google:

1. The CUSTOMFORWARD, CUSTOMINPUT and CUSTOMOUTPUT chains are linked to the default FORWARD, INPUT and OUTPUT chains respectively. In addition, rules setup in the Port Forwarding and External Access GUI sections are stored in the PORTFWACCESS and XTACCESS chains respectively. XTACCESS is linked to the INPUT chain while PORTFWACCESS is linked to the FORWARD chain.

This is why it is best to make any changes to rc.local, and only to the CUSTOM* chains as these have been linked to the respective default chains in the rc.firewall file. There will also be less chance of conflicts between your custom rules and any rules setup via the GUI.

2. You will notice that my commands include references to the RED interface whereas the "Google" ones don't. The effect is that my commands only control access from the Green Network to the Red interface i.e. the internet path. Therefore devices in the Green network will still be able to access devices in the DMZ or Blue (Wireless network). The other set of commands will simply prevent any packets from leaving the Green network. If that is what you want simply remove "-o $RED_DEV" from the commands in my code.

3. If your RED interface is actually a modem (ADSL or cable) rather than a network card, you will need to replace the "$RED_DEV" entries with "ppp0".
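A fuller version of the rc.local approach in the post above, written as an added example for this thread rather than code from the original post or from the IPCop project. It assumes the IPCop 1.4 layout: /var/ipcop/ethernet/settings holds GREEN_DEV and RED_DEV in KEY=value form readable by /usr/local/bin/readhash, /var/ipcop/red/iface holds the name of the live RED interface (ppp0 on a modem link, so the special case in point 3 is handled without editing the script), and rc.firewall has linked CUSTOMFORWARD into FORWARD. The allow-list addresses are constructed sample values; the script prints the rules with "show" so you can review them before "apply" runs them.

```shell
#!/bin/sh
# Added example for the thread above, not code from the original posts or from IPCop.
# Assumptions: IPCop 1.4 readhash + /var/ipcop/ethernet/settings, /var/ipcop/red/iface,
# and a CUSTOMFORWARD chain already hooked into FORWARD by rc.firewall.

ALLOWED_HOSTS="192.168.0.3 192.168.0.4"   # constructed sample allow-list
IPTABLES="${IPTABLES:-/sbin/iptables}"
RED_IFACE_FILE="${RED_IFACE_FILE:-/var/ipcop/red/iface}"
SETTINGS_FILE="${SETTINGS_FILE:-/var/ipcop/ethernet/settings}"

# Accept only dotted-quad IPv4 addresses with octets 0..255; a typo here would
# otherwise become an iptables error or a rule that silently matches nothing.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for octet in $(echo "$1" | tr '.' ' '); do
        [ "$octet" -le 255 ] || return 1
    done
}

# Live RED interface name (ppp0 on PPPoE/PPTP), falling back to RED_DEV from
# the ethernet settings when the iface file is absent. $1 overrides the path.
red_iface() {
    live=$(cat "${1:-$RED_IFACE_FILE}" 2>/dev/null | tr -d '\012')
    if [ -n "$live" ]; then echo "$live"; else echo "${RED_DEV:-}"; fi
}

# Print the iptables commands: flush, one ACCEPT per allowed host, final DROP.
# $1 green device, $2 red device, $3 space-separated allowed source addresses.
egress_rules() {
    green="$1"; red="$2"; hosts="$3"
    [ -n "$green" ] && [ -n "$red" ] || { echo "egress_rules: unknown interface" >&2; return 1; }
    echo "$IPTABLES -F CUSTOMFORWARD"
    for h in $hosts; do
        valid_ipv4 "$h" || { echo "egress_rules: bad address $h" >&2; return 1; }
        echo "$IPTABLES -A CUSTOMFORWARD -i $green -s $h -o $red -j ACCEPT"
    done
    # Order matters: this catch-all must follow the ACCEPTs. Remove "-o $red"
    # to block green hosts from DMZ/Blue as well (point 2 in the post above).
    echo "$IPTABLES -A CUSTOMFORWARD -i $green -o $red -j DROP"
}

# "show" prints the rules, "apply" executes them; no argument does nothing, so
# the functions can be sourced from rc.local and called from there.
case "${1:-}" in
    show|apply)
        eval "$(/usr/local/bin/readhash "$SETTINGS_FILE")"
        rules=$(egress_rules "$GREEN_DEV" "$(red_iface)" "$ALLOWED_HOSTS") || exit 1
        if [ "$1" = apply ]; then echo "$rules" | sh; else echo "$rules"; fi
        ;;
esac
```

Run it as `sh green-egress.sh show` first and check that the interface names are the ones you expect (an empty RED name means neither the iface file nor RED_DEV was found), then `sh green-egress.sh apply` or call the functions from rc.local.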

Re: IpCop help 11 years 2 months ago #10148

  • stanyo
Thanks DaLight, it works. I have one more question. How do I set a speed limit for some IPs in the green network?

Re: IpCop help 11 years 2 months ago #10181

  • DaLight
There are a number of ways of going about this.

1. Starting with the easiest method. If all you're looking for is a method of restricting the bandwidth for a particular type of traffic that uses a fixed port, you can use the Traffic Shaping tool from the GUI. Note that this controls the bandwidth for all users using that particular port. You can access this through the Services\Traffic Shaping Menu.

2. If you really want to do this by user, you can use a feature in Squid called delay pools. The default build of Squid that comes with IPCOP comes with this option enabled. You will need to add some lines to your /var/ipcop/proxy/acl file:

# match a single host: a /255.255.255.0 mask here would throttle the whole subnet
acl slowhost src 192.168.0.3/255.255.255.255
delay_pools 1
delay_class 1 1
delay_access 1 allow slowhost
delay_access 1 deny all
delay_parameters 1 8000/8000 # 64 kbits == 8 kbytes per second

Then click on the Save button on the Services\Proxy Screen to transfer the new settings to your squid.conf file.

The above commands limit the host with IP 192.168.0.3 to 64 kbps when using protocols that are serviced by squid, i.e. http, ftp. This will however not block file-sharing applications that use other ports.

Note that any machines that have been given access via iptables commands in your rc.local file will not be affected.

However, I think with a combination of IPtables (via rc.local), Traffic Shaping (via the GUI) and Squid you should be able to get some kind of control.

There are other methods of controlling bandwidth, but they usually involve installing additional modules to your IPCOP.

Let us know if any of the above is unclear or you need more help. Also anyone who knows how this could be done directly via iptables, please jump in and help!!
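The delay-pool fragment in the post above caps one host. To give several green hosts their own independent budget, Squid's class 2 pool (one aggregate bucket plus one bucket per client address) is the shape you want, and the generator below emits it. This is an added example for this thread, not code from the original post or from the IPCop or Squid projects; it assumes the Squid 2.x delay_pools syntax shipped with IPCop 1.4, that Squid was built with delay pools enabled as DaLight states, and that its output is appended to /var/ipcop/proxy/acl and then saved from the Proxy page as described above. Host addresses and rates are constructed sample values.

```shell
#!/bin/sh
# Added example, not from the original posts or from the IPCop/Squid projects.
# Emits a Squid 2.x class-2 delay pool: unlimited aggregate, per-host cap.

# delay_parameters take bytes per second. The thread's "64 kbits == 8000 B/s"
# uses 1000-based kilobits, so the same convention is kept here.
kbit_to_bytes() {
    echo $(( $1 * 1000 / 8 ))
}

# $1: space-separated client addresses, $2: per-host limit in kbit/s.
# Every address gets a /32 mask; a /24 mask would throttle the whole green subnet.
delay_pool_config() {
    hosts="$1"; kbps="$2"
    [ -n "$hosts" ] && [ "$kbps" -gt 0 ] 2>/dev/null || { echo "delay_pool_config: bad arguments" >&2; return 1; }
    bytes=$(kbit_to_bytes "$kbps")
    acl=""
    for h in $hosts; do acl="$acl $h/32"; done
    echo "acl slowhosts src$acl"
    echo "delay_pools 1"
    # class 2 = one aggregate bucket for the whole ACL plus one bucket per host,
    # so each slow host gets its own budget instead of sharing a single one
    echo "delay_class 1 2"
    echo "delay_access 1 allow slowhosts"
    echo "delay_access 1 deny all"
    # aggregate restore/max of -1/-1 means "no aggregate limit";
    # the individual pair is refill rate and bucket size in bytes per second
    echo "delay_parameters 1 -1/-1 $bytes/$bytes"
}

# Usage: sh squid-delay.sh >> /var/ipcop/proxy/acl, then Save on Services\Proxy
[ "${1:-}" = show ] && delay_pool_config "192.168.0.3 192.168.0.4" 64
```

The pool only shapes traffic that actually passes through Squid; as DaLight notes, clients that bypass the proxy (or protocols Squid does not handle) are unaffected, which is why the iptables allow-list and the proxy settings have to be considered together.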

Re: IpCop help 11 years 2 months ago #10195

  • stanyo
Actually I want to limit torrent and DC++ applications more. I searched the internet and understand that I must use cbq.init or htb.init.
Is this correct?

DaLight thanks for patience

Re: IpCop help 11 years 2 months ago #10208

  • DaLight
I understand that CBQ or HTB will do the job, but as I have not used them before I can't give you the exact commands. Also as they do not come installed on IPCOP you will have to install them.

I have looked more closely at the traffic shaping in IPCOP and it is based on WonderShaper. I also noticed an error in one of my previous posts. The Traffic Shaping service in IPCOP does not control the bandwidth for each port/protocol. It only affects the latency. So you could assign interactive traffic like SSH, VNC a high priority and P2P applications or bulk downloads a low priority. I know this may not be ideal as you still can't control by user. The other option is to look into CBQ or HTB. Sorry I can't be more helpful but if I come across anything, I'll update the thread.

Any experts on QoS/Traffic Shaping, please help!!!