13

I want one of the users (not in the sudoers list) to have Internet access from 14:00 until 16:00 and from 17:00 until 18:30. Is it possible? Can I set different time intervals for different week days?

Braiam
cupakob
  • You'd be best doing this at a router or gateway control level, rather than at the system itself... as far as I know, there's no easy system within Ubuntu to restrict internet access at the user level. – Thomas Ward Jun 09 '11 at 18:43
  • When I make it on router level, then all users will be restricted... – cupakob Jun 09 '11 at 18:54
  • Afaik (and I've been looking for a solution to this since 9.04), there are no software solutions for this. Granted, on my nets, there's only one user per computer, and they all connect via a server box that acts as the gateway. That box has a crontab that blocks all internet access on that system then removes it at a later time; subsequently it also runs at different times each day. Out of curiosity, why do you need to restrict access to that strict a time period, and why do you need to do it by user? – Thomas Ward Jun 09 '11 at 18:56
  • I need it by user, because one PC is used by two users. And I want to restrict the access, because the second user must learn much more and not to stay in facebook :) But your idea with the crontab is good... What are you using to block the access? I can make the same for the user, when I block the router :) – cupakob Jun 09 '11 at 19:04
  • My router and my gateway box are separate - as the gateway box assigns a static address (and thus handles the data) from the other boxes, I use iptables to block the static-assigned private IP address from sending outbound or inbound data, which thus blocks ALL internet traffic to the box. The crontabs each use their own iptables command in order to remove items on a schedule. It is an imperfect system, because I could just buy a router that works better :P – Thomas Ward Jun 09 '11 at 19:07
  • Ooops I ran out of space :P Here's my question - if it's one system, you physically can't have two people using the system simultaneously. So why worry about user-based blocking? (And I assume the user being blocked is a younger student, say middle-school aged; hence the parental-control-like restrictions :P) – Thomas Ward Jun 09 '11 at 19:08

2 Answers

8
  1. log in as root:

    sudo su

  2. check the status of your firewall:

    ufw status
    

    if the firewall is inactive, issue:

    ufw enable
    
  3. in order to restrict user wilhelm's internet access on Sundays, Tuesdays, Wednesdays and Fridays to the allowed time intervals (14:00-16:00 & 17:00-18:30):

    iptables -I OUTPUT -p tcp -m owner --uid-owner wilhelm -m time --weekdays Su,Tu,We,Fr --timestart 00:00:01 --timestop 14:00:00 -j DROP 
    iptables -I OUTPUT -p tcp -m owner --uid-owner wilhelm -m time --weekdays Su,Tu,We,Fr --timestart 16:00:00 --timestop 17:00:00 -j DROP 
    iptables -I OUTPUT -p tcp -m owner --uid-owner wilhelm -m time --weekdays Su,Tu,We,Fr --timestart 18:30:00 --timestop 23:59:59 -j DROP 
    

    side note: please note the use of the -I switch rather than the -A switch of the iptables command. The -I switch inserts the aforementioned rules (3.) at the beginning (top) of the OUTPUT rule chain rather than at the bottom of the chain. Placing the manually appended rules on top of the regular firewall policies is important since rules are processed top to bottom. If the topmost rules ACCEPT a packet, the OUTPUT chain is no longer checked for the following rules, which might have DROPped the packet.

  4. please make sure that the rules were indeed properly entered:

    iptables -L OUTPUT
    

    in order to delete an inappropriate rule, say rule No. 1, (1-based count from top of iptables -v -L OUTPUT) issue: iptables -D OUTPUT 1.

  5. save iptables for restoring on the next boot:

    iptables-save > /etc/iptables.rules
    
  6. in /etc/rc.local append the line:

    iptables-restore < /etc/iptables.rules
    

done

--

tested on Ubuntu 11.10 (oneiric), locale: he

Nephente
user56231
  • 1
    Great answer with a perfect solution! But note that all times are interpreted as UTC, so one may have to manually offset them for local time - in my case central european summer time -2 hours. – Precise Penguin Sep 02 '12 at 08:56
  • I did all the steps and they worked (the internet access was limited) but after restarting, the internet was back on. I checked iptables -L OUTPUT and didn't find the rules I added... – Lawand Jun 19 '14 at 00:09
  • 2
    What's the reason you're enabling ufw even though you later use iptables? – balu Jan 12 '18 at 18:06
  • @PrecisePenguin that can be fixed with the --kerneltz option ("Use the kernel timezone instead of UTC") – waldyrious May 30 '18 at 11:32
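
The three DROP rules in the answer above are the complement of the allowed windows, so they can be generated, with one call per set of weekdays when different days need different intervals. This is an added example, not code from the original answer: `blocked_intervals` and `emit_rules` are names assumed here and the Mo,Th,Sa schedule is constructed. The generated rules differ from the answer's in using `--kerneltz` (from the comment above), matching every protocol rather than only TCP, and skipping the loopback interface.

```shell
#!/bin/sh
# Added example: prints iptables commands for review, it does not run them.

# blocked_intervals "HH:MM-HH:MM ..." : print the gaps around the allowed
# windows (sorted, non-overlapping) as "START STOP" pairs, one per line.
blocked_intervals() {
    prev=00:00
    for w in $1; do
        start=${w%-*} stop=${w#*-}
        # A gap exists only if this window does not start where the last ended.
        [ "$start" = "$prev" ] || echo "$prev:00 $start:00"
        prev=$stop
    done
    # Block the rest of the day unless the last window runs to midnight.
    [ "$prev" = 24:00 ] || echo "$prev:00 23:59:59"
}

# emit_rules USER DAYS "WINDOWS" : one DROP rule per blocked interval.
# --kerneltz makes the times local instead of UTC; "! -o lo" leaves
# loopback traffic of the user's local programs alone.
emit_rules() {
    user=$1 days=$2 windows=$3
    blocked_intervals "$windows" | while read -r t0 t1; do
        echo "iptables -I OUTPUT ! -o lo -m owner --uid-owner $user" \
             "-m time --kerneltz --weekdays $days" \
             "--timestart $t0 --timestop $t1 -j DROP"
    done
}

# Schedule from the question and answer.
emit_rules wilhelm Su,Tu,We,Fr "14:00-16:00 17:00-18:30"
# Constructed second schedule, showing different intervals on other days.
emit_rules wilhelm Mo,Th,Sa "15:00-17:00"
```

Review the printed commands, then run them as root; weekdays that appear in no rule stay unrestricted.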
8

You can use iptables's owner extension to block a user from accessing the net, like

 sudo iptables -A OUTPUT -m owner --uid-owner user_you_want_to_block -j REJECT

Now you can use cron to add or remove those rules (which may need a little bit of shell scripting if you already have some iptables rules or want to do it for different users at different times).
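
The shell scripting this answer mentions could look like the following added example, which is not code from the original answer. `IPT`, `rule_spec`, `user_net` and the `/usr/local/sbin/user-net` path are assumed names, and the rule is inserted at the top of OUTPUT, as the side note in the other answer recommends, instead of appended with `-A`.

```shell
#!/bin/sh
# Added example: toggles the answer's REJECT rule; meant to be run by root.
IPT=${IPT:-iptables}

# The match part of the answer's rule, shared by check, insert and delete.
rule_spec() { printf '%s' "-m owner --uid-owner $1 -j REJECT"; }

# user_net block|unblock USER : idempotent, so cron may call it repeatedly.
user_net() {
    action=$1 user=$2
    case $action in
        block)
            # -C tests for the rule; insert at the top only when it is absent.
            $IPT -C OUTPUT $(rule_spec "$user") 2>/dev/null ||
                $IPT -I OUTPUT 1 $(rule_spec "$user") ;;
        unblock)
            # Delete every copy, in case the rule was added more than once.
            while $IPT -C OUTPUT $(rule_spec "$user") 2>/dev/null; do
                $IPT -D OUTPUT $(rule_spec "$user")
            done ;;
        *)
            echo "usage: user_net block|unblock USER" >&2
            return 2 ;;
    esac
}

# Run as a script: user-net block wilhelm
if [ $# -gt 0 ]; then user_net "$@"; fi

# Root crontab for the schedule in the question (cron uses local time;
# 0,2,3,5 = Su,Tu,We,Fr). The @reboot line restores the block after a
# restart, because rules added this way do not survive a reboot.
#   @reboot           /usr/local/sbin/user-net block   wilhelm
#   0  14 * * 0,2,3,5 /usr/local/sbin/user-net unblock wilhelm
#   0  16 * * 0,2,3,5 /usr/local/sbin/user-net block   wilhelm
#   0  17 * * 0,2,3,5 /usr/local/sbin/user-net unblock wilhelm
#   30 18 * * 0,2,3,5 /usr/local/sbin/user-net block   wilhelm
```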