On Sat, Aug 6, 2016 at 3:43 AM Brian <a...@cityscape.co.uk> wrote:
> On Fri 05 Aug 2016 at 15:49:28 +0000, Mark Fletcher wrote:
>
> > On Fri, Aug 5, 2016 at 11:04 PM Brian <a...@cityscape.co.uk> wrote:
> >
> > > Sticking with the idea of using a systemd service file, the script it
> > > runs would check the time and alter the routing table when necessary.
> > > Neither cron nor iptables need come into the picture.
> >
> > Thanks Brian. My thinking was that although this machine won't be on all
> > the time, it will be started and stopped at unpredictable times. I wanted
> > to have a situation where if it is brought up during allowed hours, the
> > internet works. If it is brought up during not-allowed hours, it doesn't,
> > until 9am arrives, at which point it starts working. So if my son gets out
> > of bed at 3am and fires up the computer, he gets nowhere (at least until he
> > figures out how to hack into my own machine and run an ssh session with X
> > forwarding... but if he figures that out without my help I'm almost
> > inclined to reward him by turning a blind eye :-) )
> >
> > Similarly, if he is surfing away on it at 9pm, well by then he is supposed
> > to be at least in the bath if not in bed, so the computer's internet
> > connection sets an example by going to sleep...
> >
> > If he leaves it on, I want it to connect and disconnect automatically at
> > the appropriate times, and if he doesn't, I want it to come up in the right
> > state. If I leave a hole in this that can be exploited without strong
> > technical skills, I'm confident he'll find it...
>
> Without the root password or sudo he should be unable to influence the
> routing. The machine will always come up with a route to the internet
> because you are using DHCP. But that shouldn't last for more than thirty
> seconds if we can get systemd to do its stuff.
>
> We'll forget about a fixed IP. DHCP gets you an address and a default
> route when it boots. Check the latter with 'ip route'.
> You want a default route to the internet between 9am and 9pm but not
> otherwise. Consider this script
>
>   #!/bin/bash
>   while :
>   do
>       # 10# forces decimal, so "08" and "09" from date are not read as
>       # (invalid) octal numbers inside the arithmetic test below
>       HOUR=$((10#$(date +%H)))
>       if ((9 <= HOUR && HOUR <= 21)); then
>           echo "Help with the washing up, tidy your room, make yourself useful."
>       else
>           echo "Have a bath. Go to bed."
>       fi
>       # re-check every 30 seconds so a change of hour is picked up promptly
>       sleep 30
>   done
>
> The first echo line would be replaced with
>
>   ip route add default via <gateway IP> dev <interface>
>
> You need this in the event the machine is left on overnight and the
> second echo line
>
>   ip route del default via <gateway IP> dev <interface>
>
> is in force.
>
> The script would go in /user/local/bin and be run by a systemd service
> file with its Exec directive. You should run the script first and check
> that it does do what you want. Altering the "9" and the "21" will help.
> You probably want a "one-shot" service file. You're ok with devising
> that?
>
> > I could give the box a fixed IP but I have always used DHCP on my local
> > network and don't want to disturb my habits more than necessary for this.
>
> It wasn't an important suggested change.
>
> > Also this would get rid of the need for DHCP but wouldn't get rid of NTP
> > calls, and then I'd get them vomiting all over the logs when they fail to
> > connect. Not a big problem, certainly, but an elegant solution would avoid
> > it.
>
> Have the script stop and start the NTP service. Elegant enough?
>
> > I didn't mention earlier, and I'm not sure if it is relevant, but the
> > computer connects via WiFi to my access point, which is also my network's
> > internet gateway -- with an LFS box between it and the cable modem as a
> > dedicated firewall. I don't trust the non-free firewall in the AP, although
>
> WiFi or cable shouldn't be a concern. Both set up routing in the same way.
>
> > I have left it on. The rest of my network is not to be subject to this 9pm
> > curfew.
> > And I would ideally like connectivity between this machine and the
> > rest of my local network to remain even when the internet is denied to this
> > machine, so I can do remote maintenance when he's not using the machine,
> > for example. If I monkey around with the default routing as you are
> > suggesting, does that have any negative implications for connectivity to
> > the rest of my local network?
>
> It shouldn't do because you will only be adjusting the route to get off
> your network. But that's where testing comes in.
>
> > Finally, I am afraid I did not understand the
> > point you made about how cron can be avoided. If the machine's up when 9pm
> > arrives, I want internet connectivity to die so I can prise him off the
> > computer and get him to bed. In your idea, how can I make that happen
> > without a cron job?
>
> The script run by systemd takes care of what happens at a particular
> time. A cron-only solution is possible but I think the systemd way seems
> more flexible because the script can be adjusted.
>
> You are after an all-or-nothing solution and iptables is intended for
> more finely-grained routing issues. It would probably do the job but
> there is more work involved and it's a bugger to debug if the rules are
> not quite right.

Thanks for this Brian.
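As an added example (my own, not Brian's script or anything from this thread), here is the same approach with the add/del/keep decision separated from the ip(8) calls so it can be checked without root and without touching the routing table. It assumes a constructed placeholder gateway 192.0.2.1 and interface wlan0, and a window of 09:00 up to (not including) 21:00 to match the 9pm cut-off asked for above.

```shell
#!/bin/bash
# Added example, not the thread's script. GATEWAY and IFACE are constructed
# placeholders; the decision logic never calls ip, so it can be dry-tested.
GATEWAY="${GATEWAY:-192.0.2.1}"   # placeholder: your real gateway IP
IFACE="${IFACE:-wlan0}"           # placeholder: your real interface name
START_HOUR=9                      # route exists from 09:00 ...
END_HOUR=21                       # ... up to, but not including, 21:00

# True when HOUR (as printed by `date +%H`) is inside the allowed window.
# The leading zero is stripped so "08"/"09" are never parsed as bad octal.
internet_allowed() {
    local h="${1#0}"
    h="${h:-0}"
    [ "$h" -ge "$START_HOUR" ] && [ "$h" -lt "$END_HOUR" ]
}

# Is a default route via our gateway currently installed?
have_default_route() {
    ip -4 route show default | grep -q "via $GATEWAY dev $IFACE"
}

# Pure decision: given an hour and whether the route exists (yes/no),
# print add, del or keep. Idempotent, so running it every 30 s is harmless.
decide() {
    local hour="$1" has_route="$2"
    if internet_allowed "$hour"; then
        if [ "$has_route" = yes ]; then echo keep; else echo add; fi
    else
        if [ "$has_route" = yes ]; then echo del; else echo keep; fi
    fi
}

# One pass: reconcile the routing table with the current hour (needs root).
apply() {
    local state=no
    have_default_route && state=yes
    case "$(decide "$(date +%H)" "$state")" in
        add) ip route add default via "$GATEWAY" dev "$IFACE" ;;
        del) ip route del default via "$GATEWAY" dev "$IFACE" ;;
    esac
}

# Loop only when invoked as "curfew.sh run", e.g. from an assumed unit file
# with ExecStart=/usr/local/bin/curfew.sh run. systemd's default Type=simple
# suits a script that never exits; Type=oneshot would wait for it to finish.
if [ "${1:-}" = run ]; then
    while :; do apply; sleep 30; done
fi
```

Run `decide 08 yes` or `decide 09 no` by hand to see the plan before enabling the unit; only `apply` changes routes.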