2023-02-22 16:49:54 +00:00
|
|
|
#!/bin/sh
|
|
|
|
# Get DataDir location
|
|
|
|
DATA_DIR="/data"
|
|
|
|
case "$(ubnt-device-info firmware || true)" in
|
|
|
|
1*)
|
|
|
|
DATA_DIR="/mnt/data"
|
|
|
|
;;
|
|
|
|
2*)
|
|
|
|
DATA_DIR="/data"
|
|
|
|
;;
|
|
|
|
3*)
|
|
|
|
DATA_DIR="/data"
|
|
|
|
;;
|
|
|
|
*)
|
|
|
|
echo "ERROR: No persistent storage found." 1>&2
|
|
|
|
exit 1
|
|
|
|
;;
|
|
|
|
esac
|
|
|
|
## ----------------------------------------------------------------------
|
|
|
|
## Script to add/remove time-of-day restrictions on internet access for selected clients.
|
|
|
|
##
|
|
|
|
## Use DHCP reservations to encourage the selected clients to always obtain the same IP address.
|
|
|
|
##
|
|
|
|
## To install:
|
|
|
|
## * Copy this script into ${DATA_DIR}/on_boot.d/, using something like WinSCP or SSH + vi.
|
|
|
|
## * Grant Execute permission: chmod +x ${DATA_DIR}/on_boot.d/iptables_timerestrict.sh
|
|
|
|
## * Run it once, to activate it (crontab entries will keep it active forever after):
|
|
|
|
## Via SSH into UDM shell: ${DATA_DIR}/on_boot.d/iptables_timerestrict.sh
|
|
|
|
##
|
|
|
|
## Notes:
|
|
|
|
## * Changes to firewall rules in the Unifi Network Application will remove your restriction;
|
|
|
|
## re-run this script to re-apply the restriction rule, or wait for the next activation/deactivation hour.
|
|
|
|
## * To apply changes to this script (i.e. new client addresses, or changes to the time of day),
|
|
|
|
## re-run this script manually to apply the updates, or wait for the next activation/deactivation hour.
|
|
|
|
## * When this script activates or deactivates the blocking, it will log to /var/log/messages.
|
|
|
|
## * While the blocking is active, you'll see one "TIMERESTRICT BLOCK: " log message per hour
|
|
|
|
## in /var/log/messages if any blocked clients are attempting to use the internet.
|
|
|
|
##
|
|
|
|
## Caveats:
|
|
|
|
## * No support for wake_minute/sleep_minute - currently this only turns on/off at the top of an hour.
|
|
|
|
## * Assumption exists that sleep_hour is always greater-than wake_hour; i.e., you can't currently
|
|
|
|
## have a blocked time in the middle of the day.
|
|
|
|
## ----------------------------------------------------------------------
|
|
|
|
|
|
|
|
## List all client addresses you'd like to restrict. Separate multiple with spaces.
|
|
|
|
timerestricted_addresses='192.168.1.101 192.168.1.102'
|
|
|
|
|
|
|
|
## Hour of day to remove the restriction.
|
|
|
|
wake_hour=06
|
|
|
|
|
|
|
|
## Hour of day to activate the restriction.
|
|
|
|
sleep_hour=23
|
|
|
|
|
|
|
|
## ----------------------------------------------------------------------
|
|
|
|
## ----------------------------------------------------------------------
|
|
|
|
## ----------------------------------------------------------------------
|
|
|
|
|
|
|
|
myrule="FORWARD -i br0 -j TIMERESTRICT"
|
|
|
|
|
|
|
|
## report on blocks if rule exists
|
|
|
|
iptables -C $myrule 2>/dev/null && iptables -vL TIMERESTRICT | logger
|
|
|
|
|
|
|
|
echo "Setting up timerestrict firewall rules between $sleep_hour:00 and $wake_hour:00"
|
|
|
|
|
|
|
|
## initial setup
|
|
|
|
iptables -N TIMERESTRICT_LOGNDROP 2>/dev/null
|
|
|
|
iptables -F TIMERESTRICT_LOGNDROP 2>/dev/null
|
|
|
|
iptables -A TIMERESTRICT_LOGNDROP -m limit --limit 1/hour --limit-burst 1 -j LOG --log-prefix "TIMERESTRICT BLOCK: "
|
|
|
|
iptables -A TIMERESTRICT_LOGNDROP -j REJECT --reject-with icmp-net-prohibited
|
|
|
|
|
|
|
|
iptables -N TIMERESTRICT 2>/dev/null
|
|
|
|
iptables -F TIMERESTRICT 2>/dev/null
|
|
|
|
for ip in $timerestricted_addresses; do
|
|
|
|
iptables -A TIMERESTRICT -s $ip -j TIMERESTRICT_LOGNDROP
|
|
|
|
done
|
|
|
|
|
|
|
|
myrule="FORWARD -i br0 -j TIMERESTRICT"
|
|
|
|
|
|
|
|
## install or remove rule based on current time and whether the rule already exists
|
|
|
|
if [ $(date +%H) -ge $sleep_hour ]; then
|
|
|
|
logger "TIMERESTRICT: Activating sleep time"
|
|
|
|
iptables -C $myrule 2>/dev/null || iptables -I $myrule
|
|
|
|
elif [ $(date +%H) -ge $wake_hour ]; then
|
|
|
|
logger "TIMERESTRICT: Activating awake time"
|
|
|
|
iptables -C $myrule 2>/dev/null && iptables -D $myrule
|
|
|
|
fi
|
|
|
|
|
|
|
|
## setup cron job to activate/deactivate on time of day
|
|
|
|
echo "00 $sleep_hour * * * $(readlink -f $0)" >/etc/cron.d/iptables_timerestrict
|
|
|
|
echo "00 $wake_hour * * * $(readlink -f $0)" >>/etc/cron.d/iptables_timerestrict
|
|
|
|
## Format: <minute> <hour> <day> <month> <dow> <tags and command>
|
|
|
|
/etc/init.d/crond restart
|
|
|
|
|
|
|
|
echo "Done with firewall rule setup:"
|
|
|
|
echo "-------------------------------------------------------------------"
|
|
|
|
iptables -vL FORWARD | egrep '(Chain|pkts|TIMERESTRICT)'
|
|
|
|
echo ...
|
|
|
|
iptables -vL TIMERESTRICT
|
|
|
|
iptables -vL TIMERESTRICT_LOGNDROP
|
|
|
|
echo
|