How can I limit internet access by time on Linux?
September 3, 2020 3:27 PM

I'd like to turn my wifi off (in Linux) except at specific times of day, and make it at least moderately difficult to turn back on. This is proving surprisingly difficult.

Trying to set this up on computers running Debian derivatives (recent versions of Ubuntu and Mint). My wifi router is shared with other people, so I can't change its settings. This has to be done on the computers.

Tried cron, discovered that it won't run jobs if the computer was turned off at the time they were scheduled for. Installed fcron from source, which seems to address that issue pretty well - it apparently runs any jobs that were missed after the computer turns back on. It's not ideal, but it works well enough for now. So I can schedule commands to turn the wifi on and off, but...

Everything I've tried so far still allows the wifi to be turned on again from the network manager applet. Things I have tried:
- nmcli
- rfkill block/unblock
- ifup / ifdown
- ip link set dev [device] up/down

In every case, I can still click the little "network disconnected" icon and turn wifi back on. If I could figure out a workaround for that or a way to make that icon disappear when the wifi is off, that would suit my needs.

Even if I can turn wifi back on by opening a terminal and running "sudo [command]", that's adequate obfuscation. But having an on switch right there in the GUI is just too easy.

Any ideas?
posted by sibilatorix to Computers & Internet (7 answers total) 1 user marked this as a favorite
 
I encountered a situation where systemd would reconfigure my network interfaces sometimes when I didn't want it to, and I suppressed it in a way that might also work for you. I did this:
cd /usr/sbin
sudo mv NetworkManager NetworkManager.orig
/sbin/init 6
By renaming NetworkManager, systemd could no longer find it, and so could no longer meddle with my networking setup. There is a reboot in there (the "/sbin/init 6" is the reboot) which might or might not be necessary for you (it was necessary for what I was doing). To undo, I would just rename NetworkManager.orig back to NetworkManager and reboot.

So it doesn't exactly solve your problem, but it might be a piece of the puzzle, a way to make the icon temporarily not work, and require manual fiddling around in a shell to make it work again.
posted by smcameron at 4:23 PM on September 3, 2020


Oh, I should add, the above was quite a long time ago, so the details might be different now, but the concept of renaming the executable behind the icon to intentionally break it might still work.
posted by smcameron at 4:25 PM on September 3, 2020


I know you said your Wi-Fi router is shared, but do you have access to the settings at all? Some routers have a timed access control feature, which will allow you to restrict certain devices on your network to certain times of day. This is done by MAC address.
posted by vitout at 4:31 PM on September 3, 2020 [1 favorite]


Best answer: Iptables Restricting Access By Time Of The Day - nixCraft

You can use iptables or whatever firewall stuff is used now (netfilter?). I haven't messed with it in a while.

Just use sudo to add a rule that blocks access to your router during a period of time. You'd have to sudo and remove the rule to get around it.
posted by zengargoyle at 6:06 PM on September 3, 2020


Best answer: You can do this in cron, but instead of setting up a job that runs once to shut down the network and once to start it up again, write one that executes every minute. That job should check the hour and run 'ip link set dev wlan0 down' (or nmcli c $whatever_your_wifi_name_is down, or any number of other ways to slice it) if it's in your no-internet window.

This has the benefit of constantly shutting down the network over and over again rather than just the one time. You can still re-enable it, but one minute later it's down again. It will be so annoying that you might actually give up re-enabling it.

You could combine this with zengargoyle's iptables rules suggestion (it could be part of the same every minute cron job script) so that you'll have to do multiple things to get the network back for less than one minute of uptime.

Now if you're really serious about this you'll set the cron job up under root and give your root credential to a housemate with the stipulation that they change it and won't give you the password unless you hand over $50.

Last, you could set up a second job that also runs every minute, but instead of shutting down the network it tries to ping a remote host. If the ping is successful it sends 100 email messages to your own address reminding you to stay off the network with whatever level of profanity you feel might be influential.

MeMail me if you want direct assistance setting this up ;)
posted by roue at 7:37 PM on September 3, 2020 [2 favorites]
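
The every-minute job roue describes, combined with zengargoyle's iptables suggestion, as an added example that is not code from any poster in this thread. The script path, the interface name wlan0 and the 17:00-21:00 no-internet window are assumptions.

```sh
#!/bin/sh
# wifi-curfew.sh - added example; run as root every minute, e.g. from root's crontab:
#   * * * * * /usr/local/sbin/wifi-curfew.sh enforce
# Assumptions (not from the thread): the script path above, interface wlan0,
# and a no-internet window of 17:00-21:00 local time.
IFACE="${IFACE:-wlan0}"
BLOCK_START="${BLOCK_START:-1700}"   # HHMM, inclusive
BLOCK_STOP="${BLOCK_STOP:-2100}"     # HHMM, exclusive

# in_block_window HHMM: succeeds when HHMM falls inside the window.
# A leading "1" is prepended so values such as 0830 compare as plain decimals.
# Windows that wrap past midnight (e.g. 2200-0600) are handled.
in_block_window() {
    now="1$1"; start="1$BLOCK_START"; stop="1$BLOCK_STOP"
    if [ "$start" -le "$stop" ]; then
        [ "$now" -ge "$start" ] && [ "$now" -lt "$stop" ]
    else
        [ "$now" -ge "$start" ] || [ "$now" -lt "$stop" ]
    fi
}

# Insert the REJECT rule only if it is missing, so repeated runs do not
# stack duplicate rules. ip6tables is included so IPv6 is covered as well.
block_traffic() {
    for fw in iptables ip6tables; do
        "$fw" -C OUTPUT -o "$IFACE" -j REJECT 2>/dev/null ||
            "$fw" -I OUTPUT 1 -o "$IFACE" -j REJECT
    done
    ip link set dev "$IFACE" down
}

# Delete the rule if present and bring the link back up.
allow_traffic() {
    for fw in iptables ip6tables; do
        if "$fw" -C OUTPUT -o "$IFACE" -j REJECT 2>/dev/null; then
            "$fw" -D OUTPUT -o "$IFACE" -j REJECT
        fi
    done
    ip link set dev "$IFACE" up
}

enforce() {
    if in_block_window "$(date +%H%M)"; then block_traffic; else allow_traffic; fi
}

# Only touch the network when asked to, so the file can be sourced safely.
if [ "${1:-}" = "enforce" ]; then enforce; fi
```

Because the REJECT rule lives in the OUTPUT chain, re-enabling wifi from the applet brings the link up but traffic stays blocked until the rule is removed with sudo, and the next run puts it back.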


Response by poster: Thanks for the answers! I think between iptables and running cron jobs every minute, this should work quite well! Still getting the rules sorted out, but I'll try to remember to post my crontab when it's done. (-:
posted by sibilatorix at 3:29 PM on September 7, 2020


If your timeframe is static, the iptables rule should be all you need... i.e. 'M-F 17:00-21:00 REJECT' sort of thing. If you're thinking of something more dynamic and off the cuff and are considering cron, you might want to also check out the 'at' command.

Ages ago (2010 it seems) I ported the Mac app SelfControl to Linux (Ubuntu/Debian) which was the same sort of thing but just for the particular website sort of thing. "no Facebook for 3 hours" sort of thing. I'd create the rules to block a site with iptables and hosts file, then add an 'at' job that would undo those changes once the time limit had expired.

I'm not sure if iptables had that time function yet, or if I just thought it was too much trouble. I gave up on SelfControl when Ubuntu went to Unity and they botched up their dnsmasq configuration and really my worst mistake was trying to make a desktop GUI app in the first place for a trivially simple CLI thing.

Anyways, it seems you're on the right track but you might be able to use 'at' for a one-time thing vs the 1-minute cron thing.
posted by zengargoyle at 12:07 AM on September 8, 2020

