LinuxQuestions.org
Old 12-03-2016, 11:29 PM   #1
fabioca
LQ Newbie
 
Registered: Sep 2015
Posts: 13

Help with iptables kerneltz: how to set kernel time zone?


My goal is to set some iptables time zone rules based on local time, which, although it seems to me an obvious use case for time-based rules, seems not so easy to implement.

The iptables extensions manual explains the issues with using the option kerneltz, which refers to the "kernel time zone", and warns that many distributions will fail to set it or maintain it properly. In fact, in my case, using it seems to make no difference compared to not using it, i.e. my filter rules always act with respect to UTC.

I run Linux Arch and I have full control of my system (i.e. I can run any custom-made init or cron script I want), but I do not understand how to properly set this "kernel time zone", so that my iptables rules may work correctly.

I read the hwclock user guide and found an option --systz which might be what I need, but I feel I don't have a good understanding of the distinction between the various times existing on the system to use it safely.

If I understand correctly, there are 3 times:
- system time and time zone (manipulated via the date command)
- CMOS time (manipulated via the hwclock command)
- kernel time and timezone

1) How can I access and manipulate the kernel time and time zone?
2) I use ntp, to keep the system time up to date. What is the most recommended setup with respect to the other 2 times?

Last edited by fabioca; 12-04-2016 at 08:37 AM.
 
Old 12-05-2016, 11:06 AM   #2
tronayne
Senior Member
 
Registered: Oct 2003
Location: Northeastern Michigan, where Carhartt is a Designer Label
Distribution: Slackware 32- & 64-bit Stable
Posts: 3,541

There are two clocks on your system, the hardware clock (run by the CMOS battery when the system is turned off) and the system clock (which is software run by kernel interrupts).

Typically, the system clock is set by the hardware clock at boot and, on system shutdown, the system clock time is written to the hardware clock.

Also typically, the system clock is kept synchronized by Network Time Protocol (NTP), a daemon that is started during boot (after the system clock is set). NTP synchronizes with either an external time server, referenced back to a so-called "atomic clock", or to a hardware clock on your LAN that uses GPS or radio clock signals (such as, in the US and Canada, WWV). If you're using NTP, you define three Internet pool time servers which NTP evaluates and determines the quality of the servers and chooses the best one (every so often NTP re-evaluates and may throw out one, two or all three pool servers and selects more from the available pool servers, evaluates the best of those and synchronizes to it).

The pool servers are defined in /etc/ntp.conf like this:
Code:
server 0.pool.ntp.org iburst
server 1.pool.ntp.org iburst
server 2.pool.ntp.org iburst
You do not want to specify one of the "atomic" clock servers, that's a no-no.

You also define a "fudge" server, actually your own system clock, to synchronize itself to when there is no Internet available (we had heavy wet snow last night, my satellite dish was covered with it, no signal until I went out and brushed it off and the Internet became available again -- NTP synchronized to the system clock and, when the 'Net came back, it synchronized with the external time servers).

A "fudge" server is defined like this:
Code:
server  127.127.1.0     # local clock
fudge   127.127.1.0 stratum 10
That permits the fall-back when there is no external synchronization available.

You can set your hardware clock to local time, you can also set it to UTC: you are encouraged to set the hardware clock to UTC and set your system clock to your local time zone. Software controls the switch to and from daylight savings time, summer time or whatever it's called where your system lives. The switch dates are known, they're in your system software and you don't have to fiddle with anything.

So, what's kernel time? It's system time, kept synchronized by NTP.

NTP does a great job of keeping everything on time and running smoothly.

So, for your purposes, simply use the time and date utilities (or system calls) to get the current time accurately (if you're using NTP, that is -- otherwise things wander all over the place). What NTP does is nudge your system time into accuracy by slowly (like over a week or two or three) adjusting the value stored in /etc/ntp/drift (that changes the longer NTP runs) to keep things pretty darned close (like a few milliseconds or so).

And, again, when you shut down, the accurate system time is written to the hardware clock and when you boot, the system time is initially set from that and NTP takes over and synchronizes with an external time source and there you go.

Hope this helps some.
 
Old 11-28-2018, 02:55 AM   #3
descendant_command
Senior Member
 
Registered: Mar 2012
Posts: 1,876

This thread is a little old but was top of my search for the same issue as OP.

The system in question is Debian Buster ('testing' at time of post).
HW clock is set to UTC.
'date' command shows system time correctly as local (UTC +13).

The --kerneltz & --utc parameters to the iptables rule BOTH produce rules that fire at UTC time, rather than LOCAL, as would be expected for the first.

After issuing '/sbin/hwclock --hctosys' the --kerneltz parameter works as expected.

Digging a little further unearthed this bug report (https://bugs.debian.org/cgi-bin/bugr...cgi?bug=855203) showing some issues around correctly setting kernel time zone at boot time.

Without wading through that pile, I rather inelegantly "solved" my issue by adding an @reboot system cron entry to run /sbin/hwclock --hctosys
It may at some point become redundant, but it won't hurt in any case.
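
Added example, not part of any post in this thread: a small C check that reads the time zone the kernel itself holds (the value a --kerneltz rule depends on) and compares it with the userland local offset, which is the mismatch described in posts #1 and #3. It assumes Linux with the gettimeofday system call available; the function and enum names are illustrative.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <sys/syscall.h>
#include <sys/time.h>
#include <time.h>
#include <unistd.h>
enum tz_state { TZ_MATCH, TZ_KERNEL_UNSET, TZ_MISMATCH };

/* tz_minuteswest counts minutes WEST of Greenwich; tm_gmtoff counts seconds
 * EAST of UTC, so the expected kernel value is the negated local offset. */
enum tz_state classify_kernel_tz(int kernel_minuteswest, long local_gmtoff_sec)
{
    long expected = -(local_gmtoff_sec / 60);
    if (kernel_minuteswest == expected)
        return TZ_MATCH;
    return kernel_minuteswest == 0 ? TZ_KERNEL_UNSET : TZ_MISMATCH;
}

/* Ask the kernel directly; the raw syscall is used so the result does not
 * depend on how the C library's gettimeofday() wrapper treats the tz argument. */
int read_kernel_minuteswest(int *out)
{
    struct timeval tv;
    struct timezone tz;
    if (syscall(SYS_gettimeofday, &tv, &tz) != 0)
        return -1;
    *out = tz.tz_minuteswest;
    return 0;
}

int main(void)
{
    static const char *verdict[] = {
        "kernel time zone matches local time",
        "kernel time zone is unset (0): --kerneltz rules will match on UTC",
        "kernel time zone differs from the local zone (stale, e.g. after a DST change?)",
    };
    time_t now = time(NULL);
    struct tm local;
    int minuteswest;
    if (!localtime_r(&now, &local) || read_kernel_minuteswest(&minuteswest) != 0) {
        perror("reading time zone");
        return 2;
    }
    enum tz_state s = classify_kernel_tz(minuteswest, local.tm_gmtoff);
    printf("kernel tz_minuteswest=%d, local UTC offset=%+ld min: %s\n",
           minuteswest, local.tm_gmtoff / 60, verdict[s]);
    return s == TZ_MATCH ? 0 : 1;
}
```

The exit status is 0 only when the two agree, so the program can gate the loading of time-based rules at boot. The kernel's value changes only when something sets it, so the check is worth repeating after each daylight-saving change.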
 
All times are GMT -5.