LinuxQuestions.org


tech_soul8 03-18-2012 07:12 AM

iptables time modul
 
Hello folks! I've got Debian Squeeze and I want to block OUTPUT web traffic from 12:00 to 13:00 with iptables. The problem is that the time matching module works only if I specify it with --datestart yy:mm:ddT:hh:mm:ss, and if I specify it just like hh:mm then iptables doesn't match the rule.
For example:

Iptables won't match this rule, and outgoing web traffic is still allowed in the given time range.

iptables -A OUTPUT -p tcp -m state --state NEW -m time --timestart 12:00 --timestop 13:00 -m tcp --dport 80 -j DROP

Iptables matches this rule, and outgoing web traffic is blocked:

iptables -A OUTPUT -p tcp -m state --state NEW -m time --datestart yy:mm:ddT12:00:00 --datestop yy:mm:ddT13:00:00 -m tcp --dport 80 -j DROP

Any help??

eSelix 03-18-2012 07:28 AM

For me it works without --datestart. Show all rules with "iptables -L".

tech_soul8 03-18-2012 09:55 AM

# Generated by iptables-save v1.4.8 on Sun Mar 18 15:53:21 2012
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:firewall-eth0-INPUT - [0:0]
-A INPUT -j firewall-eth0-INPUT
-A FORWARD -j firewall-eth0-INPUT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m state --state NEW -m time --timestart 12:00:00 --timestop 13:00:00 -m tcp --dport 80 -j DROP
-A OUTPUT -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT
-A OUTPUT -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A OUTPUT -p tcp -m state --state NEW -m tcp --dport 110 -j ACCEPT
-A OUTPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A OUTPUT -p tcp -m state --state NEW -m tcp --dport 2049 -j ACCEPT
-A OUTPUT -s 192.168.200.17/32 -d 192.168.200.30/32 -p tcp -m state --state NEW -m tcp --dport 23 -j ACCEPT
-A OUTPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp -j LOG --log-prefix "fw-eth0-out-rejected"
-A OUTPUT -p udp -j LOG --log-prefix "fw-eth0-out-rejected"
-A OUTPUT -j DROP
-A firewall-eth0-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A firewall-eth0-INPUT -i lo -j ACCEPT
-A firewall-eth0-INPUT -p icmp -m icmp --icmp-type any -m limit --limit 3/sec -j ACCEPT
-A firewall-eth0-INPUT -j DROP
COMMIT
# Completed on Sun Mar 18 15:53:21 2012

That's complete iptables config.

eSelix 03-18-2012 05:47 PM

I don't see anything wrong. I tested it on my own PC and it works as expected. Are you sure you tested it on new connections, e.g. after closing all internet browser instances?

I am using iptables v1.4.10 - maybe try updating.

tech_soul8 03-19-2012 08:26 AM

Yes, I tried that. I'll try to update iptables; maybe that is what is causing the problem :-)

tech_soul8 03-19-2012 10:18 AM

Quote:

Originally Posted by eSelix (Post 4630053)
I don't see anything wrong. I tested it on my own PC and it works as expected. Are you sure you tested it on new connections, e.g. after closing all internet browser instances?

I am using iptables v1.4.10 - maybe try updating.

I tried to update iptables using the package manager (aptitude) but there is no newer version than this. My system is up to date! Maybe you're using the sid version; I'm on Debian Squeeze stable.
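The thread ends without a resolution. As an added illustration (not code from the thread or from iptables itself) of one caveat worth checking with the time match: according to the iptables-extensions man page, xt_time compares --timestart/--timestop against UTC unless the rule carries --kerneltz, so on a host whose clock is not UTC the window silently shifts. The simulation below reimplements that comparison; the UTC+1 host timezone and the 12:30 test timestamp are constructed assumptions, not values from the thread.

```python
"""Simulate how the iptables 'time' match evaluates --timestart/--timestop.

Added example, not code from the thread. Per the iptables-extensions man page,
xt_time compares against UTC unless the rule carries --kerneltz. The host
timezone (UTC+1) and the test timestamp below are constructed for illustration.
"""
from datetime import datetime, timedelta, timezone

def parse_hhmmss(text):
    """'12:00' or '12:00:00' -> seconds since midnight, as the time match parses it."""
    parts = [int(p) for p in text.split(":")]
    if not 2 <= len(parts) <= 3:
        raise ValueError(f"bad time: {text!r}")
    parts += [0] * (3 - len(parts))
    h, m, s = parts
    if not (0 <= h < 24 and 0 <= m < 60 and 0 <= s < 60):
        raise ValueError(f"bad time: {text!r}")
    return h * 3600 + m * 60 + s

def time_match(packet_time, timestart, timestop,
               kerneltz=False, host_tz=timezone.utc):
    """Return True if the packet falls inside the daily window (inclusive).

    Without kerneltz the wall clock used is UTC; with it, the host's timezone.
    A window whose stop precedes its start wraps past midnight, as xt_time does.
    """
    wall = packet_time.astimezone(host_tz if kerneltz else timezone.utc)
    now = wall.hour * 3600 + wall.minute * 60 + wall.second
    start, stop = parse_hhmmss(timestart), parse_hhmmss(timestop)
    if start <= stop:
        return start <= now <= stop
    return now >= start or now <= stop   # e.g. 22:00-06:00 spans midnight

# Constructed scenario: host clock is UTC+1 and the admin tests at 12:30 local
# time, expecting the 12:00-13:00 DROP rule from the thread to match.
HOST_TZ = timezone(timedelta(hours=1))
TEST_LOCAL = datetime(2012, 3, 18, 12, 30, tzinfo=HOST_TZ)

def thread_scenario():
    """Evaluate the thread's rule with and without --kerneltz."""
    return {
        "default_utc": time_match(TEST_LOCAL, "12:00", "13:00"),
        "kerneltz": time_match(TEST_LOCAL, "12:00", "13:00", kerneltz=True, host_tz=HOST_TZ),
    }

if __name__ == "__main__":
    for mode, hit in thread_scenario().items():
        print(f"{mode:12s}: {'DROP' if hit else 'no match'}")
```

In default mode the 12:30 local packet is 11:30 UTC and falls outside the window, which is the kind of silent miss to verify with a logging rule before trusting a time-based block.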

