LinuxQuestions.org
Old 03-18-2012, 07:12 AM   #1
tech_soul8
Member
 
Registered: Aug 2011
Posts: 75

Rep: Reputation: Disabled
iptables time module


Hello folks! I've got Debian Squeeze and I want to block OUTPUT web traffic from 12:00 to 13:00 with iptables. The problem is that the time matching module works only if I specify it with --datestart yy:mm:ddT:hh:mm:ss, and if I specify it just like hh:mm then iptables doesn't match the rule.
For example:

Iptables won't match this rule and outgoing web traffic is still allowed in the given time range.

iptables -A OUTPUT -p tcp -m state --state NEW -m time --timestart 12:00 --timestop 13:00 -m tcp --dport 80 -j DROP

Iptables matches this rule and outgoing web traffic is blocked:

iptables -A OUTPUT -p tcp -m state --state NEW -m time --datestart yy:mm:ddT12:00:00 --datestop yy:mm:ddT13:00:00 -m tcp --dport 80 -j DROP

Any help??
 
Old 03-18-2012, 07:28 AM   #2
eSelix
Senior Member
 
Registered: Oct 2009
Location: Wroclaw, Poland
Distribution: Arch, Kubuntu
Posts: 1,263

Rep: Reputation: 316Reputation: 316Reputation: 316Reputation: 316
For me it works without --datestart. Show all rules "iptables -L".
 
Old 03-18-2012, 09:55 AM   #3
tech_soul8
Member
 
Registered: Aug 2011
Posts: 75

Original Poster
Rep: Reputation: Disabled
# Generated by iptables-save v1.4.8 on Sun Mar 18 15:53:21 2012
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:firewall-eth0-INPUT - [0:0]
-A INPUT -j firewall-eth0-INPUT
-A FORWARD -j firewall-eth0-INPUT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m state --state NEW -m time --timestart 12:00:00 --timestop 13:00:00 -m tcp --dport 80 -j DROP
-A OUTPUT -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT
-A OUTPUT -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A OUTPUT -p tcp -m state --state NEW -m tcp --dport 110 -j ACCEPT
-A OUTPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A OUTPUT -p tcp -m state --state NEW -m tcp --dport 2049 -j ACCEPT
-A OUTPUT -s 192.168.200.17/32 -d 192.168.200.30/32 -p tcp -m state --state NEW -m tcp --dport 23 -j ACCEPT
-A OUTPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp -j LOG --log-prefix "fw-eth0-out-rejected"
-A OUTPUT -p udp -j LOG --log-prefix "fw-eth0-out-rejected"
-A OUTPUT -j DROP
-A firewall-eth0-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A firewall-eth0-INPUT -i lo -j ACCEPT
-A firewall-eth0-INPUT -p icmp -m icmp --icmp-type any -m limit --limit 3/sec -j ACCEPT
-A firewall-eth0-INPUT -j DROP
COMMIT
# Completed on Sun Mar 18 15:53:21 2012

That's complete iptables config.
 
Old 03-18-2012, 05:47 PM   #4
eSelix
Senior Member
 
Registered: Oct 2009
Location: Wroclaw, Poland
Distribution: Arch, Kubuntu
Posts: 1,263

Rep: Reputation: 316Reputation: 316Reputation: 316Reputation: 316
I don't see anything wrong. I tested it on my own PC and it works as expected. Are you sure you tested it on new connections, e.g. after closing all internet browser instances?

I am using iptables v1.4.10 - maybe try updating.

Last edited by eSelix; 03-18-2012 at 05:50 PM.
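
The point about new connections, as an added example that is not part of the thread: a simplified first-match model of an excerpt of the OUTPUT chain from post #3, showing that a packet on an already established connection is accepted by the first rule and never reaches the time rule. The function names and the packet dictionary are assumptions made for this illustration; which clock the kernel compares against (UTC or local) is not modelled.

```python
import shlex
from datetime import time

# Excerpt of the OUTPUT chain from post #3; rule numbers below refer to this excerpt.
RULES = """\
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m state --state NEW -m time --timestart 12:00:00 --timestop 13:00:00 -m tcp --dport 80 -j DROP
-A OUTPUT -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A OUTPUT -j DROP
"""

def parse_rule(line):
    """Turn one '-A OUTPUT ...' line into a dict of the options this model understands."""
    tok = shlex.split(line)
    opts = {}
    i = 2  # skip '-A OUTPUT'
    while i < len(tok):
        if tok[i] == "-m":  # the module name itself carries no condition
            i += 2
            continue
        opts[tok[i].lstrip("-")] = tok[i + 1]
        i += 2
    return opts

def matches(rule, pkt, clock):
    """True if every condition present in the rule holds for the packet."""
    if "p" in rule and rule["p"] != pkt["proto"]:
        return False
    if "state" in rule and pkt["state"] not in rule["state"].split(","):
        return False
    if "dport" in rule and int(rule["dport"]) != pkt["dport"]:
        return False
    if "timestart" in rule:  # assumes start <= stop (no wrap past midnight)
        start = time.fromisoformat(rule["timestart"])
        stop = time.fromisoformat(rule["timestop"])
        if not (start <= clock <= stop):
            return False
    return True

def verdict(pkt, clock, rules=RULES):
    """Return (rule_number, target) of the first matching rule in chain order."""
    for n, line in enumerate(rules.splitlines(), 1):
        rule = parse_rule(line)
        if matches(rule, pkt, clock):
            return n, rule["j"]
    return None, "DROP"  # chain policy in the listing is DROP
```

With this model, a NEW connection to port 80 at 12:30 stops at the time rule, while the same packet in state ESTABLISHED is accepted one rule earlier, which is why testing has to be done with fresh connections.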
 
Old 03-19-2012, 08:26 AM   #5
tech_soul8
Member
 
Registered: Aug 2011
Posts: 75

Original Poster
Rep: Reputation: Disabled
Yes, I tried that. I'll try to update iptables, maybe that is what is causing the problem :-)
 
Old 03-19-2012, 10:18 AM   #6
tech_soul8
Member
 
Registered: Aug 2011
Posts: 75

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by eSelix
I don't see anything wrong. I tested it on my own PC and it works as expected. Are you sure you tested it on new connections, e.g. after closing all internet browser instances?

I am using iptables v1.4.10 - maybe try updating.

I tried to update iptables using the package manager (aptitude) but there is no newer version than this. My system is up to date! Maybe you're using the sid version, I'm on Debian squeeze stable
 
  

