iptables packet filtering issue? How does iptables work?
Hi all,
I ran into the following issue in my project. I have added iptables timeout support to my project, but I am having the following problem.
System Firewall: The second rule is not executed when we give different timeouts for the same IP address.
Description / Steps To Reproduce:
1. Try the following command to block a client from 13:00 to 16:00:
iptables -A INPUT -s 10.0.6.191 -m time --kerneltz --datestart 2014-2-11T13 --datestop 2014-2-11T16 -j DROP
2. Try the following command to accept the same client from 13:30 to 14:00:
iptables -A INPUT -s 10.0.6.191 -m time --kerneltz --datestart 2014-2-11T13:30 --datestop 2014-2-11T14 -j ACCEPT
Actual Result:
Only the first rule is executed, i.e. the client IP is blocked from 2/11/2014 13:00 to 2/11/2014 16:00.
The second rule is not executed.
Expected Result:
Since the two rules differ in their timeouts, both rules should be executed, i.e. the client IP should be blocked from 2/11/2014 13:00 to 2/11/2014 13:30 and from 2/11/2014 14:00 to 2/11/2014 16:00. It should be accessible in the time period 2/11/2014 13:00 to 2/11/2014 13:30.
Kindly tell me the cause why the second rule is not executed.
I know it filters the packets, but what makes a packet unique: the IP, the port, or what? My understanding is that once a packet has been processed, iptables will not execute any further rules for the same packet.
But what constitutes a packet for iptables, and how can we tell that this rule is not executed for this reason?
Thanks
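The behaviour described in the post comes from how a chain is traversed: iptables walks the rules of a chain top to bottom, and the first rule whose match conditions are met and whose target is terminating (ACCEPT, DROP, REJECT, ...) decides the packet; rules below it are never consulted for that packet. With the DROP rule appended first, a packet arriving at 13:45 matches the DROP rule (13:00 to 16:00) before the ACCEPT rule (13:30 to 14:00) is ever reached. The fix is ordering, not a different match: the narrower ACCEPT window must sit above the broader DROP, for example by inserting it with `-I INPUT 1` instead of `-A INPUT`. The shell below is an added example, not code from the original post; it prints the corrected commands (they need root and are not executed here) and simulates chain traversal offline with a hypothetical rule table in HHMM form, assuming a chain policy of ACCEPT and modelling xt_time's inclusive `--datestop`.

```shell
#!/bin/sh
# Added example, not from the original post.
# Demonstrates first-match semantics of an iptables chain and the
# rule-ordering fix. Nothing here touches a real firewall.

CLIENT=10.0.6.191   # address from the post

# Rule tables are "start stop target" with times as HHMM integers.
# Constructed for the simulation; they mirror the two posted rules.

# Order as the post added them: DROP was appended first, then ACCEPT.
rules_as_posted() {
    printf '%s\n' "1300 1600 DROP" "1330 1400 ACCEPT"
}

# Corrected order: the narrower ACCEPT window precedes the broad DROP.
rules_fixed() {
    printf '%s\n' "1330 1400 ACCEPT" "1300 1600 DROP"
}

# The iptables commands that produce the corrected order.
# -I INPUT 1 inserts at the top of the chain; -A appends at the bottom.
print_fixed_commands() {
    cat <<EOF
iptables -A INPUT -s $CLIENT -m time --kerneltz --datestart 2014-2-11T13 --datestop 2014-2-11T16 -j DROP
iptables -I INPUT 1 -s $CLIENT -m time --kerneltz --datestart 2014-2-11T13:30 --datestop 2014-2-11T14 -j ACCEPT
EOF
}

# Simulate traversal of a chain for one packet from $CLIENT arriving at
# time $2 (HHMM), using the rule table produced by function $1.
# The first matching rule wins and traversal stops (terminating target);
# if no rule matches, the chain policy applies (assumed ACCEPT -> "POLICY").
# xt_time's --datestop is inclusive, modelled here with -le.
verdict() {
    rulefn=$1
    now=$2
    hit=$($rulefn | while read start stop target; do
        if [ "$now" -ge "$start" ] && [ "$now" -le "$stop" ]; then
            echo "$target"
            break            # terminating target: stop walking the chain
        fi
    done)
    echo "${hit:-POLICY}"
}

# Stand-alone demonstration.
for t in 1315 1345 1430 1700; do
    printf '%s  as posted: %-7s fixed: %s\n' "$t" \
        "$(verdict rules_as_posted "$t")" "$(verdict rules_fixed "$t")"
done
print_fixed_commands
```

After loading the real rules, `iptables -L INPUT -n -v --line-numbers` shows the position of each rule together with its packet counters; if the ACCEPT rule's counter stays at zero during its window while the DROP rule's counter climbs, the DROP rule above it is consuming the packets, which is exactly the symptom in the post.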