LinuxQuestions.org
Old 05-16-2013, 08:00 AM   #1
pradiptart
Member
 
Registered: Sep 2007
Posts: 102

Rep: Reputation: 12
what is the --kerneltz in iptables command.


Hi all,
I am using iptables for my project but am facing some problems, as follows.

1. In iptables 1.4.7

Quote:
iptables -A INPUT -s 10.0.4.247 -m time --datestart 2013-5-16T12 --datestop 2013-5-16T16 -j DROP
or

Quote:
iptables -A INPUT -s 10.0.4.247 -m time --localtz --datestart 2013-5-16T12 --datestop 2013-5-16T16 -j DROP
Output of the date command:

Thu May 16 15:52:11 IST 2013


Both of the commands above are not working, as I am able to ping from 10.0.4.247 to the machine.

Why is this not working? By default it should be --localtz (man page of iptables v1.4.7).

2. In iptables v1.4.12

Quote:
iptables -A INPUT -s 10.0.4.247 -m time --kerneltz --datestart 2013-5-16T12 --datestop 2013-5-16T16 -j DROP
This is working, as I am not able to ping from the IP 10.0.4.247.

Quote:
iptables -A INPUT -s 10.0.4.247 -m time --datestart 2013-5-16T12 --datestop 2013-5-16T16 -j DROP
This rule is by default set to follow the UTC timezone, but the man page shows that the default is --kerneltz. [man page of iptables v1.4.12]

Can anyone tell me what the problem with iptables is? I need to block some IP/port for a specified time duration, but am unable to find what to do.

What is the actual meaning of --kerneltz, and is it safe to use?

Kindly give some answer.

Thanks

Last edited by pradiptart; 05-16-2013 at 08:01 AM.
 
Old 05-16-2013, 10:52 AM   #2
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 27,488

Rep: Reputation: 8122
Quote:
Originally Posted by pradiptart View Post
Hi all,
I am using iptables for my project but am facing some problems, as follows.

1. In iptables 1.4.7
Both of the commands above are not working, as I am able to ping from 10.0.4.247 to the machine. Why is this not working? By default it should be --localtz (man page of iptables v1.4.7).
Again, trying to look things up first is a good idea. That version of iptables interprets time as UTC by default. So, figure out your time zone offset, and adjust the times accordingly. Also, the time is passed as 24 hour time.
Quote:
2. In iptables v1.4.12
This is working, as I am not able to ping from the IP 10.0.4.247. This rule is by default set to follow the UTC timezone, but the man page shows that the default is --kerneltz. [man page of iptables v1.4.12]

Can anyone tell me what the problem with iptables is? I need to block some IP/port for a specified time duration, but am unable to find what to do.
What is the actual meaning of --kerneltz, and is it safe to use?
If you did read the man pages/documentation, you'd have seen what the --kerneltz option is and what it means:
Quote:
Originally Posted by IPTables Docs
Code:
--kerneltz           Work with the kernel timezone instead of UTC
The caveat with the kernel timezone is that Linux distributions may ignore to set the kernel timezone, and instead only set the system time. Even if a particular distribution does set the timezone at boot, it usually does not keep the kernel timezone offset - which is what changes on DST - up to date. ntpd will not touch the kernel timezone, so running it will not resolve the issue. As such, one may encounter a timezone that is always +0000, or one that is wrong half of the time of the year. As such, using --kerneltz is highly discouraged.
And again, you are not running the latest version of iptables.
 
1 members found this post helpful.
Old 05-17-2013, 02:00 AM   #3
pradiptart
Member
 
Registered: Sep 2007
Posts: 102

Original Poster
Rep: Reputation: 12
Thanks for the answer.
I will go with UTC, as I have to use the older version (v1.4.8) of iptables, so there is no use of --kerneltz in that version as it is not present there.

Still, I want to ask whether UTC is fine or not. Is the rule guaranteed to apply, or is there any problem in this version of iptables (v1.4.8)?

Kindly tell.

Thanks
 
Old 05-17-2013, 09:48 AM   #4
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 27,488

Rep: Reputation: 8122
Quote:
Originally Posted by pradiptart View Post
Thanks for the answer.
I will go with UTC, as I have to use the older version (v1.4.8) of iptables, so there is no use of --kerneltz in that version as it is not present there.

Still, I want to ask whether UTC is fine or not.
UTC is just a time...why would it not be 'fine'???
Quote:
Is the rule guaranteed to apply, or is there any problem in this version of iptables (v1.4.8)? Kindly tell.
Kindly go read the documentation, as you've been directed to before. Again, the 1.4.8 is SEVERAL versions behind, so if you're concerned about problems, then UPDATE IT.
 
1 members found this post helpful.
Old 05-22-2013, 06:28 AM   #5
pradiptart
Member
 
Registered: Sep 2007
Posts: 102

Original Poster
Rep: Reputation: 12
Hi,

Thanks for your answer.

I have a problem with iptables v1.4.7, as follows:

Quote:
iptables -A INPUT -s 10.0.4.247 -m time --utc --datestart 2013-5-22T8 --datestop 2013-5-22T11 -j DROP


The above command is not working, as I am able to ping from the source IP.

The output of the time is as follows, in UTC:
# date -u
Wed May 22 10:18:15 UTC 2013

Even though I used UTC, it is still not working in v1.4.7.

I have some dependencies to upgrade to the latest. I have to use the old one.
Is there anything that I am missing, setting any value in the kernel or any config file, before using this utc option?

Kindly give some input.
Thanks

Last edited by pradiptart; 05-22-2013 at 07:36 AM.
 
Old 05-22-2013, 10:12 AM   #6
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 27,488

Rep: Reputation: 8122
Quote:
Originally Posted by pradiptart View Post
Hi,
I have a problem with iptables v1.4.7, as follows:
Code:
iptables -A INPUT -s 10.0.4.247 -m time --utc --datestart 2013-5-22T8 --datestop 2013-5-22T11 -j DROP
The above command is not working, as I am able to ping from the source IP.

The output of the time is as follows, in UTC:
# date -u
Wed May 22 10:18:15 UTC 2013

Even though I used UTC, it is still not working in v1.4.7. I have some dependencies to upgrade to the latest. I have to use the old one. Is there anything that I am missing, setting any value in the kernel or any config file, before using this utc option?
Kindly give some input.
Well, if you have dependencies to upgrade, then UPGRADE THEM. Again, you need to upgrade to the latest version...from what you've posted, you're using THREE different versions on different machines, none of which is the latest, and one of which you upgraded to another old version(???).

And again, did you read the man page?? The --datestart option is NOT specified correctly.
Quote:
Originally Posted by iptables man page
--datestart YYYY[-MM[-DD[Thh[:mm[:ss]]]]]
--datestop YYYY[-MM[-DD[Thh[:mm[:ss]]]]]

Only match during the given time, which must be in ISO 8601 "T"
notation. The possible time range is 1970-01-01T00:00:00 to
2038-01-19T04:17:07.
Do you see anyplace where you specify the minutes and seconds?? Have you tried specifying it? Tried setting just the day and the time separately?
 
1 members found this post helpful.
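
Added example, not part of any post in this thread: reply #2 advises adjusting the window by the time zone offset, and reply #6 points to the full `YYYY-MM-DDThh:mm:ss` form; this bash function does both and prints the rule for review instead of running it. It assumes GNU `date`, that IST in post #1 means UTC+05:30, and the function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example; function names are hypothetical. Requires GNU date (coreutils).

# "YYYY-MM-DD hh:mm:ss" at a numeric UTC offset such as +0530 -> epoch seconds.
to_epoch() { date -u -d "$1 $2" +%s 2>/dev/null; }

# Epoch seconds -> zero-padded YYYY-MM-DDThh:mm:ss in UTC.
to_stamp() { date -u -d "@$1" +%Y-%m-%dT%H:%M:%S; }

# time_rule SRC LOCAL_START LOCAL_STOP OFFSET
# Prints the iptables command for review; it does not run it.
time_rule() {
    local src="$1" offset="$4" start stop min max
    start=$(to_epoch "$2" "$offset") || { echo "bad start: $2" >&2; return 1; }
    stop=$(to_epoch "$3" "$offset")  || { echo "bad stop: $3" >&2; return 1; }
    # Bounds as quoted from the man page excerpt in reply #6.
    min=$(to_epoch "1970-01-01 00:00:00" "+0000")
    max=$(to_epoch "2038-01-19 04:17:07" "+0000")
    if [ "$start" -lt "$min" ] || [ "$stop" -gt "$max" ]; then
        echo "window outside the range the time match accepts" >&2
        return 1
    fi
    if [ "$start" -ge "$stop" ]; then
        echo "start must be before stop" >&2
        return 1
    fi
    # --utc states the interpretation explicitly instead of relying on a
    # default that the thread shows differs between iptables versions.
    printf 'iptables -A INPUT -s %s -m time --utc --datestart %s --datestop %s -j DROP\n' \
        "$src" "$(to_stamp "$start")" "$(to_stamp "$stop")"
}

# Constructed input: the 12:00-16:00 window from post #1, taken as local time at +0530.
time_rule 10.0.4.247 "2013-05-16 12:00:00" "2013-05-16 16:00:00" +0530
```

Comparing the printed stamps against `date -u` on the firewall host shows whether the window is currently open before the rule is loaded.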