6

How to control internet time access for each IP?

How to add time to this rule: iptables -I FORWARD -s 192.168.0.56 -j ACCEPT?

I tried this

iptables -I FORWARD -s 192.168.0.56 -m time --timestart 13:00 --timestop 14:00 -j ACCEPT

and

iptables -I FORWARD -s 192.168.0.56 --match time --weekdays Mon,Tue,Wed,Thu,Fri --timestart 09:00 --timestop 10:00 -j ACCEPT

but it doesn't work

Maybe there is another way to do it?

Operating system: Ubuntu 18.04.4 LTS

root@router:/home/wlodek# iptables -L FORWARD
Chain FORWARD (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  192.168.0.56         anywhere             TIME from 09:00:00 to 10:00:00 on Mon,Tue,Wed,Thu,Fri UTC
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED

IP: 192.168.0.56 - has a connection iptables -I FORWARD -s 192.168.0.56 -j ACCEPT

IP: 192.168.0.56 - no connection iptables -I FORWARD -s 192.168.0.56 -j ACCEPT + time

  • What exactly does not work? Can you see your rule when listing the chain iptables -L FORWARD? – Jonas Feb 25 '20 at 08:38
  • @Jonas -> When I add time to rule 'iptables -I FORWARD -s 192.168.0.71 -j ACCEPT' -> at all, no internet connection. – Mantykora 7 Feb 25 '20 at 08:47
  • 1
    I assume you're doing this on a routing device. As you wrote the rule 192.168.0.56 to only allow traffic between 9 and 10 it seems reasonable that the traffic outside this window will be blocked. Run date -u on your router to make sure you're trying to connect inside the right time-frame. – Jonas Feb 25 '20 at 09:22
  • @Jonas date and date -u show different dates:)! – Mantykora 7 Feb 25 '20 at 10:02
  • See my answer. Hope it helps. – Jonas Feb 25 '20 at 10:25
  • @Jonas Thank you very much !!:):)!! – Mantykora 7 Feb 25 '20 at 10:33

1 Answer

8

iptables is working with UTC time, not your local time.

Try the following formula:

iptables -I FORWARD -s 192.168.0.56 --match time --weekdays Mon,Tue,Wed,Thu,Fri --timestart $(date -u -d @$(date "+%s" -d "09:00") +%H:%M) --timestop $(date -u -d @$(date "+%s" -d "10:00") +%H:%M) -j ACCEPT

This converts your local start and end time to UTC before handing it over to iptables.

Of course you can replace start time 09:00 and end time 10:00 by any other time.

Jonas
  • 544
  • Does this also work on Monday morning/Friday afternoon? Because if it is still Sunday according to UTC/already Saturday will it even get to the converted times or will it be blocked by the filter on the weekday? – Graipher Feb 25 '20 at 19:29
  • 1
    @Graipher I expect the --weekdays flag to be in UTC, too. Therefore the converted time will always be considered to be on the specified --weekdays. Depending on your time zone and time difference to UTC it might make sense to adjust --weekdays. e.g. if you want to enable a rule Mondays between 2am and 3am and you're 4 hours ahead of UTC the converted time will be 22pm on Sunday. Therefore it would be wise to set --weekdays to Sun instead of Mon even when it's enabled on Monday at 2am in your local time zone. Otherwise you would have an offset of 24h minus your time difference to UTC. – Jonas Feb 26 '20 at 15:28
  • doesn't work on Ubuntu 20.04 – acgbox Aug 27 '21 at 19:57
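
The weekday shift raised in the comments above, as an added example that is not part of the original answer or comments: it converts a local window to UTC, moves --weekdays when the UTC day differs from the local day, and adds the time match's --contiguous option when the converted window crosses UTC midnight. The function names and the fixed offsets are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: translate a local-time window into UTC arguments for the
# iptables "time" match, moving --weekdays when the UTC day differs.
# Assumptions: HH:MM is zero padded, START < STOP in local time, and
# OFFSET_MIN = local time minus UTC in minutes (240 for UTC+4, -300 for UTC-5).
DAYS="Mon Tue Wed Thu Fri Sat Sun"

to_min() {  # HH:MM -> minutes since midnight ("09" must not be read as octal)
    h=${1%%:*}; m=${1##*:}
    echo $(( ${h#0} * 60 + ${m#0} ))
}

shift_days() {  # "Mon,Tue" DELTA -> same list moved by DELTA days (-1, 0, 1)
    out=""
    for d in $(echo "$1" | tr ',' ' '); do
        i=0
        for n in $DAYS; do [ "$n" = "$d" ] && break; i=$((i + 1)); done
        j=$(( (i + $2 + 7) % 7 + 1 ))
        out="${out:+$out,}$(echo "$DAYS" | cut -d' ' -f"$j")"
    done
    echo "$out"
}

utc_time_args() {  # START STOP DAYS OFFSET_MIN (hypothetical helper)
    s=$(( $(to_min "$1") - $4 ))
    e=$(( $(to_min "$2") - $4 ))
    # The weekday follows the UTC day on which the window starts.
    delta=0
    if [ "$s" -lt 0 ]; then delta=-1; elif [ "$s" -ge 1440 ]; then delta=1; fi
    s=$(( (s + 1440) % 1440 )); e=$(( (e + 1440) % 1440 ))
    # Stop at or before start means the window crosses UTC midnight;
    # --contiguous makes the time match treat it as one period.
    extra=""
    if [ "$e" -le "$s" ]; then extra=" --contiguous"; fi
    printf '%s %s --timestart %02d:%02d --timestop %02d:%02d%s\n' \
        --weekdays "$(shift_days "$3" "$delta")" \
        $((s / 60)) $((s % 60)) $((e / 60)) $((e % 60)) "$extra"
}

# Constructed inputs; the rule is printed for review, not applied.
echo "iptables -I FORWARD -s 192.168.0.56 -m time $(utc_time_args 02:00 03:00 Mon 240) -j ACCEPT"
echo "iptables -I FORWARD -s 192.168.0.56 -m time $(utc_time_args 03:30 04:30 Mon 240) -j ACCEPT"
```

The router's current offset can be read with date +%z; a rule generated this way has to be regenerated when that offset changes with daylight saving time.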