# Advanced IP-Tables, blocking users depending on time?

## Detraw

Hi, I have a Linux server running for a while now with iptables to share the internet with several computers (NAT). Now I wish to only give access to specific MAC addresses at specific times, for example: MAC1 only has access to port 80 between 08:00-18:00; the rest of the time it has access to all ports. (I hope you understand what I mean ;D )

Someone told me that it could be done with iptables, but I can't find any info on how to implement it  :Sad: 

Does someone know how it can be done with iptables and can tell me, or have a link to a good webpage? Or does anyone know how to do it with something other than iptables?

Best regards

Daniel

----------

## larand54

I use /etc/crontab. It looks like this:

```
mars root # cat /var/spool/cron/crontabs/root
# /etc/crontab
# 20 Apr 2002; Thilo Bangert <bangert@gentoo.org>
# $Header: /var/cvsroot/gentoo-x86/sys-apps/dcron/files/crontab,v 1.6 2004/07/18 04:33:20 dragonheart Exp $

# fcron || dcron:
# This is NOT the system crontab! fcron and dcron do not support a system crontab.
# to get /etc/cron.{hourly|daily|weekly|montly} working with fcron or dcron do
# crontab /etc/crontab
# as root.
# NOTE: This will REPLACE root's current crontab!!

# check scripts in cron.hourly, cron.daily, cron.weekly and cron.monthly
*/15 * * * *     test -x /usr/sbin/run-crons && /usr/sbin/run-crons >/dev/null
0  *  * * *      rm -f /var/spool/cron/lastrun/cron.hourly >/dev/null
0  3  * * *      rm -f /var/spool/cron/lastrun/cron.daily >/dev/null
15 4  * * 6      rm -f /var/spool/cron/lastrun/cron.weekly>/dev/null
30 5  1 * *      rm -f /var/spool/cron/lastrun/cron.monthly>/dev/null
0 *  * * * *  root    /etc/cron.hourly>/dev/null
45 3  * * * * root   /etc/cron.daily>/dev/null
45 4  * * * 0 root   /etc/cron.weekly>/dev/null
45 4  1 * * * root   /etc/cron.monthly>/dev/null

0 19 * * 1-4,0  /etc/cron.iptables/pluto.reject
0 17 * * 1      /etc/cron.iptables/pluto.accept
0 21 * * 5,6    /etc/cron.iptables/pluto.reject
30 16 * * 2-5   /etc/cron.iptables/pluto.accept
30 08 * * 6,0   /etc/cron.iptables/pluto.accept
```

You can see the entries for iptables, and they look like this:

/etc/cron.iptables/pluto.reject

```
mars root # cat /etc/cron.iptables/pluto.reject
/sbin/iptables -R lan_group 1 -s pluto -j REJECT
```

/etc/cron.iptables/pluto.accept

```
mars root # cat /etc/cron.iptables/pluto.accept
/sbin/iptables -R lan_group 1 -s pluto -j ACCEPT
```

In the iptables config, lan_group is used like this:

```
$IPTABLES -A FORWARD -i $LAN_IFACE -j lan_group
```

In the table lan_group I have specified the rules for all computers on the LAN.

And that works perfectly.

This example only concerns one computer; if you have many computers with different time settings you need a crontab entry for each computer, or per time group if you can group them.
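A variant of this cron approach, added here as an example and not larand54's pluto.accept/pluto.reject scripts: one script that cron calls at each boundary of the schedule with the wanted mode, keying on the host's MAC address as the question asks. It assumes a hypothetical layout in which FORWARD first accepts ESTABLISHED,RELATED replies and then jumps to lan_group for packets arriving on the LAN interface, lan_group hands each host's packets to a chain named host_<name>, the script is installed as /usr/local/sbin/hostpolicy.sh, the iptables binary supports -C (rule check), and the MAC address in the crontab lines is made up.

```shell
#!/bin/sh
# hostpolicy.sh NAME MAC MODE  (constructed example, not larand54's scripts)
# Cron runs this at each schedule boundary. Each LAN host gets its own chain,
# host_<NAME>, which is flushed and refilled, instead of replacing rule 1 of
# a shared chain with -R.
#
# Assumed layout (hypothetical): FORWARD first accepts ESTABLISHED,RELATED
# replies, then jumps to lan_group for packets from the LAN interface;
# lan_group sends each host's packets to host_<NAME> by MAC address.

IPTABLES="${IPTABLES:-/sbin/iptables}"

# host_rules NAME MAC MODE
# Print, one per line, the commands that put the host into MODE:
#   open     everything is forwarded
#   webonly  only TCP 80/443 is forwarded, everything else is rejected
#   closed   everything is rejected
host_rules() {
  name=$1; mac=$2; mode=$3
  chain="host_$name"
  case $mode in
    open)    body="$IPTABLES -A $chain -j ACCEPT" ;;
    webonly) body="$IPTABLES -A $chain -p tcp -m multiport --dports 80,443 -j ACCEPT
$IPTABLES -A $chain -j REJECT" ;;
    closed)  body="$IPTABLES -A $chain -j REJECT" ;;
    *)       echo "host_rules: unknown mode '$mode'" >&2; return 1 ;;
  esac
  echo "$IPTABLES -N $chain 2>/dev/null || true"   # create the chain once
  echo "$IPTABLES -F $chain"                        # always refill from empty
  echo "$body"
  # hook the host into lan_group exactly once: -C tests for the rule, -I adds it
  echo "$IPTABLES -C lan_group -m mac --mac-source $mac -j $chain 2>/dev/null || $IPTABLES -I lan_group -m mac --mac-source $mac -j $chain"
}

# apply_mode NAME MAC MODE: run the generated commands, stopping at the first
# failure so cron's mail shows which one broke
apply_mode() {
  host_rules "$@" | sh -e
}

# Crontab lines for the schedule in the question (constructed MAC):
#   0 8  * * 1-5  /usr/local/sbin/hostpolicy.sh pluto 00:11:22:33:44:55 webonly
#   0 18 * * 1-5  /usr/local/sbin/hostpolicy.sh pluto 00:11:22:33:44:55 open
if [ $# -eq 3 ]; then
  apply_mode "$@"
fi
```

Flushing a per-host chain avoids `-R lan_group 1`, which replaces whatever happens to be rule 1 at that moment; if a rule is ever inserted above it, the wrong host changes state. Two things to keep in mind with any cron-driven scheme: between the `-F` and the `-A` lines the chain is momentarily empty and traffic falls through to the rules after the jump in lan_group, and after a reboot (or with cron down) the chain keeps whatever mode was last applied, so the boot-time firewall script should set the mode that is right for the current time.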

----------

## Detraw

oh, thanks a lot...

hmm but I didn't get it all  :Sad:  this line in your crontab, how does it work?

```
0 19 * * 1-4,0  /etc/cron.iptables/pluto.reject
```

is it the time and date that this file should be run?

0 19 * * 1-4,0 <--- which time and date does this mean? is it between 01:00 and 04:00?

Best regards

Daniel

----------

## MrUlterior

"man crontab" would tell you that; the 5 fields before the command, in order of occurrence, mean:

*Quote:*

> Minute              0-59
> Hour                 0-23
> ...

Therefore "1-4,0" means every day excluding Friday and Saturday, or more literally: Monday till Thursday, and Sunday.

The "0 19" means at 19h00 on those days.

----------

## swanson

Don't use cron, use the time match in iptables. Assuming you have a deny policy, the following should do.

To allow access to port 80 only during your defined time on weekdays:

```
$ iptables -A INPUT -m mac --mac-source XX:XX:XX:XX:XX:XX -m time --timestart 8:00 --timestop 18:00 --days Mon,Tue,Wed,Thu,Fri -p tcp --dport 80 -j ACCEPT
```

To allow unrestricted access at all other times and on the weekend:

```
$ iptables -A INPUT -m mac --mac-source XX:XX:XX:XX:XX:XX -m time --timestart 18:00 --timestop 8:00 -j ACCEPT
$ iptables -A INPUT -m mac --mac-source XX:XX:XX:XX:XX:XX -m time --days Sat,Sun -j ACCEPT
```
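An added example, not swanson's rules, that keeps the same schedule as a small policy table and both emits it as iptables commands and evaluates it offline, so the schedule can be checked on any box before the time match is available. Assumptions: the box is the NAT router, so the LAN host's packets cross FORWARD rather than INPUT (INPUT only sees traffic addressed to the router itself); a current kernel with the xt_time match, whose options are spelled --weekdays and --timestart/--timestop and which takes --kerneltz to compare against local time instead of UTC (the 2005 patch-o-matic version used --days); the MAC address, interface name and chain name are made up.

```shell
#!/bin/sh
# Constructed example (not swanson's rules): a time-of-day policy for one
# LAN host kept as a table, emitted as FORWARD-chain iptables commands and
# evaluated offline with the same first-match semantics as the chain.
# Assumes the current xt_time syntax (--weekdays, --kerneltz); the 2005
# patch-o-matic match spelled the day option --days.

MAC="${MAC:-00:11:22:33:44:55}"      # constructed LAN host MAC address
LAN_IFACE="${LAN_IFACE:-eth1}"       # hypothetical LAN interface
CHAIN="host_sched"                   # hypothetical per-host chain

# One rule per line: weekdays|start|stop|tcp-ports|target ("any" = unrestricted).
# First match wins, here and in the chain, so a REJECT placed inside the
# daytime window makes a wrap-around "18:00 to 08:00" rule unnecessary.
POLICY='Mon,Tue,Wed,Thu,Fri|08:00|18:00|80,443|ACCEPT
Mon,Tue,Wed,Thu,Fri|08:00|18:00|any|REJECT
any|any|any|any|ACCEPT'

# emit_rule DAYS START STOP PORTS TARGET: print one iptables command
emit_rule() {
  cmd="iptables -A $CHAIN"
  tm=""
  [ "$1" != any ] && tm="$tm --weekdays $1"
  [ "$2" != any ] && tm="$tm --timestart $2 --timestop $3"
  # --kerneltz: without it xt_time compares against UTC, not local time
  [ -n "$tm" ] && cmd="$cmd -m time --kerneltz$tm"
  [ "$4" != any ] && cmd="$cmd -p tcp -m multiport --dports $4"
  echo "$cmd -j $5"
}

# emit_rules: the whole ruleset, in the order it must be loaded
emit_rules() {
  echo "iptables -N $CHAIN"
  # replies from the Internet carry the upstream router's MAC, not the
  # host's, so connection state must let them through before the MAC check
  echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  echo "iptables -A FORWARD -i $LAN_IFACE -m mac --mac-source $MAC -j $CHAIN"
  echo "$POLICY" | while IFS='|' read -r d s e p t; do
    emit_rule "$d" "$s" "$e" "$p" "$t"
  done
}

# to_min HH:MM -> minutes since midnight (leading zero stripped so the
# shell does not read "08" as an octal number)
to_min() {
  h=${1%%:*}; m=${1#*:}
  h=${h#0}; m=${m#0}
  echo $(( ${h:-0} * 60 + ${m:-0} ))
}

# in_time START STOP NOW: true if NOW lies in the window. Both ends are
# inclusive, as in xt_time, and START > STOP means the window wraps midnight.
in_time() {
  ws=$(to_min "$1"); we=$(to_min "$2"); now=$(to_min "$3")
  if [ "$ws" -le "$we" ]; then
    [ "$now" -ge "$ws" ] && [ "$now" -le "$we" ]
  else
    [ "$now" -ge "$ws" ] || [ "$now" -le "$we" ]
  fi
}

# in_list LIST ITEM: true if LIST is "any" or contains ITEM (comma separated)
in_list() {
  [ "$1" = any ] && return 0
  case ",$1," in *",$2,"*) return 0 ;; esac
  return 1
}

# decide DAY HH:MM PORT: target of the first policy rule that matches;
# weekday and time of day are tested independently, as the kernel match does
decide() {
  echo "$POLICY" | while IFS='|' read -r d s e p t; do
    in_list "$d" "$1" || continue
    if [ "$s" != any ]; then in_time "$s" "$e" "$2" || continue; fi
    in_list "$p" "$3" || continue
    echo "$t"; break
  done
}

# usage:  sh sched.sh emit          (print the rules)
#         sh sched.sh check Mon 10:00 22   (what would happen to that packet)
case "${1:-}" in
  emit)  emit_rules ;;
  check) decide "$2" "$3" "$4" ;;
esac
```

Ordering a REJECT inside the daytime window, with a catch-all ACCEPT after it, sidesteps the need for a rule whose window wraps midnight; in_time still handles wrap-around so a rule like swanson's 18:00 to 8:00 one can be checked too. Because the weekday and time-of-day tests are independent, a Friday rule with --timestart 18:00 --timestop 08:00 does not extend into Saturday morning, which is why swanson's set needs the separate Sat,Sun rule.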

----------

## Detraw

ok thanks, I'm at work right now so I didn't have any Linux computer to run a man on.....

I'll try to implement it all later when I get home.

but how do I do this depending on MAC addresses?

Best Regards

Daniel

----------

## larand54

*swanson wrote:*

> Don't use cron, use the time match in iptables. Assuming you have a deny policy the following should do.

That's real nice  :Very Happy: . I asked for that function a while ago and didn't get a positive answer. Does it need any special module to work?

----------

## Detraw

swanson >> damn that's a nice way to do it, I think I'm gonna go your way instead  :Smile: 

----------

## larand54

*Detraw wrote:*

> but how do I do this depending on MAC addresses?

From the man pages:

```
   mac
       --mac-source [!] address
              Match  source  MAC  address.    It   must   be   of   the   form
              XX:XX:XX:XX:XX:XX.   Note that this only makes sense for packets
              coming from an Ethernet device and entering the PREROUTING, FOR-
              WARD or INPUT chains.
```

I was going to recommend swanson's method for you but I see now I don't need it. :Very Happy: 

Call back and set SOLVED at the end of the subject when you're satisfied.

Last edited by larand54 on Wed Jun 01, 2005 2:59 pm; edited 1 time in total

----------

## Detraw

yeah I just saw that in his example  :Smile: 

----------

## swanson

Hmm, the time match is in the man page for iptables, which is normally created depending on the actual modules in the kernel, so I thought it was in the kernel. However the Gentoo build doesn't do this (unless an "extensions" USE flag is set) and it's not actually in 2.6.11 or to be in 2.6.12.

I don't know if it is in the Gentoo kernels because I build my own. If it is, ignore everything below this point.  :Wink: 

The patch for time match is available via the patch-o-matic at http://www.netfilter.org/. IIRC it's a pain in the tonsils to apply as you need the iptables source to patch along with the kernel. I'd extracted iptables under /tmp and run the runme script in patch-o-matic.

```
$ tar xjf /usr/portage/distfiles/iptables-1.2.11.tar.bz2 -C /tmp
$ ./runme time KERNEL_DIR=/usr/src/linux-<whereever> IPTABLES_DIR=/tmp/iptables-1.2.11
```

After patching, choose the time module in the kernel config, build and install the modules. Then re-emerge iptables with the extensions USE flag.

Sorry if this makes it a bit trickier. Depending on your experience the cron method may be easier for now.

----------

## Detraw

I think it will be worth it.... I'll try it out as soon as I have some time (like on Saturday)

Thanks again

/Daniel

----------

## Detraw

Hi,

After some minor bumps in the road I have updated iptables to the newest version. But I can't find the patch for the time match at their homepage, does anyone have a direct link?

And where in the menu (make menuconfig) should I find the option to enable time match (after I have patched it)?

Thanks

Daniel

----------

## Detraw

I could really use your help, I have tried all that I can....

----------

## Detraw

Ok so I managed to install patch-o-matic, but I still can't find the time patch, does anyone know where to find it? The command swanson mentioned ($ ./runme time KERNEL_DIR=/usr/src/linux-<whereever> IPTABLES_DIR=/tmp/iptables-1.2.11) doesn't work  :Sad:  what should I do??

----------

## MrUlterior

Set CONFIG_IP_NF_MATCH_TIME to "Y" or "M" in your kernel config & then build & install your modules.

Check that your kernel is correctly patched with:

```
egrep 'CONFIG_IP_NF_MATCH_TIME' /usr/src/linux/.config
```

----------

## Detraw

as I said I can't find the time patch, so I haven't patched my kernel yet, therefore I can't enable the option in my kernel...

I think the problem is that I don't have the latest version of patch-o-matic, I had to download it manually because when I try to access their CVS server, it says connection failed when I'm trying to enter the public password ('cvs')

Does anyone know what the latest version of patch-o-matic is, and where to get it?

----------

## Detraw

ok I tried it with iptables version 1.3.1 and now it works, thank you guys...

/Daniel

----------

## mbello

Please, then add [SOLVED] to the topic subject

----------

## Detraw

hmmm apparently it still doesn't work, doh  :Sad: 

I found the option to build in time match in the kernel, and so I did; after copying the new kernel to /boot and a reboot of the system, I still get this:

```
# iptables -m time
iptables v1.3.1: Couldn't load match `time':/lib/iptables/libipt_time.so: cannot open shared object file: No such file or directory
Try `iptables -h' or 'iptables --help' for more information
```

what have I missed??

----------

## Detraw

ok so I have given up on trying to use -m time in iptables, and am trying to use the crontab way instead...

but I get this error in my iptables config file:

```
# iptables -A FORWARD -i $LAN_IFACE -j lan
Warning: wierd character in interface `-j' (No aliases, :, ! or *).
Bad argument `lan'
Try `iptables -h' or 'iptables --help' for more information.
```

What am I doing wrong? should I declare 'lan' somewhere else?

/Daniel

----------

## MrUlterior

You need to create a new chain named "lan" before you can jump packets into it ...

```
iptables -N lan
```

Suggest you read Rusty Russell's very excellent introduction to packet filtering:

http://www.netfilter.org/documentation/HOWTO/packet-filtering-HOWTO.html if you're having trouble with the iptables man page.

Regarding the missing time module, it would appear that you either compiled it as a module and didn't modprobe it before attempting to use it, or alternatively you didn't "make modules_install" after building your kernel.

----------

## Detraw

well I have tried to compile it into the kernel, and I did a

```
make dep && make bzImage modules modules_install
```

I also tried to compile it as a module, but I couldn't find the module name to modprobe  :Sad: 

do you have any other ideas? 'cause I really want to use the iptables -m time instead of crontab...  :Sad: 

Thanks

/Daniel

----------

## MrUlterior

Do you find the module when you execute:

```
find /lib/modules/ -name "libipt_time.so" -type f
```

To me the path your modules are being searched for is incorrect; it should be something like /lib/modules/<kernel version>/kernel/drivers/net/ipv4/nf/*.so or something similar. This would suggest that your patching or kernel installation is somehow at fault.

----------

## Detraw

I'm recompiling my kernel now with time match support as a module...

with the command you gave me I found nothing, and in my /lib/modules/2.4.20-gentoo-r5/kernel/drivers/net path I only have a file called dummy.o

 :Sad: 

I'm thinking that maybe something goes wrong during the compile or bootup; is there a way to see if the time match thing is enabled in the running kernel?

----------

## jamapii

*Detraw wrote:*

> /lib/modules/2.4.20-gentoo-r5/kernel/drivers/net

Maybe you need a more recent kernel. The command "uname -r" shows the version you are running.

I think the crontab way is an equally valid method.

----------

