Help: Multiple Times on Router Messing up iptables

Sean Rhodes

Regular Contributor
I have an Asus RT-AC3200 with 380.68_2 firmware installed. I'm running a firewall-start script on my jffs partition to basically turn off the internet to my kids' PCs early on school nights. The problem is they are turning off 4 hours too early.

On the router GUI sys page, my timezone is GMT-5 for EST. When I run the busybox date command from the terminal, the time is what I expect.

Can anyone tell me where the iptables rules pull the time and date from, since my rules are starting 4 hours earlier than they should?

As an FYI, when I run date -R, I get the correct date and time, but when I run dmesg I see this:
Code:
xt_time: kernel timezone is -0000
Could that be the issue, and if so, how do I set it?

Thanks
 
If you show us the firewall-start script we might be able to see the problem.

OK, in the interim, here's my iptables -L output; you will see the rules are in UTC:
Code:
target     prot opt source       destination
dropkids   all  --  anywhere     anywhere      TIME from 00:00:00 to 08:59:00 on Fri,Sat UTC
dropkids   all  --  anywhere     anywhere      TIME from 02:00:00 to 23:59:59 on Fri,Sat UTC
dropkids   all  --  anywhere     anywhere      TIME from 00:00:00 to 07:15:00 on Mon,Tue,Wed,Thu,Sun UTC
dropkids   all  --  anywhere     anywhere      TIME from 23:30:00 to 23:59:59 on Mon,Tue,Wed,Thu,Sun UTC
 
Here's the script:
Code:
#!/bin/sh

# uncomment next line to see commands as they are read from this file
# set -v
# uncomment next line to see commands as they are executed
# set -x
#
# this script is to turn off machines Internet access by IP address at night
# it will break existing connections.
# if the kid is smart enough to change IP address, the mac address will prevent controlling an existing connection
# IP version 6 is not addressed here
#
# start and stop times for school days (hh:mm)
SchoolNiteTime=23:30
SchoolMornTime=07:15
# comma delimit list of school days
SchoolDays="Mon,Tue,Wed,Thu,Sun"
#
# start and stop times for non school days
WeekendNiteTime=02:00
WeekendMornTime=08:59

# comma delimit list of non school days ("" means not used )
# if a day is not in either SchoolDays or WeekendDays list, then no restriction on the missing day

WeekendDays="Fri,Sat"
#
# Change line below to the space delimited list of IP addresses of the kids machines

StaticIPList="IP address1 IPaddress2 IPaddress3"
#StaticIPList=""
#
# the mac restriction does not totally break connections,
# but prevents kid who change IP address from starting new connections.
# Change line below the space delimited list of mac address of the kids machines ("" means not used )

MaCList="MAC address1 MAC address2 MAC address3"
#MaCList=""

# define a user chain and fill with rules
iptables -N dropkids
iptables -F dropkids

# first by MaCList
for MaC in $MaCList
  do
  iptables -I dropkids 1 -m mac --mac-source $MaC -j DROP
  done
# then the StaticIPList
  for StaticIP in $StaticIPList
  do
    iptables -I dropkids 1 -s $StaticIP -j DROP
    iptables -I dropkids 1 -d $StaticIP -j DROP
  done
#
    iptables -I FORWARD 1 -m time --timestart $SchoolNiteTime --weekdays $SchoolDays -j dropkids
    iptables -I FORWARD 1 -m time --timestop  $SchoolMornTime --weekdays $SchoolDays -j dropkids

# optional Weekend restriction
   if test "x$WeekendDays" != "x"
   then
    iptables -I FORWARD 1 -m time --timestart $WeekendNiteTime --weekdays $WeekendDays -j dropkids
    iptables -I FORWARD 1 -m time --timestop  $WeekendMornTime --weekdays $WeekendDays -j dropkids
   fi

and here's my date -R output:
Code:
Sun, 17 Sep 2017 21:35:29 -0400
and from my dmesg output:
Code:
xt_time: kernel timezone is -0000
and my router GUI shows GMT-5 for Eastern Standard Time

BTW Network Services Filter is Disabled
 
You might need the "--kerneltz" parameter to adjust for the timezone.

Try changing lines like this:

iptables -I FORWARD 1 -m time --timestart $SchoolNiteTime --weekdays $SchoolDays -j dropkids

to this:

iptables -I FORWARD 1 -m time --timestart $SchoolNiteTime --weekdays $SchoolDays --kerneltz -j dropkids
 
I was reading that it's best to avoid that, but didn't understand why. I will try it though. Thanks for the help.
 
Regarding this problem: can you post the actual script you are experiencing the problem with (not the example you previously posted)? Also the output of "iptables-save -t filter".

BTW Did adding kerneltz fix the timezone problem?
 
Regarding this problem: can you post the actual script you are experiencing the problem with (not the example you previously posted)? Also the output of "iptables-save -t filter".

BTW Did adding kerneltz fix the timezone problem?
Here's the actual script:
Code:
#!/bin/sh

# uncomment next line to see commands as they are read from this file
# set -v
# uncomment next line to see commands as they are executed
# set -x
#
# this script is to turn off machines Internet access by IP address at night
# it will break existing connections.
# if the kid is smart enough to change IP address, the mac address will prevent controlling an existing connection
# IP version 6 is not addressed here
#
# start and stop times for school days (hh:mm)
SchoolNiteTime=23:30
SchoolMornTime=07:15
# comma delimit list of school days
SchoolDays="Mon,Tue,Wed,Thu,Sun"
#
# start and stop times for non school days
WeekendNiteTime=02:00
WeekendMornTime=08:59

# comma delimit list of non school days ("" means not used )
# if a day is not in either SchoolDays or WeekendDays list, then no restriction on the missing day

WeekendDays="Fri,Sat"
#
# Change line below to the space delimited list of IP addresses of the kids machines

StaticIPList="10.0.1.190 10.0.1.151 10.0.1.118 10.0.1.234 10.0.1.111"
#
# the mac restriction does not totally break connections,
# but prevents kid who change IP address from starting new connections.
# Change line below the space delimited list of mac address of the kids machines ("" means not used )

MaCList="94:9a:a9:95:5f:a4 14:CC:20:1E:59:33 6c:ad:f8:86:41:b9 b8:53:ac:9d:f7:b6 14:10:9f:d9:25:1d"

# define a user chain and fill with rules
iptables -N dropkids
iptables -F dropkids

# first by MaCList
for MaC in $MaCList
  do
  iptables -I dropkids 1 -m mac --mac-source $MaC -j DROP
  done
# then the StaticIPList
  for StaticIP in $StaticIPList
  do
    iptables -I dropkids 1 -s $StaticIP -j DROP
    iptables -I dropkids 1 -d $StaticIP -j DROP
  done
#
    iptables -I FORWARD 1 -m time --timestart $SchoolNiteTime --weekdays $SchoolDays --kerneltz -j dropkids
    iptables -I FORWARD 1 -m time --timestop  $SchoolMornTime --weekdays $SchoolDays --kerneltz -j dropkids

# optional Weekend restriction
   if test "x$WeekendDays" != "x"
   then
    iptables -I FORWARD 1 -m time --timestart $WeekendNiteTime --weekdays $WeekendDays --kerneltz -j dropkids
    iptables -I FORWARD 1 -m time --timestop  $WeekendMornTime --weekdays $WeekendDays --kerneltz -j dropkids
   fi
and here is the filter output:
Code:
ASUSWRT-Merlin RT-AC3200 380.68-2 Mon Sep 11 21:45:15 UTC 2017
rhodess@Asus-Merlin:/tmp/home/root# iptables-save -t filter
# Generated by iptables-save v1.4.14 on Mon Nov 11 04:48:08 2019
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [760:150278]
:ACCESS_RESTRICTION - [0:0]
:FUPNP - [0:0]
:INPUT_ICMP - [0:0]
:NSFW - [0:0]
:PControls - [0:0]
:PTCSRVLAN - [0:0]
:PTCSRVWAN - [0:0]
:SECURITY - [0:0]
:SSHBFP - [0:0]
:dropkids - [0:0]
:iptfromlan - [0:0]
:ipttolan - [0:0]
:logaccept - [0:0]
:logdrop - [0:0]
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 8 -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT ! -i br0 -j PTCSRVWAN
-A INPUT -i br0 -j PTCSRVLAN
-A INPUT -i br0 -m state --state NEW -j ACCEPT
-A INPUT -i lo -m state --state NEW -j ACCEPT
-A INPUT -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A INPUT -d 10.0.1.1/32 -p tcp -m conntrack --ctstate DNAT -m tcp --dport 8443 -j ACCEPT
-A INPUT -d 10.0.1.1/32 -p tcp -m conntrack --ctstate DNAT -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 2222 -m state --state NEW -j SSHBFP
-A INPUT -p tcp -m tcp --dport 8082 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 7443 -j ACCEPT
-A INPUT -p icmp -j INPUT_ICMP
-A INPUT -j DROP
-A FORWARD -m time --timestart 00:00:00 --timestop 08:59:00 --weekdays Fri,Sat --kerneltz -j dropkids
-A FORWARD -m time --timestart 02:00:00 --timestop 23:59:59 --weekdays Fri,Sat --kerneltz -j dropkids
-A FORWARD -m time --timestart 00:00:00 --timestop 07:15:00 --weekdays Mon,Tue,Wed,Thu,Sun --kerneltz -j dropkids
-A FORWARD -m time --timestart 23:30:00 --timestop 23:59:59 --weekdays Mon,Tue,Wed,Thu,Sun --kerneltz -j dropkids
-A FORWARD -o br0 -j ipttolan
-A FORWARD -i br0 -j iptfromlan
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD ! -i br0 -o eth0 -j DROP
-A FORWARD -i eth0 -m state --state INVALID -j DROP
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -j NSFW
-A FORWARD -m conntrack --ctstate DNAT -j ACCEPT
-A FORWARD -i br0 -j ACCEPT
-A INPUT_ICMP -p icmp -m icmp --icmp-type 8 -j RETURN
-A INPUT_ICMP -p icmp -m icmp --icmp-type 13 -j RETURN
-A INPUT_ICMP -p icmp -j ACCEPT
-A PControls -j ACCEPT
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 1/sec -j RETURN
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec -j RETURN
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -j DROP
-A SECURITY -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j RETURN
-A SECURITY -p icmp -m icmp --icmp-type 8 -j DROP
-A SECURITY -j RETURN
-A SSHBFP -m recent --set --name SSH --rsource
-A SSHBFP -m recent --update --seconds 60 --hitcount 4 --name SSH --rsource -j DROP
-A SSHBFP -j ACCEPT
-A dropkids -d 10.0.1.111/32 -j DROP
-A dropkids -s 10.0.1.111/32 -j DROP
-A dropkids -d 10.0.1.234/32 -j DROP
-A dropkids -s 10.0.1.234/32 -j DROP
-A dropkids -d 10.0.1.118/32 -j DROP
-A dropkids -s 10.0.1.118/32 -j DROP
-A dropkids -d 10.0.1.151/32 -j DROP
-A dropkids -s 10.0.1.151/32 -j DROP
-A dropkids -d 10.0.1.190/32 -j DROP
-A dropkids -s 10.0.1.190/32 -j DROP
-A dropkids -m mac --mac-source 14:10:9F:D9:25:1D -j DROP
-A dropkids -m mac --mac-source B8:53:AC:9D:F7:B6 -j DROP
-A dropkids -m mac --mac-source 6C:AD:F8:86:41:B9 -j DROP
-A dropkids -m mac --mac-source 14:CC:20:1E:59:33 -j DROP
-A dropkids -m mac --mac-source 94:9A:A9:95:5F:A4 -j DROP
-A iptfromlan -o eth0 -m account--aaddr 10.0.1.0/255.255.255.0 --aname lan  -j RETURN
-A ipttolan -i eth0 -m account--aaddr 10.0.1.0/255.255.255.0 --aname lan  -j RETURN
-A logaccept -m state --state NEW -j LOG --log-prefix "ACCEPT " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logaccept -j ACCEPT
-A logdrop -m state --state NEW -j LOG --log-prefix "DROP " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logdrop -j DROP
COMMIT
# Completed on Mon Nov 11 04:48:09 2019
rhodess@Asus-Merlin:/tmp/home/root#

The kerneltz helped, but I think it's off by 1 hour. I will retry tonight and set it 5 mins ahead for one IP address, then try re-enabling 10 mins later and see if I can nail it down first.

Thanks for the help
 
The shell that runs the scripts has a very minimal environment set. You may also want to try including the line

export TZ=`cat /etc/TZ`

at the beginning of your script.
 
OK, timezone issues aside, I can see why the weekend times don't work. The "start" times must be before midnight.

By specifying a weekend start time of 02:00 you have effectively blocked access for the whole of Friday and Saturday. (02:00 to 23:59 & 00:00 to 08:59)

The weekday times look like they should be working.
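One way to build these rules from local "night" and "morning" times so that a window starting after midnight (the 02:00 weekend case above) does not swallow the whole day, as an added example that is not the thread's script: it keeps the --kerneltz flag from the earlier reply and, going one step beyond the thread, shifts the weekday list to the following day for any part of the window that falls after midnight, since "Friday night at 02:00" is Saturday to xt_time. Chain name dropkids and the FORWARD insert mirror the thread; IPTABLES, the helper names and the dry-run switch are assumptions.

```sh
#!/bin/sh
# Added example (not the thread's script): emit xt_time match arguments for a
# LOCAL-time block window, shifting the weekday list where the window crosses
# or starts after midnight. Set IPTABLES="echo iptables" for a dry run.
IPTABLES=${IPTABLES:-iptables}

next_day() {                     # Mon -> Tue ... Sun -> Mon
  case "$1" in
    Mon) echo Tue;; Tue) echo Wed;; Wed) echo Thu;; Thu) echo Fri;;
    Fri) echo Sat;; Sat) echo Sun;; Sun) echo Mon;; *) return 1;;
  esac
}

shift_days() {                   # "Fri,Sat" -> "Sat,Sun"
  days=$1 out=""
  old_ifs=$IFS; IFS=,; set -- $days; IFS=$old_ifs
  for d in "$@"; do
    n=$(next_day "$d") || return 1
    out="${out:+$out,}$n"
  done
  echo "$out"
}

to_minutes() {                   # "07:15" -> 435; leading zero stripped so 08 is not read as octal
  h=${1%%:*}; m=${1#*:}
  echo $(( ${h#0} * 60 + ${m#0} ))
}

# time_rules NIGHT MORN DAYS: prints one line of match arguments per rule needed.
# DAYS names the evening the window starts on, as in the thread's script.
time_rules() {
  night=$1 morn=$2 days=$3
  s=$(to_minutes "$night"); e=$(to_minutes "$morn")
  if [ "$s" -gt "$e" ]; then   # 23:30 -> 07:15: split at midnight, morning half on the next day
    echo "--timestart $night --timestop 23:59:59 --weekdays $days --kerneltz"
    echo "--timestart 00:00 --timestop $morn --weekdays $(shift_days "$days") --kerneltz"
  elif [ "$s" -lt "$e" ]; then # 02:00 -> 08:59: the whole window already lies on the next day
    echo "--timestart $night --timestop $morn --weekdays $(shift_days "$days") --kerneltz"
  else
    echo "time_rules: start equals stop" >&2; return 1
  fi
}

apply_rules() {                  # insert each generated rule at the top of FORWARD
  time_rules "$@" | while read -r args; do
    $IPTABLES -I FORWARD 1 -m time $args -j dropkids
  done
}
```

Running `apply_rules 02:00 08:59 Fri,Sat` yields a single rule on Sat,Sun instead of the two rules that blocked all of Friday and Saturday.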
 
