Menu
What's new
By:
Filters Better Search

schedule based firewall script is not accurate

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

v1rt

v1rt

Occasional Visitor
This is the firewall-start that's currently active. Today is Sunday. My son's connection got blocked an hour after the schedule that is active in iptables. I thought it was fixed but it isn't.

Here is my firewall-start script.

Code: 
#!/bin/sh
# Locate both "RELATED,ESTABLISHED" and "INVALID" rules to place the Inserts after

InsLoc=`iptables -nvL INPUT --lin | grep -A 1 -i "RELATED,ESTABLISHED" | tail -n 1 | awk '{ print $1 }'`
if [ "x$InsLoc" == "x" ]
then
   # echo "Rule RELATED,ESTABLISHED not found"
   # Add rule to continue existing connections
   iptables -I INPUT 1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
   InsLoc=2
fi
#
InsLoc1=`iptables -nvL INPUT --lin | grep -A 1 -i "INVALID" | tail -n 1 | awk '{ print $1 }'`
if [ "x$InsLoc1" == "x" ]
then
   # echo "Rule INVALID not found"
   # Add rule to Drop unexpected traffic
   iptables -I INPUT $InsLoc -m conntrack --ctstate INVALID -j DROP
   InsLoc1=`expr $InsLoc + 1`
fi
#
if [ $InsLoc1 -gt $InsLoc ]
then
   # use which ever comes last
   InsLoc=$InsLoc1
fi
echo "InsLoc=$InsLoc"
#

# League of Legends Game Client
iptables -I FORWARD $InsLoc -i br0 -o eth0 -p tcp --dport 5000:5500 -m time --timestart 13:00:00 --timestop 03:00:00 --weekdays Mon,Tue,Wed,Thu --kerneltz -j DROP
iptables -I FORWARD $InsLoc -i br0 -o eth0 -p udp --dport 5000:5500 -m time --timestart 13:00:00 --timestop 03:00:00 --weekdays Mon,Tue,Wed,Thu --kerneltz -j DROP
iptables -I FORWARD $InsLoc -i br0 -o eth0 -p tcp --dport 5000:5500 -m time --timestart 22:30:00 --timestop 03:00:00 --weekdays Fri,Sat --kerneltz -j DROP
iptables -I FORWARD $InsLoc -i br0 -o eth0 -p udp --dport 5000:5500 -m time --timestart 22:30:00 --timestop 03:00:00 --weekdays Fri,Sat --kerneltz -j DROP
iptables -I FORWARD $InsLoc -i br0 -o eth0 -p tcp --dport 5000:5500 -m time --timestart 20:00:00 --timestop 03:00:00 --weekdays Sun --kerneltz -j DROP
iptables -I FORWARD $InsLoc -i br0 -o eth0 -p udp --dport 5000:5500 -m time --timestart 20:00:00 --timestop 03:00:00 --weekdays Sun --kerneltz -j DROP

# Patcher and Maestro
iptables -I FORWARD $InsLoc -i br0 -o eth0 -p tcp --dport 8393:8400 -m time --timestart 13:00:00 --timestop 03:00:00 --weekdays Mon,Tue,Wed,Thu --kerneltz -j DROP
iptables -I FORWARD $InsLoc -i br0 -o eth0 -p tcp --dport 8393:8400 -m time --timestart 22:30:00 --timestop 03:00:00 --weekdays Fri,Sat --kerneltz -j DROP
iptables -I FORWARD $InsLoc -i br0 -o eth0 -p tcp --dport 8393:8400 -m time --timestart 20:00:00 --timestop 03:00:00 --weekdays Sun --kerneltz -j DROP

# 2099 TCP - PVP.Net
iptables -I FORWARD $InsLoc -i br0 -o eth0 -p tcp --dport 2099 -m time --timestart 13:00:00 --timestop 03:00:00 --weekdays Mon,Tue,Wed,Thu --kerneltz -j DROP
iptables -I FORWARD $InsLoc -i br0 -o eth0 -p tcp --dport 2099 -m time --timestart 22:30:00 --timestop 03:00:00 --weekdays Fri,Sat --kerneltz -j DROP
iptables -I FORWARD $InsLoc -i br0 -o eth0 -p tcp --dport 2099 -m time --timestart 20:00:00 --timestop 03:00:00 --weekdays Sun --kerneltz -j DROP

# 5223 TCP - PVP.Net
iptables -I FORWARD $InsLoc -i br0 -o eth0 -p tcp --dport 5223 -m time --timestart 13:00:00 --timestop 03:00:00 --weekdays Mon,Tue,Wed,Thu --kerneltz -j DROP
iptables -I FORWARD $InsLoc -i br0 -o eth0 -p tcp --dport 5223 -m time --timestart 22:30:00 --timestop 03:00:00 --weekdays Fri,Sat --kerneltz -j DROP
iptables -I FORWARD $InsLoc -i br0 -o eth0 -p tcp --dport 5223 -m time --timestart 20:00:00 --timestop 03:00:00 --weekdays Sun --kerneltz -j DROP

# 5222 TCP - PVP.Net
iptables -I FORWARD $InsLoc -i br0 -o eth0 -p tcp --dport 5222 -m time --timestart 13:00:00 --timestop 03:00:00 --weekdays Mon,Tue,Wed,Thu --kerneltz -j DROP
iptables -I FORWARD $InsLoc -i br0 -o eth0 -p tcp --dport 5222 -m time --timestart 22:30:00 --timestop 03:00:00 --weekdays Fri,Sat --kerneltz -j DROP
iptables -I FORWARD $InsLoc -i br0 -o eth0 -p tcp --dport 5222 -m time --timestart 20:00:00 --timestop 03:00:00 --weekdays Sun --kerneltz -j DROP

# 8088 Spectator Mode
iptables -I FORWARD $InsLoc -i br0 -o eth0 -p tcp --dport 8088 -m time --timestart 13:00:00 --timestop 03:00:00 --weekdays Mon,Tue,Wed,Thu --kerneltz -j DROP
iptables -I FORWARD $InsLoc -i br0 -o eth0 -p tcp --dport 8088 -m time --timestart 22:30:00 --timestop 03:00:00 --weekdays Fri,Sat --kerneltz -j DROP
iptables -I FORWARD $InsLoc -i br0 -o eth0 -p tcp --dport 8088 -m time --timestart 20:00:00 --timestop 03:00:00 --weekdays Sun --kerneltz -j DROP

Code: 
admin@RT-AC68U-6000:/jffs/scripts# date
Sun Apr 12 20:42:26 DST 2015

My mac laptop is showing the same time but timezone is showing CDT.

In my Asus Administration->System tab under Miscellaneous then Time Zone, it says (GMT-6:00) Central Time (US, Canada)

Here is the output of iptables -vnL
https://gist.github.com/c0debreaker/72dee8f738c8f85d507c

Now, I removed the --kerneltz and refreshed the firewall script, this is the output iptables -vnL. It is now in UTC. https://gist.github.com/c0debreaker/e4d9c956ca49b20f6b6a
 
Last edited:
just read that --kerneltz is definitely discouraged. I'm now using UTC but I also have to change my timestart and timestop values. I'll keep you posted next Friday because that's the time my son will be able to play
 
v1rt said:
This is the firewall-start that's currently active. Today is Sunday. My son's connection got blocked an hour after the schedule that is active in iptables. I thought it was fixed but it isn't.

Here is my firewall-start script.

Code: 
#!/bin/sh
# Locate both "RELATED,ESTABLISHED" and "INVALID" rules to place the Inserts after

InsLoc=`iptables -nvL INPUT --lin | grep -A 1 -i "RELATED,ESTABLISHED" | tail -n 1 | awk '{ print $1 }'`
if [ "x$InsLoc" == "x" ]
then
   # echo "Rule RELATED,ESTABLISHED not found"
   # Add rule to continue existing connections
   iptables -I INPUT 1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
   InsLoc=2
fi
#
InsLoc1=`iptables -nvL INPUT --lin | grep -A 1 -i "INVALID" | tail -n 1 | awk '{ print $1 }'`
if [ "x$InsLoc1" == "x" ]
then
   # echo "Rule INVALID not found"
   # Add rule to Drop unexpected traffic
   iptables -I INPUT $InsLoc -m conntrack --ctstate INVALID -j DROP
   InsLoc1=`expr $InsLoc + 1`
fi
#
if [ $InsLoc1 -gt $InsLoc ]
then
   # use which ever comes last
   InsLoc=$InsLoc1
fi
echo "InsLoc=$InsLoc"
#

# League of Legends Game Client
iptables -I FORWARD $InsLoc -i br0 -o eth0 -p tcp --dport 5000:5500 -m time --timestart 13:00:00 --timestop 03:00:00 --weekdays Mon,Tue,Wed,Thu --kerneltz -j DROP
iptables -I FORWARD $InsLoc -i br0 -o eth0 -p udp --dport 5000:5500 -m time --timestart 13:00:00 --timestop 03:00:00 --weekdays Mon,Tue,Wed,Thu --kerneltz -j DROP
iptables -I FORWARD $InsLoc -i br0 -o eth0 -p tcp --dport 5000:5500 -m time --timestart 22:30:00 --timestop 03:00:00 --weekdays Fri,Sat --kerneltz -j DROP
iptables -I FORWARD $InsLoc -i br0 -o eth0 -p udp --dport 5000:5500 -m time --timestart 22:30:00 --timestop 03:00:00 --weekdays Fri,Sat --kerneltz -j DROP
iptables -I FORWARD $InsLoc -i br0 -o eth0 -p tcp --dport 5000:5500 -m time --timestart 20:00:00 --timestop 03:00:00 --weekdays Sun --kerneltz -j DROP
iptables -I FORWARD $InsLoc -i br0 -o eth0 -p udp --dport 5000:5500 -m time --timestart 20:00:00 --timestop 03:00:00 --weekdays Sun --kerneltz -j DROP

# Patcher and Maestro
iptables -I FORWARD $InsLoc -i br0 -o eth0 -p tcp --dport 8393:8400 -m time --timestart 13:00:00 --timestop 03:00:00 --weekdays Mon,Tue,Wed,Thu --kerneltz -j DROP
iptables -I FORWARD $InsLoc -i br0 -o eth0 -p tcp --dport 8393:8400 -m time --timestart 22:30:00 --timestop 03:00:00 --weekdays Fri,Sat --kerneltz -j DROP
iptables -I FORWARD $InsLoc -i br0 -o eth0 -p tcp --dport 8393:8400 -m time --timestart 20:00:00 --timestop 03:00:00 --weekdays Sun --kerneltz -j DROP

# 2099 TCP - PVP.Net
iptables -I FORWARD $InsLoc -i br0 -o eth0 -p tcp --dport 2099 -m time --timestart 13:00:00 --timestop 03:00:00 --weekdays Mon,Tue,Wed,Thu --kerneltz -j DROP
iptables -I FORWARD $InsLoc -i br0 -o eth0 -p tcp --dport 2099 -m time --timestart 22:30:00 --timestop 03:00:00 --weekdays Fri,Sat --kerneltz -j DROP
iptables -I FORWARD $InsLoc -i br0 -o eth0 -p tcp --dport 2099 -m time --timestart 20:00:00 --timestop 03:00:00 --weekdays Sun --kerneltz -j DROP

# 5223 TCP - PVP.Net
iptables -I FORWARD $InsLoc -i br0 -o eth0 -p tcp --dport 5223 -m time --timestart 13:00:00 --timestop 03:00:00 --weekdays Mon,Tue,Wed,Thu --kerneltz -j DROP
iptables -I FORWARD $InsLoc -i br0 -o eth0 -p tcp --dport 5223 -m time --timestart 22:30:00 --timestop 03:00:00 --weekdays Fri,Sat --kerneltz -j DROP
iptables -I FORWARD $InsLoc -i br0 -o eth0 -p tcp --dport 5223 -m time --timestart 20:00:00 --timestop 03:00:00 --weekdays Sun --kerneltz -j DROP

# 5222 TCP - PVP.Net
iptables -I FORWARD $InsLoc -i br0 -o eth0 -p tcp --dport 5222 -m time --timestart 13:00:00 --timestop 03:00:00 --weekdays Mon,Tue,Wed,Thu --kerneltz -j DROP
iptables -I FORWARD $InsLoc -i br0 -o eth0 -p tcp --dport 5222 -m time --timestart 22:30:00 --timestop 03:00:00 --weekdays Fri,Sat --kerneltz -j DROP
iptables -I FORWARD $InsLoc -i br0 -o eth0 -p tcp --dport 5222 -m time --timestart 20:00:00 --timestop 03:00:00 --weekdays Sun --kerneltz -j DROP

# 8088 Spectator Mode
iptables -I FORWARD $InsLoc -i br0 -o eth0 -p tcp --dport 8088 -m time --timestart 13:00:00 --timestop 03:00:00 --weekdays Mon,Tue,Wed,Thu --kerneltz -j DROP
iptables -I FORWARD $InsLoc -i br0 -o eth0 -p tcp --dport 8088 -m time --timestart 22:30:00 --timestop 03:00:00 --weekdays Fri,Sat --kerneltz -j DROP
iptables -I FORWARD $InsLoc -i br0 -o eth0 -p tcp --dport 8088 -m time --timestart 20:00:00 --timestop 03:00:00 --weekdays Sun --kerneltz -j DROP

Code: 
admin@RT-AC68U-6000:/jffs/scripts# date
Sun Apr 12 20:42:26 DST 2015

My mac laptop is showing the same time but timezone is showing CDT.

In my Asus Administration->System tab under Miscellaneous then Time Zone, it says (GMT-6:00) Central Time (US, Canada)

Here is the output of iptables -vnL
https://gist.github.com/c0debreaker/72dee8f738c8f85d507c

Now, I removed the --kerneltz and refreshed the firewall script, this is the output iptables -vnL. It is now in UTC. https://gist.github.com/c0debreaker/e4d9c956ca49b20f6b6a
Click to expand...

Just noticed that your script. The part locating the rules is using "INPUT" while the rules are being inserted into "FORWARD".
My mistake, sorry ...
Change the "INPUT" to "FORWARD" everywhere.
 
You must log in or register to reply here.

Similar threads

T
Guest wifi scheduling via iptables
Replies
0
Views
868
Terrabytes
T
P
How would you check or change the router's http or https webinterface port via telnet (only)?
Replies
2
Views
306
powersupply
P
PaulA
Port isolation on RT-AX88U-Pro (router) w/ Merlin w/ Tagged internet ISP
Replies
2
Views
1K
dacotmeister
D
R
One router, two segments desired.
Replies
4
Views
872
Rombo
R
NoBenefit
Does my iptables looks normal?
Replies
1
Views
1K
ColinTaylor
C
Similar threads
Thread starter Title Forum Replies Date
E Mesh Optimization Schedule Asuswrt-Merlin 2
Q [Feature Request] Schedule DoS Protection state and/or whitelist option Asuswrt-Merlin 5
T [Solved]Configure Policy based routing for transparent proxy Asuswrt-Merlin 6
G Will Merlin firmware based on the new 3.0.0.6 version be available?when? Asuswrt-Merlin 3
Z Dual WAN + Dual Firewall Asuswrt-Merlin 11
K Asus router as adblock/firewall server (but not acting as a router) between modem and mesh routers Asuswrt-Merlin 7
M wan dhcpv6 blocked by firewall Asuswrt-Merlin 2
L is enabling firewall necessary (same for upnp) when on a provider with cgnat? Asuswrt-Merlin 5
M Advance firewall rules Asuswrt-Merlin 5
fffddd URL filtering in the firewall does not take effect Asuswrt-Merlin 7

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Members online

Total: 615 (members: 33, guests: 582)
Top