From: Fabrice MARIE <fabrice@netfilter.org>
To: vlad <faktadmin@mail.ru>,
	"netfilter@lists.netfilter.org" <netfilter@lists.netfilter.org>
Subject: Re: time modules
Date: Sun, 23 Mar 2003 19:21:04 +0800
Message-ID: <200303231921.04004.fabrice@netfilter.org>
In-Reply-To: <15911867640.20030318121718@mail.ru>


Hi Vladimir,

On Tuesday 18 March 2003 15:17, vlad wrote:
> Hello netfilter,
> iptables -I INPUT 1 -p tcp -s 192.168.1.2/32 -m time --timestart \
> 11:00 --timestop 17:00 --days Sun,Mon,Tue,Wed,Thu,Fri,Sat \
> -d 192.168.1.1/32 --j DROP
> Default policy in INPUT chain - DROP
> But... packets allows to 192.168.1.240 (server) in this
> time --> 11:00-17:00.
> Why?

With a quick guess, two reasons come to mind:
1- you have an ACCEPT rule that shadows the -m time -j DROP rule,
   therefore nullifying its effect.
2- the packets that you talk about still being allowed might be from
   a forwarding connection? In which case you have to filter in
   forward chain.

To see if 1 is your problem, simply put the rule -m time -j DROP at
the _beginning_ of the ruleset, this way you'll be sure it won't be shadowed
by other rules.

To see if 2 is your problem, simply put the rule -m time -j DROP in
the FORWARD chain instead.

Have a nice day,

Fabrice.
--
Fabrice MARIE

"Silly hacker, root is for administrators"
       -Unknown
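
Both guesses in the reply above can be checked offline by modelling first-match-wins over a saved ruleset. This is an added example, not part of the original message: the ACCEPT and FORWARD rules, the set of local addresses and the helper names are constructed assumptions, and the time match is reduced to start/stop only (no day list, no wrap past midnight).

```python
import ipaddress
import shlex
from datetime import time

# Constructed ruleset in iptables-save style (assumption, not from the thread):
# a broad ACCEPT sits above the time-based DROP that the question describes.
RULES = """\
-A INPUT -s 192.168.1.0/24 -p tcp -j ACCEPT
-A INPUT -s 192.168.1.2/32 -d 192.168.1.1/32 -p tcp -m time --timestart 11:00 --timestop 17:00 -j DROP
-A FORWARD -s 192.168.1.2/32 -p tcp -m time --timestart 11:00 --timestop 17:00 -j DROP
"""

def parse(text):
    """Turn each '-A CHAIN ...' line into {option: value}; every option used here takes one argument."""
    return [dict(zip(t[0::2], t[1::2])) for t in map(shlex.split, text.splitlines())]

def matches(rule, pkt):
    """True when every criterion present in the rule matches the packet."""
    if "-s" in rule and ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(rule["-s"]):
        return False
    if "-d" in rule and ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(rule["-d"]):
        return False
    if "-p" in rule and rule["-p"] != pkt["proto"]:
        return False
    if "--timestart" in rule:
        start = time.fromisoformat(rule["--timestart"])
        stop = time.fromisoformat(rule["--timestop"])
        if not start <= pkt["at"] <= stop:
            return False
    return True

def verdict(rules, pkt, local_addrs, policy="DROP"):
    """Pick the chain from the destination, then return (chain, rule number, target).

    Rule number 0 means no rule matched and the chain policy decided.
    """
    chain = "INPUT" if pkt["dst"] in local_addrs else "FORWARD"
    for n, rule in enumerate([r for r in rules if r["-A"] == chain], start=1):
        if matches(rule, pkt):
            return chain, n, rule["-j"]
    return chain, 0, policy

if __name__ == "__main__":
    rules = parse(RULES)
    local = {"192.168.1.1"}  # addresses owned by the firewall itself (assumption)
    for dst in ("192.168.1.1", "192.168.1.240"):
        pkt = {"src": "192.168.1.2", "dst": dst, "proto": "tcp", "at": time(12, 0)}
        print(dst, verdict(rules, pkt, local))
```

A result of rule 1 with target ACCEPT in INPUT is the shadowing case; a FORWARD result for the .240 destination means the INPUT rule is never consulted for that traffic.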

