From: "Taylor, Grant" <gtaylor@riverviewtech.net>
To: netfilter@lists.netfilter.org
Subject: Re: Temporally disable a host
Date: Sun, 15 May 2005 18:28:34 -0500 [thread overview]
Message-ID: <4287DB22.4040608@riverviewtech.net> (raw)
In-Reply-To: <1116065330.2995.106.camel@crux>
bjorn wrote:
> Hello,
>
> I use iptables based on the MonMotha's Firewall script.
> I partly understand what it does but have not been able
> to absorb all the functionality/possibilities that iptables
> offers...
>
> I would like to temporarily disable one of the hosts inside
> my private network from internet access. Possibly all traffic
> or only http traffic. My idea was to add this rule through a
> cron job at a specific time and then later run another job that
> deletes the rule.
>
> Please help me with a suitable iptables command to do this.
>
> Regards,
>
> /Björn
I would recommend that you take a look at the time match extension. The time match extension is meant to allow rule(s) to match based on time, day of week, with start and stop dates with times. This would allow you to have a rule that would allow (ACCEPT) traffic to pass through to / from the server in question only during the times that you want it to. Follow this rule up with a default drop policy to reject traffic if the former does not allow the traffic to flow through. You could conversely set up a rule to drop traffic during the times that you want the system to be offline, but I prefer a default of drop and then explicitly allow the traffic through.
I would recommend that you set up a couple of rules in your firewall in the following order:
1) Set a rule using the time match extension, i.e.
iptables -t filter -A FORWARD -s $IP_address_of_server_to_protect -m time --timestart 08:00 --timestop 17:00 --days Mon,Tue,Wed,Thu,Fri -j ACCEPT
2) Set a rule that will by default match and drop any traffic that was not explicitly accepted in the previous rule, i.e.
iptables -t filter -A FORWARD -s $IP_address_of_server_to_protect -j DROP
Or if you are wanting to only block port 80 and 443 traffic I would do something like the following:
1) Set a rule using the time match extension, i.e.
iptables -t filter -A FORWARD -s $IP_address_of_server_to_protect -p tcp --dport 80 -m time --timestart 08:00 --timestop 17:00 --days Mon,Tue,Wed,Thu,Fri -j ACCEPT
iptables -t filter -A FORWARD -s $IP_address_of_server_to_protect -p tcp --dport 443 -m time --timestart 08:00 --timestop 17:00 --days Mon,Tue,Wed,Thu,Fri -j ACCEPT
2) Set a rule that will by default match and drop any traffic that was not explicitly accepted in the previous rule, i.e.
iptables -t filter -A FORWARD -s $IP_address_of_server_to_protect -p tcp --dport 80 -j DROP
iptables -t filter -A FORWARD -s $IP_address_of_server_to_protect -p tcp --dport 443 -j DROP
Below is the output of "iptables -m time -h".
TIME v1.3.1-20050422 options:
[ --timestart value ] [ --timestop value] [ --days listofdays ] [ --datestart value ] [ --datestop value ]
timestart value : HH:MM (default 00:00)
timestop value : HH:MM (default 23:59)
Note: daylight savings time changes are not tracked
listofdays value: a list of days to apply
from Mon,Tue,Wed,Thu,Fri,Sat,Sun
Coma speparated, no space, case sensitive.
Defaults to all days.
datestart value : YYYY[:MM[:DD[:hh[:mm[:ss]]]]]
If any of month, day, hour, minute or second is
not specified, then defaults to their smallest
1900 <= YYYY < 2037
1 <= MM <= 12
1 <= DD <= 31
0 <= hh <= 23
0 <= mm <= 59
0 <= ss <= 59
datestop value : YYYY[:MM[:DD[:hh[:mm[:ss]]]]]
If the whole option is ommited, default to never stop
If any of month, day, hour, minute or second is
not specified, then default to their smallest
Grant. . . .
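The two-rule pattern from the reply (a time-window ACCEPT followed by an unconditional DROP for the same host) as a small wrapper script. This is an added example, not code from the message or from MonMotha's script. It assumes the classic ipt_time match whose help output is quoted above (so the option is --days, as the help shows); the host address, the chain name HOST_WINDOW, and the ports are constructed placeholders, and the rules go into a dedicated chain that is jumped to from the top of FORWARD so that an earlier blanket ACCEPT in an existing ruleset cannot bypass the window.

```shell
#!/bin/sh
# Added example (not part of the original message): build and install the
# "time-window ACCEPT, then catch-all DROP" pair for one internal host.
# Assumptions: classic ipt_time match (--days, as in the quoted help), a
# hypothetical chain name, and a constructed sample host address.
set -eu

IPTABLES="${IPTABLES:-iptables}"   # set to "echo" for a dry run
CHAIN="${CHAIN:-HOST_WINDOW}"      # hypothetical chain name
DAYS="${DAYS:-Mon,Tue,Wed,Thu,Fri}"
START="${START:-08:00}"
STOP="${STOP:-17:00}"

# Return 0 when the value is HH:MM with 00<=HH<=23 and 00<=MM<=59.
valid_hhmm() {
    case "$1" in
        [0-1][0-9]:[0-5][0-9]|2[0-3]:[0-5][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# Emit the iptables arguments for the window ACCEPT rule:
# host in $1, optional TCP destination port in $2.
accept_args() {
    host="$1"; port="${2:-}"; proto=""
    [ -n "$port" ] && proto="-p tcp --dport $port "
    printf '%s' "-t filter -A $CHAIN -s $host ${proto}-m time --timestart $START --timestop $STOP --days $DAYS -j ACCEPT"
}

# Emit the arguments for the DROP rule that must follow the ACCEPT,
# with the same host/port selector so only that traffic is affected.
drop_args() {
    host="$1"; port="${2:-}"; proto=""
    [ -n "$port" ] && proto="-p tcp --dport $port "
    printf '%s' "-t filter -A $CHAIN -s $host ${proto}-j DROP"
}

# Install the policy for host $1 and zero or more TCP ports; with no
# ports, all traffic from the host is subject to the window.
install_policy() {
    host="$1"; shift
    valid_hhmm "$START" && valid_hhmm "$STOP" || { echo "bad window" >&2; return 1; }
    # Create (or reuse) the chain and start from an empty one.
    $IPTABLES -t filter -N "$CHAIN" 2>/dev/null || true
    $IPTABLES -t filter -F "$CHAIN"
    if [ $# -eq 0 ]; then
        $IPTABLES $(accept_args "$host")
        $IPTABLES $(drop_args "$host")
    else
        # All ACCEPTs first, then all DROPs, so order is never wrong.
        for p in "$@"; do $IPTABLES $(accept_args "$host" "$p"); done
        for p in "$@"; do $IPTABLES $(drop_args "$host" "$p"); done
    fi
    # Jump into the chain at position 1 of FORWARD, only once.
    $IPTABLES -t filter -L FORWARD -n | grep -q "^$CHAIN " \
        || $IPTABLES -t filter -I FORWARD 1 -s "$host" -j "$CHAIN"
}

# Sample invocation with a constructed address; run with IPTABLES=echo
# to review the generated rules before applying them.
if [ "${1:-}" = "--demo" ]; then
    install_policy 192.168.1.50 80 443
fi
```

Because the rules live in their own chain, a cron job that needs to lift the restriction for a while can flush that chain rather than hunting for rule numbers in FORWARD, and re-running install_policy restores it. The help text quoted above notes that daylight saving changes are not tracked, so check the window against the firewall's clock after a DST switch.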