iptables match time problem

[abolu]

Dear all,

I am a new iptables user.
I have some problem on using iptables match time.

After patch the time of patch-o-matic-ng, I can use command as below :
iptables -A INPUT -p all -m time --timestart 00:00 --timestop 23:59 --days Sun,Mon,Tue,Wed,Thu,Fri,Sat -j DROP
And don't know why the packet doesn't filter by this rule.

I try to use commnad "iptables -A INPUT -p all -j DROP"
The ping packet to router is filter by this rule.

Can anyone help me to find out this problem?

Thanks a lot

[cuervo73]

abolu,

it is hard to say why this rule doesn't fire when it is placed into your ruleset
without seeing your entire ruleset.
.
Have you tried debugging by first clearing all rule counts by: iptables -Z
then running your test for time, and finally, rechecking your rule counts by:
iptables -L -n -v --line-numbers That should show you which path was taken
thru your rules. Most probably, some prior rule fired, and thus never reached
your time rule.

cuervo

[abolu]

cuervo,

Thanks your advice.

I find the answer of my problem yesterday.
Trace the source code and print some debug message in the kernel ipt_time module.
The key point is the date_start and date_stop check.
I don't input the date range in my iptables range.
After delete the date check, my iptables time rule is working fine.

I have another problem about Iptables about trigger port.
I will create another thread and won't discuss in this thread.
If you have free time, please give some advice.

Thanks.