Iptables Restricting Access By Time Of The Day

Posted on in Categories Debian Linux, Howto, Iptables, Linux, Linux desktop, RedHat/Fedora Linux, Sys admin, Tips, Ubuntu Linux last updated January 12, 2006

Recently I was asked to control access to couple of services based upon day and time. For example ftp server should be only available from Monday to Friday between 9 AM to 6 PM only. It is true that many services and daemons have in built facility for day and time based access control. For example xinetd offers data and time based access control. Iptables also allows such control via time patch/module. It matches if the packet arrival time/date is within a given range. This is very handy when you want a service to be available only at certain times of day or even certain days.

General syntax:

iptables RULE -m time --timestart TIME --timestop TIME --days DAYS -j ACTION

Where,

  • –timestart TIME : Time start value . Format is 00:00-23:59 (24 hours format)
  • –timestop TIME : Time stop value.
  • –days DAYS : Match only if today is one of the given days. (format: Mon,Tue,Wed,Thu,Fri,Sat,Sun ; default everyday)

An example
Suppose you would like to allow incoming ssh access only available from Monday to Friday between 9 AM to 6. Then you need to use iptables as follows:
Input rule:

iptables -A INPUT -p tcp -s 0/0 --sport 513:65535 -d 202.54.1.20 --dport 22 -m state --state NEW,ESTABLISHED -m time --timestart 09:00 --timestop 18:00 --days Mon,Tue,Wed,Thu,Fri -j ACCEPT

Output rule:

iptables -A OUTPUT -p tcp -s 202.54.1.20 --sport 22 -d 0/0 --dport 513:65535 -m state --state ESTABLISHED -m time --timestart 09:00 --timestop 18:00 --days Mon,Tue,Wed,Thu,Fri -j ACCEPT

References:

  • Please note time module is not part of standard kernel, you need to download and apply patch from Patch-O-Matic
  • Read iptables man page for more information.

Posted by: Vivek Gite

The author is the creator of nixCraft and a seasoned sysadmin and a trainer for the Linux operating system/Unix shell scripting. He has worked with global clients and in various industries, including IT, education, defense and space research, and the nonprofit sector. Follow him on Twitter, Facebook, Google+.

6 comment

  1. Hehe this is amazing what IPTABLES can do 😀
    Thanks for help, I just limited someone access to VPN to workdays only 😉

    in IPtables 1.4.8 there is no option “–days”, just “–weekdays”

Leave a Comment