Recently I was asked to control access to couple of services based upon day and time. For example ftp server should be only available from Monday to Friday between 9 AM to 6 PM only. It is true that many services and daemons have in built facility for day and time based access control. For example xinetd offers data and time based access control. Iptables also allows such control via time patch/module. It matches if the packet arrival time/date is within a given range. This is very handy when you want a service to be available only at certain times of day or even certain days.
iptables RULE -m time --timestart TIME --timestop TIME --days DAYS -j ACTION
- –timestart TIME : Time start value . Format is 00:00-23:59 (24 hours format)
- –timestop TIME : Time stop value.
- –days DAYS : Match only if today is one of the given days. (format: Mon,Tue,Wed,Thu,Fri,Sat,Sun ; default everyday)
Suppose you would like to allow incoming ssh access only available from Monday to Friday between 9 AM to 6. Then you need to use iptables as follows:
iptables -A INPUT -p tcp -s 0/0 --sport 513:65535 -d 22.214.171.124 --dport 22 -m state --state NEW,ESTABLISHED -m time --timestart 09:00 --timestop 18:00 --days Mon,Tue,Wed,Thu,Fri -j ACCEPT
iptables -A OUTPUT -p tcp -s 126.96.36.199 --sport 22 -d 0/0 --dport 513:65535 -m state --state ESTABLISHED -m time --timestart 09:00 --timestop 18:00 --days Mon,Tue,Wed,Thu,Fri -j ACCEPT
- Please note time module is not part of standard kernel, you need to download and apply patch from Patch-O-Matic
- Read iptables man page for more information.