Mageia forum

[wa7qzr]

I may have inadvertently uncovered a bug in IPTABLES v 1.4.11.1.

I am using a couple of "time interval" rules in my firewall script. Those rules, generated by fwbuilder 5, are as follows:

echo "Rule 5 (global)"
#
# Disallow web traffic except
# during the specifiec Time Interval.
$IPTABLES -N Cid4276X22838.0
for i_eth0 in $i_eth0_list
do
test -n "$i_eth0" && $IPTABLES -A INPUT -p tcp -m tcp -m multiport -s $i_eth0 --dports 80,443 -m state --state NEW -j Cid4276X228
38.0
done
$IPTABLES -N RULE_5
$IPTABLES -A Cid4276X22838.0 -m time --datestart 2011-01-01T18:00:00 --datestop 2020-01-01T21:05:00 --weekdays Mon,Tue,Wed,Thu,Fri -j
RULE_5
$IPTABLES -A Cid4276X22838.0 -m time --timestart 08:00 --timestop 11:30 --weekdays Sun,Sat -j RULE_5
$IPTABLES -N Cid4276X22838.1
$IPTABLES -A OUTPUT -p tcp -m tcp -m multiport --dports 80,443 -m state --state NEW -j Cid4276X22838.1
$IPTABLES -A Cid4276X22838.1 -m time --datestart 2011-01-01T18:00:00 --datestop 2020-01-01T21:05:00 --weekdays Mon,Tue,Wed,Thu,Fri -j
RULE_5
$IPTABLES -A Cid4276X22838.1 -m time --timestart 08:00 --timestop 11:30 --weekdays Sun,Sat -j RULE_5
$IPTABLES -A RULE_5 -j LOG --log-level info --log-prefix "RULE 5 -- ACCEPT "
$IPTABLES -A RULE_5 -j ACCEPT

What is produced with /sbin/iptables -L looks like this:

Chain Cid4276X22838.0 (1 references)
target prot opt source destination
RULE_5 all -- anywhere anywhere TIME on Mon,Tue,Wed,Thu,Fri starting from 2011-01-01 18:00:00 until date 2020-01-01 21:05:00 UTC
RULE_5 all -- anywhere anywhere TIME from 08:00:00 to 11:30:00 on Sat,Sun UTC

Chain Cid4276X22838.1 (1 references)
target prot opt source destination
RULE_5 all -- anywhere anywhere TIME on Mon,Tue,Wed,Thu,Fri starting from 2011-01-01 18:00:00 until date 2020-01-01 21:05:00 UTC
RULE_5 all -- anywhere anywhere TIME from 08:00:00 to 11:30:00 on Sat,Sun UTC

As you can see, IPTABLES doesn't seem to be using the system timezone. The output of the "date" command is:
Tue Sep 27 10:57:49 PDT 2011
I've used these same rules on a Mandriva 2010.2 system with IPTABLES 1.4.7 and the system timezone is correctly detected.

Is there a workaround for this that does not involve changing the timezone or the hardware clock, or should I just wait for an update?

Thanks,

Mike - wa7qzr

[wa7qzr]

FYI - I removed IPTABLES 1.4.11.1 and installed the rpm packages for v.1.4.7, and all it's dependencies, from Mandriva 2010.2 and it installed and worked correctly. So, that seems to be the easiest fix for anyone else having the problem using time-dependent rules in their firewall configuration. Hopefully now, updates won't nag me to death about the older version.

[doktor5000]

Could you please do a proper bug report about this, as this seems to be reproducable:
https://bugs.mageia.org/enter_bug.cgi?p ... mat=guided

[wa7qzr]

Sure & thanks for the link.

[doktor5000]

Also for reference please post the link here if you reported this.

[wa7qzr]

I think this is the link:

https://bugs.mageia.org/show_bug.cgi?id=2858

Yeah, that looks like it.

'Nite all!

[wa7qzr]

To anyone interested:

Thomas Backlund reports: It's an intended change from upstream.
https://git.netfilter.org/cgi-bin/gitwe ... 035c88ff11

So, I guess that'll keep everyone busy rewriting their programs to deal with this latest "improvement". Yeah, like there aren't more important matters to deal with than trying to cope with senseless, arbitrary software changes.

Oh well. The story of my life.

'Nite all!