Port Forwarding only during certain times?

Discussion in 'Tomato Firmware' started by nobugme, Apr 10, 2008.

  1. nobugme

    Port Forwarding only during certain times? (like access restriction)

    I am trying to figure out the best way to basically disable port forwarding during certain times (using cron and iptables). I think I have a pretty good idea, but would like some input.

    Currently, I have TCP/UDP port 5001 open at all times (via Port Forwarding GUI). I am trying to disable it from 6 to 10pm on Tuesdays. Please let me know what you guys think of this:

    cru a test1 0 18 * * 2 iptables -I INPUT 1 -d -p ALL --dport 5001 -j DROP
    cru a test2 0 22 * * 2 iptables -D INPUT 1
    This should insert the rule at the beginning of INPUT at 6pm, then delete the rule at 10pm.
    Where do I put this script? Init? Firewall? Somewhere else?
    Is the syntax correct?
    Is this the best way to accomplish this?
    Would it be better to have the port forward created with cron (to be denied later by cron) rather than the GUI?
    Should it be something besides INPUT (like PREROUTING or FORWARD)?
    Will it correctly forward to the internal IP of

  2. nobugme

    After thinking about it a little more, if I just leave the port forward enabled on the GUI and just drop all packets to the IP address between 6 and 10pm (on Tuesdays), it would work the same:

    cru a test1 "0 18 * * 2 iptables -I FORWARD -d -j DROP"
    cru a test2 "0 22 * * 2 iptables -D FORWARD -d -j DROP"
    I also changed the chain to FORWARD, as it seems more fitting.

    How does the cron syntax look? Are the quotation marks correct? Will that work with iptables? Lastly, where do I put the cron scripts in the GUI? Init?

    Thanks again,
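    The plan in the two posts above, written out as an added example (not nobugme's own commands): the FORWARD chain sees the post-DNAT destination, so matching the LAN host and port there is right, but `--dport` needs `-p tcp` or `-p udp` (not `-p ALL`), and deleting "rule 1" by number at 10pm is fragile because Tomato rebuilds the firewall whenever the WAN reconnects, so a dedicated chain that the 10pm job simply flushes is safer. The LAN host 192.168.1.50, the chain name and the cru job ids are placeholders, not values from the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Placeholders: LAN host, chain name, job ids.
LAN_HOST=${LAN_HOST:-192.168.1.50}
PORT=${PORT:-5001}
CHAIN=${CHAIN:-fwd_window}
IPT=${IPT:-iptables}

# Commands for Administration > Scripts > Firewall. Tomato re-runs that script
# each time it rebuilds the firewall (e.g. WAN reconnect), which is also when
# any rule we inserted by hand would have been wiped, so the hook is recreated
# here rather than by cron. Flushing our own chain never touches other rules.
firewall_setup() {
  cat <<EOF
$IPT -N $CHAIN 2>/dev/null
$IPT -F $CHAIN
$IPT -D FORWARD -j $CHAIN 2>/dev/null
$IPT -I FORWARD 1 -j $CHAIN
EOF
}

# Rules added at 18:00 on Tuesday. FORWARD sees the DNAT'ed (internal)
# destination, so match the LAN host. --dport requires a real protocol,
# hence one rule for tcp and one for udp.
block_rules() {
  printf '%s -A %s -d %s -p tcp --dport %s -j DROP\n' "$IPT" "$CHAIN" "$LAN_HOST" "$PORT"
  printf '%s -A %s -d %s -p udp --dport %s -j DROP\n' "$IPT" "$CHAIN" "$LAN_HOST" "$PORT"
}

# At 22:00 flush only our chain; no rule numbers involved, so it cannot
# delete somebody else's rule if the firewall was rebuilt in between.
unblock_rules() {
  printf '%s -F %s\n' "$IPT" "$CHAIN"
}

# cru lines for Administration > Scripts > Init (cron entries are lost on
# reboot). Busybox crond runs the command through sh -c, so ';' is fine.
cron_lines() {
  block=$(block_rules | tr '\n' ';')
  printf 'cru a fwdblock "0 18 * * 2 %s"\n' "$block"
  printf 'cru a fwdunblock "0 22 * * 2 %s"\n' "$(unblock_rules)"
}

# Usage: firewall_setup; cron_lines   (paste the output into the two script boxes)
```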
  3. nobugme

    I am trying to learn this whole iptables thing - should there be a POSTROUTING chain with Tomato (v1.18)? I am not seeing it when I do an "iptables --list". I think I need to put my rule there to drop packets from the WAN as well as the LAN, but can't - I get an "iptables: No chain/target/match by that name" error. I've tried to create the chain, but it doesn't seem to stick.

    One last thing - what exactly does the "rcheck --cron" do?
    Thanks again,
  4. nvtweak

    The POSTROUTING chain is in the nat and mangle tables.

    iptables -t nat -L -nv --line-numbers
  5. nobugme

    Thanks! I'll learn it all someday.