
Req: iptables time function

Discussion in 'Tomato Firmware' started by Sean Rhodes, Dec 3, 2013.

  1. Sean Rhodes

    Sean Rhodes Serious Server Member

    When I do an iptables -h, I don't see the time function. I was reading somewhere that it is possible to patch the iptables to add rules based on time of day.

    iptables RULE -m time --timestart TIME --timestop TIME --days DAYS -j ACTION
    Does anyone know how to do this?

    I found a thread called Patch-O-Matic, but I don't know if it's compatible with shibby's Tomato linux version


    and http://www.netfilter.org/documentation/HOWTO/netfilter-extensions-HOWTO-2.html#ss2.1

  2. shibby20

    shibby20 Network Guru Member

    time module is in tomato sources. All you need to do is change linux/linux-2.6/config_base

    and compile tomato build.
  3. Sean Rhodes

    Sean Rhodes Serious Server Member

    Thanks Shibby
  4. Sean Rhodes

    Sean Rhodes Serious Server Member

    Help! When I try to clone your repository git clone git://repo.or.cz/w/tomato.git I keep getting the error message "The remote end hung up unexpectedly". What am I doing wrong?
  5. koitsu

    koitsu Network Guru Member

    How to use the time module has already been discussed. Read the thread, from page 5 backwards:


    Possibly it's not included in shibby (unsure), but with Toastman it's there (no need to modprobe, etc.). I give examples in that thread showing how to get usage arguments, etc. People just don't seem to have familiarity with netfilter. :/

    It's still an inappropriate module however; anything relating to "keeping track of time" or "doing things at a certain time" is a job for cron (i.e. userland) and really should not be in kernel space.
  6. Sean Rhodes

    Sean Rhodes Serious Server Member

    Thanks for the info koitsu, I will have a look at that, but I would like to be able to build a version, but I'm not sure what I'm doing wrong:

    I'm trying to build the tomato-E4200USB-NVRAM60K-1.28.RT-N5x-MIPSR2-115-AIO.bin version.
    I'm running make v1=n60z v2=n64o, but I keep getting grep: tomato_profile.mak no such file or directory.

    I'm clearly missing something?
  7. koitsu

    koitsu Network Guru Member

    I want to understand -- are you trying to build the firmware because you want the time netfilter module? If so, I'm surprised the firmware you're using doesn't already have it. You should be able to, as I mentioned in the thread, use iptables -m time -h and get usage syntax for the time module. If it doesn't work, try modprobe ipt_time first then followed by what I just said and see if that suffices. I can confirm it exists as /lib/modules/ on Toastman. It's incredibly small (3.9KBytes) so if other TomatoUSB firmwares have it disabled that's a bit of a surprise.

    If you really truly are wanting to build the firmware, you should follow the instructions on my blog. I have seen the error you're referring to, and usually it's a result of being in the wrong directory when doing make or a result of having wrong tools, wrong paths, or wrong symlinks in place on the system.

    The process may be different (even improved) on other TomatoUSB firmwares.
  8. Sean Rhodes

    Sean Rhodes Serious Server Member

    Thanks koitsu, it does have time in. I assumed that using iptables -h would show everything but it doesn't, so I assumed it wasn't there. However when taking your advice and using iptables -m time -h, then it is displayed. Looks like I still have lots to learn.

    As of now, I would like to build my own just to better understand. I will follow your blog and see if that works. Currently I'm using a 64 bit Ubuntu 11.10 virtual image in Parallels on an iMac. I will uninstall and put the x86 version on if I have problems after following your blog.

    As an FYI, I'm just trying different methods to circumvent the issue where my rules disappear after a few hours, even after adding them directly via ssh and doing an nvram commit.

    I'm wondering if I'm trying to do too many things and the router can't handle it?

    I have a Linksys E4200 v1 and I'm running optware from an external USB, pixelserv, a VPN client that uses a wan up script and a firewall script that blocks everything except a bunch of whitelisted MAC addresses, in addition to a whole bunch of port forwards.

    Thanks again for all your help
    Last edited: Dec 4, 2013
