Home / server / Questions / 313925
Accepted
JMW
Asked: 2011-09-22 06:04:18 +0800 CST

iptables: how to give an ip access to a tcp service for one hour?

  • 772

I would like to give an ip access to tcp port 3306 for an hour. After that, all connections must be closed.

How can i add a timeout to the following expression?

iptables -A INPUT -m state --state NEW -m tcp -p tcp --source 1.2.3.4 --dport 3306 -j ACCEPT
linux timeout iptables

2 Answers

  1. Best Answer

    I believe (I've never used it, and found it through the iptables man page) --timestart and --timestop will accomplish this.

    iptables -A INPUT -m state --state NEW,ESTABLISHED,RELATED -m tcp -p tcp --source 1.2.3.4 --dport 3306 --timestart 13:00 --timestop 14:00 -j ACCEPT

    Would allow you between 1 and 2pm.

    This matches if the packet arrival time/date is within a given range. All options are facultative.

    --timestart value

    Match only if it is after 'value' (Inclusive, format: HH:MM ; default 00:00).

    --timestop value

    Match only if it is before 'value' (Inclusive, format: HH:MM ; default 23:59).

    • 3

  2. Alternative solution that does not require iptables time module supported.

    ( iptables -I INPUT -p tcp -s 1.2.3.4 --dport 3306 -j ACCEPT ; sleep 1h; iptables -D INPUT -p tcp -s 1.2.3.4 --dport 3306 -j ACCEPT ) &

    This won't close the connections after hour, it will simply return to whatever policy was before allowing the connection; which can be setup to interrupt and drop/reject the no longer allowed traffic unless you have STATE ESTABLISHED ALLOW beforehand.

    • 2