what is the –kerneltz in iptables command

pradipta asked:

I am using iptables for my project but facing some problem as follow.

1.in iptables 1.4.7

iptables -A INPUT -s 10.0.4.247 -m time  --datestart 2013-5-16T12 --datestop 2013-5-16T16 -j DROP

or

iptables -A INPUT -s 10.0.4.247 -m time  --localtz --datestart 2013-5-16T12 --datestop 2013-5-16T16 -j DROP

output of date command

Thu May 16 15:52:11 IST 2013

both the commands above is not working. As i can able to ping form 10.0.4.247 to the machine.

why this is not working as default it should be --localtz.(man page of iptables v 1.4.7)

2.in iptables v 1.4.12

iptables -A INPUT -s 10.0.4.247 -m time  --kerneltz --datestart 2013-5-16T12 --datestop 2013-5-16T16 -j DROP

This is working as I am not able to ping from the ip 10.0.4.247

iptables -A INPUT -s 10.0.4.247 -m time  --datestart 2013-5-16T12 --datestop 2013-5-16T16 -j DROP

This rule bydefault set to follow UTC timezone but in man page it showing,the default is --kerneltz.[man of iptables v1.4.12]

can any one tell me what is problem with the iptables ,I need to block some ip/port for a specified time duration,but unable find what to do.

what is actually meaning of --kerneltz and is it safe to use this.

kindly tell some answer

Thanks

My answer:


--kerneltz is explained in full in the man page:

   --kerneltz
          Use the kernel timezone instead of UTC to  determine  whether  a
          packet meets the time regulations.

   About  kernel timezones: Linux keeps the system time in UTC, and always
   does so.  On boot, system time is initialized from a  referential  time
   source. Where this time source has no timezone information, such as the
   x86 CMOS RTC, UTC will be assumed. If the time source is however not in
   UTC,  userspace  should provide the correct system time and timezone to
   the kernel once it has the information.

   Local time is a feature on top of  the  (timezone  independent)  system
   time. Each process has its own idea of local time, specified via the TZ
   environment variable. The kernel also has its own timezone offset vari‐
   able. The TZ userspace environment variable specifies how the UTC-based
   system time is displayed, e.g. when you run date(1), or what you see on
   your  desktop clock.  The TZ string may resolve to different offsets at
   different dates, which is what enables the  automatic  time-jumping  in
   userspace.  when  DST changes. The kernel's timezone offset variable is
   used when it has to  convert  between  non-UTC  sources,  such  as  FAT
   filesystems,  to  UTC  (since the latter is what the rest of the system
   uses).

   The caveat with the kernel timezone is  that  Linux  distributions  may
   ignore  to  set  the  kernel  timezone, and instead only set the system
   time. Even if a particular distribution does set the timezone at  boot,
   it  is usually does not keep the kernel timezone offset - which is what
   changes on DST - up to date.  ntpd will not touch the kernel  timezone,
   so  running it will not resolve the issue. As such, one may encounter a
   timezone that is always +0000, or one that is wrong half of the time of
   the year. As such, using --kerneltz is highly discouraged.

I see nothing in the man page to indicate that --kerneltz is the default. Rather it specified that times given in --datestart and --datestop will be interpreted as UTC.

What you really should do is to set the system clock to UTC. This should resolve this problem, as well as a variety of other problems you don’t yet know you have.


View the full question and answer on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.