[Solved] Enable/disable ip rule via crontab schedule

Is it possible to enable/disable a route/ip rule on a time schedule via crontab?

I'm guessing only the rule would need to be enabled/disabled, as the route has no need to be disabled when the rule is disabled.

thanks

a bash script like so?

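#!/bin/sh
# OpenWrt's default shell is BusyBox ash at /bin/sh; bash is an optional package.

# Disable the ip rule. It is a `config rule` section of /etc/config/network
# (network.@rule[0] on this router), not a firewall rule.
# NOTE: @rule[0] is a positional index -- re-check it with `uci show network`
# whenever rules are added or removed, or this will toggle a different rule.
uci set network.@rule[0].disabled='1'

# Commit only the network config; nothing in the firewall config was changed,
# so there is nothing to commit or restart there.
uci commit network

# Reload the network configuration instead of restarting the whole network
# (and firewall), which would interrupt every client on a schedule.
/etc/init.d/network reload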

Should the rule be enabled and disabled at set times?

at what times?

please post command:

# Read-only diagnostics: these print configuration, they do not change it.
# NOTE: /etc/config/network is printed in full, so the paste includes MAC
# addresses and, where configured, credentials such as PPPoE passwords or
# WireGuard private keys -- redact those before posting on a public forum.
cat /etc/config/network 
# An unscoped `uci show` dumps every config, so the grep also matches
# unrelated firewall/luci/openvpn entries; the lines of interest are the
# network.@route[...] and network.@rule[...] ones.
uci show | grep route
uci show | grep rule

yes

at 12am enable
at 6am disable

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipv6 '0'
	option delegate '0'
	option ipaddr '192.168.42.1'
	option ip4table '1'
	option ip6table '1'

config device
	option name 'eth0.2'
	option macaddr '18:d6:c7:3e:f5:61'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 2 3 4 6t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '0 6t'

config rule
	option lookup '100'
	option in 'lan'
	option src '192.168.42.100/32'
	option priority '1'

config interface 'coconut'
	option proto 'dhcp'
	option device 'eth1'
	option peerdns '0'
	list dns '1.1.1.1'

config route
	option interface 'coconut'
	option target '0.0.0.0/0'
	option gateway '192.168.0.1'
	option table '100'
	option metric '200'

root@OpenWrt:~# uci show | grep route
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
luci.diag.route='openwrt.org'
network.@route[0]=route
network.@route[0].interface='coconut'
network.@route[0].target='0.0.0.0/0'
network.@route[0].gateway='192.168.0.1'
network.@route[0].table='100'
network.@route[0].metric='200'
openvpn_recipes.server_tun_ptp._description='Simple server configuration for a routed point-to-point VPN'
openvpn_recipes.client_tun_ptp._description='Simple client configuration for a routed point-to-point VPN'
openvpn_recipes.server_tun._description='Server configuration for a routed multi-client VPN'
openvpn_recipes.client_tun._description='Client configuration for a routed multi-client VPN'

root@OpenWrt:~# uci show | grep rule
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='lan'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ISAKMP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.@rule[9]=rule
firewall.@rule[9].name='roku'
firewall.@rule[9].dest='*'
firewall.@rule[9].target='REJECT'
firewall.@rule[9].src_ip='192.168.42.101'
firewall.@rule[9].proto='all'
firewall.@rule[9].src='*'
network.@rule[0]=rule
network.@rule[0].lookup='100'
network.@rule[0].in='lan'
network.@rule[0].src='192.168.42.100/32'
network.@rule[0].priority='1'

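# Helper that switches the policy route off. The quoted "EOF" delimiter stops
# the interactive shell from expanding anything inside the here-document.
cat << "EOF" > /root/disable
#!/bin/sh
#disable
# NOTE: @route[0] / @rule[0] are positional indexes; re-check them with
# `uci show network` if routes or rules are added, removed or reordered,
# otherwise this job silently toggles a different entry.
uci set network.@route[0].disabled='1'
uci set network.@rule[0].disabled='1'
# Commit only the network config: a bare `uci commit` would also write out
# any staged, unreviewed changes to every other config (firewall included).
uci commit network
/etc/init.d/network reload
EOF

# Helper that switches the policy route back on (same caveats as above).
cat << "EOF" > /root/enable
#!/bin/sh
#enable
uci set network.@route[0].disabled='0'
uci set network.@rule[0].disabled='0'
uci commit network
/etc/init.d/network reload
EOF

# Both scripts are run by root's cron, so keep them readable, writable and
# executable by root only.
chmod 700 /root/disable
chmod 700 /root/enable

# Schedule: enable at 00:00, disable at 06:00.
# The minute field must be 0, not *: "* 0 * * *" fires every minute from
# 00:00 to 00:59, i.e. 60 commits and 60 network reloads per night.
# Times are the router's local time, so check its timezone and NTP sync.
echo "#min hour day month day-week command" >> /etc/crontabs/root
echo "#0-59 0-23 1-31 1-12 0-6(0=Sunday) exec" >> /etc/crontabs/root
echo "0 0 * * * /root/enable" >> /etc/crontabs/root
echo "0 6 * * * /root/disable" >> /etc/crontabs/root

# Make sure crond is enabled at boot and picks up the new entries; it may not
# be running yet if the crontab was empty when the router started.
/etc/init.d/cron enable
/etc/init.d/cron restart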


were as clear as your post,

many people forget details and/or other

it was a pleasure to be able to help you


thank you :slight_smile:

Might I suggest moving those files into a more isolated location, and adding that location to sysupgrade's backup list?

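# Keep the helper scripts in their own directory; -p makes a re-run harmless.
mkdir -p /root/bin
# Name the two scripts explicitly: the glob /root/*able would also move any
# other file in /root whose name happens to end in "able".
mv /root/enable /root/disable /root/bin/
# Add the directory to sysupgrade's backup list, but only once.
grep -qxF '/root/bin/' /etc/sysupgrade.conf 2>/dev/null ||
  echo '/root/bin/' >> /etc/sysupgrade.conf
# The cron entries still point at the old paths until /etc/crontabs/root is
# edited; until then the scheduled jobs fail because the files have moved.
sysupgrade -l | grep able   # Just to verify...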

And of course, edit /etc/crontabs/root to point to the new script location...

The above will survive across sysupgrade with backup, auc and asu, so you don't have to reconstruct your work (usually after you forgot how you did it originally).


I agree with you
