I want to allow connections from LAN devices to the Internet only during scheduled time sessions. My starting point is the code from this project: https://forum.openwrt.org/viewtopic.php?id=60801
Here is an example of the firewall config addition:
config rule
	option src 'lan'
	option dest 'wan'
	option extra '--kerneltz'
	option proto '0'
	option target 'ACCEPT'
	option src_mac 'xx:xx:xx:xx:xx:xx'
	option enabled '1'
	option start_time '15:35'
	option stop_time '17:00'
The problem is that the rule works fine for granting access once you reach the start_time, but it fails to stop any connections that are already established when you reach the stop_time. Here are two sections of the iptables output that explain why:
Chain delegate_forward (1 references)
target prot opt source destination
forwarding_rule all -- anywhere anywhere /* user chain for forwarding */
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
zone_lan_forward all -- anywhere anywhere
zone_wan_forward all -- anywhere anywhere
zone_wan_forward all -- anywhere anywhere
reject all -- anywhere anywhere
The packets from already established connections hit that second rule and never make it to my scheduling rule, which is part of the zone_lan_forward section as per below:
Chain zone_lan_forward (1 references)
target prot opt source destination
forwarding_lan_rule all -- anywhere anywhere /* user chain for forwarding */
zone_wan_dest_REJECT all -- anywhere anywhere MAC xx:xx:xx:xx:xx:xx TIME from 17:51:00 to 18:00:00 /* @rule[9] */
zone_wan_dest_ACCEPT all -- anywhere anywhere /* forwarding lan -> wan */
ACCEPT all -- anywhere anywhere ctstate DNAT /* Accept port forwards */
zone_lan_dest_ACCEPT all -- anywhere anywhere
My questions are:
Is there any way I can force my new schedule rule to appear BEFORE the rule for established connections in delegate_forward?
How does this "user chain for forwarding" work?
It would be much nicer to specify my rule with the timing when traffic is allowed (ACCEPT) instead of when it's blocked (REJECT), but I've given up on that because it doesn't seem possible.
If possible, I would like to implement these rules within the firewall config file, not using raw iptables commands, to enjoy the LuCI CBI functionality.
(Last edited by sleepyhead on 23 Jun 2016, 15:13)
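Added example, not part of the original post and not OpenWrt's own code: a firewall include script that does what the questions above ask for. It relies on two things visible in the iptables listing in the post. First, `forwarding_rule` (the "user chain for forwarding") is the first entry of `delegate_forward`, ahead of the `ctstate RELATED,ESTABLISHED` accept; fw3 creates that chain empty precisely so that `/etc/firewall.user` and other `config include` scripts can append rules to it, so anything placed there is evaluated before established connections are accepted and therefore also hits packets of flows that were opened during the allowed window. Second, the iptables `time` match treats a `--timestop` earlier than `--timestart` as two intervals (stop to midnight, midnight to start) unless `--contiguous` is given, so the REJECT can be written from the allowed window's own start and stop times. Assumed here and not stated on the page: the placeholder MAC, `br-lan` as the LAN bridge, reading the WAN device with `network_get_device` from `/lib/functions/network.sh`, and that the `mac` and `time` matches are loaded (the listing shows both in use).

```shell
#!/bin/sh
# Added example (not from the original post, not OpenWrt's own code):
# /etc/firewall.user for OpenWrt 15.05 that lets one LAN device reach the
# Internet only inside ALLOW_START..ALLOW_STOP and cuts it off at the end
# of the window even for connections that are already established.
#
# Assumptions not stated on the page: the MAC is a placeholder, the LAN
# bridge is br-lan, the WAN device is read with network_get_device, and the
# iptables "mac" and "time" matches are loaded (the post's listing uses both).

DEVICE_MAC="aa:bb:cc:dd:ee:ff"   # placeholder: the client to schedule
ALLOW_START="15:35"              # Internet allowed from ...
ALLOW_STOP="17:00"               # ... up to (HH:MM, router local time)
LAN_IF="br-lan"

# HH:MM between 00:00 and 23:59; anything else is refused before it
# reaches iptables, which would otherwise fail the whole include script.
valid_time() {
    case $1 in
        [01][0-9]:[0-5][0-9]|2[0-3]:[0-5][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# xt_time treats --timestop earlier than --timestart as the two intervals
# stop..23:59:59 and 00:00:00..start (unless --contiguous is set), so the
# complement of the allowed window is the window with its ends swapped.
blocked_window() {  # $1=allow_start $2=allow_stop -> "block_start block_stop"
    printf '%s %s\n' "$2" "$1"
}

# Match and target arguments of the REJECT rule. --kerneltz evaluates the
# window in the router's timezone instead of UTC, like the post's
# option extra '--kerneltz'.
schedule_rule() {  # $1=mac $2=allow_start $3=allow_stop $4=lan_if $5=wan_if
    mac=$1 lan_if=$4 wan_if=$5
    set -- $(blocked_window "$2" "$3")
    printf '%s\n' "-i $lan_if -o $wan_if -m mac --mac-source $mac -m time --kerneltz --timestart $1 --timestop $2 -j REJECT"
}

# Append to forwarding_rule: fw3 jumps to this chain as the first entry of
# delegate_forward, before "ACCEPT ... ctstate RELATED,ESTABLISHED", so the
# REJECT also hits packets of flows opened during the allowed window.
apply_schedule() {
    valid_time "$ALLOW_START" && valid_time "$ALLOW_STOP" || {
        echo "firewall.user: bad time window $ALLOW_START-$ALLOW_STOP" >&2
        return 1
    }
    . /lib/functions/network.sh
    network_get_device wan_if wan || wan_if=eth0
    rule=$(schedule_rule "$DEVICE_MAC" "$ALLOW_START" "$ALLOW_STOP" "$LAN_IF" "$wan_if")
    # word splitting of $rule is intended: each token is a separate argument
    iptables -A forwarding_rule $rule
}

# Only touch iptables when run on the router with fw3's chains in place, so
# the helper functions above can also be sourced and checked elsewhere.
if iptables -n -L forwarding_rule >/dev/null 2>&1; then
    apply_schedule
fi
```

Save it as `/etc/firewall.user` (the stock `config include` stanza in `/etc/config/firewall` already points there; adding `option reload '1'` makes it run on `/etc/init.d/firewall reload` as well as on restart), restart the firewall and check `iptables -nvL forwarding_rule`: the counters on the REJECT rule climb as soon as the window closes, established or not. One caveat: the MAC match only sees LAN-originated packets, so reply packets for a flow that was open keep arriving from the WAN side until the client stops acknowledging; a TCP download stalls within seconds, but a UDP stream can continue until the server gives up. If that matters, a cron job at stop_time that runs `conntrack -D --orig-src <client ip>` (from the conntrack-tools package) removes those flows as well. This does not give the LuCI CBI form the post asks for; the zone rule in the config file still lands in `zone_lan_forward`, after the established-connection accept.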