The iptables time module doesn’t just let you schedule firewall rules; it’s a surprisingly flexible tool that can effectively turn your firewall into a schedule-aware access control system for time-sensitive operations.
Let’s see it in action. Imagine you have a critical internal service that should only be accessible from a specific IP address during business hours, Monday through Friday, 9 AM to 5 PM. Here’s how you’d set that up:
# Allow access from 192.168.1.100 to the internal service on port 8080
# only during weekdays, 9 AM to 5 PM.
iptables -A INPUT -p tcp --dport 8080 -s 192.168.1.100 -m time --weekdays Mon,Tue,Wed,Thu,Fri --timestart 09:00 --timestop 17:00 -j ACCEPT
# Drop all other traffic to the internal service on port 8080
iptables -A INPUT -p tcp --dport 8080 -j DROP
In this example, the iptables command with the -m time module creates a rule that matches packets based on the system’s current time. The --weekdays option specifies the days of the week, and --timestart and --timestop define the active time window. Any traffic that arrives at port 8080 from 192.168.1.100 outside these hours will not match the ACCEPT rule and will fall through to the subsequent DROP rule.
The core problem the time module solves is granular, automated control over network access based on real-world schedules. Without it, you’d be manually enabling and disabling rules, which is prone to error and impractical for anything beyond simple, static access policies. This module allows for dynamic adjustments to your firewall’s behavior without requiring ongoing manual intervention, making it ideal for services with fluctuating availability requirements.
Internally, the iptables time module queries the system’s current date and time when a packet arrives. It then compares this against the configured parameters (day of the week, time of day) in the rule. If the current time falls within the specified window, the rule matches; otherwise, it doesn’t. The beauty is that this check happens on a per-packet basis, so as soon as the clock ticks past the --timestop value, the ACCEPT rule becomes inactive, and subsequent packets will be evaluated against the next rule in the chain.
The levers you control here are the days of the week and the start/stop times, and you can be very precise with them. For instance, to allow access only on Friday afternoons after 3 PM:
iptables -A INPUT -p tcp --dport 8080 -s 192.168.1.100 -m time --weekdays Fri --timestart 15:00 -j ACCEPT
Notice that --timestop is omitted here. When --timestop is not specified, the rule remains active until midnight of the specified day. This is a common point of confusion; users often assume it defaults to 23:59 or similar.
It’s also worth noting that the time module is sensitive to the system’s timezone. Ensure that the TZ environment variable is correctly set on the system where iptables is running, or that the system’s /etc/localtime is configured appropriately, to avoid unexpected behavior. For example, if your server is in UTC but you intend the schedule to be in EST, you’ll need to account for the offset. A common workaround for this is to set the TZ variable for the iptables command itself if you’re managing it via a script:
TZ=America/New_York iptables -A INPUT -p tcp --dport 8080 -s 192.168.1.100 -m time --weekdays Mon,Tue,Wed,Thu,Fri --timestart 09:00 --timestop 17:00 -j ACCEPT
This ensures the time module uses the specified timezone for its calculations, regardless of the system’s default. This level of control allows for sophisticated, time-based access policies that can adapt to operational needs without constant manual reconfiguration.
The time module’s behavior during daylight saving time transitions can be a subtle trap; it relies entirely on the system’s clock. If your system’s clock is not configured to handle DST automatically, your rules might become active or inactive at unexpected times during the spring or fall.
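One detail that decides whether a schedule fires at the intended hour: the kernel-side xt_time match compares --timestart, --timestop and --weekdays against UTC unless the rule also carries --kerneltz, which switches it to the kernel's own timezone offset; iptables-extensions(8) notes that this kernel offset does not follow DST transitions and recommends writing windows in UTC. A practitioner who wants to express the policy in local wall-clock time therefore converts the window once, when the rule is generated. The script below is an added example, not code from the original article. It assumes GNU date (-d and @epoch input) and uses POSIX TZ rule strings, which the C library evaluates without tzdata files; the two sample zones are constructed. It shows how the same 09:00-17:00 local window maps to different UTC windows in January and July, and how a zone far east of Greenwich produces a window that wraps past midnight UTC, which needs --contiguous and a --weekdays value naming the UTC day on which the window starts.

```shell
#!/bin/sh
# Added example; not code from the original article.
# xt_time checks --timestart/--timestop/--weekdays against UTC unless the rule
# has --kerneltz (iptables-extensions(8)), so a policy written in local
# wall-clock time has to be converted before it is loaded. This converts one
# local window into the "-m time" arguments a rule needs and shows the DST shift.
# Assumptions: GNU date (-d and @epoch); POSIX TZ rule strings, so no tzdata
# files are required. The sample zones below are constructed for the demo.

TZ_US_EASTERN='EST5EDT,M3.2.0,M11.1.0'      # UTC-5, UTC-4 while DST is in effect
TZ_NZ='NZST-12NZDT,M9.5.0,M4.1.0/3'         # UTC+12, UTC+13 while DST is in effect

# epoch_of DATE HH:MM TZSTRING -> seconds since the epoch for that local time
epoch_of() {
    TZ="$3" date -d "$1 $2" +%s
}

# utc_time_args DATE START STOP TZSTRING
# DATE is a sample calendar day in the local zone (it fixes the weekday);
# prints the "-m time" arguments for that one weekday, expressed in UTC.
# When the window crosses midnight UTC, --weekdays names the UTC day on
# which the window *starts* and --contiguous makes xt_time treat it as one
# span into the next day instead of two separate same-day intervals.
utc_time_args() {
    s=$(epoch_of "$1" "$2" "$4")
    e=$(epoch_of "$1" "$3" "$4")
    day=$(date -u -d "@$s" +%a)              # UTC weekday of the window start
    start_utc=$(date -u -d "@$s" +%H:%M)
    stop_utc=$(date -u -d "@$e" +%H:%M)
    args="--weekdays $day --timestart $start_utc --timestop $stop_utc"
    # different UTC calendar dates for start and stop => wraps past midnight
    if [ "$(date -u -d "@$s" +%F)" != "$(date -u -d "@$e" +%F)" ]; then
        args="$args --contiguous"
    fi
    echo "$args"
}

# dst_shift_demo: the same local 09:00-17:00 Monday window in January, in July,
# and in a zone where the UTC window wraps midnight
dst_shift_demo() {
    echo "winter: $(utc_time_args 2024-01-15 09:00 17:00 "$TZ_US_EASTERN")"
    echo "summer: $(utc_time_args 2024-07-15 09:00 17:00 "$TZ_US_EASTERN")"
    echo "NZ:     $(utc_time_args 2024-01-15 09:00 17:00 "$TZ_NZ")"
}

dst_shift_demo
```

Because the match is evaluated in UTC, a single rule cannot follow a DST change; the usual way to keep a local-time schedule honest is to regenerate the rule from a script like this on the DST transition dates, or to keep two rule sets and swap them.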
Beyond simple scheduling, you can combine the time module with other iptables features like connection tracking (conntrack) to create even more dynamic access controls, such as allowing established connections to persist even if the rule’s time window has closed.
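Putting the pieces of this article together (the weekday window from the first example, the optional --timestop from the Friday rule, and the conntrack pairing just described), here is an added example script that is not the article's own. It emits the ordered rule set for the port 8080 service and, by default, prints the commands rather than loading them. The port, source address and windows are the article's; the dry-run variable IPT, the chain name, and the addition of --ctstate NEW on the time-gated rule are this script's assumptions.

```shell
#!/bin/sh
# Added example; not the article's own script. Builds the article's port-8080
# policy as an ordered rule set and prints the commands instead of loading
# them. Run as root with IPT=iptables to apply for real.
# Constructed/assumed values: IPT, CHAIN; the rest comes from the article.
IPT=${IPT:-"echo iptables"}
PORT=8080
SRC=192.168.1.100
CHAIN=INPUT

# time_rule WEEKDAYS START [STOP]
# Emits one time-gated ACCEPT for new sessions from $SRC. --timestop is
# optional: when omitted, xt_time defaults it to 23:59:59, so the window
# runs to the end of each listed day.
time_rule() {
    rule="-A $CHAIN -p tcp --dport $PORT -s $SRC -m conntrack --ctstate NEW -m time --weekdays $1 --timestart $2"
    [ -n "${3:-}" ] && rule="$rule --timestop $3"
    echo "$rule -j ACCEPT"
}

# business_hours_policy: the ordered rule set for the service.
# Order matters: xt_time is evaluated per packet, so without the first rule
# a session opened at 16:59 is cut off at 17:00, when its next packet no
# longer matches the time window and falls through to DROP.
business_hours_policy() {
    # 1. packets belonging to sessions that were already accepted keep flowing
    echo "-A $CHAIN -p tcp --dport $PORT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # 2. new sessions only from the approved source, inside business hours
    time_rule Mon,Tue,Wed,Thu,Fri 09:00 17:00
    # 3. the article's Friday-afternoon rule, layered on top: no --timestop
    time_rule Fri 15:00
    # 4. everything else aimed at the port is dropped
    echo "-A $CHAIN -p tcp --dport $PORT -j DROP"
}

# apply_policy: feed each generated rule to $IPT (dry-run by default)
apply_policy() {
    business_hours_policy | while IFS= read -r r; do
        # word-splitting of $r into separate arguments is intentional
        $IPT $r
    done
}

apply_policy
```

Rule 1 carries no source restriction on purpose: conntrack only reports ESTABLISHED for flows whose first packet was accepted, so a flow from any other address never reaches that state for this port and still ends at the DROP rule. Keeping the time match on the NEW-session rule only is what lets a session outlive its window while new ones are refused.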