One method:
iptables commands can be scripted, so the scripts can be triggered by a cron job.
Create a new folder (I'll call it /etc/network/firewall-scripts) to put your new firewall scripts into.
Create two firewall scripts (/etc/network/firewall-scripts/overnight-firewall.sh and /etc/network/firewall-scripts/daytime-firewall.sh). These flush all the old rules and reload new rules from scratch each time they are run. They are run each time an interface comes up, and when the cron job tells them to.
(This is part of an example off my router. It is NOT complete, and will not provide full security. It's just to show you some of the sections you should have. Your interfaces will vary.)
Code:
#!/bin/sh
# daytime-firewall script.
PATH=/usr/sbin:/sbin:/bin:/usr/bin
# Delete all existing rules
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
# Always accept loopback traffic
iptables -A INPUT -i lo -j ACCEPT
# Allow established connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i ppp0 -o br0 -m state --state ESTABLISHED,RELATED -j ACCEPT
## Put all your custom stuff here
# This is the drop command for overnight. It's commented out on the daytime script. This is the only difference between the two scripts.
#iptables -I INPUT -s 221.0.0.0/255.0.0.0 -j DROP
Finally, add cron jobs to fire off the scripts at the times you want:
Code:
# System crontab (/etc/crontab format: minute hour dom month dow user command)
30 0 * * * root /bin/sh /etc/network/firewall-scripts/overnight-firewall.sh
00 6 * * * root /bin/sh /etc/network/firewall-scripts/daytime-firewall.sh
Since you still need a firewall when the system is restarted, add a firewall-startup script in /etc/if-up.d/ to figure out which firewall script to use (based on the time) each time an interface comes up.
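The startup script described above, written out as an added example (not code from the original post). It assumes the script directory and file names used in the post, and that the switch-over times match the crontab given there (overnight rules from 00:30, daytime rules from 06:00). The selection logic is kept in a function that takes the hour and minute as arguments so it can be checked without touching iptables; the top-level part only runs when ifupdown invokes the script with the IFACE and MODE environment variables set.

```shell
#!/bin/sh
# Added example: a firewall-startup script for the if-up.d directory.
# It picks whichever firewall script cron would have left active at this
# time of day and runs it, so a reboot does not leave the wrong rule set.
# The boundaries below are an assumption matching the crontab in the post.
PATH=/usr/sbin:/sbin:/bin:/usr/bin
FIREWALL_DIR=/etc/network/firewall-scripts
OVERNIGHT_START=30     # 00:30, as minutes past midnight
DAYTIME_START=360      # 06:00, as minutes past midnight

# select_firewall_script HH MM
# Prints the path of the script that should be active at HH:MM.
select_firewall_script() {
    # Strip leading zeros so "08" is not rejected as an invalid octal number
    # by the shell's arithmetic expansion.
    hour=$(printf '%s' "$1" | sed 's/^0*//'); hour=${hour:-0}
    min=$(printf '%s' "$2" | sed 's/^0*//'); min=${min:-0}
    now=$((hour * 60 + min))
    if [ "$now" -ge "$OVERNIGHT_START" ] && [ "$now" -lt "$DAYTIME_START" ]; then
        printf '%s\n' "$FIREWALL_DIR/overnight-firewall.sh"
    else
        printf '%s\n' "$FIREWALL_DIR/daytime-firewall.sh"
    fi
}

# Only act when ifupdown calls us for an interface coming up (MODE=start).
# The loopback interface is skipped because the rules reference real
# interfaces. Run by hand, with no IFACE in the environment, the script
# does nothing, which keeps it safe to source or test.
if [ -n "$IFACE" ] && [ "$MODE" = start ] && [ "$IFACE" != lo ]; then
    script=$(select_firewall_script "$(date +%H)" "$(date +%M)")
    [ -r "$script" ] && exec /bin/sh "$script"
fi
```

Install it alongside the two firewall scripts and make it executable; because it flushes and reloads rules exactly as the cron jobs do, an interface that bounces during the day or overnight still ends up with the rule set that matches the clock.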