shadowlor DD-WRT Novice Joined: 09 Apr 2022 Posts: 3
Posted: Sat Apr 09, 2022 6:23 Post subject: Access Restrictions bypassed by using a different time zone
Hello,
I am trying to use Access Restrictions to "Deny" by a mac address from 9PM CST to 9AM CST.
It worked, but I noticed that ESTABLISHED connections still got through.
This seemed to be due to using SFE, and it seemed to be fixed (not too sure) by adding and saving this to the firewall, from https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=326794 :
Code:
iptables -D FORWARD -j lan2wan
iptables -I FORWARD -j lan2wan
However, all of this is bypassed by using a different time zone.
My time zone is UTC-6 Central Time (US & Canada), and it is bypassed by, for example, using UTC-5 Chetumal, or probably any time zone that is earlier than my time zone, on the local/restricted machine.
Please help.
Workaround: So far, it is to just take control and unplug/disconnect those computers from the router. Obviously this is not as desired.
Possible solution: Take control of the computers and set up permissions to not allow changing the time zone (in this case (Windows 10), I might have to take a look at creating a user with limited permissions or do something with group policy).
Code:
Basic Setup-> Time Settings:
NTP Client: Enable
Time Zone: US/Central
Server IP/Name: 162.159.200.1 162.159.200.123
Code:
| DD-WRT v3.0-r48607 std (c) 2022 NewMedia-NET GmbH
| Release: 04/08/22
| Board: Netgear R6700 v3
==========================================================
___ ___ _ _____ ______ ____ ___
/ _ \/ _ \___| | /| / / _ \/_ __/ _ __|_ / / _ \
/ // / // /___/ |/ |/ / , _/ / / | |/ //_ <_/ // /
/____/____/ |__/|__/_/|_| /_/ |___/____(_)___/
DD-WRT v3.0
https://www.dd-wrt.com
==========================================================
BusyBox v1.35.0 (2022-04-08 06:41:28 +07) built-in shell (ash)
Code:
root@DD-WRT:~# iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
20349 7235K logaccept all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
2 686 logaccept udp -- vlan2 * 0.0.0.0/0 0.0.0.0/0 udp spt:67 dpt:68
2 84 logdrop icmp -- vlan2 * 0.0.0.0/0 0.0.0.0/0
0 0 logdrop 2 -- vlan2 * 0.0.0.0/0 0.0.0.0/0
1 44 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 state NEW
10632 1095K logaccept all -- br0 * 0.0.0.0/0 0.0.0.0/0 state NEW
41503 3189K logdrop all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
67617 8858K lan2wan all -- * * 0.0.0.0/0 0.0.0.0/0
30001 4144K upnp all -- * * 0.0.0.0/0 0.0.0.0/0
24472 3229K logaccept all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 logaccept all -- br0 br0 0.0.0.0/0 0.0.0.0/0
0 0 logaccept tcp -- * vlan2 192.168.1.0/24 0.0.0.0/0 tcp dpt:1723
0 0 logaccept 47 -- * vlan2 192.168.1.0/24 0.0.0.0/0
157 11292 logaccept tcp -- * * 0.0.0.0/0 192.168.1.160 tcp dpt:44158
0 0 TRIGGER all -- vlan2 br0 0.0.0.0/0 0.0.0.0/0 TRIGGER type:in match:0 relate:0
5372 903K trigger_out all -- br0 * 0.0.0.0/0 0.0.0.0/0
0 0 TRIGGER all -- vlan2 eth0 0.0.0.0/0 0.0.0.0/0 TRIGGER type:in match:0 relate:0
0 0 trigger_out all -- eth0 * 0.0.0.0/0 0.0.0.0/0
0 0 logaccept all -- eth0 * 0.0.0.0/0 0.0.0.0/0 state NEW
0 0 TRIGGER all -- vlan2 eth1 0.0.0.0/0 0.0.0.0/0 TRIGGER type:in match:0 relate:0
0 0 trigger_out all -- eth1 * 0.0.0.0/0 0.0.0.0/0
0 0 logaccept all -- eth1 * 0.0.0.0/0 0.0.0.0/0 state NEW
0 0 TRIGGER all -- vlan2 eth2 0.0.0.0/0 0.0.0.0/0 TRIGGER type:in match:0 relate:0
0 0 trigger_out all -- eth2 * 0.0.0.0/0 0.0.0.0/0
0 0 logaccept all -- eth2 * 0.0.0.0/0 0.0.0.0/0 state NEW
0 0 TRIGGER all -- vlan2 vlan1 0.0.0.0/0 0.0.0.0/0 TRIGGER type:in match:0 relate:0
0 0 trigger_out all -- vlan1 * 0.0.0.0/0 0.0.0.0/0
0 0 logaccept all -- vlan1 * 0.0.0.0/0 0.0.0.0/0 state NEW
5125 890K logaccept all -- br0 * 0.0.0.0/0 0.0.0.0/0 state NEW
247 13198 logdrop all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 10293 packets, 2608K bytes)
pkts bytes target prot opt in out source destination
Chain advgrp_1 (0 references)
pkts bytes target prot opt in out source destination
Chain advgrp_10 (0 references)
pkts bytes target prot opt in out source destination
Chain advgrp_11 (0 references)
pkts bytes target prot opt in out source destination
Chain advgrp_12 (0 references)
pkts bytes target prot opt in out source destination
Chain advgrp_13 (0 references)
pkts bytes target prot opt in out source destination
Chain advgrp_14 (0 references)
pkts bytes target prot opt in out source destination
Chain advgrp_15 (0 references)
pkts bytes target prot opt in out source destination
Chain advgrp_16 (0 references)
pkts bytes target prot opt in out source destination
Chain advgrp_17 (0 references)
pkts bytes target prot opt in out source destination
Chain advgrp_18 (0 references)
pkts bytes target prot opt in out source destination
Chain advgrp_19 (0 references)
pkts bytes target prot opt in out source destination
Chain advgrp_2 (0 references)
pkts bytes target prot opt in out source destination
Chain advgrp_20 (0 references)
pkts bytes target prot opt in out source destination
Chain advgrp_3 (0 references)
pkts bytes target prot opt in out source destination
Chain advgrp_4 (0 references)
pkts bytes target prot opt in out source destination
Chain advgrp_5 (0 references)
pkts bytes target prot opt in out source destination
Chain advgrp_6 (0 references)
pkts bytes target prot opt in out source destination
Chain advgrp_7 (0 references)
pkts bytes target prot opt in out source destination
Chain advgrp_8 (0 references)
pkts bytes target prot opt in out source destination
Chain advgrp_9 (0 references)
pkts bytes target prot opt in out source destination
Chain grp_1 (0 references)
pkts bytes target prot opt in out source destination
0 0 logdrop all -- * * 0.0.0.0/0 0.0.0.0/0 MAC --mac-source D8:50:E6:3F:5F:1E
0 0 logdrop all -- * * 0.0.0.0/0 0.0.0.0/0 MAC --mac-destination D8:50:E6:3F:5F:1E
381 24008 logdrop all -- * * 0.0.0.0/0 0.0.0.0/0 MAC --mac-source E4:98:D6:89:07:35
0 0 logdrop all -- * * 0.0.0.0/0 0.0.0.0/0 MAC --mac-destination E4:98:D6:89:07:35
11008 1683K logdrop all -- * * 0.0.0.0/0 0.0.0.0/0 MAC --mac-source C0:D2:DD:AA:AA:2D
0 0 logdrop all -- * * 0.0.0.0/0 0.0.0.0/0 MAC --mac-destination C0:D2:DD:AA:AA:2D
Chain grp_10 (0 references)
pkts bytes target prot opt in out source destination
Chain grp_11 (0 references)
pkts bytes target prot opt in out source destination
Chain grp_12 (0 references)
pkts bytes target prot opt in out source destination
Chain grp_13 (0 references)
pkts bytes target prot opt in out source destination
Chain grp_14 (0 references)
pkts bytes target prot opt in out source destination
Chain grp_15 (0 references)
pkts bytes target prot opt in out source destination
Chain grp_16 (0 references)
pkts bytes target prot opt in out source destination
Chain grp_17 (0 references)
pkts bytes target prot opt in out source destination
Chain grp_18 (0 references)
pkts bytes target prot opt in out source destination
Chain grp_19 (0 references)
pkts bytes target prot opt in out source destination
Chain grp_2 (1 references)
pkts bytes target prot opt in out source destination
0 0 logdrop all -- * * 0.0.0.0/0 0.0.0.0/0 MAC --mac-source D8:50:E6:3F:5F:1E
0 0 logdrop all -- * * 0.0.0.0/0 0.0.0.0/0 MAC --mac-destination D8:50:E6:3F:5F:1E
418 27112 logdrop all -- * * 0.0.0.0/0 0.0.0.0/0 MAC --mac-source E4:98:D6:89:07:35
0 0 logdrop all -- * * 0.0.0.0/0 0.0.0.0/0 MAC --mac-destination E4:98:D6:89:07:35
25816 2981K logdrop all -- * * 0.0.0.0/0 0.0.0.0/0 MAC --mac-source C0:D2:DD:AA:AA:2D
0 0 logdrop all -- * * 0.0.0.0/0 0.0.0.0/0 MAC --mac-destination C0:D2:DD:AA:AA:2D
Chain grp_20 (0 references)
pkts bytes target prot opt in out source destination
Chain grp_3 (0 references)
pkts bytes target prot opt in out source destination
Chain grp_4 (0 references)
pkts bytes target prot opt in out source destination
Chain grp_5 (0 references)
pkts bytes target prot opt in out source destination
Chain grp_6 (0 references)
pkts bytes target prot opt in out source destination
Chain grp_7 (0 references)
pkts bytes target prot opt in out source destination
Chain grp_8 (0 references)
pkts bytes target prot opt in out source destination
Chain grp_9 (0 references)
pkts bytes target prot opt in out source destination
Chain lan2wan (1 references)
pkts bytes target prot opt in out source destination
19761 2788K grp_2 all -- * * 0.0.0.0/0 0.0.0.0/0
Chain logaccept (13 references)
pkts bytes target prot opt in out source destination
15916 1997K LOG all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW LOG flags 7 level 4 prefix "ACCEPT "
60737 12M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain logbrute (0 references)
pkts bytes target prot opt in out source destination
0 0 all -- * * 0.0.0.0/0 0.0.0.0/0 recent: SET name: BRUTEFORCE side: source mask: 255.255.255.255
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 ! recent: UPDATE seconds: 60 hit_count: 4 name: BRUTEFORCE side: source mask: 255.255.255.255
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 1/min burst 1
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 6 level 4 prefix "[DROP BRUTEFORCE] : "
0 0 logdrop all -- * * 0.0.0.0/0 0.0.0.0/0
Chain logdrop (17 references)
pkts bytes target prot opt in out source destination
77734 7812K LOG all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW LOG flags 7 level 4 prefix "DROP "
834 59958 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID LOG flags 7 level 4 prefix "DROP "
79375 7918K DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain logreject (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 7 level 4 prefix "WEBDROP "
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with tcp-reset
Chain trigger_out (5 references)
pkts bytes target prot opt in out source destination
Chain upnp (1 references)
pkts bytes target prot opt in out source destination
egc DD-WRT Guru Joined: 18 Mar 2014 Posts: 12838 Location: Netherlands
Posted: Sun Apr 10, 2022 10:24 Post subject:
As far as I know, access rules work because a cron job is running that inserts or deletes the firewall block rules at the specified time, that is, your router's time.
It also should flush SFE; otherwise existing connections are not blocked. If existing connections are not blocked, then disable SFE/CTF/FA.
So your router's time must be set correctly.
You say your time zone is UTC-6 Central, but your router's time zone is set to US/Central?
Furthermore, NTP time works best if you leave the Server IP/Name blank.
Note: if you are going past midnight you need to split the rules.
Alternatively, use your own firewall rules with the TIME option; see the IPSET documentation:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=327261 page 6 and in the REFERENCES
_________________
Routers: Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read): https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
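As an added example (not from this thread or from DD-WRT itself) of the alternative egc describes: a firewall-script helper that denies a MAC with the iptables TIME match, splits a window that crosses midnight into two rules, and evaluates the times in the router's own zone with --kerneltz (assumed to be supported by the router's xt_time; without it the match compares against UTC). The MAC below is a constructed placeholder, and DRY_RUN prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not the thread's or DD-WRT's own code.
# Rules go to the head of FORWARD so they are evaluated before the
# RELATED,ESTABLISHED accept that otherwise lets existing flows through.
# As the thread notes, SFE/CTF/FA must be disabled (or flushed) as well,
# since offloaded flows never reach netfilter at all.

run() {
    # DRY_RUN=1: print the command instead of executing it.
    if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

deny_piece() {
    # deny_piece MAC START STOP  (one contiguous window within a single day)
    # --kerneltz: interpret START/STOP in the router's configured time zone,
    # not the client's clock, and not UTC.
    run iptables -I FORWARD -m mac --mac-source "$1" \
        -m time --kerneltz --timestart "$2" --timestop "$3" -j logdrop
}

gen_deny() {
    # gen_deny MAC START STOP  (HH:MM, zero padded)
    # START later than STOP means the window wraps past midnight, so it is
    # split into START..23:59:59 and 00:00..STOP, as egc advises.
    mac=$1; start=$2; stop=$3
    if expr "$start" \> "$stop" >/dev/null; then
        deny_piece "$mac" "$start" "23:59:59"
        deny_piece "$mac" "00:00" "$stop"
    else
        deny_piece "$mac" "$start" "$stop"
    fi
}

# Stand-alone use: DRY_RUN=1 sh deny-window.sh 00:11:22:33:44:55 21:00 09:00
if [ $# -eq 3 ]; then
    gen_deny "$@"
fi
```

Put the gen_deny call in the router's firewall script so the rules survive a reboot; the kernel applies them only while the clock is inside the window, so no cron job is needed.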
shadowlor DD-WRT Novice Joined: 09 Apr 2022 Posts: 3
Posted: Sun Apr 10, 2022 17:39 Post subject:
Code:
Basic Setup->Optional Settings:
MTU: Auto
Shortcut Forwarding Engine: CTF -> Disable
Flow Acceleration: CTF & FA -> Disable
STP: Disable
I have now disabled SFE and removed the following from my firewall:
Code:
iptables -D FORWARD -j lan2wan
iptables -I FORWARD -j lan2wan
I am using Unbound which is why I am using Server IP/Name: 162.159.200.1 162.159.200.123.
I will leave it blank then.
Is Time Zone: US/Central (on the router) not the same as UTC-6 Central Time (US & Canada) on a Windows 10 machine?
There are the America/Chicago, Etc/GMT-6, and US/Central options on the router.
I will change it to America/Chicago then.
I did split the rules 21:00-23:59 and 00:00-09:00.
I will look into IPSET later.