What is --kerneltz in the iptables command?


I am using iptables in my project but am facing the following problems.

1. In iptables 1.4.7

iptables -A INPUT -s 10.0.4.247 -m time  --datestart 2013-5-16T12 --datestop 2013-5-16T16 -j DROP

or

iptables -A INPUT -s 10.0.4.247 -m time  --localtz --datestart 2013-5-16T12 --datestop 2013-5-16T16 -j DROP

Output of the date command:

Thu May 16 15:52:11 IST 2013

Neither of the above two commands works, because I can still ping the machine from 10.0.4.247.

Why doesn't this work with the default, --localtz (iptables v1.4.7 man page)?

2. In iptables v1.4.12

iptables -A INPUT -s 10.0.4.247 -m time  --kerneltz --datestart 2013-5-16T12 --datestop 2013-5-16T16 -j DROP

This works, because I cannot ping from IP 10.0.4.247.

iptables -A INPUT -s 10.0.4.247 -m time  --datestart 2013-5-16T12 --datestop 2013-5-16T16 -j DROP

This rule follows the UTC timezone by default, but the man page says the default is --kerneltz. [man of iptables v1.4.12]

Can anyone tell me what is wrong with iptables? I need to block certain IPs/ports during a specified time window but don't know how to do it.

What does --kerneltz actually mean, and is it safe to use?

Please give some answers.

Thanks

Answer 1

--kerneltz is fully explained in the man page:

   --kerneltz
          Use the kernel timezone instead of UTC to determine whether a
          packet meets the time regulations.

   About kernel timezones: Linux keeps the system time in UTC, and always
   does so. On boot, system time is initialized from a referential time
   source. Where this time source has no timezone information, such as the
   x86 CMOS RTC, UTC will be assumed. If the time source is however not in
   UTC, userspace should provide the correct system time and timezone to
   the kernel once it has the information.

   Local time is a feature on top of the (timezone independent) system
   time. Each process has its own idea of local time, specified via the TZ
   environment variable. The kernel also has its own timezone offset
   variable. The TZ userspace environment variable specifies how the UTC-based
   system time is displayed, e.g. when you run date(1), or what you see on
   your desktop clock. The TZ string may resolve to different offsets at
   different dates, which is what enables the automatic time-jumping in
   userspace when DST changes. The kernel's timezone offset variable is
   used when it has to convert between non-UTC sources, such as FAT
   filesystems, to UTC (since the latter is what the rest of the system
   uses).

   The caveat with the kernel timezone is that Linux distributions may
   ignore to set the kernel timezone, and instead only set the system
   time. Even if a particular distribution does set the timezone at boot,
   it usually does not keep the kernel timezone offset - which is what
   changes on DST - up to date. ntpd will not touch the kernel timezone,
   so running it will not resolve the issue. As such, one may encounter a
   timezone that is always +0000, or one that is wrong half of the time of
   the year. As such, using --kerneltz is highly discouraged.

I don't see anything in the man page indicating that --kerneltz is the default. On the contrary, it specifies that the times given to --datestart and --datestop are interpreted as UTC.

What you really should do is set your system clock to UTC. That should fix this problem, along with various other problems you don't know about yet.
