Regras baseadas em tempo do Iptables sem efeito - Gateway com 2 NICs

Eu tenho uma rede com a seguinte topologia: - Modem WAN com NIC voltado para o gateway: 192.168.0.1 - Ubuntu 14.04 gateway com dois NICs:   1) Eth0 (voltado para o modem): 192.168.0.201   2) Eth1 (de frente para a LAN): 10.0.0.1

Estou tentando limitar o acesso à Internet e à LAN (da Internet) por dia e hora do dia usando iptables , mas as regras parecem não ter efeito. .

No rc.local, tenho a seguinte configuração:

++#!/bin/sh -e
#
# rc.local
# turning on address verification
echo -n "Enabling source address verification..."
echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter
echo "done"

    #just for the sake of turning the networks off and on... not sure if it would work turning them back on only at the end of script ? -- Also flushing NICs
    ip addr flush eth0;
    ip addr flush eth1;
    ifconfig eth0 down;
    ifconfig eth1 down;
    ifconfig lo down;
    ifconfig lo up;
    ifconfig eth0 up;
    ifconfig eth1 up;
    ifconfig eth0 192.168.0.201 netmask 255.255.255.0
    ifconfig eth1 10.0.0.1 netmask 255.255.255.0
    #routing table check up :
    route add 127.0.0.1 dev lo;
    route add -net 127.0.0.0/8 dev lo;
    route add -net 10.0.0.0/24 dev eth1;
    route add -net 192.168.0.0/8 dev eth0;
    route add default gw 192.168.0.1;
    # turn fowarding off while configuring iptables :
    sysctl net/ipv4/ip_forward=0
    iptables -F
    iptables -X
    iptables -P INPUT DROP
    iptables -P OUTPUT ACCEPT
    iptables -P FORWARD ACCEPT
    iptables -t nat -F
    iptables -t nat -X
    iptables -t mangle -F
    iptables -t mangle -X
    #and on again once the policies are set
    sysctl net/ipv4/ip_forward=1
    #limiting LAN clients
    iptables -A FORWARD -d 10.0.0.74 -m time --timestart 20:00 --timestop 10:00 --days Sun,Mon,Tue,Wed,Thu,Fri -j DROP
    iptables -A FORWARD -d 10.0.0.228 -m time --timestart 20:00 --timestop 10:00 --days Sun,Mon,Tue,Wed,Thu,Fri -j DROP
    iptables -A FORWARD -d 10.0.0.121 -m time --timestart 20:00 --timestop 10:00 --days Sun,Mon,Tue,Wed,Thu,Fri -j DROP
    iptables -A FORWARD -d 10.0.0.221 -m time --timestart 20:00 --timestop 10:00 --days Sun,Mon,Tue,Wed,Thu,Fri -j DROP
    iptables -A FORWARD -d 10.0.0.2 -m time --timestart 10:00 --timestop 20:00 --days Sun,Mon,Tue,Wed,Thu,Fri -j DROP
    #block IPs
    iptables -A INPUT -s 173.194.45.189 -j DROP
    iptables -A INPUT -s 208.92.53.87 -j DROP
    #masquerade on wan card :
    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    #accept all packets in lo and protect against spoofing :
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT
    iptables -A INPUT -i !lo -s 127.0.0.0/8 -j LOG
    iptables -A INPUT -i !lo -s 127.0.0.0/8 -j DROP
    iptables -A FORWARD -i !lo -s 127.0.0.0/8 -j LOG
    iptables -A FORWARD -i !lo -s 127.0.0.0/8 -j DROP
    #accept only established input but all output on WAN card
    iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -A FORWARD -i eth1 -j ACCEPT 
    iptables -A OUTPUT -o eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT 
    #just forget the invalid packets :
    iptables -A OUTPUT -o eth0 -m state --state INVALID -j DROP
    iptables -A INPUT -i eth0 -m state --state INVALID -j LOG
    iptables -A INPUT -i eth0 -m state --state INVALID -j DROP
    #not sure whether to put this before or after spoofing protection ?
    iptables -A INPUT -i eth1 -j ACCEPT
    iptables -A OUTPUT -o eth1 -j ACCEPT
    #against spoofing on LAN card input :
    iptables -A INPUT -i !eth1 -s 10.0.0.0/24 -j LOG
    iptables -A INPUT -i !eth1 -s 10.0.0.0/24 -j DROP
exit 0

Listando as regras com iptables -L eu recebo:

Chain INPUT (policy DROP)
target     prot opt source               destination         
DROP       all  --  173.194.45.189       anywhere            
DROP       all  --  208.92.53.87         anywhere            
ACCEPT     tcp  --  10.0.0.0/24          anywhere             ctstate NEW,RELATED,ESTABLISHED tcp dpt:sunrpc
ACCEPT     udp  --  10.0.0.0/24          anywhere             ctstate NEW,RELATED,ESTABLISHED udp dpt:sunrpc
ACCEPT     all  --  anywhere             anywhere            
LOG        all  --  127.0.0.0/8          anywhere             LOG level warning
DROP       all  --  127.0.0.0/8          anywhere            
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
LOG        all  --  anywhere             anywhere             state INVALID LOG level warning
DROP       all  --  anywhere             anywhere             state INVALID
ACCEPT     all  --  anywhere             anywhere            
LOG        all  --  10.0.0.0/24          anywhere             LOG level warning
DROP       all  --  10.0.0.0/24          anywhere            

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination 
LOG        all  --  127.0.0.0/8          anywhere             LOG level warning
DROP       all  --  127.0.0.0/8          anywhere            
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             state NEW,RELATED,ESTABLISHED
DROP       all  --  anywhere             anywhere             state INVALID
ACCEPT     all  --  anywhere             anywhere

As regras baseadas em tempo não estão lá. Alguém pode ver porque? Observação: é um dia e hora do dia em que a seguinte regra deve estar ativa:

iptables -A FORWARD -d 10.0.0.2 -m time --timestart 10:00 --timestop 20:00 --days Sun,Mon,Tue,Wed,Thu,Fri -j DROP