OpenWrt Forum Archive

Topic: Time based iptables rule

The content of this topic has been archived on 24 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

I'm using the "-m time" option to set a time-based rule in the firewall like:
-m time --weekdays Sun,Mon,Tue,Wed,Thu --timestart 20:00 --timestop 23:00

It's working well as it blocks any new connection attempt in the period (this is a REJECT rule). But if a connection was opened before the period, the connection continues to work despite the rule.

So two questions:

1) I understand here that the firewall blocks opening connections only, not established ones. Is it the standard way of working of iptables?

2) If yes, is it possible to force closing/blocking opened connections?

Thanks in advance for your help.

The firewall works by default in a stateful (spi) mode. Simplified: the firewall puts information about the connection and each packet in a table to check if the packet follows some rules.

The main question is, why the extra time rule isn't "part" of the spi.
Maybe it's a question of the order of the iptables rules. Have you tried this?

Another question. If your time-rule works generally, which package(s) do you have installed?
In my configuration the time rule doesn't work at all.

iptables
iptables-mod-conntrack
iptables-mod-conntrack-extra
iptables-mod-extra
iptables-mod-filter
iptables-mod-imq
iptables-mod-ipopt
iptables-mod-nat

Tx in advance
Wolfgang

The rule

$IPT -A INPUT -j ACCEPT -m conntrack --ctstate ESTABLISHED,RELATED

is usually at the very beginning of the FORWARD chain. Try to insert your time rule before this.
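To show what the ordering advice above means in practice, here is an added example script (not code from the thread or from OpenWrt) that installs the FORWARD rules in the required order: the time-window REJECT first, the stateful ESTABLISHED,RELATED ACCEPT second. Because every packet of an already-open flow is evaluated against the REJECT rule before the conntrack rule can accept it, existing connections are cut during the window as well. The interface names, the 20:00-23:00 Sun-Thu window and the dry-run default (IPT set to "echo iptables") are assumptions so the script runs offline; set IPT=iptables to apply it for real.

```shell
#!/bin/sh
# Added example: time-window REJECT placed ahead of the stateful ACCEPT so that
# packets of established flows are rejected too, not only new connections.
# Dry run by default (prints the commands); export IPT=iptables to apply.
IPT="${IPT:-echo iptables}"

# Assumed interface names and window; adjust to your router.
LAN_IF="${LAN_IF:-br-lan}"
WAN_IF="${WAN_IF:-eth0}"
DAYS="Sun,Mon,Tue,Wed,Thu"
START="20:00"
STOP="23:00"

# Emit the FORWARD rules in the order they must be installed.
install_rules() {
    # 1. Time-window REJECT comes first. -m time compares against UTC unless
    #    --kerneltz is given, which uses the router's own time zone.
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -m time --kerneltz \
        --weekdays "$DAYS" --timestart "$START" --timestop "$STOP" \
        -j REJECT --reject-with icmp-admin-prohibited
    # 2. Only now the usual stateful accept; if it came first, packets of
    #    already-open flows would be accepted before the time rule is reached.
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # 3. New LAN->WAN flows outside the window.
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -m conntrack --ctstate NEW -j ACCEPT
}

# Self-check helpers (dry-run mode): 1-based position of each rule in the
# emitted list, so the ordering can be verified before touching a live box.
time_rule_pos() {
    install_rules | grep -n -- '-m time' | cut -d: -f1 | head -n1
}
established_pos() {
    install_rules | grep -n -- 'ESTABLISHED,RELATED' | cut -d: -f1 | head -n1
}
rule_count() {
    install_rules | wc -l | tr -d ' '
}

# Run the dry run when executed directly.
if [ "${0##*/}" = "timerule.sh" ]; then
    install_rules
fi
```

The REJECT answers each packet of the open flow with an ICMP error, so the client sees the connection fail within the window; the conntrack entry itself is not deleted, and once the window ends a client that retries can continue. If you also want to drop the state table entries when the window starts, the separate conntrack tool (OpenWrt package "conntrack", not one of the iptables-mod-* packages listed above) can delete entries with conntrack -D. For traffic to the router itself the same ordering applies in the INPUT chain.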
