From: <imnozi@gmail.com>
To: netfilter-devel@vger.kernel.org
Subject: Re: netfilter expected behavior for established connections
Date: Tue, 11 Mar 2025 20:30:48 -0400
Message-ID: <20250311203048.5c275524@playground>
In-Reply-To: <CABhP=tYOynShd82rwVuDMJDTE8LcM6+FHwx7Tfuk183EW+ipPA@mail.gmail.com>
On Wed, 12 Mar 2025 00:56:48 +0100
Antonio Ojea <antonio.ojea.garcia@gmail.com> wrote:
> Hi,
>
> I'm puzzled trying to understand the following behavior, appreciate it
> if you can help me to understand better how this works.
>
> The setup is like this: Client --- Router --- Server
>
> - Router DNATs to a Virtual IP and Port of the Server.
> - Client establishes a permanent connection to the Virtual IP.
> - Router adds a REJECT rule in the FORWARD hook for the Server IP
>
> I expect the REJECT to match the established connection, but the
> client keeps reaching the Server using the existing connection.
>
> The packets of the established connection do not show up on the traces
> using nftrace.
>
> Is it possible to "DROP/REJECT" the established connection ?
If I understand correctly, if you want to terminate a TCP conn with iptables, you can:
iptables -N disconn
iptables -A disconn -p tcp -m state --state ESTABLISHED \
-j REJECT --reject-with tcp-reset
iptables -A disconn -j REJECT --reject-with icmp-admin-prohibited
If your other rules determine that a conn should be shut down, they should jump to chain 'disconn', which will immediately reset the sender's end if it's a TCP conn and cause all other packets for that conn from that end to be rejected. Each end must send a TCP packet on that conn for it to be fully reset.
I've used this on my F/W for timed access. The 'instant' time moves into a prohibited span, all active connections for affected IPs are immediately shut down and blocked; not one more of their packets crosses the F/W. I also use it for blocklists.
I expect nftables has similar functionality.
Neal
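As an added example that is not part of Neal's message or of the netfilter project's own code, here is the same two-rule 'disconn' chain expressed for nftables, wrapped in a shell function that prints a ruleset suitable for `nft -f -`. The table `inet filter`, the base chain `forward`, the chain name `disconn` and the server address passed as the first argument are assumptions chosen for illustration; the match `meta l4proto tcp ct state established` corresponds to `-p tcp -m state --state ESTABLISHED`, and `icmpx type admin-prohibited` covers both IPv4 and IPv6 in the `inet` family.

```shell
#!/bin/sh
# Added example (not from the original message): render the iptables
# 'disconn' chain as an nftables ruleset.  The 'inet filter' table, the
# base chain 'forward' and the server address are assumptions.

# disconn_ruleset SERVER_IP [FAMILY] [TABLE]
# Prints an nftables ruleset to stdout; pipe it into 'nft -f -' to load it.
disconn_ruleset() {
    server=$1
    family=${2:-inet}
    table=${3:-filter}
    if [ -z "$server" ]; then
        echo "usage: disconn_ruleset SERVER_IP [FAMILY] [TABLE]" >&2
        return 1
    fi
    cat <<EOF
table $family $table {
    # Regular (non-base) chain: only reached via 'jump disconn' from
    # another rule, exactly like the iptables user-defined chain.
    chain disconn {
        # Established TCP flows: answer with a RST so the sending end
        # tears its socket down (equivalent of --reject-with tcp-reset).
        meta l4proto tcp ct state established reject with tcp reset
        # Everything else for that flow: ICMP/ICMPv6 admin-prohibited
        # (equivalent of --reject-with icmp-admin-prohibited).
        reject with icmpx type admin-prohibited
    }

    # Base chain on the forward hook.  The jump stands in for whatever
    # rule decides that a connection must be shut down; here it is a
    # single destination address (constructed for the example).
    chain forward {
        type filter hook forward priority filter; policy accept;
        ip daddr $server jump disconn
    }
}
EOF
}

# Stand-alone run: print the ruleset for a constructed server address.
disconn_ruleset 192.0.2.10
```

To load it on a router, run `disconn_ruleset 192.0.2.10 | nft -f -` and inspect the result with `nft list chain inet filter disconn`. Loading the same text twice appends the rules a second time, so flush the chains (or use a fresh table name) before re-loading.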
Thread overview: 13+ messages
2025-03-11 23:56 netfilter expected behavior for established connections Antonio Ojea
2025-03-12 0:30 ` imnozi [this message]
2025-03-12 7:11 ` Florian Westphal
2025-03-12 10:55 ` Antonio Ojea
2025-03-12 12:51 ` Florian Westphal
2025-03-12 13:04 ` Antonio Ojea
2025-03-12 14:17 ` Antonio Ojea
2025-03-12 14:25 ` Florian Westphal
2025-03-12 16:13 ` Florian Westphal
2025-03-12 18:02 ` Antonio Ojea
2025-03-12 18:20 ` Florian Westphal
2025-03-12 18:29 ` Antonio Ojea
2025-03-13 23:23 ` Antonio Ojea