Hi, I have a requirement to REJECT packets for some connections in an INVALID conntrack state. I can't quite figure out how to do this...
What I can do:

- echo 0 > /proc/sys/net/netfilter/nf_conntrack_tcp_loose
- now I can see these packets in "SECTION INVALID" in shorewall

However, I am nervous about changing the default _loose setting as I have a complete multi-gateway setup WITH vpns and I suspect there are some hidden effects I haven't thought of.

How can I REJECT packets without an established conntrack entry, *without* changing the default nf_conntrack_tcp_loose?

Consulting the diagram here: https://upload.wikimedia.org/wikipedia/commons/3/37/Netfilter-packet-flow.svg I suspect I need to match in pre-routing or earlier?

Could someone help me with a sample to achieve:

REJECT loc ppp0 tcp --ctstate invalid

Note, I'm aware that it's not possible/sensible to try and REJECT anything other than TCP connections.

The bigger picture is that I need to kill some network connections when my internet gateway goes up/down (or the clients get into a stuck state) and I can't find a way of doing this other than removing the conntrack entries and sticking a REJECT rule in to catch the case. (If anyone has other ideas on how one can send RST packets to force the connection to reset I'm all ears? RST would be coming from the box doing NAT on the connection, so in theory the box knows everything about sequence numbers, etc)

Shorewall-users mailing list: https://lists.sourceforge.net/lists/listinfo/shorewall-users
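An added example, not from the post or the Shorewall project, written in plain iptables rather than Shorewall rule syntax: with nf_conntrack_tcp_loose left at its default, a TCP packet that has no conntrack entry is classified NEW rather than INVALID, so the usable substitute for `--ctstate INVALID` is to match NEW TCP packets that do not carry SYN. The interface names and the chain name RST_STALE are assumptions.

```shell
#!/bin/sh
# Added example (not the poster's or Shorewall's code): reset TCP flows that
# arrive with no conntrack entry, without changing nf_conntrack_tcp_loose.
# With tcp_loose=1 such mid-stream packets are classified NEW, not INVALID;
# a genuine new connection always starts with SYN, so "NEW and not SYN"
# identifies them. Interface names below are assumptions.
set -eu

LAN_IF="${LAN_IF:-eth1}"     # assumed LAN interface (Shorewall zone "loc")
WAN_IF="${WAN_IF:-ppp0}"     # WAN interface named in the post

# Emit the rules in iptables-restore format so they can be reviewed first.
render_rules() {
    cat <<EOF
*filter
:RST_STALE - [0:0]
# Log (rate limited) so stale flows show up in the firewall log.
-A RST_STALE -p tcp ! --syn -m conntrack --ctstate NEW -m limit --limit 10/min -j LOG --log-prefix "STALE_TCP: "
# No conntrack entry and no SYN: a stale or mid-stream flow, answer with RST.
-A RST_STALE -p tcp ! --syn -m conntrack --ctstate NEW -j REJECT --reject-with tcp-reset
# Packets the tracker itself marks INVALID get the same treatment.
-A RST_STALE -p tcp -m conntrack --ctstate INVALID -j REJECT --reject-with tcp-reset
-A FORWARD -i ${LAN_IF} -o ${WAN_IF} -p tcp -j RST_STALE
COMMIT
EOF
}

# Load without flushing existing tables (needs root); otherwise print only.
apply_rules() {
    if [ "$(id -u)" -eq 0 ]; then
        render_rules | iptables-restore -n
    else
        echo "not root: printing rules instead of loading them" >&2
        render_rules
    fi
}

# count_reset_rules: number of tcp-reset REJECT rules in the rendered set.
count_reset_rules() {
    render_rules | grep -c -- '--reject-with tcp-reset'
}
```

Shorewall rebuilds the whole ruleset on restart, so rules loaded this way vanish at that point and would need to live in Shorewall's own configuration to persist; the FORWARD jump is also appended on every run, so check for it before reloading.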
