Hmm, I get some clues here:
http://linuxgazette.net/175/brownss.html
So I need to translate
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -A FORWARD -p tcp --syn -j ACCEPT
iptables -A FORWARD -p tcp -j REJECT --reject-with tcp-reset
into shorewall syntax. Any suggestions?
Do I need to use inline() to do the above?
Ed
On 30/10/2015 16:26, Ed W wrote:
Hi,
I have a requirement to REJECT packets for some connections in an
INVALID conntrack state. I can't quite figure out how to do this...
What I can do:
- echo 0 > /proc/sys/net/netfilter/nf_conntrack_tcp_loose
- now I can see these packets in "SECTION INVALID" in shorewall
However, I am nervous of changing the default _loose setting as I have
a complete multi-gateway setup WITH vpns and I suspect there are some
hidden effects I haven't thought of.
How can I REJECT packets without an established conntrack entry,
*without* changing the default nf_conntrack_tcp_loose? Consulting the
diagram here:
https://upload.wikimedia.org/wikipedia/commons/3/37/Netfilter-packet-flow.svg
I suspect I need to match in pre-routing or earlier?
Could someone help me with a sample to achieve:
REJECT loc ppp0 tcp --ctstate invalid
Note, I'm aware that it's not possible/sensible to try and REJECT
anything other than TCP connections. The bigger picture is that I
need to kill some network connections when my internet gateway goes
up/down (or the clients get into a stuck state) and I can't find a way
of doing this other than removing the conntrack entries and sticking a
REJECT rule in to catch the case.
(If anyone has other ideas on how one can send RST packets to force
the connection to reset I'm all ears? RST would be coming from the box
doing NAT on the connection, so in theory the box knows everything
about sequence numbers, etc)
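As an added illustration (not from this thread, and not verified against Ed's multi-gateway setup), the three iptables rules above expressed as a fragment of /etc/shorewall/rules. Assumptions: Shorewall 4.6/5.x syntax with `?SECTION` markers, a `loc` zone for the LAN and a `net` zone that contains `ppp0`, and the built-in `NotSyn(action)` action (older releases shipped the same logic as the `rejNotSyn` standard action). Shorewall's own `REJECT` already answers TCP with a tcp-reset, so no `--reject-with` is needed.

```text
#
# /etc/shorewall/rules  (fragment, added example; zone names and the
# ppp0 -> net mapping are assumptions)
#
# Packets with a conntrack entry never reach the NEW section: Shorewall
# puts an implicit ACCEPT at the end of ?SECTION ESTABLISHED, which is
# the equivalent of
#   iptables -A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
?SECTION ESTABLISHED
?SECTION RELATED

# Only relevant when nf_conntrack_tcp_loose=0: mid-stream packets without
# a conntrack entry are then INVALID and could be rejected here instead.
?SECTION INVALID
?SECTION UNTRACKED

# With the default nf_conntrack_tcp_loose=1, a stray ACK for a connection
# conntrack has forgotten arrives here in state NEW, so match on the
# missing SYN flag rather than on the conntrack state. Equivalent of
#   iptables -A FORWARD -p tcp ! --syn -j REJECT --reject-with tcp-reset
?SECTION NEW
NotSyn(REJECT)  loc   net:ppp0   tcp

# Genuine connection attempts (SYN set) are then allowed. Equivalent of
#   iptables -A FORWARD -p tcp --syn -j ACCEPT
ACCEPT          loc   net:ppp0   tcp
```

Run `shorewall check` before `shorewall restart` to confirm the action name and the `zone:interface` form are accepted by the installed version. Note what the RST does and does not do: it is sent back to the `loc` client that emitted the orphaned packet, so that side tears down its socket; the remote peer only learns about it when the client stops answering, exactly as with the raw iptables version.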
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users