OK, so I made an action as follows:
INLINE(CONTINUE) - - tcp ; -m conntrack --ctstate UNTRACKED
CONTINUE - - tcp:syn
REJECT:info:DeadConn - - tcp
Anyone have any comments? I run this from the "NEW" section of my rules
file, so I have avoided touching anything "UNTRACKED", but I can't see
any reason why I would ever see an "ESTABLISHED" connection here?
Is there a neater way to write this? Something builtin?
It does seem to mostly solve my problem. When a PPP interface goes down
I can selectively drop conntracks relating to that interface and
although there is a pause until the connection sends more packets, it
does force the connection down and prevent the user sitting with a
stale/stuck connection.
Any other suggestions?
Thanks
Ed W
On 30/10/2015 16:54, Ed W wrote:
Hmm, I get some clues here:
http://linuxgazette.net/175/brownss.html
So I need to translate
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -A FORWARD -p tcp --syn -j ACCEPT
iptables -A FORWARD -p tcp -j REJECT --reject-with tcp-reset
into shorewall syntax. Any suggestions?
Do I need to use inline() to do the above?
Ed
On 30/10/2015 16:26, Ed W wrote:
Hi,
I have a requirement to REJECT packets for some connections in an
INVALID conntrack state. I can't quite figure out how to do this...
What I can do:
- echo 0 > /proc/sys/net/netfilter/nf_conntrack_tcp_loose
- now I can see these packets in "SECTION INVALID" in shorewall
However, I am nervous of changing the default _loose setting as I
have a complete multi-gateway setup WITH vpns and I suspect there are
some hidden effects I haven't thought of.
How can I REJECT packets without an established conntrack entry,
*without* changing the default nf_conntrack_tcp_loose? Consulting the
diagram here:
https://upload.wikimedia.org/wikipedia/commons/3/37/Netfilter-packet-flow.svg
I suspect I need to match in pre-routing or earlier?
Could someone help me with a sample to achieve:
REJECT loc ppp0 tcp --ctstate invalid
Note, I'm aware that it's not possible/sensible to try and REJECT
anything other than TCP connections. The bigger picture is that I
need to kill some network connections when my internet gateway goes
up/down (or the clients get into a stuck state) and I can't find a
way of doing this other than removing the conntrack entries and
sticking a REJECT rule in to catch the case.
(If anyone has other ideas on how one can send RST packets to force
the connection to reset I'm all ears? RST would be coming from the
box doing NAT on the connection, so in theory the box knows
everything about sequence numbers, etc)
------------------------------------------------------------------------------
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
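The two approaches discussed in this thread (matching `--ctstate INVALID`, versus the three-rule ESTABLISHED / `--syn` / `tcp-reset` chain from the linuxgazette article) behave differently depending on `nf_conntrack_tcp_loose`. The following is an added, deliberately simplified Python model of that behaviour, written for this thread and not code from Shorewall or netfilter: the conntrack table is a set of (src, dst) pairs, "loose" pickup is reduced to "any packet without an entry is NEW when tcp_loose=1", and an unconfirmed entry is only committed when the packet is accepted (as the real confirm hook does). Addresses and the `ct.flush()` helper are constructed for the scenario.

```python
"""Model of how nf_conntrack_tcp_loose changes the ctstate seen by a
FORWARD chain, and why a tcp-reset chain catches stale flows that an
'--ctstate INVALID' rule misses.  Constructed example, not netfilter code."""
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    syn: bool = False  # True for a bare SYN (iptables '--syn')


class Conntrack:
    """Toy conntrack table keyed on (src, dst); real conntrack uses 5-tuples."""

    def __init__(self, tcp_loose=1):
        self.tcp_loose = tcp_loose
        self.table = set()

    def lookup(self, pkt):
        """Return (ctstate, tentative_key). The key is only committed if the
        packet is later accepted, mirroring the conntrack confirm hook."""
        key = (pkt.src, pkt.dst)
        if key in self.table or key[::-1] in self.table:
            return "ESTABLISHED", None
        if pkt.syn or self.tcp_loose:
            # tcp_loose=1: mid-stream packets are picked up as NEW
            return "NEW", key
        return "INVALID", None  # non-SYN with no entry and tcp_loose=0

    def confirm(self, key):
        if key is not None:
            self.table.add(key)

    def flush(self, addr):
        """Constructed stand-in for deleting conntrack entries for a host."""
        self.table = {k for k in self.table if addr not in k}


def run_chain(ct, pkt, rules, policy="ACCEPT"):
    """Walk a list of (verdict, match) rules like an iptables chain."""
    state, key = ct.lookup(pkt)
    for verdict, match in rules:
        if match(state, pkt):
            if verdict == "ACCEPT":
                ct.confirm(key)
            return verdict
    if policy == "ACCEPT":
        ct.confirm(key)
    return policy


# Approach 1: 'REJECT ... --ctstate INVALID' (first mail in the thread)
REJECT_INVALID = [("REJECT", lambda st, p: st == "INVALID")]

# Approach 2: the three-rule chain from the linuxgazette article
RESET_CHAIN = [
    ("ACCEPT", lambda st, p: st == "ESTABLISHED"),  # -m conntrack --ctstate ESTABLISHED
    ("ACCEPT", lambda st, p: p.syn),                # -p tcp --syn
    ("REJECT", lambda st, p: True),                 # -p tcp -j REJECT --reject-with tcp-reset
]


def scenario(rules, tcp_loose):
    """Handshake, data, conntrack flush (ppp0 down), then stale data."""
    ct = Conntrack(tcp_loose)
    client, server = "10.0.0.5", "203.0.113.9"  # constructed addresses
    verdicts = [
        run_chain(ct, Packet(client, server, syn=True), rules),
        run_chain(ct, Packet(client, server), rules),
    ]
    ct.flush(client)  # entries for this client removed when the link dropped
    verdicts.append(run_chain(ct, Packet(client, server), rules))
    return verdicts


if __name__ == "__main__":
    for name, rules in (("INVALID-only", REJECT_INVALID), ("tcp-reset chain", RESET_CHAIN)):
        for loose in (1, 0):
            print(f"{name:16} tcp_loose={loose}: {scenario(rules, loose)}")
```

With the default `tcp_loose=1` the INVALID-only rule never fires on the stale packet, because conntrack adopts it as NEW and the flow is silently re-established; the tcp-reset chain rejects it under either setting, which is why it works without touching the sysctl.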