LinuxQuestions.org


Fredde87 11-19-2008 12:14 PM

State established causing problems
 
Hi,

I have been working on an embedded Linux router. One of its features is that the user can easily click a button to apply/remove firewall settings on the fly (full access, email only, web browsing only, no internet, etc.).

I am having problems when the user runs a program like Skype.
The problem comes into play if he has full access to the internet and logs in to Skype. If he then applies a firewall rule to block all outgoing internet traffic, some incoming Skype traffic still goes through. I believe this is because the incoming packets were part of an established connection and therefore get forwarded in the NATing table.


I let the user configure his own rules, but as an example a block-all rule would look like this (where eth0 is the internet and eth1 is the LAN):
target prot opt in out source destination
REJECT 0 -- eth1 eth0 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable


Here are two examples of packets that manage to go through:

Nov 19 19:07:49 Mathilda kernel: IN=eth0 OUT=eth1 SRC=86.145.29.27 DST=192.168.1.101 LEN=42 TOS=0x00 PREC=0x00 TTL=104 ID=51142 DF PROTO=TCP SPT=50475 DPT=3364 WINDOW=64134 RES=0x00 ACK PSH URGP=0
Nov 19 19:08:07 Mathilda kernel: IN=eth0 OUT=eth1 SRC=89.252.232.88 DST=192.168.1.101 LEN=42 TOS=0x00 PREC=0x00 TTL=110 ID=15383 DF PROTO=TCP SPT=34783 DPT=3362 WINDOW=64222 RES=0x00 ACK PSH URGP=0


If my theory is correct and these are all going through because iptables thinks they are established connections, then is there a way to block these packets without losing the NAT feature? Obviously a REJECT all or a REJECT established rule will kill all internet traffic.


Thanks!

estabroo 11-19-2008 07:20 PM

can you clear the connection tracking data when you put new rules into effect?

Fredde87 11-20-2008 05:29 AM

Quote:

Originally Posted by estabroo (Post 3348104)
can you clear the connection tracking data when you put new rules into effect?

How do I do that? I guess if it is possible I will have to do that. It might drop some connections I don't want to drop, but I would rather drop a connection than keep an invalid one up, as this is going to go over dial-up services which are not cheap.

estabroo 11-20-2008 10:29 AM

Not sure, but there is a user-space program called conntrack that lets you manipulate the connection tracking table. That would probably be a good start, as I think it lets you drop individual connections, so you could target the connections using the port you are closing.

ugge 11-27-2008 12:38 PM

The rule you specified only blocks outgoing traffic, so there should be no surprise that it lets traffic through according to the other rules.

To be able to handle security you will have to write rules for both directions. Only blocking all outgoing traffic is no security.

Fredde87 12-01-2008 05:20 AM

Thanks ugge; however, the feature is not really there for security. The feature is more used to control the amount of data, as this will hook up to satellite equipment where costs can be as high as $20 per mb.

Would adding an equivalent INPUT drop rule drop established connections? I wouldn't think so, as the ports are just dynamic ones, so the rules wouldn't match, would they?


Thanks

ugge 12-01-2008 12:02 PM

You could match the interface for incoming and outgoing instead of IP; that way you could shut off immediately.

Fredde87 12-04-2008 08:12 AM

Just to follow up that conntrack using -F as a parameter seems to work. Will do more testing later, but it looks good to start with :)

Thanks!

Fredde87 12-17-2008 11:54 AM

Several weeks of testing, and conntrack did its thing.
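As an added example (not code from the thread or from any of its posters), here is a small sh script that combines estabroo's conntrack suggestion with ugge's advice to match on interfaces in both directions. It assumes the thread's interface names (eth0 = internet, eth1 = LAN); the WAN/LAN variables, the function names and the DRY_RUN switch are my own additions, and running it for real needs root, iptables and conntrack-tools.

```shell
#!/bin/sh
# Added example for the "block all internet" policy on the thread's router.
# Assumptions: eth0 is the internet side, eth1 the LAN side (from the thread);
# DRY_RUN=1 only prints the commands instead of executing them.
WAN=${WAN:-eth0}
LAN=${LAN:-eth1}

run() {
    if [ -n "$DRY_RUN" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

apply_block_all() {
    # Match on the interface pair in both directions, not on addresses or
    # ports, so dynamically negotiated ports (as Skype uses) cannot slip by.
    run iptables -A FORWARD -i "$LAN" -o "$WAN" -j REJECT --reject-with icmp-port-unreachable
    run iptables -A FORWARD -i "$WAN" -o "$LAN" -j DROP
    # If an earlier "-m state --state ESTABLISHED,RELATED -j ACCEPT" rule
    # precedes these, flows opened under the old policy still match it.
    # Flushing the conntrack table removes those entries, so the next packet
    # of an old flow is evaluated as NEW and hits the REJECT/DROP above.
    run conntrack -F
}

remove_block_all() {
    run iptables -D FORWARD -i "$LAN" -o "$WAN" -j REJECT --reject-with icmp-port-unreachable
    run iptables -D FORWARD -i "$WAN" -o "$LAN" -j DROP
}

# Narrower alternative to a full flush: drop only the tracked flows that
# one LAN host (original source address) opened, leaving other hosts alone.
flush_host_flows() {
    run conntrack -D --orig-src "$1"
}
```

Flushing conntrack also removes NAT mappings for those flows, so connections already open when the policy is applied are cut, which is the trade-off the thread accepts.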

