Linux - Networking: This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.
I have been working on an embedded Linux router. One of its features is that the user can easily click a button to apply/remove firewall settings on the fly (full access, email only, web browsing only, no internet, etc.).
I am having problems when the user runs a program like Skype.
The problem comes into play if he has full access to the internet and logs in to Skype. If he then applies a firewall rule to block all outgoing internet traffic, some incoming Skype traffic still goes through. I believe this is because the incoming packets were part of an established connection and therefore get forwarded in the NATing table.
I let the user configure his own rules, but as an example a block-all rule would look like this (where eth0 is the internet and eth1 is the LAN):
target  prot  opt  in    out   source     destination
REJECT  0     --   eth1  eth0  0.0.0.0/0  0.0.0.0/0    reject-with icmp-port-unreachable
Here are two examples of packets that manage to go through:
If my theory is correct and these are all going through because iptables thinks they are established connections, then is there a way to block these packets without losing the NAT feature? Obviously a REJECT-all or a REJECT-established rule will kill all internet traffic.
Can you clear the connection tracking data when you put new rules into effect?
How do I do that? I guess if it is possible I will have to do that. It might drop some connections I don't want to drop, but I would rather drop a connection than keep an invalid one up, as this is going to go over dial-up services which are not cheap.
Not sure, but there is a user-space program called conntrack that lets you manipulate the connection tracking table. That would probably be a good start, as I think it lets you drop individual connections, so you could target the connections using the port you are closing.
Thanks ugge, however the feature is not really there for security. The feature is more used to control the amount of data, as this will hook up to satellite equipment where costs can be as high as $20 per mb.
Would adding an equivalent INPUT drop rule drop established connections? I wouldn't think so, as the ports are just dynamic ones, so the rules wouldn't match, would they?
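The suggestion above (apply the new rule, then clear the conntrack entries so already-open flows stop matching as ESTABLISHED) can be put together in a small script. This is an added example and not code from the thread or from any of its posters; it assumes the thread's interface layout (eth0 = internet, eth1 = LAN), a hypothetical LAN subnet of 192.168.1.0/24, and that the conntrack-tools package is installed. Setting DRY_RUN=1 prints the commands instead of running them, which is also how the script can be checked without root.

```shell
#!/bin/sh
# Added example (not from the thread): apply a "block all outgoing" policy on a
# NAT router and then delete the conntrack entries that would otherwise let
# connections opened before the rule keep passing as ESTABLISHED.
# Assumptions (hypothetical): WAN_IF=eth0, LAN_IF=eth1, LAN_NET=192.168.1.0/24.

WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"   # constructed sample subnet
DRY_RUN="${DRY_RUN:-0}"                # 1 = print commands only

# Runs a command, or prints it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Insert the REJECT rule at position 1 of FORWARD so it is evaluated before
# any "--state ESTABLISHED,RELATED -j ACCEPT" rule already in the chain.
block_all_outgoing() {
    run iptables -I FORWARD 1 -i "$LAN_IF" -o "$WAN_IF" \
        -j REJECT --reject-with icmp-port-unreachable
}

# Delete the conntrack entries whose original direction came from the LAN.
# For SNAT'd flows the original tuple's source is the LAN host, so this
# removes exactly the entries that let reply packets be de-NATed and forwarded.
flush_lan_conntrack() {
    run conntrack -D -s "$LAN_NET"
}

# Number of entries still tracked for the LAN (useful to verify the flush).
count_lan_conntrack() {
    conntrack -L -s "$LAN_NET" 2>/dev/null | wc -l
}

apply_block_policy() {
    block_all_outgoing
    flush_lan_conntrack
}

# Only act when invoked as "block_policy.sh apply"; sourcing the file just
# defines the functions.
if [ "${1:-}" = "apply" ]; then
    apply_block_policy
    echo "LAN conntrack entries remaining: $(count_lan_conntrack)"
fi
```

Deleting with `-s "$LAN_NET"` rather than `conntrack -F` limits the purge to flows that originated on the LAN, so the router's own connections (a dial-up or satellite session, an admin login) are left alone. Any LAN flow that is still alive after the purge will show up as NEW on its next packet and be caught by the REJECT rule.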