[olug] How can I sever IPtables established connections for only certain IPs?
Ben Hollingsworth
obiwan at jedi.com
Tue May 23 09:42:30 CDT 2023
I have a somewhat complex IPtables setup (configured via fwbuilder) that
protects my home network. My firewall box runs Ubuntu server 20.04. At a
certain hour each night, I block a handful of IPs that belong to my
children's devices so that they can't use them all night. I do this by
keeping two separate IPtables configs and using cron to install the
appropriate one at the appropriate time.
This works fine for blocking new connections, but I've found that any
connections that happen to be open when the new config is loaded will
continue to stay open. My kids have figured that out as well.
The problem comes from this line, which exists in both configs, and
keeps related connections open across my reload:
$IPTABLES -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
Is there any way that I can turn off connection tracking for only
certain IPs? I'd really rather that open connections for authorized IPs
not get interrupted, but I can live with that if I must.
--
Ben "Obi-Wan" Hollingsworth  obiwan at jedi.com  www.Jedi.com
<http://www.jedi.com>
The stuff of earth competes for the allegiance I owe only to the
Giver of all good things, so if I stand, let me stand on the
promise that You will pull me through. -- Rich Mullins
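The rule-ordering point behind the question, as an added shell example that is not from the original post or from the list: the per-device DROP rules are inserted ahead of the ESTABLISHED,RELATED accept so packets from an already-open flow hit DROP first, and the matching conntrack entries are deleted. It assumes the conntrack-tools `conntrack` command is installed; the IP addresses used in the check are constructed.

```shell
#!/bin/sh
# Added example, not the original poster's code. IPTABLES mirrors the
# variable used in the post; it is assumed to resolve to iptables.
IPTABLES=${IPTABLES:-iptables}

# Print the rule lines for the nightly config. The per-device DROP rules
# are inserted at the head of FORWARD (-I FORWARD 1) so they are evaluated
# before the ESTABLISHED,RELATED accept: iptables walks a chain top to
# bottom, so a packet belonging to an open flow from a blocked IP matches
# DROP and never reaches the ACCEPT. This holds whether the chain was
# flushed before loading or not.
nightly_rules() {
    for ip in $1; do
        echo "$IPTABLES -I FORWARD 1 -s $ip -j DROP"
        echo "$IPTABLES -I FORWARD 1 -d $ip -j DROP"
    done
    echo "$IPTABLES -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
}

# Print the commands that delete existing state-table entries for each IP
# (conntrack-tools). The DROP rule already stops the packets; removing the
# entries as well means nothing for those devices lingers in `conntrack -L`
# and no stale entry is left to match if the rules are ever reordered.
flush_commands() {
    for ip in $1; do
        echo "conntrack -D -s $ip"
        echo "conntrack -D -d $ip"
    done
}

# Ordering check that needs no root and no live firewall: 1-based position
# of the first nightly_rules line matching a pattern.
rule_position() {
    nightly_rules "$1" | grep -n -- "$2" | head -n 1 | cut -d: -f1
}

# Apply for real from the nightly cron job (needs root).
apply_nightly_block() {
    nightly_rules "$1" | sh
    flush_commands "$1" | sh
}
```

For the daytime config, the DROP lines are simply absent and the ESTABLISHED,RELATED accept stays as it is, so authorized devices keep their open connections across the reload.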