[olug] How can I sever IPtables established connections for only certain IPs?

Lou Duchez lou at paprikash.com
Tue May 23 10:18:59 CDT 2023


Put in the rules to disable the IPs before the "established,related" 
line? Normally you want the "established,related" as the first thing for 
efficiency's sake, but if you have to put a couple rules before that, 
you have to.

On 5/23/2023 10:42 AM, Ben Hollingsworth wrote:
> I have a somewhat complex IPtables setup (configured via fwbuilder) 
> that protects my home network. My firewall box runs Ubuntu server 
> 20.04. At a certain hour each night, I block a handful of IPs that 
> belong to my children's devices so that they can't use them all night. 
> I do this by keeping two separate IPtables configs and using cron to 
> install the appropriate one at the appropriate time.
>
> This works fine for blocking new connections, but I've found that any 
> connections that happen to be open when the new config is loaded will 
> continue to stay open. My kids have figured that out as well.
>
> The problem comes from this line, which exists in both configs, and 
> keeps related connections open across my reload:
>
> $IPTABLES -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
>
> Is there any way that I can turn off connection tracking for only 
> certain IPs? I'd really rather that open connections for authorized 
> IPs not get interrupted, but I can live with that if I must.
>
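As an added example (not Lou's or Ben's actual config, and not fwbuilder output), the script below generates the FORWARD chain in the order Lou describes: the per-device DROP rules come before the ESTABLISHED,RELATED accept, so they match packets of already-open flows too, because a plain `-s`/`-d` match ignores conntrack state. It also prints the conntrack-tools commands that delete the stale tracking entries for those devices, and includes a sanity check that the curfew config really has the drops in front of the state rule. The device addresses, the `$IPTABLES` variable and the interface names are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the OLUG thread: curfew ruleset generator.
# Nothing here runs iptables; the functions print the commands so the
# ordering can be reviewed (or the output piped to sh from cron).

IPTABLES=${IPTABLES:-iptables}   # assumption: matches the $IPTABLES of the posted rule
LAN_IF=${LAN_IF:-eth1}           # assumption: inside interface
WAN_IF=${WAN_IF:-eth0}           # assumption: outside interface

# build_forward_rules IP... : print the FORWARD chain with the curfew drops
# placed BEFORE the ESTABLISHED,RELATED accept. The drop rules match on
# address only, so packets of connections that were open when the config
# was loaded are dropped as well; the state rule never sees them.
build_forward_rules() {
    printf '%s -F FORWARD\n' "$IPTABLES"
    for ip in "$@"; do
        # both directions, so replies to the device are cut off too
        printf '%s -A FORWARD -s %s -j DROP\n' "$IPTABLES" "$ip"
        printf '%s -A FORWARD -d %s -j DROP\n' "$IPTABLES" "$ip"
    done
    # the usual fast path for everyone else (the line from the original post)
    printf '%s -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n' "$IPTABLES"
    # new outbound connections from the rest of the LAN, then default drop
    printf '%s -A FORWARD -i %s -o %s -m conntrack --ctstate NEW -j ACCEPT\n' "$IPTABLES" "$LAN_IF" "$WAN_IF"
    printf '%s -A FORWARD -j DROP\n' "$IPTABLES"
}

# build_conntrack_flush IP... : print the conntrack-tools commands that delete
# existing tracking entries for the blocked devices. Optional with the ordering
# above, but it keeps stalled flows from lingering in the state table.
build_conntrack_flush() {
    for ip in "$@"; do
        printf 'conntrack -D -s %s\n' "$ip"
        printf 'conntrack -D -d %s\n' "$ip"
    done
}

# drop_precedes_established RULESET : exit 0 when no per-address DROP rule
# appears after the ESTABLISHED,RELATED line, exit 1 otherwise. Run this on
# the night-time config before cron installs it.
drop_precedes_established() {
    printf '%s\n' "$1" | awk '
        /ESTABLISHED,RELATED/ { seen_est = 1 }
        /-j DROP/ && (/-s / || /-d /) && seen_est { bad = 1 }
        END { exit bad }'
}

# Show the curfew ruleset for two constructed device addresses.
build_forward_rules 192.168.1.20 192.168.1.21
build_conntrack_flush 192.168.1.20 192.168.1.21
```

With DROP the kids' open TCP sessions simply stall until they time out; if you would rather have them torn down immediately, the same position in the chain can hold `-p tcp -j REJECT --reject-with tcp-reset` instead. Either way the state rule itself stays unchanged, which is what keeps everyone else's connections open across the reload.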


