[olug] How can I sever IPtables established connections for only certain IPs?

Lou Duchez lou at paprikash.com
Tue May 23 11:01:56 CDT 2023


... even more efficiency: what happens if, ten minutes after you disable 
the IPs, you switch to a third ruleset where the IPs are disabled AFTER 
the "established,related" line? So hopefully all those established 
connections will have been broken in those ten minutes, and then you can 
go back to the efficiency of putting "established,related" first.

Side note, I switched to nftables a couple years ago, and I've been very 
happy with it. There's a learning curve, but it's not that terrible. I 
don't know that there's any advantage for your particular scenario, but 
it seems to be what they want us to use instead of iptables, and so it 
feels like bowing to the inevitable.

On 5/23/2023 11:18 AM, Lou Duchez wrote:
> Put in the rules to disable the IPs before the "established,related" 
> line? Normally you want the "established,related" as the first thing 
> for efficiency's sake, but if you have to put a couple rules before 
> that, you have to.
>
> On 5/23/2023 10:42 AM, Ben Hollingsworth wrote:
>> I have a somewhat complex IPtables setup (configured via fwbuilder) 
>> that protects my home network. My firewall box runs Ubuntu server 
>> 20.04. At a certain hour each night, I block a handful of IPs that 
>> belong to my children's devices so that they can't use them all 
>> night. I do this by keeping two separate IPtables configs and using 
>> cron to install the appropriate one at the appropriate time.
>>
>> This works fine for blocking new connections, but I've found that any 
>> connections that happen to be open when the new config is loaded will 
>> continue to stay open. My kids have figured that out as well.
>>
>> The problem comes from this line, which exists in both configs, and 
>> keeps related connections open across my reload:
>>
>> $IPTABLES -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j 
>> ACCEPT
>>
>> Is there any way that I can turn off connection tracking for only 
>> certain IPs? I'd really rather that open connections for authorized 
>> IPs not get interrupted, but I can live with that if I must.
>>
>


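The three rulesets discussed in this thread, written out as an added example (not a script from the thread, and not fwbuilder output). It only prints the FORWARD-chain rule order for each phase so the ordering can be checked without touching a live firewall; `day` has no blocks, `cut` puts the per-IP drops ahead of the ESTABLISHED,RELATED rule so existing connections stop passing, and `night` moves them back behind it once the old connections have died off. The addresses in BLOCKED_IPS are constructed placeholders from the 192.0.2.0/24 documentation range, and the `ruleset` function name and the PHASE variable are assumptions of this example.

```shell
#!/bin/sh
# Added example: emit the FORWARD-chain rule order for the three phases.
# BLOCKED_IPS holds constructed placeholder addresses; replace with the real devices.
BLOCKED_IPS="${BLOCKED_IPS:-192.0.2.10 192.0.2.11}"
IPTABLES="${IPTABLES:-iptables}"

# One DROP per blocked IP in each direction, so replies to the device stop too.
emit_drop_rules() {
    for ip in $BLOCKED_IPS; do
        echo "$IPTABLES -A FORWARD -s $ip -j DROP"
        echo "$IPTABLES -A FORWARD -d $ip -j DROP"
    done
}

# The line from the original question that keeps existing connections open.
emit_established_rule() {
    echo "$IPTABLES -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
}

# ruleset PHASE (hypothetical helper name)
#   day   : no blocks, conntrack rule first for efficiency
#   cut   : drops BEFORE the conntrack rule, so already-open connections are cut
#   night : drops AFTER the conntrack rule, the efficient steady state once the
#           old connections are gone
ruleset() {
    case "$1" in
        day|cut|night) ;;
        *) echo "usage: ruleset day|cut|night" >&2; return 1 ;;
    esac
    echo "$IPTABLES -F FORWARD"
    case "$1" in
        day)   emit_established_rule ;;
        cut)   emit_drop_rules; emit_established_rule ;;
        night) emit_established_rule; emit_drop_rules ;;
    esac
    echo "# remaining FORWARD rules from the normal config go here, unchanged"
}

# Stand-alone use: PHASE=cut sh rules.sh  (prints the rules; pipe to sh to apply)
if [ -n "${PHASE:-}" ]; then
    ruleset "$PHASE"
fi
```

Cron would run the `cut` phase at bedtime and the `night` phase some minutes later, as the reply suggests. One caveat worth checking before the second switch: a DROP rule in FORWARD does not delete an existing conntrack entry, it only stops the packets, and the entry is refreshed for as long as the client keeps retransmitting. `conntrack -L -s <ip>` (from conntrack-tools) shows whether entries for a device are still present; if a long-lived session's entry survives the gap, that session is accepted again by the ESTABLISHED,RELATED rule once it moves back ahead of the drops.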
