On Wed, 12 Mar 2025 00:56:48 +0100 Antonio Ojea <antonio.ojea.garcia@xxxxxxxxx> wrote:
> Hi,
>
> I'm puzzled trying to understand the following behavior, appreciate it
> if you can help me to understand better how this works.
>
> The setup is like this: Client --- Router --- Server
>
> - Router DNATs to a Virtual IP and Port of the Server.
> - Client establishes a permanent connection to the Virtual IP.
> - Router adds a REJECT rule in the FORWARD hook for the Server IP
>
> I expect the REJECT to match the established connection, but the
> client keeps reaching the Server using the existing connection.
>
> The packets of the established connection do not show up on the traces
> using nftrace.
>
> Is it possible to "DROP/REJECT" the established connection?

If I understand correctly, if you want to terminate a TCP conn with iptables, you can:

    iptables -N disconn
    iptables -A disconn -p tcp -m state --state ESTABLISHED \
        -j REJECT --reject-with tcp-reset
    iptables -A disconn -j REJECT --reject-with icmp-admin-prohibited

If your other rules determine that a conn should be shut down, they should jump to chain 'disconn', which will immediately reset the sender's end if it's a TCP conn and cause all other packets for that conn from that end to be rejected. Each end must send a TCP packet on that conn for it to be fully reset.

I've used this on my F/W for timed access. The 'instant' time moves into a prohibited span, all active connections for affected IPs are immediately shut down and blocked; not one more of their packets crosses the F/W. I also use it for blocklists.

I expect nftables has similar functionality.

Neal
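The following is an added example and not code from either message above. It packages the 'disconn' chain that Neal describes as a small script that takes a blocklist of IPv4 addresses, emits the rules as an iptables-restore fragment or as an nftables ruleset (the nftables side is this example's own translation, since Neal only says he expects nftables to have the same functionality), and can apply either. The function names, the chain names disconn and disconn_list, the table name inet disconn, the priority -10 and the 198.51.100.x addresses are all this example's choices. Both variants match the blocked address as source and as destination, because the RST is sent back to whichever end transmitted the matched packet, so each end has to send one packet of its own to get its socket reset, exactly as Neal says.

```shell
#!/bin/sh
# Added example (not from the thread): generate the 'disconn' chain for a
# blocklist of IPv4 addresses as an iptables-restore fragment or as an
# nftables ruleset, and optionally load it. All names are hypothetical.
#
# Usage: disconn.sh show-ipt  198.51.100.7 198.51.100.9   (print only)
#        disconn.sh show-nft  198.51.100.7
#        disconn.sh apply-ipt 198.51.100.7                 (as root)
#        disconn.sh apply-nft 198.51.100.7                 (as root)

# iptables-restore fragment. It is loaded with 'iptables-restore -n' so that
# other chains are left alone; the ':chain' lines create our two chains if
# missing and flush them if present, which keeps repeated runs idempotent.
build_iptables_rules() {
    printf '%s\n' '*filter' ':disconn - [0:0]' ':disconn_list - [0:0]'
    # Established TCP flow: answer the sender with an RST, which tears down
    # the sender's socket. '-p tcp' is required for --reject-with tcp-reset.
    printf '%s\n' '-A disconn -p tcp -m conntrack --ctstate ESTABLISHED -j REJECT --reject-with tcp-reset'
    # Everything else for the flow (UDP, ICMP, new SYNs, the other end's packets).
    printf '%s\n' '-A disconn -j REJECT --reject-with icmp-admin-prohibited'
    for ip in "$@"; do
        # Both directions of the forwarded flow, so both ends get their RST.
        printf '%s\n' "-A disconn_list -s $ip -j disconn" "-A disconn_list -d $ip -j disconn"
    done
    printf '%s\n' 'COMMIT'
}

apply_iptables_rules() {
    build_iptables_rules "$@" | iptables-restore -n
    # Hook the list into FORWARD once, at position 1, ahead of any
    # '--ctstate ESTABLISHED,RELATED -j ACCEPT' rule that would otherwise
    # accept the flow before our REJECT is reached.
    iptables -C FORWARD -j disconn_list 2>/dev/null || iptables -I FORWARD 1 -j disconn_list
}

# nftables equivalent. The empty declaration followed by 'flush table' lets
# 'nft -f' replace our rules atomically instead of appending duplicates.
# 'icmpx' is the family-neutral reject type for an inet table; the address
# matches are IPv4 only ('ip saddr'/'ip daddr').
build_nft_rules() {
    printf '%s\n' 'table inet disconn {}' 'flush table inet disconn'
    printf '%s\n' 'table inet disconn {' \
        '    chain disconn {' \
        '        meta l4proto tcp ct state established reject with tcp reset' \
        '        reject with icmpx type admin-prohibited' \
        '    }' \
        '    chain disconn_list {'
    for ip in "$@"; do
        printf '        ip saddr %s jump disconn\n        ip daddr %s jump disconn\n' "$ip" "$ip"
    done
    # Priority -10 puts this base chain ahead of a conventional
    # 'priority filter' (0) forward chain.
    printf '%s\n' '    }' \
        '    chain forward {' \
        '        type filter hook forward priority -10; policy accept;' \
        '        jump disconn_list' \
        '    }' \
        '}'
}

apply_nft_rules() {
    build_nft_rules "$@" | nft -f -
}

case "${1:-}" in
    show-ipt)  shift; build_iptables_rules "$@" ;;
    show-nft)  shift; build_nft_rules "$@" ;;
    apply-ipt) shift; apply_iptables_rules "$@" ;;
    apply-nft) shift; apply_nft_rules "$@" ;;
esac
```

The 'apply' paths need root and a kernel with conntrack loaded; the 'show' paths are safe to run anywhere and are what you would diff against the live ruleset before loading. Neal's original rules use the older '-m state --state ESTABLISHED' match, which is equivalent to the '-m conntrack --ctstate ESTABLISHED' used here.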