Re: Best way to kill a live TCP connection?

Having tried it, it's rather tricky.  The behavior depends on when the
connection is deleted.  For example, with

   # input rule meant to drop incoming packets
   iptables -A INPUT -m conntrack --ctstate NEW -p tcp ! --syn\
      -j DROP
and
   # output rule to reset connections to the local server
   iptables -A OUTPUT -m conntrack --ctstate NEW -p tcp ! --syn\
      -j REJECT --reject-with tcp-reset

the connection is most likely deleted after the local server has sent
a reply but before the remote client sends further commands.  In
this case the server will time out waiting for those dropped input packets.

I tried removing that input rule.  That way the relevant packets are
accepted, but the server's reply packets in the OUTPUT table are marked
ESTABLISHED again.

I tried using connmark, as in

   iptables -A INPUT -m conntrack --ctstate NEW -p tcp ! --syn\
      -j CONNMARK --or-mark 8
and
   iptables -A OUTPUT -m connmark --mark 8/8 -p tcp ! --syn\
      -j REJECT --reject-with tcp-reset

However, the latter rule never matched.  Is it the wrong table?

-- 
BTW, I've added a request for tcp-reset-both to the wish list
http://bugzilla.netfilter.org/show_bug.cgi?id=696 (I hope I'll still
be alive by the time it lands on debian ;-)  For debian users, lenny's
conntrack doesn't work, but v0.9.14 of squeeze does --see
http://marc.info/?l=netfilter&m=127653938407010&w=2 for pinning--
conntrack -D -s 1.2.3.4 works for me despite the bug in
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=496769 mentions 0.9.15.)

N.B. Despite the announcement of 15/09/10, I couldn't find conntrack 0.9.15 in
http://conntrack-tools.netfilter.org/downloads.html
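A script tying the pieces of this thread together, added here as an illustration and not something posted on the list: it installs tcp-reset rules for one peer in both directions before deleting the conntrack entries, so whichever side talks next is reset rather than left waiting (the INPUT side uses REJECT here instead of the DROP above). It assumes iptables, conntrack-tools and the default nf_conntrack_tcp_loose=1; DRY_RUN is a switch made up for this example.

```shell
#!/bin/sh
# Added example, not from the original post. Installs reset rules for one
# peer first, then deletes its conntrack entries, so the next packet from
# either side is answered with RST instead of being dropped.  Assumes
# nf_conntrack_tcp_loose=1 (the default), so mid-stream packets of the
# deleted flow are classified NEW rather than INVALID.
# DRY_RUN=1 (made up for this example) prints the commands instead.

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Packets of a flow whose conntrack entry is gone are non-SYN yet NEW.
# Matching on the peer address keeps unrelated flows (for example after a
# full table flush) untouched.
reset_rules() {
    peer=$1
    action=$2   # -I to install at the top of the chain, -D to remove
    run iptables "$action" INPUT -s "$peer" -p tcp ! --syn \
        -m conntrack --ctstate NEW -j REJECT --reject-with tcp-reset
    run iptables "$action" OUTPUT -d "$peer" -p tcp ! --syn \
        -m conntrack --ctstate NEW -j REJECT --reject-with tcp-reset
}

# Kill every tracked TCP connection with the given peer.  The rules go in
# first so there is no window in which a packet is merely dropped.
kill_peer_connections() {
    peer=$1
    reset_rules "$peer" -I
    run conntrack -D -p tcp -s "$peer"
    run conntrack -D -p tcp -d "$peer"
}

# Remove the rules once the sockets on both sides have been torn down.
cleanup_peer_rules() {
    reset_rules "$1" -D
}

# usage: sh kill_peer.sh 192.0.2.10   (192.0.2.10 is a constructed address)
[ $# -eq 1 ] && kill_peer_connections "$1"
```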

