Scenario: I wrote iptables rules for a host where a DPI engine is watching Netfilter queues: firewall rules enqueue traffic incoming to this host into different Netfilter queues depending on whether the traffic is coming from a certain ipset of mine.
In the FORWARD chain, all connections are enqueued in different NFQUEUEs: the DPI engine watches in userspace the packets that iptables sends to the queues, and if a forbidden connection is observed it marks the packet with a special value; the DPI engine reinserts forbidden packets into the stack; in the POSTROUTING chain I check whether connections are marked with that special value, and if so I
It is all working fine, but…
Problem: the DPI engine is fine, but not perfect: sometimes,
- traffic that should be identified as forbidden is not identified as such and therefore is not blocked;
- forbidden traffic is blocked, but not immediately, and in the meantime a forbidden connection may open another connection (RELATED, according to the conntrack machine) that is not marked as forbidden, but I'd like to block the related connection as well.
The second case is the one where I want to take action. As an example of case 2, imagine that the DPI engine wants to block YouTube but isn't managing to do it rapidly; it lets the YouTube connection open another connection, which the DPI engine labels as SSL; the DPI engine finally blocks YouTube, but the SSL connection is wild and free to go; I can't tell the DPI engine to block SSL connections, regardless of which connections opened them.
Considerations: as explained in Scenario, packets coming into the POSTROUTING chain may be marked with 0 (the default value, meaning the DPI engine took no action) or with that special value (the DPI engine saw a forbidden connection and marked it): a simple
iptables -t mangle -A POSTROUTING -m mark --mark DROPVALUE -j DROP
is almost always enough, but in the Problem section I wrote that there are connections RELATED to the forbidden ones that are not seen as such by the DPI engine, because even if they were created by a forbidden connection, their protocol is not blacklisted and because of this they are not seen as forbidden.
This is right because I can’t blacklist
I need to block connections
RELATED to forbidden ones:
ESTABLISHED (if I understood well) do not refer to particular connections, but I need to refer to forbidden connections.
Question: is it possible to drop connections RELATED to connections to drop (or already dropped) in
Or is some hack with conntrack necessary?
Thanks in advance for any suggestion.
RELATED. This is not used for every connection that a single address might make. It is used only for actually related data, such as the FTP data stream associated with an FTP control connection, or ICMP error messages associated with an open connection. There are very few such connections that will actually match
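One way to make the DPI engine's per-packet verdict stick to the whole connection, and to the helper-expected connections conntrack reports as RELATED, is to copy the packet mark into the connection mark with CONNMARK and drop on the connmark instead of the packet mark. Netfilter's conntrack gives an expected connection (the FTP data stream, SIP media, and similar) the connmark of its master connection at the moment it is created, so a single connmark match covers both. This is an added example, not code from the question or the answer above; DROPVALUE, the ipset name dpiset and the queue numbers 1 and 2 are placeholders, and IPT="echo iptables" switches the script to a dry run that only prints the rules.

```shell
#!/bin/sh
# Added example, not part of the original question or answer.
# Turns the DPI engine's per-packet verdict (nfmark == DROPVALUE) into a
# per-connection verdict with CONNMARK. A conntrack helper's expected
# connection (what conntrack reports as RELATED) inherits the master
# connection's connmark when it is created, so one connmark rule covers
# both the forbidden connection and its helper-related connections.
# Placeholders: DROPVALUE, the ipset name "dpiset" and queue numbers 1/2.
set -eu

DROPVALUE="${DROPVALUE:-0x10}"   # assumed: the mark value the DPI engine sets
IPT="${IPT:-iptables}"           # IPT="echo iptables" prints rules instead of applying them

# Run one iptables invocation through $IPT (left unquoted on purpose so that
# "echo iptables" word-splits for the dry run).
rule() {
    $IPT "$@"
}

dpi_rules() {
    # 1. Hand forwarded traffic to the userspace queues, split by ipset membership.
    #    Packets the DPI engine judges forbidden are reinjected with nfmark DROPVALUE.
    rule -t mangle -A FORWARD -m set --match-set dpiset src -j NFQUEUE --queue-num 1
    rule -t mangle -A FORWARD -m set ! --match-set dpiset src -j NFQUEUE --queue-num 2

    # 2. Copy the packet mark into the connection mark. From now on every packet
    #    of this connection, and the first packet of any helper-expected (RELATED)
    #    connection it spawns, carries the connmark without DPI involvement.
    rule -t mangle -A POSTROUTING -m mark --mark "$DROPVALUE" -j CONNMARK --set-mark "$DROPVALUE"

    # 3. Drop on the connection mark instead of the packet mark. This rule must
    #    come after the CONNMARK rule so the first marked packet is dropped too.
    rule -t mangle -A POSTROUTING -m connmark --mark "$DROPVALUE" -j DROP
}

case "${1:-}" in
    apply)   dpi_rules ;;
    dry-run) IPT="echo iptables"; dpi_rules ;;
esac
```

Run it as `sh dpi-rules.sh dry-run` to review the rules and `sh dpi-rules.sh apply` (as root) to install them. Two caveats follow from the answer above: a connection only becomes RELATED when a conntrack helper for that protocol is active and has registered an expectation, and a browser opening a second TLS connection after a YouTube connection is not RELATED in that sense, so conntrack has nothing linking the two and the connmark inheritance does not apply; for that case the DPI engine itself has to mark the second connection.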
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.