How to drop connections RELATED to other dropped connections?

elmazzun asked:

Scenario: I wrote iptables rules for a host where a DPI engine is watching Netfilter queues: firewall rules enqueue traffic incoming to this host into different Netfilter queues depending on whether traffic is coming from a certain ipset of mine.

In the FORWARD chain, all connections are enqueued in different NFQUEUEs: the DPI engine watches, in userspace queues, the packets sent by iptables; if a forbidden connection is observed it marks the packet with a special value; the DPI engine reinserts forbidden packets into the stack; in the POSTROUTING chain I check whether connections are marked with that special value and, if so, I DROP them.

It is all working fine, but…

Problem: the DPI engine is fine, but not perfect: sometimes,

  1. traffic that should be identified as forbidden is not identified as such and therefore it is not blocked;
  2. forbidden traffic is blocked but not immediately, and a forbidden connection in the meanwhile may open another connection (RELATED, according to the conntrack machine) that is not marked as forbidden, but I’d like to block the related connection as well.

The second case is the one where I want to take action: as an example for case 2, imagine that the DPI engine wants to block YouTube but it's not managing to do it rapidly; it lets the YouTube connection open another connection, which is labeled as SSL by the DPI engine; the DPI engine finally blocks YouTube, but the SSL connection is wild and free to go; I can't tell the DPI engine to block SSL connections, regardless of which connections opened them.

Considerations: as explained in Scenario, packets coming in POSTROUTING chain may be marked with 0 (which is the default value, so DPI engine took no action) or with that special value (DPI engine saw a forbidden connection and marked it): a simple

iptables -t mangle -A POSTROUTING -m mark --mark DROPVALUE -j DROP

is almost always enough, but in the Problem section I wrote that connections RELATED to the forbidden ones are not seen as such by the DPI engine, because even if they were created by a forbidden connection, their protocol is not blacklisted and because of this they are not seen as forbidden.
This is right because I can’t blacklist SSL and HTTPS.

I need to block connections RELATED to forbidden ones: RELATED and ESTABLISHED (if I understood well) do not refer to particular connections but I need to refer to forbidden connections.

Question: is it possible to drop connections RELATED to connections to drop (or already dropped) in iptables?
Or some hack with conntrack is necessary?

Thanks in advance for any suggestion.

My answer:

You misunderstand RELATED. This is not used for every connection that a single address might make. It is used only for actually related data, such as the FTP data stream associated with an FTP control connection, or ICMP error messages associated with an open connection. There are very few such connections that will actually match RELATED.
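As an added example that is not part of the question or the answer above: the question's packet-mark rule can be extended so the DPI verdict is saved into the conntrack entry (connmark) and reused for every later packet of that connection, including the few flows conntrack genuinely expects from it (ctstate RELATED: FTP data, ICMP errors, helper-tracked sessions), because an expected connection is created with its master's connmark. It assumes the NFQUEUE rules live in the mangle FORWARD chain, so the connmark check is inserted ahead of them, and uses 0x42 as a constructed stand-in for the question's DROPVALUE.

```shell
#!/bin/sh
# Added example (not the question's or answer's own rules): make the DPI
# verdict stick to the connection, not only to the one marked packet.
# Assumptions: marks are handled in the mangle table, as in the question's
# POSTROUTING rule; NFQUEUE rules are in mangle FORWARD; 0x42 stands in for
# the question's DROPVALUE (a constructed value).
DROPVALUE=${DROPVALUE:-0x42}
IPT=${IPT:-iptables}    # set IPT=echo for a dry run

dpi_drop_rules() {
    # Packet carries the DPI verdict mark: copy it into the conntrack entry
    # (connmark) first, then drop the packet as the original rule did.
    "$IPT" -t mangle -A POSTROUTING -m mark --mark "$DROPVALUE" \
        -j CONNMARK --save-mark
    "$IPT" -t mangle -A POSTROUTING -m mark --mark "$DROPVALUE" -j DROP
    # Every later packet of that connection is dropped before it is enqueued,
    # whether or not the DPI engine marked this particular packet. A flow that
    # conntrack expects from a marked master (ctstate RELATED, e.g. FTP data or
    # an ICMP error) is created with the master's connmark, so its very first
    # packet matches here as well.
    "$IPT" -t mangle -I FORWARD 1 -m connmark --mark "$DROPVALUE" -j DROP
}

show_rules() {
    # Dry run: print the rules that would be loaded instead of loading them.
    ( IPT=echo; dpi_drop_rules )
}

# Rules are loaded only when run as `sh script.sh apply`; otherwise print them.
if [ "${1:-}" = apply ]; then dpi_drop_rules; else show_rules; fi
```

This does not reach the question's YouTube-then-SSL case: a second TCP connection from the same client to another server is NEW, not RELATED, since no conntrack helper ties it to the first, so neither RELATED nor the inherited connmark applies to it. The mark is also copied only when the child entry is created, so a related flow expected before its master was marked keeps mark 0.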

View the full question and answer on Server Fault.

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.