# Blocking established connections with iptables.

## agustinchernitsky

Hi everyone,

Is there a way to block established connections with iptables? I mean the following: from a workstation behind a Gentoo box running NAT with netfilter, open an SSH (or FTP) connection to a remote server on the Internet. Then on the Gentoo box try to drop that established connection.

I tried with:

 *Quote:*   

> a) iptables -t nat -I PREROUTING 1 -i eth0 -p tcp --dport 22 -j DROP
> 
> b) iptables -t nat -I PREROUTING 1 -i eth0 -s WorkstationIP -j DROP

 

and nothing... the SSH connection coming from inside the LAN is still working.

I figure it's something with the conntrack module... can someone tell me why this happens? I have a theory, but if someone wants to share theirs first... better!

Cheers!

A.

----------

## irwinr

iptables is used to prevent a connection from taking place; if you establish a filter -after- a connection is already established, it will have no effect.

What you need to do is probably use lsof to determine which process is serving that connection, and then kill it after your iptables filter is set up.

-Jeremy

----------

## tutaepaki

you are using the wrong table. nat/prerouting is not the right place to be filtering traffic. Only the filter table should do this, in your case the FORWARD chain, e.g.

```
iptables -I FORWARD 1 -p tcp -s <workstationIP> -j DROP
```

You can add whatever extra qualifiers on there for port number etc if you want.
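The placement tutaepaki describes, as an added example that is not code from this thread: a dry-run shell script that puts the nat/PREROUTING rule the original poster tried next to a DROP in filter/FORWARD, and also shows the other common mistake of appending the DROP behind an ESTABLISHED,RELATED accept. The interface names, the workstation address and the baseline MASQUERADE rule set are assumptions; nothing is applied unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example (not code from the thread). Where a DROP for a LAN host has
# to go on a NAT box so that it also hits an already-established SSH session.
# Interface names, addresses and the baseline rule set are assumptions.
LAN_IF=eth0          # assumption: LAN-facing interface
WAN_IF=eth1          # assumption: Internet-facing interface
HOST=192.168.1.10    # assumption: the workstation to cut off

# Print the iptables command instead of running it unless APPLY=1, so the
# rule set can be reviewed (and tested) on a box without netfilter access.
ipt() {
    if [ "${APPLY:-0}" = 1 ]; then
        iptables "$@"
    else
        echo "iptables $*"
    fi
}

# Typical baseline on a masquerading router: masquerade outbound traffic and
# let packets of existing flows through first. That ESTABLISHED,RELATED
# ACCEPT is exactly the rule a later DROP has to be inserted in front of.
baseline() {
    ipt -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -j ACCEPT
}

# What the original poster tried. The nat table is consulted only for the
# first packet of a connection; every later packet is handled from the
# conntrack entry and never traverses nat/PREROUTING, so this rule is dead
# for a session that is already up.
wrong_block() {
    ipt -t nat -I PREROUTING 1 -i "$LAN_IF" -s "$HOST" -j DROP
}

# Also wrong, for a different reason: appended AFTER the ESTABLISHED accept,
# so packets of the existing session are accepted before they reach it.
late_block() {
    ipt -A FORWARD -s "$HOST" -j DROP
}

# Correct: filter/FORWARD sees every routed packet, and position 1 puts the
# rule ahead of the state match. Outbound packets still carry the LAN source
# (SNAT only happens later, in POSTROUTING); replies have already been
# de-NATed back to the LAN destination when they reach FORWARD, so match
# the host as destination as well to stop both directions.
block_host() {
    ipt -I FORWARD 1 -s "$HOST" -j DROP
    ipt -I FORWARD 2 -d "$HOST" -j DROP
}

# Usage: ./block_lan_host.sh (prints the rules) or APPLY=1 ./block_lan_host.sh
main() { baseline; block_host; }
main
```

Run it once without APPLY to read the generated rule set, compare it with `iptables -L FORWARD -n --line-numbers` on the real box, and only then apply it; the DROP must end up above the ESTABLISHED,RELATED line, otherwise the existing session keeps going.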

----------

## sschlueter

In case you just want to be able to force a specific connection to be closed, you can use Cutter for this. It's in portage.

----------

## agustinchernitsky

 *tutaepaki wrote:*   

> you are using the wrong table. nat/prerouting is not the right place to be filtering traffic. Only the filter table should do this, in your case the FORWARD chain, e.g.
> 
> ```
> iptables -I FORWARD 1 -p tcp -s <workstationIP> -j DROP
> ```
> ...

 

Interesting, but shouldn't the PREROUTING table, in the case of packets generated inside the LAN, give you the same results? PREROUTING is the first chain processed if you use the NAT module, or no?

Still, using the FORWARD chain is a good idea... Let me see if it blocks connections there... but according to Jeremy, it shouldn't.

Cheers!

A.

----------

## agustinchernitsky

 *sschlueter wrote:*   

> In case you just want to be able to force a specific connection to be closed, you can use Cutter for this. It's in portage.

 

WOW!

A must-have tool!!

This is great stuff... thanks!

A.

----------

## agustinchernitsky

 *irwinr wrote:*   

> iptables is used to prevent a connection from taking place, if you establish a filter -after- a connection is already established, it will have no affect.
> 
> What you need to do, is probably use lsof to determine which process is serving that connection, and then kill it after your iptable filter is setup.
> 
> -Jeremy

 

From what I've seen now, it's the only way... or use the cutter tool suggested by sschlueter.

Still have to try what happens in the FORWARD chain.

Thanks J.

Cheers!

----------

## agustinchernitsky

Well,

Jeremy has the key here... Once the connection is established, you can't trace it / drop it. Even in the FORWARD chain. I logged an SSH session in the FORWARD chain... which it logged until it was established, then "nada".

So, I think the right tool for controlling established sessions would be "cutter" as suggested by sschlueter.

Thanks everyone for clearing this out!

Cheers!

----------

## sschlueter

It is definitely possible to block any routed packet using iptables, even the ones belonging to an established connection. You can even (ab)use iptables to close an established connection by creating temporary rules that use "-j REJECT --reject-with tcp-reset" instead of "-j DROP". But this approach has disadvantages. See the cutter homepage for details.

----------

## agustinchernitsky

Mmmm... I think if it's already established, you can't block it. Besides, you can't use the REJECT target in the NAT table... at least that's what it says in the man pages.

Remember that I am talking about connections started from the private network, going through the firewall/NAT.

If you start an SSH session from the firewall server, yes, you can block it. But the problem is if the session is started within the LAN.

Cheers!

----------

## sschlueter

Routed packets go through the FORWARD chain of the filter table. Take a look at the example used on the cutter homepage, it fits your situation.

----------

## tutaepaki

 *agustinchernitsky wrote:*   

> Mmmm... I think if it's already established, you can't block it. Besides, you can't use the REJECT target in the NAT table... at least that's what it says in the man pages.
> 
> Remember that I am talking about connections started from the private network, going through the firewall/NAT.
> 
> If you start an SSH session from the firewall server, yes, you can block it. But the problem is if the session is started within the LAN.
> ...

 

You certainly CAN block any packet whether it's already part of an established connection or not. You just have to make sure you get the iptables entry in the right place, and take into account any potential NAT/PAT you did in the mangle or nat tables.

One of the iptables tutorials explained why you shouldn't use any tables other than filter to drop packets. Something to do with the way the packets traverse the various tables and chains IIRC. The NAT table is ONLY consulted for new connection requests; after that a hash lookup is used.

tut.

----------
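Putting sschlueter's "-j REJECT --reject-with tcp-reset" trick together with tutaepaki's point about taking NAT/PAT into account, as an added example (not code from the thread, and not how the cutter tool does it): a POSIX shell script that reads `conntrack -L` entries (conntrack-tools, assumed installed), picks the workstation's flow by its original, pre-NAT tuple and prints the FORWARD rules and conntrack delete that tear the session down. The two conntrack lines are constructed, and the addresses and chain positions are assumptions. It goes a little beyond the SSH case in the thread: UDP entries (no state column in the listing, no RST to send) are handled as well.

```shell
#!/bin/sh
# Added example, not code from the thread or from cutter. Reads `conntrack -L`
# entries (conntrack-tools; assumed installed), selects a LAN host's flow by
# its ORIGINAL (pre-NAT) tuple and prints the commands that tear it down.

# Constructed conntrack -L output: an SSH session from a LAN workstation that
# is SNATed to 198.51.100.1, and an unrelated DNS query. The first
# src/dst/sport/dport group is the original tuple; the second is the reply
# tuple, whose dst is the firewall's public address, not the workstation.
SAMPLE_CT='tcp      6 431997 ESTABLISHED src=192.168.1.10 dst=203.0.113.5 sport=45678 dport=22 src=203.0.113.5 dst=198.51.100.1 sport=22 dport=45678 [ASSURED] mark=0 use=1
udp      17 29 src=192.168.1.10 dst=203.0.113.53 sport=40000 dport=53 src=203.0.113.53 dst=198.51.100.1 sport=53 dport=40000 [ASSURED] mark=0 use=1'

# Print "proto src dst sport dport" for the original direction of one entry.
# Only the first occurrence of each key counts, so UDP lines (which have no
# state column) and the reply tuple are handled without positional tricks.
ct_original_tuple() {
    printf '%s\n' "$1" | awk '{
        for (i = 2; i <= NF; i++) {
            if (split($i, kv, "=") != 2) continue
            if (!(kv[1] in seen)) seen[kv[1]] = kv[2]
        }
        print $1, seen["src"], seen["dst"], seen["sport"], seen["dport"]
    }'
}

# Filter entries on stdin: original source = $1, original dport = $2 (any
# port when $2 is empty). Matching on the reply tuple would miss the flow
# entirely, because FORWARD only ever sees the pre-NAT addresses.
ct_select() {
    host=$1; port=$2
    while IFS= read -r line; do
        tuple=$(ct_original_tuple "$line")
        set -- $tuple
        [ "$2" = "$host" ] || continue
        [ -z "$port" ] || [ "$5" = "$port" ] || continue
        printf '%s\n' "$tuple"
    done
}

# Emit the commands for one tuple: a REJECT in each direction at the top of
# FORWARD (ahead of any ESTABLISHED,RELATED accept), then delete the conntrack
# entry so the NAT mapping is forgotten. The REJECT only fires when the next
# packet of that flow arrives, so the rules have to be removed again
# afterwards; that is the disadvantage of doing this with iptables alone.
reset_commands() {
    set -- $1
    proto=$1; src=$2; dst=$3; sport=$4; dport=$5
    fwd="-p $proto -s $src --sport $sport -d $dst --dport $dport"
    rev="-p $proto -s $dst --sport $dport -d $src --dport $sport"
    if [ "$proto" = tcp ]; then
        target="-j REJECT --reject-with tcp-reset"   # both ends see an RST
    else
        target="-j DROP"   # no RST for non-TCP; the peers just time out
    fi
    echo "iptables -I FORWARD 1 $fwd $target"
    echo "iptables -I FORWARD 2 $rev $target"
    echo "conntrack -D $fwd"
    echo "# once the next packet has been answered, remove the rules again:"
    echo "iptables -D FORWARD $fwd $target"
    echo "iptables -D FORWARD $rev $target"
}

# Demo on the constructed entries: only the workstation's SSH session.
# Against a live box: conntrack -L 2>/dev/null | ct_select 192.168.1.10 22 | ...
printf '%s\n' "$SAMPLE_CT" | ct_select 192.168.1.10 22 | while IFS= read -r t; do
    reset_commands "$t"
done
```

The script only prints; pipe its output into `sh` on the NAT box once it looks right. The interesting check is the reply tuple: if the rules were built from the second src/dst pair (the firewall's public address), the FORWARD chain would never match them, which is the NAT/PAT trap tutaepaki mentions.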

