IPTABLES's CONNTRACK & IPSET issues

By ivankob
#iptables -P INPUT DROP
#iptables -P FORWARD DROP
#iptables -A FORWARD -m state NEW --state ESTABLISHED,RELATED -j ACCEPT
Issue 1) #iptables -t mangle -A PREROUTING $match1 -j CONNMARK <mark1>
#iptables -t mangle -A PREROUTING -m connmark --mark $mark1 -j CONMARK $mark2
#iptables -t filter -A FORWARD/INPUT -m connmark --mark $mark2 -j ACCEPT
{ Here we have that the filter condition still blocks packets matching $match1, as if "-m connmark --mark $mark1" doesn't trigger. }
Q: Where am I wrong?

Issue 2) #ipset create SET1 hash:ip
#iptables -t filter -A FORWARD -m state --state NEW -m set --match-set SET1 src -j CONNMARK $mark3
#iptables -t filter -A FORWARD -m connmark --mark $mark3 -j ACCEPT

#ipset add SET1 1.2.3.4
#ipset add SET1 1.2.3.2
{ here traffic initiated by SET1.* is passed }
#ipset delete SET1 1.2.3.4
{ it blocks NEW connection from 1.2.3.4 }

Q: How to block pending Established+Related traffic from 1.2.3.4 as well, without raw-level (beyond IPSET) IPTABLES commands?
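The following script is an added example, not code from the original post or a reply to it. It rewrites both rulesets with valid syntax and an ordering that makes removing an address from the set take effect for connections that are already established. The mark values (0x1/0xff, 0x2/0xff, 0x100/0x100), the set name SET1, and "-p tcp --dport 22" standing in for $match1 are assumptions; IPT and IPSET default to the real binaries and can be pointed at echo for a dry run.

```shell
#!/bin/sh
# Added example (not from the original post): corrected rulesets for both
# issues. Run with IPT=echo IPSET=echo to print the commands instead of
# applying them.
IPT="${IPT:-iptables}"
IPSET="${IPSET:-ipset}"
SET=SET1
# Assumed mark layout (not in the post): issue 1 uses the low byte,
# issue 2 uses one separate bit so the two schemes do not overwrite each other.
MARK1=0x1/0xff
MARK2=0x2/0xff
MARK3=0x100/0x100

apply_rules() {
    $IPSET create "$SET" hash:ip -exist

    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP

    # Issue 1: CONNMARK is a target and needs an action. "-j CONNMARK $mark"
    # without --set-mark is rejected, and "CONMARK" is not a target at all.
    # "-p tcp --dport 22" stands in for the post's $match1.
    $IPT -t mangle -A PREROUTING -p tcp --dport 22 -j CONNMARK --set-mark "$MARK1"
    $IPT -t mangle -A PREROUTING -m connmark --mark "$MARK1" -j CONNMARK --set-mark "$MARK2"

    # Issue 2: tag a connection on its first packet when the originator is in the set.
    $IPT -A FORWARD -m conntrack --ctstate NEW -m set --match-set "$SET" src \
         -j CONNMARK --set-mark "$MARK3"
    # Re-check membership on every packet of a tagged connection. Forward
    # packets carry the originator as src, replies carry it as dst; once the
    # address has been deleted from the set neither side matches and the flow
    # is dropped before the generic ESTABLISHED accept below can pass it.
    $IPT -A FORWARD -m connmark --mark "$MARK3" \
         -m set ! --match-set "$SET" src -m set ! --match-set "$SET" dst -j DROP

    # The generic return-traffic accept must come after the revocation check.
    # The post's "-m state NEW --state ..." is malformed; use one --ctstate list.
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT   -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m connmark --mark "$MARK2" -j ACCEPT
    $IPT -A INPUT   -m connmark --mark "$MARK2" -j ACCEPT
    $IPT -A FORWARD -m connmark --mark "$MARK3" -j ACCEPT
}

# Admit or revoke a source address. Revoking also stops in-flight connections
# because of the DROP rule above, with no further iptables change needed.
admit_host()  { $IPSET add "$SET" "$1" -exist; }
revoke_host() { $IPSET del "$SET" "$1" -exist; }

case "${1:-}" in
    apply)  apply_rules ;;
    admit)  admit_host "$2" ;;
    revoke) revoke_host "$2" ;;
esac
```

Usage: `sh rules.sh apply`, then `sh rules.sh admit 1.2.3.4` and `sh rules.sh revoke 1.2.3.4`. The key design point for the second question is rule order: in the original ruleset the unconditional ESTABLISHED,RELATED accept runs first, so nothing after it can ever see the return traffic of an already-admitted flow. Placing a DROP that re-tests set membership ahead of that accept keeps the decision inside ipset, which is what the post asks for; the alternative is to flush the entries with the conntrack tool after each removal, which is a separate tool rather than an iptables rule.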
