Scenario: I wrote iptables rules for a host where a DPI engine is watching Netfilter queues: firewall rules enqueue traffic incoming to this host into different Netfilter queues depending on whether the traffic is coming from a certain ipset of mine.
In the FORWARD chain, all connections are enqueued in different NFQUEUEs: the DPI engine watches, in userspace, the packets that iptables sends to the queues; if a forbidden connection is observed it marks the packet with a special value and reinserts the forbidden packets into the stack; in the POSTROUTING chain I check whether connections are marked with that special value and, if so, I DROP them.
It is all working fine, but...
Problem: the DPI engine is fine, but not perfect: sometimes
- traffic that should be identified as forbidden is not identified as such and therefore is not blocked;
- forbidden traffic is blocked, but not immediately, and in the meantime a forbidden connection may open another connection (RELATED, according to the conntrack machine) that is not marked as forbidden, but I'd like to block the related connection as well.
The second case is the one where I want to take action. As an example for case 2, imagine that the DPI engine wants to block YouTube but is not managing to do it rapidly: it lets the YouTube connection open another connection, which the DPI engine labels as SSL; the DPI engine finally blocks YouTube, but the SSL connection is wild and free to go. I can't tell the DPI engine to block SSL connections regardless of which connections opened them.
Considerations: as explained in the Scenario, packets coming into the POSTROUTING chain may be marked with 0 (the default value, meaning the DPI engine took no action) or with that special value (the DPI engine saw a forbidden connection and marked it), so a simple
iptables -t mangle -A POSTROUTING -m mark --mark DROPVALUE -j DROP
is almost always enough. But, as I wrote in the Problem section, connections RELATED to the forbidden ones are not seen as such by the DPI engine: even if they were created by a forbidden connection, their protocol is not blacklisted, and because of this they are not seen as forbidden. This is right, because I can't blacklist SSL and HTTPS.
I need to block connections RELATED to forbidden ones: RELATED and ESTABLISHED (if I understood well) do not refer to particular connections, but I need to refer to forbidden connections.
Question: is it possible in iptables to drop connections RELATED to connections to be dropped (or already dropped)? Or is some hack with conntrack necessary?
Thanks in advance for any suggestion.
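One way to wire the setup described above so that the DPI verdict follows the connection, as an added example that is not part of the original question and not the asker's own rules. It relies on two real Netfilter mechanisms: CONNMARK --save-mark copies the packet mark into the conntrack entry, and when conntrack creates a RELATED entry from a helper expectation (FTP data, SIP media, and so on) it copies the master entry's connmark into the child. So once the first condemned packet has stored the verdict, later packets of that connection and any helper-created children are dropped in PREROUTING without going back to the DPI engine. Assumptions, all placeholders not taken from the post: DROPVALUE is 0x1, the ipset is named trusted_src, the two queues are 1 and 2, and the DPI engine sets the packet mark on its NFQUEUE verdict (libnetfilter_queue's NFQA_MARK attribute) before reinjecting the packet. Caveat: a new TLS connection opened by a web page is NEW to conntrack, not RELATED, because no helper expected it; this ruleset only catches children that conntrack itself links to the master.

```shell
#!/bin/sh
# Added example (not from the original post): mangle-table ruleset that
# persists the DPI drop verdict in the conntrack mark, so the rest of the
# connection and any conntrack-RELATED child (which inherits the master's
# connmark when its entry is created from a helper expectation) is dropped
# early, without another round trip through the DPI queues.
# Placeholders (assumptions, not from the post): DROPVALUE, TRUSTED_SET,
# queue numbers 1 and 2.
DROPVALUE=0x1
TRUSTED_SET=trusted_src

# Emit the ruleset in iptables-restore format.
gen_rules() {
    cat <<EOF
*mangle
:PREROUTING ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# 1. Copy the connection mark (if any) onto every incoming packet.
-A PREROUTING -j CONNMARK --restore-mark
# 2. An already condemned connection, or a RELATED child that inherited the
#    mark from its master entry, is dropped here and never reaches DPI again.
-A PREROUTING -m mark --mark ${DROPVALUE} -j DROP
# 3. Still-unmarked forwarded traffic goes to the DPI queues, split by ipset.
#    --queue-bypass lets traffic through if the DPI daemon is not listening.
-A FORWARD -m mark --mark 0 -m set --match-set ${TRUSTED_SET} src -j NFQUEUE --queue-num 1 --queue-bypass
-A FORWARD -m mark --mark 0 -j NFQUEUE --queue-num 2 --queue-bypass
# 4. DPI reinjected the packet with the drop mark: store the verdict in the
#    conntrack entry, then drop the packet.
-A POSTROUTING -m mark --mark ${DROPVALUE} -j CONNMARK --save-mark
-A POSTROUTING -m mark --mark ${DROPVALUE} -j DROP
COMMIT
EOF
}

# Number of -A rules generated; lets a caller sanity-check the output.
rule_count() {
    gen_rules | grep -c '^-A '
}

# Print the ruleset by default; apply it only when explicitly asked (root).
# --noflush appends to the existing mangle chains instead of replacing them.
if [ "${1:-}" = "--apply" ]; then
    gen_rules | iptables-restore --noflush
else
    gen_rules
fi
```

Run it without arguments to review the ruleset, or `sh dpi-rules.sh --apply` as root to load it. Note the ordering that makes the CONNMARK save matter: if the DPI engine condemns a connection on its very first packet, that packet is dropped before conntrack confirms the entry, so nothing is saved (and nothing needs to be, since no child can exist yet); when the verdict comes late, as in the asker's case 2, the entry is already confirmed and the saved mark sticks for the rest of the connection and for any helper-expected children.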