I have the following setup:
- PC eth0 connected to GW eth1
- GW eth0 is connected to the internet.
GW has net.ipv4.ip_forward=1
in sysctl.conf
So, when I simply run (in GW):
iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE
PC gains internet access. And when I want to disable it, I just run (in GW):
iptables -t nat -F
My problem is with established connections, they are not cancelled. Example:
- GW: run
iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE
- PC: open http://ip-api.com/ in browser
- GW: run
iptables -t nat -F
- PC: refresh browser -> page is refreshed!!
If I try a different page in PC it doesn't work, but due to HTTP Connection: Keep-Alive
functionality, the browser can still use that established connection.
I could simply disable net.ipv4.ip_forward
but I don't want to do that because of the rest of my setup.
So what I would like is to be able to get iptables (or the Linux NAT modules) to mess up their connection tracking so those connections become invalid or dropped.
Or is it possible to specify in iptables rules if connection established before TIMESTAMP -j DROP
(so I could add that rule before the MASQUERADE)?
There's a utility called 'cutter' IIRC that will RST TCP connections you specify. – LawrenceC – 2016-02-29T01:19:29.047
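Added example, not code from the question or the comment above. It illustrates why flushing the nat table is not enough and what the asker is really after: the MASQUERADE decision is taken on the first packet of a flow and stored in that flow's conntrack entry, so the rule table is never consulted again for packets of an already-tracked connection. The entries therefore have to be removed from conntrack itself (conntrack-tools). The script parses `conntrack -L` output, selects entries whose original source is on the LAN and whose reply tuple comes back to a different address (i.e. flows that were masqueraded), and emits one `conntrack -D` per flow. The LAN prefix 192.168.1.0/24, the gateway address 203.0.113.5, the remote addresses and the sample `conntrack -L` lines are all constructed assumptions, not taken from the post:

```shell
#!/bin/sh
# Added example (not from the original post). Assumed, not stated in the question:
# PC is in 192.168.1.0/24 behind GW eth1; GW eth0 is 203.0.113.5; remote hosts are
# 198.51.100.x. Requires conntrack-tools on GW for the real (--apply) path.
LAN_PREFIX="192.168.1."
WAN_IF="eth0"

# Constructed sample of `conntrack -L` output after the PC fetched a page through
# MASQUERADE. First src/dst/sport/dport = original tuple; second set = reply tuple.
# Line 3 is the gateway's own flow and must be left alone.
SAMPLE_CONNTRACK='tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=198.51.100.7 sport=51234 dport=80 src=198.51.100.7 dst=203.0.113.5 sport=80 dport=51234 [ASSURED] mark=0 use=1
udp      17 29 src=192.168.1.10 dst=198.51.100.53 sport=40000 dport=53 src=198.51.100.53 dst=203.0.113.5 sport=53 dport=40000 mark=0 use=1
tcp      6 300 ESTABLISHED src=203.0.113.5 dst=198.51.100.9 sport=44444 dport=443 src=198.51.100.9 dst=203.0.113.5 sport=443 dport=44444 [ASSURED] mark=0 use=1'

# Read `conntrack -L` lines on stdin; print one `conntrack -D` command per flow
# that originated on the LAN and was source-NATed (reply dst != original src).
nat_delete_cmds() {
    awk -v lan="$LAN_PREFIX" '
    {
        proto = $1; n = 0; osrc = ""; odst = ""; osp = ""; odp = ""; rdst = ""
        for (i = 2; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "src") { n++; if (n == 1) osrc = kv[2] }
            else if (kv[1] == "dst") { if (n == 1) odst = kv[2]; else rdst = kv[2] }
            else if (kv[1] == "sport" && n == 1) osp = kv[2]
            else if (kv[1] == "dport" && n == 1) odp = kv[2]
        }
        # Masqueraded LAN flow: original src has the LAN prefix and replies are
        # addressed to the gateway, not to the PC.
        if (index(osrc, lan) == 1 && rdst != osrc && rdst != "")
            printf "conntrack -D -p %s -s %s -d %s --sport %s --dport %s\n", proto, osrc, odst, osp, odp
    }'
}

# Real thing, run as root on GW: stop NEW flows, then kill the tracked ones so
# keep-alive connections lose their NAT mapping and die.
disable_nat() {
    iptables -t nat -F POSTROUTING
    conntrack -L 2>/dev/null | nat_delete_cmds | sh
    # Blunt alternative: `conntrack -F` drops every tracked flow, including GW's own.
}

enable_nat() {
    iptables -t nat -I POSTROUTING -o "$WAN_IF" -s "${LAN_PREFIX}0/24" -j MASQUERADE
}

if [ "${1:-}" = "--apply" ]; then
    disable_nat
else
    # Dry run on the constructed sample: show which flows would be deleted.
    printf '%s\n' "$SAMPLE_CONNTRACK" | nat_delete_cmds
fi
```

Without `--apply` the script only prints the delete commands for the constructed sample, which is how to check the selection before touching a live gateway. Two caveats a practitioner should keep in mind: dropping the conntrack entry makes the next packet of the old flow look like a new connection, which after `iptables -t nat -F` is forwarded unmasqueraded with the PC's private source address (and the reply never comes back), so the browser sees a dead connection rather than a clean close; and packets of established flows still traverse the filter table's FORWARD chain, so `iptables -I FORWARD -i eth1 -j DROP` also cuts them off, conntrack state or not, if dropping rather than un-NATing is acceptable for the rest of the setup.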