As a quick experiment I want the router to block connections to imap server remote port 993. I can do this with the Firewall/Network Service Filter by adding destination port 993 and protocol TCP to the table at the bottom and enabling it as a blacklist. This adds a new rule to the FORWARD chain when I check with the command:
Code:
# iptables -S
:
-A FORWARD -m state --state RELATED,ESTABLISHED -j logaccept
-A FORWARD ! -i br0 -o eth0 -j DROP
-A FORWARD -i eth0 -m state --state INVALID -j DROP
-A FORWARD -i br0 -o br0 -j logaccept
-A FORWARD -i br0 -o eth0 -p tcp -m tcp --dport 993 -j DROP <---- new rule
-A FORWARD -i br0 -o eth0 -j logaccept
-A FORWARD -m conntrack --ctstate DNAT -j logaccept
-A FORWARD -i br0 -j ACCEPT
:
When this rule is added with the apply button, connections to the remote imap server at port 993 are active. This rule does not seem to cause these active connections to close automatically. The email client keeps its connection to port 993 and data is transferred (e.g., emails upload from imap server). But when the email client is closed or if the router is rebooted the connection cannot be re-established because of this rule and port 993 connections fail. I was expecting the apply button and the presence of this new rule to immediately cause a TCP disconnect. (This is probably more a general iptables question than router specific, but thought I'd ask.)
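The chain listing above already explains the behaviour: iptables evaluates FORWARD top to bottom, and the first rule accepts anything in state RELATED,ESTABLISHED. Packets of an IMAP session that was open before the apply button was pressed match that rule and never reach the `--dport 993 -j DROP` rule further down; only a new connection attempt (a fresh SYN, state NEW) falls through to it. The following POSIX shell script is an added example, not part of the post or the router firmware. It takes the FORWARD rules from the `iptables -S` output in the post as a constructed string and reports whether a DROP for a given destination port is shadowed by an earlier ESTABLISHED accept; the function and variable names (`shadowed_by_established`, `line_of`, `RULES`) are my own.

```shell
#!/bin/sh
# Added example, not from the original post. It checks, offline, why a DROP
# rule appended to FORWARD leaves existing IMAP sessions alive: the
# RELATED,ESTABLISHED accept rule earlier in the chain matches them first.
# RULES is the FORWARD chain copied from the post's `iptables -S` listing.
RULES='-A FORWARD -m state --state RELATED,ESTABLISHED -j logaccept
-A FORWARD ! -i br0 -o eth0 -j DROP
-A FORWARD -i eth0 -m state --state INVALID -j DROP
-A FORWARD -i br0 -o br0 -j logaccept
-A FORWARD -i br0 -o eth0 -p tcp -m tcp --dport 993 -j DROP
-A FORWARD -i br0 -o eth0 -j logaccept
-A FORWARD -m conntrack --ctstate DNAT -j logaccept
-A FORWARD -i br0 -j ACCEPT'

# line_of PATTERN RULES: 1-based line number of the first rule matching
# PATTERN, empty if none. Listing order is evaluation order, so the line
# number is the rule's position in the chain.
line_of() {
  printf '%s\n' "$2" | grep -n -e "$1" | head -n 1 | cut -d: -f1
}

# shadowed_by_established PORT RULES: prints one of
#   missing   - no DROP rule for --dport PORT in the chain
#   shadowed  - the DROP sits after a rule accepting ESTABLISHED state
#               (-m state --state or -m conntrack --ctstate), so packets of
#               an existing connection are accepted before reaching it
#   effective - the DROP is evaluated before any ESTABLISHED accept
shadowed_by_established() {
  port=$1
  rules=$2
  drop_line=$(line_of "--dport $port .*-j DROP" "$rules")
  est_line=$(line_of 'state [A-Z,]*ESTABLISHED' "$rules")
  if [ -z "$drop_line" ]; then
    echo missing
  elif [ -n "$est_line" ] && [ "$est_line" -lt "$drop_line" ]; then
    echo shadowed
  else
    echo effective
  fi
}

# Stand-alone run: the post's chain as-is, then the same DROP placed at
# position 1 (what `iptables -I FORWARD 1 ...` would produce).
shadowed_by_established 993 "$RULES"
FIXED="-A FORWARD -i br0 -o eth0 -p tcp -m tcp --dport 993 -j DROP
$RULES"
shadowed_by_established 993 "$FIXED"
```

The post's chain reports `shadowed` for port 993, which is exactly the observed symptom: the rule bites only after the client reconnects or the router reboots and the conntrack table starts empty. To cut sessions that are already open, the DROP has to be evaluated before the ESTABLISHED accept (insert it at the top with `iptables -I FORWARD 1 ...` instead of appending), or the existing conntrack entries for the flow have to be removed (for example with `conntrack -D -p tcp --dport 993` from conntrack-tools) so its packets are no longer classified as ESTABLISHED and are re-evaluated against the whole chain. Either way, the firmware's blacklist feature appends rules, so by itself it will never terminate a connection that is already up.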