Effect of Firewall/Network Service Filter


gds

Occasional Visitor
As a quick experiment I want the router to block connections to imap server remote port 993. I can do this with the Firewall/Network Service Filter by adding destination port 993 and protocol TCP to the table at the bottom and enabling it as a blacklist. This adds a new rule to the FORWARD chain when I check with the command:
Code:
# iptables -S
:
-A FORWARD -m state --state RELATED,ESTABLISHED -j logaccept
-A FORWARD ! -i br0 -o eth0 -j DROP
-A FORWARD -i eth0 -m state --state INVALID -j DROP
-A FORWARD -i br0 -o br0 -j logaccept
-A FORWARD -i br0 -o eth0 -p tcp -m tcp --dport 993 -j DROP   <---- new rule
-A FORWARD -i br0 -o eth0 -j logaccept
-A FORWARD -m conntrack --ctstate DNAT -j logaccept
-A FORWARD -i br0 -j ACCEPT
:

When this rule is added with the apply button, connections to the remote imap server at port 993 are active. This rule does not seem to cause these active connections to close automatically. The email client keeps its connection to port 993 and data is transferred (e.g., emails upload from imap server). But when the email client is closed or if the router is rebooted the connection cannot be re-established because of this rule and port 993 connections fail. I was expecting the apply button and the presence of this new rule to immediately cause a TCP disconnect. (This is probably more a general iptables question than router specific, but thought I'd ask.)
 
The ESTABLISHED rule is higher on the list, so established connections are already accepted by that rule.
 
Run the rule with -I to insert it at the beginning of the table
This makes it the first rule of the FORWARD chain ahead of the ESTABLISHED rule. It still only prevents new connections to 993. It doesn't cause existing connections to start dropping data directed to port 993.

IPTables can't drop an existing connection. The connection will first have to time out, but once the rule is inserted it will prevent new connections matching said rule. You can see if a connection is still established in the UI under "System Log - Connections".

I don't expect it to drop the connection. I expected it to drop the data sent to imap server port 993. So the client would time out waiting for a response and eventually drop the connection. That's what happens when I put a similar rule on the OUTPUT chain of the email client linux system. It appears that the FORWARD chain doesn't quite work like that. So no matter where I put the rule in the FORWARD chain on the router it doesn't drop the data for an existing connection. Yes, it does stop new connections to port 993 on remote imap server.
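The replies above come down to rule order: a DROP appended by the GUI lands below the RELATED,ESTABLISHED accept, so packets of an already-tracked flow never reach it. As an added check (not from the thread or the router firmware), this POSIX sh function reads an `iptables -S` listing on stdin and reports whether a DROP/REJECT for a given TCP destination port comes before, after, or not at all relative to the ESTABLISHED accept in FORWARD; the two listings below are constructed from the one shown in the first post.

```shell
#!/bin/sh
# Added example, not from the thread. Checks whether a DROP/REJECT rule for a
# given TCP destination port sits before or after the RELATED,ESTABLISHED
# accept in the FORWARD chain, reading `iptables -S` output from stdin.
#   iptables -S FORWARD | check_rule_order 993
# Prints "before" (exit 0), "after" or "missing" (exit 1).
check_rule_order() {
    verdict=$(awk -v port="$1" '
        /^-A FORWARD / { n++ }
        # first rule that accepts packets of existing flows (state or conntrack match)
        /^-A FORWARD / && /--(ct)?state [A-Z,]*ESTABLISHED/ && !est { est = n }
        # first rule that drops or rejects the requested destination port
        /^-A FORWARD / && index($0, "--dport " port " ") && /-j (DROP|REJECT)/ && !drop { drop = n }
        END {
            if (!drop)                   print "missing"
            else if (!est || drop < est) print "before"
            else                         print "after"
        }')
    printf '%s\n' "$verdict"
    [ "$verdict" = "before" ]
}

# Constructed listings modelled on the thread's `iptables -S` output (policy line is assumed).
# APPENDED: the port 993 rule as added through the GUI, below the ESTABLISHED accept.
APPENDED='-P FORWARD DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j logaccept
-A FORWARD ! -i br0 -o eth0 -j DROP
-A FORWARD -i eth0 -m state --state INVALID -j DROP
-A FORWARD -i br0 -o br0 -j logaccept
-A FORWARD -i br0 -o eth0 -p tcp -m tcp --dport 993 -j DROP
-A FORWARD -i br0 -o eth0 -j logaccept'
# INSERTED: the same rule after `iptables -I FORWARD ...`, now rule 1.
INSERTED='-P FORWARD DROP
-A FORWARD -i br0 -o eth0 -p tcp -m tcp --dport 993 -j DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j logaccept
-A FORWARD ! -i br0 -o eth0 -j DROP
-A FORWARD -i br0 -o eth0 -j logaccept'

printf '%s\n' "$APPENDED" | check_rule_order 993 || :   # after: shadowed by the ESTABLISHED accept
printf '%s\n' "$INSERTED" | check_rule_order 993        # before
```

Rule order is only the first thing to rule out: the thread's own observation is that the router still passed existing-flow traffic with the DROP in first place, so a "before" verdict shows the rule is not shadowed, not that every packet of that flow is actually evaluated by the chain.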
 
