0

I want to ban already established connections.

Default iptables rules generated by firewalld

-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED,DNAT -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j INPUT_direct

How to insert rule before -j ACCEPT ?

Or how to move INPUT_direct to top?

Or how to remove conntrack rule?

eri
  • 294
  • 2
  • 5
  • 17

2 Answers2

1

You can insert an iptables rule with iptables -I parameter So if you specify iptables -I INPUT -j INPUT_direct this rule will be inserted to to top.

If you specify it with a row numer: iptables -I INPUT 2 -j INPUT_direct it will be inserted as rule in line 2.

In order to move the rule:

  1. Delete it first: iptables -D INPUT -j INPUT_direct
  2. Insert it to the top iptables -I INPUT -j INPUT_direct
basekat
  • 456
  • 2
  • 5
  • Firewalld removes it after reload – eri Feb 23 '21 at 16:00
  • The order of the rules is correct. First all packet with state ESTABLISHED, RELATED will be allowed, then internal trafic to lo interface and then ports which you would like to open will go in the INPUT_direct chain. – basekat Feb 23 '21 at 16:03
  • i want to ban already ESTABLISHED connections – eri Feb 23 '21 at 16:04
  • 1
    This has nothing to do with your original question. In order to further help you, could you elaborate why would you would like to do this? – basekat Feb 23 '21 at 16:09
  • I have bruteforce attack on udp service (SIP). UDP has no connections by design, but added to conntrack table. – eri Feb 23 '21 at 16:17
  • I would do: iptables -I INPUT -p udp --dport 5060(for SIP) -j DROP . The purpose of the mangle table is not packet filtering. – basekat Feb 23 '21 at 16:19
  • Question about firewalld - iptables rules will be flushed at restart! – eri Feb 23 '21 at 16:35
  • for DROP i can change table to raw, but i want to be able use REJECT too – eri Feb 23 '21 at 16:36
0

As workaround I inserted rule in raw (or mangle) table:

firewall-cmd --direct --add-rule ipv4 mangle PREROUTING_direct 0 \
  -m set --match-set ipsetname src -j DROP

This chain is before INPUT and as i have no FORWARD on this machine - it solves my problem.

eri
  • 294
  • 2
  • 5
  • 17