
Can iptables automatically drop an established outbound session after a certain number of seconds, e.g. 30 sec. after its launch? But I want to restrict it only to destination ports 80 and 443. The purpose is to drop unused established TCP connections belonging to some working applications, e.g. Chrome, TeamViewer. I tried with the recent and limit modules but without success. Maybe iptables has no function to restrict a connection by its duration, or I don't know something?

I already read some related topics: https://stackoverflow.com/questions/20327518/need-to-drop-established-connections-with-iptables

iptables - dropping specific established connections after X hours

And so on.

Could you help me with some script or application, please? Maybe there is no way to do it with IPT?

My home table:

echo Kernel modules
#
modprobe ip_conntrack
modprobe ip_conntrack_ftp
################################################################################
echo Reset iptables
#
iptables -F
iptables -F -t nat
iptables -F -t raw
iptables -F -t mangle
iptables -X
iptables -X -t nat
iptables -X -t raw
iptables -X -t mangle
iptables -Z
iptables -Z -t nat
iptables -Z -t raw
iptables -Z -t mangle
################################################################################
echo Default policy
#
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
################################################################################
echo Logging INPUT,OUTPUT
#
iptables -A INPUT -j LOG --log-prefix="INPUT chain"
iptables -A OUTPUT -j LOG --log-prefix="OUTPUT chain"
################################################################################
echo Allow local
#
iptables -A INPUT -i lo -s 127.0.0.0/8 -j ACCEPT
iptables -A OUTPUT -o lo -d 127.0.0.0/8 -j ACCEPT
################################################################################
echo Allow icmp out
#
iptables -A OUTPUT -p icmp -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p icmp -m state --state ESTABLISHED -j ACCEPT
################################################################################
echo Allow port 53 out
#
iptables -A OUTPUT -p udp --sport 1024:65535 --dport 53 \
-m state --state NEW -j ACCEPT

iptables -A INPUT -p udp --sport 53 --dport 1024:65535 \
-m state --state ESTABLISHED -j ACCEPT
################################################################################
echo Allow ports 20,21 out
#
iptables -A OUTPUT -p tcp -m tcp --sport 1024:65535 \
--dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT

iptables -A OUTPUT -p tcp -m tcp --sport 1024:65535 \
-m multiport --dports 20,1024:65535 \
-m state --state RELATED,ESTABLISHED -j ACCEPT

iptables -A INPUT -p tcp -m tcp -m multiport --sports 20,21,1024:65535 \
--dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
################################################################################
echo Allow ports 80,443 out
#
iptables -A OUTPUT -p tcp --sport 1024:65535 -m multiport --dports 80,443 \
-m state --state NEW,ESTABLISHED -j ACCEPT

iptables -A INPUT -p tcp -m tcp -m multiport --sports 80,443 \
--dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
################################################################################
echo Allow port 123 out
#
iptables -A OUTPUT -p udp -m udp --sport 123 \
--dport 123 -m state --state NEW -j ACCEPT

iptables -A INPUT -p udp -m udp --sport 123 \
--dport 123 -m state --state ESTABLISHED -j ACCEPT
################################################################################
# 
##iptables -A INPUT -j REJECT
##iptables -A FORWARD -j REJECT
##iptables -A OUTPUT -j REJECT

1 Answer


No; see http://linux.die.net/man/8/iptables. There is only this (not what you asked for):

... time

This matches if the packet arrival time/date is within a given range. All options are facultative.

--timestart value Match only if it is after 'value' (Inclusive, format: HH:MM ; default 00:00).

--timestop value Match only if it is before 'value' (Inclusive, format: HH:MM ; default 23:59).

--days listofdays Match only if today is one of the given days. (format: Mon,Tue,Wed,Thu,Fri,Sat,Sun ; default everyday)

--datestart date Match only if it is after 'date' (Inclusive, format: YYYY[:MM[:DD[:hh[:mm[:ss]]]]] ; h,m,s start from 0 ; default to 1970)

--datestop date Match only if it is before 'date' (Inclusive, format: YYYY[:MM[:DD[:hh[:mm[:ss]]]]] ; h,m,s start from 0 ; default to 2037)

...

You asked for "duration" and not "time". You could hack something, but a fix at the source is fastest and most powerful.

You can patch the kernel and recompile it.

See http://www.netfilter.org/documentation/HOWTO/netfilter-extensions-HOWTO-3.html in the section "conntrack patch", the command "ctexpire". If you feel comfortable writing a bit of code and patching your kernel with a custom filter, then we can assist (otherwise the answer is "no, you cannot do that, there is no such filter command").

Rob
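The answer above is right that no iptables match knows how long a flow has existed. As an added example that is not part of the original thread, the "hack something" route in user space for the 80/443 case: poll `ss`, remember when each ESTAB 4-tuple was first seen, and force-close any that is 30 s old with `ss -K` (root, and a kernel built with CONFIG_INET_DIAG_DESTROY; the `ss` filter syntax, the `-tanH` column layout and IPv4-only parsing are assumptions, and the sample output is constructed). Unlike a firewall DROP this actually aborts the local socket, so the application gets an error and can reconnect if it still needs the session.

```python
import re
import subprocess
import time

WATCH_PORTS = {80, 443}  # peer ports whose ESTAB sessions get a lifetime limit
MAX_AGE = 30             # seconds a session may live before it is force-closed

# One line of `ss -tanH`: State Recv-Q Send-Q Local:Port Peer:Port
SS_LINE = re.compile(r"^(\S+)\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\d+)")
# Constructed sample of `ss -tanH` output (not captured from a real host).
SAMPLE_SS = """\
ESTAB  0 0   192.168.1.10:51234 93.184.216.34:443
ESTAB  0 0   192.168.1.10:51235 93.184.216.34:80
ESTAB  0 0   192.168.1.10:51236 10.0.0.5:22
LISTEN 0 128 0.0.0.0:22         0.0.0.0:*
"""

def parse_ss(output):
    """4-tuples (lip, lport, pip, pport) of ESTAB sockets whose peer port is watched."""
    conns = []
    for line in output.splitlines():
        m = SS_LINE.match(line.strip())
        if m and m.group(1) == "ESTAB" and int(m.group(5)) in WATCH_PORTS:
            conns.append((m.group(2), int(m.group(3)), m.group(4), int(m.group(5))))
    return conns

def update(first_seen, conns, now):
    """Track first-seen time per 4-tuple; return those older than MAX_AGE."""
    live = set(conns)
    for key in [k for k in first_seen if k not in live]:
        del first_seen[key]  # closed: a reused source port must restart the clock
    for key in live:
        first_seen.setdefault(key, now)
    return sorted(k for k in live if now - first_seen[k] >= MAX_AGE)

def kill(lip, lport, pip, pport):  # needs root and CONFIG_INET_DIAG_DESTROY
    subprocess.run(["ss", "-K", "src", lip, "sport", "=", f":{lport}",
                    "dst", pip, "dport", "=", f":{pport}"], check=False)

def main():
    first_seen = {}
    while True:
        out = subprocess.run(["ss", "-tanH"], capture_output=True, text=True).stdout
        for conn in update(first_seen, parse_ss(out), time.monotonic()):
            kill(*conn)
            first_seen.pop(conn, None)  # re-check next poll if the kill failed
        time.sleep(5)

if __name__ == "__main__":
    main()
```

With the questioner's ruleset the existing ACCEPT for NEW,ESTABLISHED on ports 80/443 stays as it is; only the socket is torn down, and the next poll picks up whatever the application opens afterwards with a fresh clock.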