Pokotilenko Kostik wrote:
> When the client disconnects, the rules are deleted and new connections
> are being rejected. But the problem is that existing DNAT'ed connections
> continue to operate.
That's the normal behaviour of NAT.
> That has raised a question: How to kill a DNAT'ed connection?
Just like any other connection: with DROP or REJECT.
> And delete that DROP/REJECT when inserting DNAT rules again?
Hmm... not exactly.
Always keep in mind that the default should be DROP/REJECT.
The right way is to create the necessary ACCEPT rules to allow traffic
when the client is authorized, and to delete them when it is not any more.
Here you have a special and maybe uncommon difficulty: you want to
reject an already established connection. So you cannot keep the usual
catch-all ESTABLISHED,RELATED rules on top of the chains, as explained
by Marco. You need to separate the processing of permanently allowed
connections and dynamically authorized ones.
> I just thought there was a more beautiful solution...
That's not what I would call "beautiful", but if your box has a very
recent 2.6 kernel you can watch the "conntrack" userspace tool
(http://www.netfilter.org/projects/conntrack/index.html) which is
designed to manipulate the connection tracking state table. I read in
the Netfilter list that it was able to delete a connection entry.
There are also tools designed to kill established connections by sending
a proper TCP RST or ICMP Destination Unreachable packet to both ends.
When the connection tracking sees these packets it also cleans the
conntrack table. But I don't remember the names.
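The separation the reply describes, written out as an iptables rule set. This is an added example, not code from either poster: the dynamically authorized clients get their own FORWARD chain that deliberately has no ESTABLISHED,RELATED catch-all, so the moment a client's ACCEPT rules are deleted, the next packet of any of its existing connections hits the chain's REJECT. The permanent stateful catch-all stays in FORWARD for everything else. The client network (192.168.1.0/24 on eth1), the internal proxy the DNAT points at (10.0.0.10:8080), and the port-80 DNAT itself are assumptions made up for the example; the optional `conntrack -D` call at revoke time is the conntrack-tools command the reply mentions, used to drop the tracked entries (and with them the NAT mapping) as well.

```shell
#!/bin/sh
# Added example: dynamic per-client authorization that can cut existing
# DNAT'ed connections. Not from the mailing-list thread; all addresses,
# interfaces and the port-80 DNAT target are assumptions.
#
# Dry run: IPT=echo CT=echo sh dynfw.sh setup | authorize IP | revoke IP

IPT="${IPT:-iptables}"            # set IPT=echo to print rules instead
CT="${CT:-conntrack}"             # conntrack-tools binary (optional)
LAN_IF="${LAN_IF:-eth1}"          # assumed client-side interface
CLIENT_NET="${CLIENT_NET:-192.168.1.0/24}"   # assumed client network
PROXY="${PROXY:-10.0.0.10:8080}"  # assumed DNAT destination for port 80

# One-time setup: two paths through FORWARD.
setup_chains() {
    # Chain for dynamically authorized clients. It has NO state match:
    # a packet of an existing connection is accepted only while a
    # per-client rule is present, otherwise it is rejected outright
    # (TCP gets a reset so the peer tears the connection down at once).
    $IPT -N dyn_clients
    $IPT -A dyn_clients -p tcp -j REJECT --reject-with tcp-reset
    $IPT -A dyn_clients -j REJECT

    # Client traffic in both directions is diverted to that chain before
    # the permanent ESTABLISHED,RELATED catch-all can accept it.
    $IPT -A FORWARD -i "$LAN_IF" -s "$CLIENT_NET" -j dyn_clients
    $IPT -A FORWARD -o "$LAN_IF" -d "$CLIENT_NET" -j dyn_clients

    # Everything else keeps the usual stateful handling; default is DROP.
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -P FORWARD DROP
}

# Called when a client has authenticated: add its DNAT and ACCEPT rules.
authorize_client() {
    ip="$1"
    # Redirect the client's web traffic to the assumed internal proxy.
    $IPT -t nat -I PREROUTING 1 -i "$LAN_IF" -s "$ip" -p tcp --dport 80 \
        -j DNAT --to-destination "$PROXY"
    # Inserted at position 1, i.e. above the chain's final REJECT rules.
    # Deliberately no --ctstate: outbound and return packets are accepted
    # by address alone, so removing these rules is enough to cut them off.
    $IPT -I dyn_clients 1 -s "$ip" -j ACCEPT
    $IPT -I dyn_clients 1 -d "$ip" -j ACCEPT
}

# Called when the client disconnects or its authorization expires.
revoke_client() {
    ip="$1"
    $IPT -t nat -D PREROUTING -i "$LAN_IF" -s "$ip" -p tcp --dport 80 \
        -j DNAT --to-destination "$PROXY"
    $IPT -D dyn_clients -s "$ip" -j ACCEPT
    $IPT -D dyn_clients -d "$ip" -j ACCEPT
    # From now on the client's existing connections fall through to the
    # REJECT rules in dyn_clients. Additionally delete the conntrack
    # entries so the stale NAT mapping does not linger until it times out
    # (ignored if conntrack-tools is not installed).
    $CT -D -s "$ip" >/dev/null 2>&1 || true
    $CT -D -d "$ip" >/dev/null 2>&1 || true
}

case "${1:-}" in
    setup)     setup_chains ;;
    authorize) authorize_client "$2" ;;
    revoke)    revoke_client "$2" ;;
esac
```

Two design points worth noting. First, the per-client ACCEPT rules match on address only, not on connection state, which is what lets a later deletion take effect on the very next packet rather than leaving established flows running. Second, the REJECT with tcp-reset at the bottom of dyn_clients is what actually tears the connection down on both ends; a plain DROP would leave the client retransmitting until its own timeout.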