From: Holzwarth Dominique <Dominique.Holzwarth@haslerrail.com>
To: "netfilter@vger.kernel.org" <netfilter@vger.kernel.org>
Subject: input rule for "related" UDP traffic
Date: Fri, 7 Jul 2023 05:04:28 +0000
Message-ID: <VI1PR04MB4463531FF258785208DFD8C78C2DA@VI1PR04MB4463.eurprd04.prod.outlook.com>

Hello everyone

I have a protocol that does the following:

hostA                                           hostB

IPv4 source address 1                            IPv4 destination address 2
Random UDP source port x         ----------->     well-known UDP port A

Random UDP destination port x <-----------         Random UDP source port y

So basically, it is some kind of "request-reply" protocol where the reply is sent back to the random source port of the request.

I'd like to have an input chain (type filter, hook input) with a default policy that drops everything. Then, I'd like to accept specific services/ports only.
Is it possible to do this for the above scenario?
I obviously cannot add a simple rule based on "daddr" and "dport" as the destination port of the incoming reply is random.
I've tried to do:
ip daddr 10.10.1.100 ct state established,related accept (I also want to restrict the destination address of incoming packets as the system can have multiple networks on the same physical device)

but this a) is not related to the well-known destination port of the request (so not restricted to this specific protocol) and b) doesn't work anyway...

I was thinking if it's possible to tell netfilter that the pair "destination port + source address" of the request is a "connection". So that it maybe links the source port to this connection as well and afterwards, when it sees the source port and source address as destinations, it may associate this incoming packet to my connection (and I could tell it to accept incoming packets for this connection).

I hope you can understand what I'm trying to achieve and can help me with it!

Kind regards
Dominique
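One way to express the pairing the message asks for, as an added example that is not part of the original post or of any reply on the list: an nftables dynamic set records each outbound request's (peer address, local address, local source port) triple on the output hook, and the input hook accepts a UDP packet only when it is addressed to a recorded triple. The service port SERVICE_PORT, the table and chain names and the 30s timeout are placeholders; it assumes a kernel and nft new enough to support dynamic sets with concatenated keys.

```nft
# Added illustration, not code from the original message. Placeholders:
#   SERVICE_PORT = the protocol's well-known UDP port "A" (not given in the post)
#   10.10.1.100  = the local address the post wants incoming replies restricted to
# Needs a kernel/nftables recent enough for dynamic sets with concatenated keys.
define SERVICE_PORT = 5000

table inet filter {
    # One element per outbound request: (peer addr, local addr, local src port x).
    # Elements expire after 30s, so the opening closes if no reply arrives.
    set udp_requests {
        type ipv4_addr . ipv4_addr . inet_service
        flags dynamic, timeout
        timeout 30s
    }

    chain output {
        type filter hook output priority 0; policy accept;
        # Only requests sent from the local address to the well-known port
        # populate the set; any other outbound UDP leaves no opening.
        ip saddr 10.10.1.100 udp dport $SERVICE_PORT add @udp_requests { ip daddr . ip saddr . udp sport }
    }

    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        # Ordinary conntrack handling for protocols whose reply really is the
        # reversed tuple of the request.
        ct state established,related accept
        # The post's protocol: the reply arrives from a random source port y, so it
        # does not match the conntrack reply tuple and is seen as NEW. Accept it only
        # when (peer addr, local addr, local dst port) was recorded on the way out;
        # the peer's source port y is deliberately not checked.
        ip saddr . ip daddr . udp dport @udp_requests accept
    }
}
```

The `ct state established` rule from the post cannot match these replies on its own because conntrack expects the reply to come from the request's destination port A, while the actual reply is sent from a different port y.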
