
Re: How to kill DNAT'ed connection



Pokotilenko Kostik wrote:

> When the client disconnects, the rules are deleted and new connections
> are being rejected. But the problem is that existing DNAT'ed connections
> continue to operate.

That's the normal behaviour of NAT.

> That has raised a question: How to kill a DNAT'ed connection?

Just like any other connection: with DROP or REJECT.

> And delete that DROP/REJECT when inserting DNAT rules again?

Hmm... not exactly.
Always keep in mind that the default should be DROP/REJECT.
The right way is to create the necessary ACCEPT rules to allow traffic when the client is authorized, and to delete them when it is not any more.

Here you have a special and maybe uncommon difficulty: you want to reject an already established connection. So you cannot keep the usual catch-all ESTABLISHED,RELATED rules on top of the chains, as explained by Marco. You need to separate the processing of permanently allowed connections and dynamically authorized ones.

> I just thought there was a more beautiful solution...

That's not what I would call "beautiful", but if your box has a very recent 2.6 kernel, you can watch the "conntrack" userspace tool (http://www.netfilter.org/projects/conntrack/index.html) which is designed to manipulate the connection tracking state table. I read in the Netfilter list that it was able to delete a connection entry.

There are also tools designed to kill established connections by sending a proper TCP RST or ICMP Destination Unreachable packet to both ends. When the connection tracking sees these packets, it also cleans the conntrack table. But I don't remember the names.



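As an added example that is not code from the thread, the following POSIX shell script puts the reply's advice into practice: a DROP policy, explicit per-client ACCEPT rules in both directions instead of a catch-all ESTABLISHED,RELATED rule in front of them, and a revocation step that deletes the rules and then uses the netfilter conntrack tool to purge the client's entries so an already established DNAT'ed flow dies with them. The chain name DYN_CLIENTS, the addresses, the port and the example client 198.51.100.7 are assumed for illustration and appear nowhere in the original mail. By default the script only prints the commands (RUN=echo); run it with RUN= (empty) on a router to execute them.

```shell
#!/bin/sh
# Added example, not code from the thread. Per-client authorization for a
# DNAT'ed service, written so that revoking a client also kills the flows it
# already has open, which is what the original poster asked for.
# Assumed (not in the mail): the chain name DYN_CLIENTS, the addresses and
# port below, an iptables with the "conntrack" match, and the netfilter
# "conntrack" userspace tool on PATH.
#
# RUN="" executes the commands; RUN=echo (the default here) only prints them,
# which makes the rule set easy to inspect without touching a live box.
: "${RUN=echo}"

PUBLIC_IP=203.0.113.1     # assumed: address the clients connect to
SERVER_IP=192.0.2.10      # assumed: internal server the DNAT points at
PORT=8080                 # assumed service port
DYN_CHAIN=DYN_CLIENTS     # assumed chain holding the dynamic ACCEPT rules

# One-time base rules. The deliberate point from the reply: there is NO
#   iptables -I FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# ahead of $DYN_CHAIN; such a rule would keep matching a live flow after the
# client's own ACCEPT rules are gone. Permanently allowed traffic belongs in
# its own chain before $DYN_CHAIN and must be scoped by address so it can
# never match the DNAT'ed flows; it is left out to keep the example short.
setup_base() {
    $RUN iptables -P FORWARD DROP
    $RUN iptables -N "$DYN_CHAIN"
    $RUN iptables -A FORWARD -j "$DYN_CHAIN"
}

# Emit the three rules for one client, either adding (op=A) or deleting
# (op=D) them. Generating both from one function guarantees that -D uses
# exactly the match that -A did; a mismatch is the usual reason a "delete"
# silently leaves the old rule, and with it the old flow, in place.
client_rules() {
    op=$1; client=$2
    # DNAT only this client's connections to the public port onto the server.
    $RUN iptables -t nat "-$op" PREROUTING -s "$client" -d "$PUBLIC_IP" \
        -p tcp --dport "$PORT" -j DNAT --to-destination "$SERVER_IP:$PORT"
    # Both directions are allowed explicitly, with no state match, so that
    # removing these two rules is enough to stop the packets of a live flow.
    # (Replies are still un-DNAT'ed only in POSTROUTING, so in FORWARD they
    # carry the server's real address as source.)
    $RUN iptables "-$op" "$DYN_CHAIN" -s "$client" -d "$SERVER_IP" \
        -p tcp --dport "$PORT" -j ACCEPT
    $RUN iptables "-$op" "$DYN_CHAIN" -s "$SERVER_IP" -d "$client" \
        -p tcp --sport "$PORT" -j ACCEPT
}

authorize_client() {
    client_rules A "$1"
}

revoke_client() {
    client_rules D "$1"
    # Also purge the client's conntrack entries, matched on the pre-DNAT
    # tuple (original source = client, original destination = public
    # address). Without this the NAT mapping would linger until it times
    # out; with it the kernel forgets the flow entirely and the next packet
    # from either end hits FORWARD's DROP policy. conntrack exits nonzero
    # when nothing matched, which is not an error for us, hence "|| true".
    $RUN conntrack -D -s "$1" -d "$PUBLIC_IP" -p tcp --dport "$PORT" || true
}

# Dry-run demonstration with a constructed client address.
setup_base
authorize_client 198.51.100.7
revoke_client 198.51.100.7
```

After `revoke_client`, `conntrack -L -s <client>` on the router should list nothing for that client, and a connection the client had open through the DNAT should stall rather than keep transferring; if it keeps going, look for a stateful ACCEPT rule somewhere ahead of the dynamic chain.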