2

When conntrack is active, the iptables stack never sees a fragmented IP packet, only the reassembled one (source), so the -f test never matches.

If I want to block any fragment I could set ipfrag_high_thresh or ipfrag_time to 0 (source), but that would drop any kind of fragment. Is there anything I can do if I want to drop fragments of a certain IP protocol?

2 Answers

2

I see two ways to achieve your goal, depending on your needs.

You can let reassembly run its course, then, after successful reassembly, drop the whole packet. This works only if the reassembled packet is over the interface MTU (otherwise you won't be able to distinguish between reassembled and “normal” packets). If the packets can’t be successfully reassembled they’ll get dropped anyway, but with a larger CPU overhead.

The other way is to modify the source, and make nf_defrag_ipv4 ignore packets from the protocol(s) you want to handle directly. A quick glance suggests this should work, since there's already an option (IP_NODEFRAG) available for RAW sockets that lets you bypass the reassembly code.

To be honest, I too would love to have more control over this part of the filtering, so I’ll try to get a patch in to remedy the situation.

Giacomo1968
  • 58,727
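A concrete form of the first approach, as an added example that is not part of this answer: a small POSIX sh script that emits the iptables rules dropping reassembled datagrams larger than the interface MTU for the chosen protocols. It assumes that the reassembled datagram reaches the filter table carrying its full IP total length (which is what `-m length` compares), and the interface, protocol names and MTU fallback are example values.

```shell
#!/bin/sh
# Added example (not the answer's own code): generate iptables rules that drop
# IPv4 datagrams of a given protocol which can only have arrived fragmented,
# i.e. whose reassembled total length exceeds the interface MTU.

# Return the MTU of an interface, or the fallback when the interface is absent
# (for instance when generating rules on a different host).
iface_mtu() {
    if [ -r "/sys/class/net/$1/mtu" ]; then
        cat "/sys/class/net/$1/mtu"
    else
        echo "${2:-1500}"
    fi
}

# Print (not execute) the rule for one protocol on one interface.
# A non-fragmented packet on that interface is never longer than the MTU, so
# anything longer in the filter table is a reassembled set of fragments;
# packets that fail reassembly never get here and are discarded by the kernel.
fragment_drop_rule() {
    proto=$1; iface=$2; mtu=$3
    echo "iptables -A INPUT -i $iface -p $proto -m length --length $((mtu + 1)):65535 -j DROP"
}

# Generate one rule per protocol for a single interface and MTU.
fragment_drop_rules() {
    iface=$1; mtu=$2; shift 2
    for p in "$@"; do
        fragment_drop_rule "$p" "$iface" "$mtu"
    done
}

# Stand-alone usage: print the rules for UDP and ICMP on eth0 (constructed
# example values); pipe the output into sh to apply them.
if [ "${1:-}" = "--demo" ]; then
    fragment_drop_rules eth0 "$(iface_mtu eth0 1500)" udp icmp
fi
```

The same match works in the FORWARD chain for routed traffic; only the MTU of the inbound interface matters for the comparison.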
1

I wonder if you can use the netfilter "raw" table, which comes before most of the connection tracking hooks. It has a "NOTRACK" target you can use to exempt certain packets from conntrack, or perhaps the -f condition itself would work with --table raw.

Steven K
  • 394