* How to flush the connection state in the linux
From: Vincent @ 2004-12-27 7:26 UTC
To: netfilter
Hello,
Does anyone know how to flush the connection state in Linux (not
flush the iptables rules with -F)?
I used transparent mode in Linux (using brctl to bridge eth0 & eth1).
When I tried to use iptables to drop some specified packets, it failed.
So I suspect there is some established connection state in Linux that
lets these forbidden connections pass.
My environment:
Linux 2.4.25
iptables 1.2.11
* Re: How to flush the connection state in the linux
From: Andrew Schulman @ 2004-12-27 10:41 UTC
To: netfilter-wool9L35kiczKOhml7GhPkB+6BGkLq7r
> Does anyone know how to flush the connection state in Linux (not
> flush the iptables rules with -F)?
> I used transparent mode in Linux (using brctl to bridge eth0 & eth1).
> When I tried to use iptables to drop some specified packets, it failed.
> So I suspect there is some established connection state in Linux that
> lets these forbidden connections pass.
ifdown, then ifup? Brutal, but it should work.
* Re: How to flush the connection state in the linux
From: Jason Opperisano @ 2004-12-27 16:22 UTC
To: netfilter
On Mon, 2004-12-27 at 02:26, Vincent wrote:
> Hello,
>
> Does anyone know how to flush the connection state in Linux (not
> flush the iptables rules with -F)?
> I used transparent mode in Linux (using brctl to bridge eth0 & eth1).
> When I tried to use iptables to drop some specified packets, it failed.
> So I suspect there is some established connection state in Linux that
> lets these forbidden connections pass.
>
> My environment:
> Linux 2.4.25
> iptables 1.2.11
you need to remove the "ip_conntrack" module.
in order to do that--you need to remove all the modules that use it
(like 'iptable_nat' etc).
-j
--
"'Nuke the whales?' You don't really believe that, do you?
I dunno. Gotta nuke something."
--The Simpsons
* RE: How to flush the connection state in the linux
From: Vincent @ 2004-12-29 2:14 UTC
To: 'Jason Opperisano', netfilter
> -----Original Message-----
> From: netfilter-bounces@lists.netfilter.org
> [mailto:netfilter-bounces@lists.netfilter.org] On Behalf Of
> Jason Opperisano
> Sent: Tuesday, December 28, 2004 12:22 AM
> To: netfilter@lists.netfilter.org
> Subject: Re: How to flush the connection state in the linux
>
>
> On Mon, 2004-12-27 at 02:26, Vincent wrote:
> > Hello,
> >
> > Does anyone know how to flush the connection state in Linux (not
> > flush the iptables rules with -F)? I used transparent mode in Linux
> > (using brctl to bridge eth0 & eth1). When I tried to use iptables
> > to drop some specified packets, it failed.
> > So I suspect there is some established connection state in Linux that
> > lets these forbidden connections pass.
> >
> > My environment:
> > Linux 2.4.25
> > iptables 1.2.11
>
> you need to remove the "ip_conntrack" module.
>
> in order to do that--you need to remove all the modules that
> use it (like 'iptable_nat' etc).
Can I remove ip_conntrack with one command? If so, how?
I tried the command "modprobe -r ip_conntrack", but it does not seem to have worked.
Besides that, I tried to remove ip_conntrack and its dependency modules
manually.
But the forbidden packets still pass through. Is there any other
solution??
Thanks for your assistance
Vincent
>
> -j
>
> --
> "'Nuke the whales?' You don't really believe that, do you?
> I dunno. Gotta nuke something."
> --The Simpsons
>
* RE: How to flush the connection state in the linux
From: Vincent @ 2004-12-29 2:19 UTC
To: 'Andrew Schulman', netfilter
I executed the following commands on the machine:
ifdown eth0
ifdown eth1
ifup eth0
ifup eth1
But the original condition still exists :(
Do you have any other suggestion?
Sincerely
Vincent
> -----Original Message-----
> From: netfilter-bounces@lists.netfilter.org
> [mailto:netfilter-bounces@lists.netfilter.org] On Behalf Of
> Andrew Schulman
> Sent: Monday, December 27, 2004 6:41 PM
> To: netfilter@lists.netfilter.org
> Subject: Re: How to flush the connection state in the linux
>
>
> > Does anyone know how to flush the connection state in Linux (not
> > flush the iptables rules with -F)? I used transparent mode in Linux
> > (using brctl to bridge eth0 & eth1). When I tried to use iptables
> > to drop some specified packets, it failed.
> > So I suspect there is some established connection state in Linux that
> > lets these forbidden connections pass.
>
> ifdown, then ifup? Brutal, but it should work.
>
* RE: How to flush the connection state in the linux
From: Jason Opperisano @ 2004-12-29 19:52 UTC
To: netfilter
On Tue, 2004-12-28 at 21:14, Vincent wrote:
> Can I remove ip_conntrack with one command? If so, how?
> I tried the command "modprobe -r ip_conntrack", but it does not seem to have worked.
>
> Besides that, I tried to remove ip_conntrack and its dependency modules
> manually.
> But the forbidden packets still pass through. Is there any other
> solution??
> Thanks for your assistance
>
> Vincent
in order to remove ip_conntrack--you must first remove all the modules
that depend on it (the list on the right-hand side of the lsmod
output). in order to remove all those modules, you must also flush any
rules that use those modules (ipt_state is a good example of this).
the "easiest" way to do this would be to flush out all your rules,
remove all modules, reload modules, reload rules; and then you would be
starting fresh. something like:
iptables-save > ipt.save
for t in mangle nat filter; do iptables -t $t -F; done
for t in mangle nat filter; do iptables -t $t -X; done
rmmod-r.pl ([1] See below)
iptables-restore ipt.save
HTH...
-j
[1] rmmod-r.pl
---BEGIN PERL SCRIPT---
#!/usr/bin/perl -w
# rmmod-r.pl: unload every module that holds a reference on ip_conntrack,
# so that ip_conntrack itself can be unloaded afterwards (modprobe -r also
# drops dependencies that are no longer in use).
use strict;

my $lsmodCmd    = "/sbin/lsmod";
my $modprobeCmd = "/sbin/modprobe";
my $unameCmd    = `which uname 2>/dev/null`;
chomp $unameCmd;

my ($kernelVer, $modReg, $modSep, @depMods, $mod);

# Kernel minor version: "2.4.25" -> 4, "2.6.9" -> 6
if ($unameCmd ne "" && -x $unameCmd) {
    $kernelVer = `$unameCmd -r`;
    $kernelVer = substr($kernelVer, 2, 1);
}
unless (defined $kernelVer && ($kernelVer == 4 || $kernelVer == 6)) {
    die "Unsupported Kernel Version\n";
}
unless (-x $lsmodCmd)    { die "Command not found: $lsmodCmd\n"; }
unless (-x $modprobeCmd) { die "Command not found: $modprobeCmd\n"; }

# 2.4 lsmod lists the dependents as "[ipt_state iptable_nat]";
# 2.6 lsmod lists them as "ipt_state,iptable_nat" after the use count.
if ($kernelVer == 4) {
    $modReg = qr/^.*\[(.*)\]$/iox;
    $modSep = " ";
}
if ($kernelVer == 6) {
    $modReg = qr/^.*\s\s\d+\s(.*)$/iox;
    $modSep = ",";
}

open(MODLIST, "$lsmodCmd |") or die "Cannot run $lsmodCmd: $!\n";
while (<MODLIST>) {
    chomp;
    if (/^ip_conntrack\s/ && /$modReg/) {
        my $deps = $1;
        # keep only module names (a bare use count means "no dependents")
        @depMods = grep { /^\w/ && !/^\d+$/ } split(/$modSep/, $deps);
    }
}
close(MODLIST);

# Unload each dependent; -r also removes ip_conntrack once nothing uses it
foreach $mod (@depMods) {
    system("$modprobeCmd -rv $mod");
}
--- END PERL SCRIPT ---
--
"If I wanted smoke blown up my ass, I'd be at home with a pack of
cigarettes and a short length of hose."
--The Simpsons
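Jason's rmmod-r.pl has to read the "Used by" column differently on 2.4 and 2.6 kernels. The following is an added example, not code from the thread or from Jason: a POSIX shell function that extracts the dependents of a module from either lsmod layout, and a second function that prints the modprobe -r order (dependents first, then the module) as a dry run the operator can review before unloading anything. The lsmod output it reads is constructed sample text, and the function names are mine.

```shell
#!/bin/sh
# Added example, not part of the thread: list the modules that hold a
# reference on ip_conntrack (the "Used by" column of lsmod) and print the
# modprobe -r order needed before ip_conntrack itself can be unloaded.
# Nothing is executed; the operator reviews the plan first.

# Constructed 2.4-style lsmod output: dependents appear in [brackets].
LSMOD_24='Module                  Size  Used by
iptable_nat            20860   1 (autoclean)
ipt_state                616   3 (autoclean)
ip_conntrack           26916   2 (autoclean) [iptable_nat ipt_state]
iptable_filter          2412   1 (autoclean)
ip_tables              15776   4 [iptable_nat ipt_state iptable_filter]'

# Constructed 2.6-style lsmod output: dependents are comma-separated.
LSMOD_26='Module                  Size  Used by
iptable_nat            20860  1
ipt_state                616  3
ip_conntrack           26916  2 iptable_nat,ipt_state
iptable_filter          2412  1
ip_tables              15776  4 iptable_nat,ipt_state,iptable_filter'

# module_dependents MODULE < lsmod-output
# Prints the modules that depend on MODULE, one per line, for both layouts.
module_dependents() {
    awk -v mod="$1" '
        $1 == mod {
            n = 0
            lb = index($0, "["); rb = index($0, "]")
            if (lb > 0 && rb > lb) {
                # 2.4: "[a b c]" at the end of the line
                n = split(substr($0, lb + 1, rb - lb - 1), deps, " ")
            } else if (NF >= 4 && $4 !~ /^\(/) {
                # 2.6: "a,b,c" as the fourth field; "(autoclean)" is not a module
                n = split($4, deps, ",")
            }
            for (i = 1; i <= n; i++) if (deps[i] != "") print deps[i]
        }'
}

# unload_plan MODULE < lsmod-output
# Prints the modprobe -r commands in the order Jason describes:
# dependents first, then the module itself.
unload_plan() {
    deps=$(module_dependents "$1")
    for m in $deps; do
        echo "modprobe -r $m"
    done
    echo "modprobe -r $1"
}

# Stand-alone run against the constructed samples: ./plan.sh demo
if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$LSMOD_24" | unload_plan ip_conntrack
    printf '%s\n' "$LSMOD_26" | unload_plan ip_conntrack
fi
```

On a live box the input would be `/sbin/lsmod | unload_plan ip_conntrack`; the printed plan is what rmmod-r.pl executes, and it still presupposes that the rules referencing those modules (ipt_state and friends) have been flushed first, as Jason notes.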
* Re: How to flush the connection state in the linux
From: Jose Maria Lopez @ 2005-01-01 22:08 UTC
To: netfilter@lists.netfilter.org
On Mon, 27 Dec 2004 at 08:26, Vincent wrote:
> Hello,
>
> Does anyone know how to flush the connection state in Linux (not
> flush the iptables rules with -F)?
> I used transparent mode in Linux (using brctl to bridge eth0 & eth1).
> When I tried to use iptables to drop some specified packets, it failed.
> So I suspect there is some established connection state in Linux that
> lets these forbidden connections pass.
>
> My environment:
> Linux 2.4.25
> iptables 1.2.11
I am sending, attached to this message, the script that our firewall
bastion-firewall uses to clear the conntrack entries, one by one or
all of them. Hope it helps.
(sorry, the comments are in Spanish, but I think you will see
very easily how it works)
--
Jose Maria Lopez Hernandez
Director Tecnico de bgSEC
jkerouac@bgsec.com
bgSEC Seguridad y Consultoria de Sistemas Informaticos
http://www.bgsec.com
ESPAÑA
The only people for me are the mad ones -- the ones who are mad to live,
mad to talk, mad to be saved, desirous of everything at the same time,
the ones who never yawn or say a commonplace thing, but burn, burn, burn
like fabulous yellow Roman candles.
-- Jack Kerouac, "On the Road"
[-- Attachment #2: bsf_clearconntrack --]
[-- Type: text/x-sh, Size: 4292 bytes --]
#!/bin/bash
#########################################################################
## bastion-firewall GPL (www.bgsec.com) #
#########################################################################
## This file is part of the GPL version of bastion-firewall, a complete #
## firewall based on Netfilter and iptables and developed by #
## bgSEC (www.bgsec.com). The bastion-firewall licence can be #
## found in the file: /etc/bastion-firewall/LICENCIA.txt #
## #
## bastion-firewall is copyright of Jose Maria Lopez Hernandez #
## (jkerouac@bgsec.com) and bgSEC (www.bgsec.com) #
#########################################################################
# Remove all connections from the conntrack table for a given IP, or
# clear the table completely.
# Usage: bsf_clearconntrack [-a] [IP]

# Check that the command was typed correctly
if [ "$#" != "1" ] || [ "$1" = "-h" ] || [ "$1" = "--help" ]; then
    echo
    echo " Ayuda de bsf_clearconntrack:"
    echo " bsf_clearconntrack direccionip (xxx.xxx.xxx.xxx)"
    echo " bsf_clearconntrack -a : Borra todas las entradas de la tabla"
    echo " bsf_clearconntrack [-h] [--help]: Muestra esta ayuda"
    echo " Borrar todas la conexiones TCP de la tabla de conntrack para una"
    echo " direccion IP o borrar la tabla completamente. Se cortan las"
    echo " sesiones mandando un RST."
    echo " ES TOTALMENTE NORMAL QUE APAREZCAN ERRORES INDICANDO QUE SE HA"
    echo " TERMINADO hping2. SE LO EJECUTA Y LUEGO SE LO MATA PARA NO TENER"
    echo " QUE ESPERAR LAS RESPUESTAS A LOS RESET."
    echo " SOLO SIRVE PARA TCP."
    echo
    echo " Licencia de bastion-firewall en /etc/bastion-firewall/LICENCIA.txt"
    echo
    exit 1
fi

# firewall.conf provides $MYCAT, $MYGREP, $MYCUT and friends
if [ "$MYTAIL" = "" ]; then
    source /etc/bastion-firewall/firewall.conf
    source /usr/lib/bastion-firewall/bsf/functions.bsf
fi

# You may change the location of these
CONNTRACKFILE=/proc/net/ip_conntrack
HPING2=$(which hping2 2>/dev/null)
if [ "$HPING2" = "" ]; then
    echo
    echo " Error: Este programa necesita hping2 para funcionar"
    echo
    exit 1
fi

RESETIP=$1
DIDIT=0

# Tear down one ESTABLISHED entry read from $CONNTRACKFILE: a RST is sent
# in each direction as if it came from the real endpoints. hping2 is run in
# the background and then killed so we never wait for replies (hence the
# "terminated" errors mentioned in the help text).
reset_connection() {
    TMPCONN=$1
    echo $TMPCONN
    # Extract the fields of the connection (original direction)
    SRCIP=$(echo $TMPCONN|$MYCUT -d '=' -f 2|$MYCUT -d ' ' -f 1)
    DSTIP=$(echo $TMPCONN|$MYCUT -d '=' -f 3|$MYCUT -d ' ' -f 1)
    SRCPORT=$(echo $TMPCONN|$MYCUT -d '=' -f 4|$MYCUT -d ' ' -f 1)
    DSTPORT=$(echo $TMPCONN|$MYCUT -d '=' -f 5|$MYCUT -d ' ' -f 1)
    # Send the reset to the destination IP and port, as if we were
    # the real connection
    echo hping2 $DSTIP -R -s $SRCPORT -p $DSTPORT -a $SRCIP -k -c 1 -n
    hping2 $DSTIP -R -s $SRCPORT -p $DSTPORT -a $SRCIP -k -c 1 -n &
    usleep 100000
    killall -9 hping2
    # Send the reset to the other side as well
    echo hping2 $SRCIP -R -s $DSTPORT -p $SRCPORT -a $DSTIP -k -c 1 -n
    hping2 $SRCIP -R -s $DSTPORT -p $SRCPORT -a $DSTIP -k -c 1 -n &
    usleep 100000
    killall -9 hping2
}

# With -a every ESTABLISHED TCP entry is reset; otherwise only those whose
# original source address is the given IP
if [ "$RESETIP" = "-a" ]; then
    FILTER="^tcp .{10,25}ESTABLISHED"
else
    FILTER="^tcp .{10,25}ESTABLISHED src=$RESETIP"
fi

$MYCAT $CONNTRACKFILE|$MYGREP -E "$FILTER"| \
while read TMPCONN ; do
    reset_connection "$TMPCONN"
done

# bsf_clearconntrack end
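bsf_clearconntrack pulls the addresses and ports out of each conntrack line by field position with cut, which silently breaks if the layout shifts. The following is an added example, not part of the bastion-firewall script or of the thread: a read-only POSIX shell parser for the same 2.4-era /proc/net/ip_conntrack layout that walks the key=value pairs instead, lists the ESTABLISHED TCP flows (optionally for one source address) and counts TCP entries per state. This is the check to run before adding a DROP rule on a bridge like Vincent's, because entries already in ESTABLISHED will keep matching a state rule until they expire or are cleared. The conntrack lines are constructed sample data and the function names are mine.

```shell
#!/bin/sh
# Added example, not part of bsf_clearconntrack: parse /proc/net/ip_conntrack
# entries by key=value instead of by field position, list the ESTABLISHED
# TCP flows (optionally for one source IP) and summarise TCP entries by
# state. Read-only: it tears nothing down.

# Constructed sample of the 2.4-era /proc/net/ip_conntrack layout.
CONNTRACK='tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=10.0.0.5 sport=40321 dport=80 src=10.0.0.5 dst=192.168.1.10 sport=80 dport=40321 [ASSURED] use=1
tcp      6 117 TIME_WAIT src=192.168.1.11 dst=10.0.0.5 sport=40500 dport=443 src=10.0.0.5 dst=192.168.1.11 sport=443 dport=40500 [ASSURED] use=1
udp      17 29 src=192.168.1.10 dst=10.0.0.53 sport=5353 dport=53 src=10.0.0.53 dst=192.168.1.10 sport=53 dport=5353 use=1
tcp      6 431999 ESTABLISHED src=192.168.1.12 dst=10.0.0.5 sport=40600 dport=22 src=10.0.0.5 dst=192.168.1.12 sport=22 dport=40600 [ASSURED] use=1'

# established_flows [SRCIP] < conntrack-table
# Prints "src dst sport dport" of the original direction for every
# ESTABLISHED TCP entry; with SRCIP given, only flows from that address.
established_flows() {
    awk -v want="$1" '
        $1 == "tcp" && $4 == "ESTABLISHED" {
            src = dst = sport = dport = ""
            for (i = 5; i <= NF; i++) {
                # skip tokens such as "[ASSURED]" that are not key=value
                if (split($i, kv, "=") != 2) continue
                # the first src/dst/sport/dport tuple is the original
                # direction; the second (reply direction) is ignored
                if (kv[1] == "src"   && src   == "") src   = kv[2]
                if (kv[1] == "dst"   && dst   == "") dst   = kv[2]
                if (kv[1] == "sport" && sport == "") sport = kv[2]
                if (kv[1] == "dport" && dport == "") dport = kv[2]
            }
            if (want == "" || src == want) print src, dst, sport, dport
        }'
}

# state_summary < conntrack-table
# Prints "STATE count" for TCP entries, sorted by state name.
state_summary() {
    awk '$1 == "tcp" { c[$4]++ } END { for (s in c) print s, c[s] }' | sort
}

# Stand-alone run against the constructed sample: ./flows.sh demo
if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$CONNTRACK" | established_flows
    printf '%s\n' "$CONNTRACK" | state_summary
fi
```

On a live 2.4 box the input is `cat /proc/net/ip_conntrack | established_flows 192.168.1.12`; any flow it prints is one that a new DROP rule placed after an `-m state --state ESTABLISHED -j ACCEPT` rule will not touch until the entry is gone, which is exactly the symptom reported at the top of the thread.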