* How to flush the connection state in the linux
@ 2004-12-27 7:26 Vincent
From: Vincent @ 2004-12-27 7:26 UTC
To: netfilter
Hello,

Does anyone know how to flush the connection state in Linux (not
flushing the iptables rules with -F)?
I used transparent mode in Linux (using brctl to bridge eth & eth1).
When I tried to use iptables to drop some specified packets, it
failed.
So I suspect there is some established connection state in Linux that
lets these forbidden connections through.

My environment:
Linux 2.4.25
Iptables 1.2.11
* Re: How to flush the connection state in the linux
From: Andrew Schulman @ 2004-12-27 10:41 UTC
To: netfilter

> Does anyone know how to flush the connection state in Linux (not
> flushing the iptables rules with -F)?
> I used transparent mode in Linux (using brctl to bridge eth & eth1).
> When I tried to use iptables to drop some specified packets, it
> failed.
> So I suspect there is some established connection state in Linux that
> lets these forbidden connections through.

ifdown, then ifup? Brutal, but it should work.
* RE: How to flush the connection state in the linux
From: Vincent @ 2004-12-29 2:19 UTC
To: 'Andrew Schulman', netfilter

I executed the following commands on the machine:

ifdown eth0
ifdown eth1
ifup eth0
ifup eth1

But the original condition still exists :(
Do you have any other suggestion?

Sincerely
Vincent

> -----Original Message-----
> From: netfilter-bounces@lists.netfilter.org
> [mailto:netfilter-bounces@lists.netfilter.org] On Behalf Of
> Andrew Schulman
> Sent: Monday, December 27, 2004 6:41 PM
> To: netfilter@lists.netfilter.org
> Subject: Re: How to flush the connection state in the linux
>
> > Does anyone know how to flush the connection state in Linux (not
> > flushing the iptables rules with -F)? I used transparent mode in
> > Linux (using brctl to bridge eth & eth1). When I tried to use iptables
> > to drop some specified packets, it failed.
> > So I suspect there is some established connection state in Linux that
> > lets these forbidden connections through.
>
> ifdown, then ifup? Brutal, but it should work.
* Re: How to flush the connection state in the linux
From: Jason Opperisano @ 2004-12-27 16:22 UTC
To: netfilter

On Mon, 2004-12-27 at 02:26, Vincent wrote:
> Hello,
>
> Does anyone know how to flush the connection state in Linux (not
> flushing the iptables rules with -F)?
> I used transparent mode in Linux (using brctl to bridge eth & eth1).
> When I tried to use iptables to drop some specified packets, it
> failed.
> So I suspect there is some established connection state in Linux that
> lets these forbidden connections through.
>
> My environment:
> Linux 2.4.25
> Iptables 1.2.11

you need to remove the "ip_conntrack" module.

in order to do that--you need to remove all the modules that use it
(like 'iptable_nat' etc).

-j

--
"'Nuke the whales?' You don't really believe that, do you?
I dunno. Gotta nuke something."
--The Simpsons
* RE: How to flush the connection state in the linux
From: Vincent @ 2004-12-29 2:14 UTC
To: 'Jason Opperisano', netfilter

> -----Original Message-----
> From: netfilter-bounces@lists.netfilter.org
> [mailto:netfilter-bounces@lists.netfilter.org] On Behalf Of
> Jason Opperisano
> Sent: Tuesday, December 28, 2004 12:22 AM
> To: netfilter@lists.netfilter.org
> Subject: Re: How to flush the connection state in the linux
>
> On Mon, 2004-12-27 at 02:26, Vincent wrote:
> > Hello,
> >
> > Does anyone know how to flush the connection state in Linux (not
> > flushing the iptables rules with -F)? I used transparent mode in
> > Linux (using brctl to bridge eth & eth1). When I tried to use iptables
> > to drop some specified packets, it failed.
> > So I suspect there is some established connection state in Linux that
> > lets these forbidden connections through.
> >
> > My environment:
> > Linux 2.4.25
> > Iptables 1.2.11
>
> you need to remove the "ip_conntrack" module.
>
> in order to do that--you need to remove all the modules that
> use it (like 'iptable_nat' etc).

Can I remove ip_conntrack in one command? If so, how do I do it?
I tried the command "modprobe -r ip_conntrack", but it does not seem to
have worked.

Besides, I tried to remove ip_conntrack and its dependent modules
manually.
But the forbidden packets still pass through. Is there any other
solution??

Thanks for your assistance

Vincent

> -j
>
> --
> "'Nuke the whales?' You don't really believe that, do you?
> I dunno. Gotta nuke something."
> --The Simpsons
* RE: How to flush the connection state in the linux
From: Jason Opperisano @ 2004-12-29 19:52 UTC
To: netfilter

On Tue, 2004-12-28 at 21:14, Vincent wrote:
> Can I remove ip_conntrack in one command? If so, how do I do it?
> I tried the command "modprobe -r ip_conntrack", but it does not seem to
> have worked.
>
> Besides, I tried to remove ip_conntrack and its dependent modules
> manually.
> But the forbidden packets still pass through. Is there any other
> solution??
> Thanks for your assistance
>
> Vincent

in order to remove ip_conntrack--you must first remove all the modules
that depend on it (the list on the right-hand-side in the lsmod output).

in order to remove all those modules; you must also flush any rules that
use those modules (ipt_state is a good example of this).

the "easiest" way to do this would be to flush out all your rules, remove
all modules, reload modules, reload rules; and then you would be starting
fresh. something like:

iptables-save > ipt.save
for t in mangle nat filter; do iptables -t $t -F; done
for t in mangle nat filter; do iptables -t $t -X; done
rmmod-r.pl            ([1] see below)
iptables-restore ipt.save

HTH...

-j

[1] rmmod-r.pl

---BEGIN PERL SCRIPT---
#!/usr/bin/perl -w
use strict;

# Unload every module that holds a reference on ip_conntrack, so that
# ip_conntrack itself can be unloaded. Understands the lsmod output of
# both 2.4 and 2.6 kernels.
my $lsmodCmd    = "/sbin/lsmod";
my $modprobeCmd = "/sbin/modprobe";
my $unameCmd    = `which uname 2>/dev/null`;
chomp $unameCmd;

my ($kernelVer, $modReg, $modSep, @depMods, $mod);
$kernelVer = 0;                              # stays 0 (unsupported) if uname cannot be run
if ($unameCmd && -x $unameCmd) {
    $kernelVer = `$unameCmd -r`;             # e.g. "2.4.25"
    $kernelVer = substr($kernelVer, 2, 1);   # minor version digit: 4 or 6
}
if ($kernelVer != 4 && $kernelVer != 6) { die "Unsupported Kernel Version\n"; }
unless (-x $lsmodCmd)    { die "Command not found: $lsmodCmd\n"; }
unless (-x $modprobeCmd) { die "Command not found: $modprobeCmd\n"; }

# 2.4 lsmod lists dependents as "[mod1 mod2]" at the end of the line;
# 2.6 lists them as "mod1,mod2" after the use count.
if ($kernelVer == 4) { $modReg = qr/^.*\[(.*)\]$/iox;       $modSep = " "; }
if ($kernelVer == 6) { $modReg = qr/^.*\s\s\d+\s(.*)$/iox;  $modSep = ","; }

open(MODLIST, "$lsmodCmd |") or die "Cannot run $lsmodCmd: $!\n";
while (<MODLIST>) {
    chomp;
    if (/^ip_conntrack\s/) {
        # a successful substitution leaves the dependents field in $1
        if (s/$modReg//) { @depMods = split(/$modSep/, $1); }
    }
}
close(MODLIST);

# modprobe -r also drops the modules the removed one depended on once
# they are unused, so ip_conntrack goes away with its last dependent.
foreach $mod (@depMods) {
    system("$modprobeCmd -rv $mod");
}
--- END PERL SCRIPT ---

--
"If I wanted smoke blown up my ass, I'd be at home with a pack of
cigarettes and a short length of hose."
--The Simpsons
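The rmmod-r.pl above reads lsmod to find which modules pin ip_conntrack. The following is an added example, not Jason's script or anything from the list, that does the same lookup in POSIX shell with awk over constructed lsmod samples for both the 2.4 and 2.6 formats, and prints the flush/unload/reload sequence from his message as a dry-run plan instead of executing it.

```shell
#!/bin/sh
# Added example, not Jason's rmmod-r.pl: find the modules that hold a
# reference on ip_conntrack from lsmod output and print the unload plan
# from the message above as a dry run (nothing is flushed or removed).
# lsmod formats handled:
#   2.4: ip_conntrack  26128  1  (autoclean) [ipt_state iptable_nat]
#   2.6: ip_conntrack  44220  2  ipt_state,iptable_nat

# Constructed sample lsmod output for a 2.4 kernel (not from a real host).
LSMOD_24='Module                  Size  Used by    Tainted: P
ipt_state                622   2  (autoclean)
iptable_nat            19124   0  (autoclean) (unused)
ip_conntrack           26128   1  (autoclean) [ipt_state iptable_nat]
iptable_filter          2028   1  (autoclean)
ip_tables              13264   3  [ipt_state iptable_nat iptable_filter]'

# Constructed sample for a 2.6 kernel.
LSMOD_26='Module                  Size  Used by
ipt_state               1920  2
iptable_nat             7556  1
ip_conntrack           44220  2 ipt_state,iptable_nat
ip_tables              19680  3 ipt_state,iptable_nat,iptable_filter'

# Print, one per line, the modules that must go before ip_conntrack can.
# $1 = lsmod output text.
conntrack_users() {
    printf '%s\n' "$1" | awk '
        $1 == "ip_conntrack" {
            n = 0
            if (match($0, /\[[^]]*]/))           # 2.4: "[a b]" at end of line
                n = split(substr($0, RSTART + 1, RLENGTH - 2), m, " ")
            else if ($4 != "" && $4 !~ /^\(/)    # 2.6: "a,b"; skip 2.4 "(autoclean)"
                n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
        }'
}

# Dry run of the sequence in the message: save and flush the rules that
# pin the modules, unload the dependents, then ip_conntrack, then reload.
# Prints the commands instead of running them so they can be reviewed.
unload_plan() {
    echo "iptables-save > ipt.save"
    for t in mangle nat filter; do
        echo "iptables -t $t -F"
        echo "iptables -t $t -X"
    done
    conntrack_users "$1" | while read -r m; do
        echo "modprobe -r $m"
    done
    echo "modprobe -r ip_conntrack"
    echo "iptables-restore ipt.save"
}
```

Run `unload_plan "$(lsmod)"` on a real host to see the plan for its actual module list; the rules reload at the end is what brings ip_conntrack back with an empty table.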
* Re: How to flush the connection state in the linux
From: Jose Maria Lopez @ 2005-01-01 22:08 UTC
To: netfilter@lists.netfilter.org

On Mon, 27 Dec 2004 at 08:26, Vincent wrote:
> Hello,
>
> Does anyone know how to flush the connection state in Linux (not
> flushing the iptables rules with -F)?
> I used transparent mode in Linux (using brctl to bridge eth & eth1).
> When I tried to use iptables to drop some specified packets, it
> failed.
> So I suspect there is some established connection state in Linux that
> lets these forbidden connections through.
>
> My environment:
> Linux 2.4.25
> Iptables 1.2.11

I am sending, attached to this message, the script that our firewall,
bastion-firewall, uses to clear the conntrack entries, one by one or all
of them. Hope it helps. (Sorry, the comments are in Spanish, but I think
you will see very easily how it works.)

--
Jose Maria Lopez Hernandez
Technical Director of bgSEC
jkerouac@bgsec.com
bgSEC Seguridad y Consultoria de Sistemas Informaticos
http://www.bgsec.com
SPAIN

The only people for me are the mad ones -- the ones who are mad to live,
mad to talk, mad to be saved, desirous of everything at the same time,
the ones who never yawn or say a commonplace thing, but burn, burn, burn
like fabulous yellow Roman candles.
-- Jack Kerouac, "On the Road"

[-- Attachment #2: bsf_clearconntrack (text/x-sh) --]
#!/bin/bash
#########################################################################
## bastion-firewall GPL (www.bgsec.com)                                 #
#########################################################################
## This file is part of the GPL version of bastion-firewall, a complete #
## firewall based on Netfilter and iptables, developed by               #
## bgSEC (www.bgsec.com). The bastion-firewall licence is in the file:  #
## /etc/bastion-firewall/LICENCIA.txt                                   #
##                                                                      #
## bastion-firewall is copyright Jose Maria Lopez Hernandez             #
## (jkerouac@bgsec.com) and bgSEC (www.bgsec.com)                       #
#########################################################################

# Remove all connections for a given IP from the conntrack table, or
# clear the table completely.
# Usage: bsf_clearconntrack [-a] [IP]

# Check that the command was typed correctly
if [ "$#" != "1" ] || [ "$1" = "-h" ] || [ "$1" = "--help" ]; then
    echo
    echo " Ayuda de bsf_clearconntrack:"
    echo " bsf_clearconntrack direccionip (xxx.xxx.xxx.xxx)"
    echo " bsf_clearconntrack -a : Borra todas las entradas de la tabla"
    echo " bsf_clearconntrack [-h] [--help]: Muestra esta ayuda"
    echo " Borrar todas la conexiones TCP de la tabla de conntrack para una"
    echo " direccion IP o borrar la tabla completamente. Se cortan las"
    echo " sesiones mandando un RST."
    echo " ES TOTALMENTE NORMAL QUE APAREZCAN ERRORES INDICANDO QUE SE HA"
    echo " TERMINADO hping2. SE LO EJECUTA Y LUEGO SE LO MATA PARA NO TENER"
    echo " QUE ESPERAR LAS RESPUESTAS A LOS RESET."
    echo " SOLO SIRVE PARA TCP."
    echo
    echo " Licencia de bastion-firewall en /etc/bastion-firewall/LICENCIA.txt"
    echo
    exit 1
fi

if [ "$MYTAIL" = "" ]; then
    source /etc/bastion-firewall/firewall.conf
    source /usr/lib/bastion-firewall/bsf/functions.bsf
fi
# Defaults so the script also runs outside a bastion-firewall install
# (the sourced files normally define these tool paths).
: "${MYCAT:=cat}" "${MYGREP:=grep}" "${MYCUT:=cut}"

# You can change the location of these
CONNTRACKFILE=/proc/net/ip_conntrack
HPING2=$(which hping2 2>/dev/null)
if [ "$HPING2" = "" ]; then
    echo
    echo " Error: Este programa necesita hping2 para funcionar"
    echo
    exit 1   # nothing below can work without hping2
fi

RESETIP=$1
DIDIT=0

# Tear down one ESTABLISHED conntrack entry: send a RST to each end of
# the session, as if it came from the other end. hping2 is run in the
# background and killed after 0.1 s so we never wait for replies.
reset_connection() {
    TMPCONN=$1
    echo $TMPCONN
    # Pull the original-direction tuple out of the conntrack line
    SRCIP=$(echo $TMPCONN|$MYCUT -d '=' -f 2|$MYCUT -d ' ' -f 1)
    DSTIP=$(echo $TMPCONN|$MYCUT -d '=' -f 3|$MYCUT -d ' ' -f 1)
    SRCPORT=$(echo $TMPCONN|$MYCUT -d '=' -f 4|$MYCUT -d ' ' -f 1)
    DSTPORT=$(echo $TMPCONN|$MYCUT -d '=' -f 5|$MYCUT -d ' ' -f 1)
    # Send the reset to the destination IP and port, as if we were the
    # real connection
    echo hping2 $DSTIP -R -s $SRCPORT -p $DSTPORT -a $SRCIP -k -c 1 -n
    hping2 $DSTIP -R -s $SRCPORT -p $DSTPORT -a $SRCIP -k -c 1 -n &
    usleep 100000
    killall -9 hping2
    # Also send the reset to the other side
    echo hping2 $SRCIP -R -s $DSTPORT -p $SRCPORT -a $DSTIP -k -c 1 -n
    hping2 $SRCIP -R -s $DSTPORT -p $SRCPORT -a $DSTIP -k -c 1 -n &
    usleep 100000
    killall -9 hping2
}

# -a selects every ESTABLISHED TCP entry; otherwise only those whose
# original source is the given IP.
if [ "$RESETIP" = "-a" ]; then
    PATTERN="^tcp .{10,25}ESTABLISHED"
else
    PATTERN="^tcp .{10,25}ESTABLISHED src=$RESETIP"
fi
$MYCAT $CONNTRACKFILE|$MYGREP -E "$PATTERN"| \
while read TMPCONN ; do
    reset_connection "$TMPCONN"
done
# bsf_clearconntrack end