* block + kill connections
From: bright true @ 2006-01-08 21:44 UTC (permalink / raw)
To: netfilter
Hello,
How do I block, plus kill, all currently open connections from a specific IP address
on all ports?
I tried using:
iptables -I INPUT -s 1.2.3.4 -j DROP
but it seems that it doesn't kill the active connections; it works only for new
incoming connections.
Any help?
Thanks
* Re: block + kill connections
From: /dev/rob0 @ 2006-01-08 22:02 UTC (permalink / raw)
To: netfilter
On Sunday 2006-January-08 15:44, bright true wrote:
> iptables -I INPUT -s 1.2.3.4 -j DROP
>
> but seems to be it doesn't kill the active connections , it works
> only for new incoming connections
I suspect we have an issue of INPUT vs. FORWARD misunderstanding here.
See "man iptables" and the description of the filter table and its
built-in chains.
--
mail to this address is discarded unless "/dev/rob0"
or "not-spam" is in Subject: header
* Re: block + kill connections
From: Robert Nichols @ 2006-01-08 22:04 UTC (permalink / raw)
To: netfilter
bright true wrote:
> Hello ,
>
> How to block plus kill all currently opened connections from specific ip address
>
> on all ports .
>
> i tryed using :
>
> iptables -I INPUT -s 1.2.3.4 -j DROP
>
> but seems to be it doesn't kill the active connections , it works only for new
>
> incoming connections
That will prevent communication by blocking any further incoming
packets, but won't do anything to tear down the connection. See
if something like this works better:
iptables -I INPUT -s 1.2.3.4 -p tcp --tcp-flags ! FIN,RST NONE -j REJECT --reject-with tcp-reset
--
Bob Nichols Yes, "NOSPAM" is really part of my email address.
* Re: block + kill connections
From: /dev/rob0 @ 2006-01-08 22:18 UTC (permalink / raw)
To: netfilter
On Sunday 2006-January-08 16:04, Robert Nichols wrote:
> > iptables -I INPUT -s 1.2.3.4 -j DROP
> That will prevent communication by blocking any further incoming
> packets, but won't do anything to tear down the connection. See
Actually it would drop anything with a source address of 1.2.3.4 which
happens to hit the filter INPUT chain, regardless of protocol or state.
Perhaps the issue is as I suggested, the packets are hitting FORWARD,
or simply that a blocked connection has not yet timed out of conntrack
or netstat listings.
--
mail to this address is discarded unless "/dev/rob0"
or "not-spam" is in Subject: header
* Re: block + kill connections
From: R. DuFresne @ 2006-01-08 23:14 UTC (permalink / raw)
To: bright true; +Cc: netfilter
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Sun, 8 Jan 2006, bright true wrote:
> Hello ,
>
> How to block plus kill all currently opened connections from specific ip address
>
> on all ports .
>
> i tryed using :
>
> iptables -I INPUT -s 1.2.3.4 -j DROP
>
> but seems to be it doesn't kill the active connections , it works only for new
>
> incoming connections
>
> any help ?
kill/killall -9 nasty-app-being-hit/shell-in-use.
Thanks,
Ron DuFresne
- --
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A E838 B2DF AFCC 94B0 6629
...We waste time looking for the perfect lover
instead of creating the perfect love.
-Tom Robbins <Still Life With Woodpecker>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
iD8DBQFDwZzkst+vzJSwZikRArw1AJwMVjPAuF0rs2/6BA1IczVGZ1ZYbwCfV7n6
6XyaVW8aU+dJyplYtDmZAhU=
=7mkJ
-----END PGP SIGNATURE-----
* Re: block + kill connections
From: /dev/rob0 @ 2006-01-08 23:20 UTC (permalink / raw)
To: netfilter
On Sunday 2006-January-08 16:18, I wrote:
> On Sunday 2006-January-08 16:04, Robert Nichols wrote:
> > > iptables -I INPUT -s 1.2.3.4 -j DROP
> >
> > That will prevent communication by blocking any further incoming
> > packets, but won't do anything to tear down the connection. See
Yes, you're right, sorry. I read too quickly. You're saying this:
> ... or simply that a blocked connection has not yet
> timed out of conntrack or netstat listings.
... and you're right, the REJECT will tell the other end that the
connection is terminated. But I doubt that the local side will show
anything different in conntrack or netstat, unless a corresponding
REJECT rule was used in OUTPUT.
--
mail to this address is discarded unless "/dev/rob0"
or "not-spam" is in Subject: header
* Re: block + kill connections
From: Robert Nichols @ 2006-01-09 2:47 UTC (permalink / raw)
To: netfilter
/dev/rob0 wrote:
> On Sunday 2006-January-08 16:18, I wrote:
>
>>On Sunday 2006-January-08 16:04, Robert Nichols wrote:
>>
>>>>iptables -I INPUT -s 1.2.3.4 -j DROP
>>>
>>>That will prevent communication by blocking any further incoming
>>>packets, but won't do anything to tear down the connection. See
>
>
> Yes, you're right, sorry. I read too quickly. You're saying this:
>
>
>>... or simply that a blocked connection has not yet
>>timed out of conntrack or netstat listings.
>
>
> ... and you're right, the REJECT will tell the other end that the
> connection is terminated. But I doubt that the local side will show
> anything different in conntrack or netstat, unless a corresponding
> REJECT rule was used in OUTPUT.
What typically happens is that as soon as the local side transmits
any packet on the half-closed connection, the far end responds with
its own TCP RESET, and the "--tcp-flags ! FIN,RST NONE" matcher in
my suggested rule allows any packet with a RST or FIN flag to get
through.
--
Bob Nichols Yes, "NOSPAM" is really part of my email address.
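The thread above ends with three separate pieces of advice: a REJECT with tcp-reset on INPUT so the remote end is told the connection is dead, a matching rule on OUTPUT so the local socket is reset too (rob0's point about conntrack and netstat not changing otherwise), and the observation that the packets may be hitting FORWARD rather than INPUT on a router. The script below, an added example and not code from any of the posters, puts the three together in the order a practitioner would apply them. It assumes iptables and conntrack-tools (the `conntrack` command) are installed and that it is run as root with `APPLY=1`; without that it only prints the rules. The TCP match is written as `--tcp-flags FIN,RST NONE`, which fires on segments that carry neither FIN nor RST, so ordinary data from the blocked host is answered with a RST while the peer's own FIN or RST is allowed through, which is the behaviour Bob's last message describes (putting a `!` in front of that match inverts it and would reject exactly the FIN/RST segments instead). The address is validated before it is spliced into a command line, because an IP pulled from a log or a web form is attacker-influenced input.

```shell
#!/bin/sh
# Added example, not from the thread: build (and with APPLY=1 run, as root) the
# rules that both block an address and tear down its live TCP connections.
# Assumes iptables and conntrack-tools (`conntrack`) are installed.

# Accept only a dotted-quad IPv4 address, optionally with a /0-/32 prefix, so a
# value copied from a log line cannot smuggle extra iptables arguments.
valid_ipv4() {
    addr=${1%%/*}
    prefix=${1#"$addr"}
    case "$prefix" in
        '' | /[0-9] | /[12][0-9] | /3[0-2]) ;;
        *) return 1 ;;
    esac
    case "$addr" in
        '' | *[!0-9.]* | .* | *. | *..*) return 1 ;;
    esac
    saved_ifs=$IFS
    IFS=.
    set -- $addr
    IFS=$saved_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Emit the rule set for one address. Order matters: the REJECT rules go in at
# position 1 so they run before any "ESTABLISHED -j ACCEPT" rule, the DROP rules
# follow them and catch everything that is not TCP data (UDP, ICMP, FIN/RST),
# and the conntrack deletions stop the stateful rules from seeing the flow as
# ESTABLISHED. The OUTPUT rule is what resets the local socket, so the entry
# disappears from netstat instead of lingering until it times out.
block_rules() {
    cat <<EOF
iptables -I INPUT 1 -s $1 -p tcp --tcp-flags FIN,RST NONE -j REJECT --reject-with tcp-reset
iptables -I INPUT 2 -s $1 -j DROP
iptables -I OUTPUT 1 -d $1 -p tcp --tcp-flags FIN,RST NONE -j REJECT --reject-with tcp-reset
iptables -I OUTPUT 2 -d $1 -j DROP
iptables -I FORWARD 1 -s $1 -p tcp --tcp-flags FIN,RST NONE -j REJECT --reject-with tcp-reset
iptables -I FORWARD 2 -s $1 -j DROP
conntrack -D -s $1
conntrack -D -d $1
EOF
}

# Validate, then either print the rules (dry run) or feed them to a shell.
block_and_kill() {
    if ! valid_ipv4 "$1"; then
        echo "refusing to build rules for '$1': not an IPv4 address" >&2
        return 2
    fi
    if [ "${APPLY:-0}" = 1 ]; then
        block_rules "$1" | sh    # apply line by line as root
    else
        block_rules "$1"         # dry run: show what would be applied
    fi
}

# Usage: ./block_and_kill.sh 1.2.3.4      (prefix with APPLY=1 to apply)
if [ "$#" -gt 0 ]; then
    block_and_kill "$1"
fi
```

Run it once without `APPLY=1` and read the output before applying; on a box that uses nftables the same rules translate one for one with `nft`, but the ordering and the conntrack deletion still apply.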