From: "Покотиленко Костик" <casper@meteor.dp.ua>
To: Jan Engelhardt <jengelh@computergmbh.de>, netfilter@vger.kernel.org
Subject: Re: How to drop existing connections
Date: Mon, 07 Apr 2008 14:59:23 +0300
Message-ID: <1207569563.5879.39.camel@casper.meteor.dp.ua>
In-Reply-To: <alpine.LNX.1.10.0804071307390.17722@fbirervta.pbzchgretzou.qr>
On Mon, 07/04/2008 at 13:11 +0200, Jan Engelhardt wrote:
> On Monday 2008-04-07 12:08, Покотиленко Костик wrote:
>
> >On Mon, 07/04/2008 at 11:39 +0200, Jan Engelhardt wrote:
> >> >
> >> >You can use conntrack utility to remove conntrack entry,
> >>
> >> This only removes the conntrack entry of course, and
> >> does not induce a TCP reset.
> >>
> >> >if you also
> >> >drop INVALID packets with iptables this will let you kill connection.
> >>
> >> When more packets come in, the 'connection' will go NEW, not INVALID.
> >
> >Maybe, I remember reading this solution somewhere.
>
> This solution requires that you only accept NEW connections
> that have SYN set. Something like
>
> -m conntrack --ctstate ESTABLISHED -j ACCEPT
> -p tcp --syn -m conntrack --ctstate NEW -j ACCEPT
> -p udp -m conntrack --ctstate NEW -j ACCEPT
> -p tcp -j REJECT --reject-with tcp-reset
> -j REJECT
>
> yes, that is indeed a good idea to do a tcpkill on connections
> using conntrack :-)
That is it.
--
Покотиленко Костик <casper@meteor.dp.ua>
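The ruleset Jan sketches above, written out as a script; this is an added example, not code from the thread or from the netfilter project. It assumes a Linux box with iptables (the xt_conntrack match, `--ctstate`) and conntrack-tools installed. The `CHAIN` variable, the `RELATED` state on the first rule, the `run` wrapper with its `DRY_RUN` switch and the `kill_conn` helper are my additions. The mechanism is the one discussed in the thread: `conntrack -D` removes the tracking entry but sends nothing on the wire; the next mid-stream packet (ACK, no SYN) then arrives as NEW (default `nf_conntrack_tcp_loose=1`) or INVALID (`tcp_loose=0`), misses both ACCEPT rules, and hits the unconditional `REJECT --reject-with tcp-reset`, which is what finally resets the peer.

```shell
#!/bin/sh
# Added example: tear down a live TCP session via conntrack plus a
# SYN-only NEW policy. Assumes iptables with xt_conntrack and
# conntrack-tools; CHAIN, RELATED, run/DRY_RUN and kill_conn are my
# choices, not the thread's.

IPT="${IPT:-iptables}"        # firewall command
CT="${CT:-conntrack}"         # conntrack-tools command
CHAIN="${CHAIN:-INPUT}"       # use FORWARD for traffic passing through the box

# run: execute the command, or print it when DRY_RUN is set, so the
# rules can be reviewed (or tested) without root.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# install_rules: order matters. ESTABLISHED first, then NEW only when
# SYN is set, then an unconditional TCP reset. The reset rule carries
# no --ctstate on purpose: it must catch a mid-stream packet whether
# conntrack classified it as NEW (tcp_loose=1) or INVALID (tcp_loose=0).
install_rules() {
    run "$IPT" -A "$CHAIN" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run "$IPT" -A "$CHAIN" -p tcp --syn -m conntrack --ctstate NEW -j ACCEPT
    run "$IPT" -A "$CHAIN" -p udp -m conntrack --ctstate NEW -j ACCEPT
    run "$IPT" -A "$CHAIN" -p tcp -j REJECT --reject-with tcp-reset
    run "$IPT" -A "$CHAIN" -j REJECT
}

# kill_conn SRC SPORT DST DPORT: delete the tracking entry for one TCP
# flow. The tuple is the original direction as printed by "conntrack -L".
# Nothing is reset yet; the RST goes out when the next packet of the
# flow hits the reset rule above.
kill_conn() {
    [ $# -eq 4 ] || { echo "usage: kill_conn SRC SPORT DST DPORT" >&2; return 2; }
    run "$CT" -D -p tcp -s "$1" --sport "$2" -d "$3" --dport "$4"
}

# Command-line entry points; nothing runs when the file is only sourced.
#   sh killconn.sh install
#   sh killconn.sh kill 10.0.0.5 51234 10.0.0.1 22
case "${1:-}" in
    install) install_rules ;;
    kill)    shift; kill_conn "$@" ;;
esac
```

Run `DRY_RUN=1 sh killconn.sh install` first to see the exact rules before loading them; the udp and catch-all REJECT lines are there so the chain stays a complete policy, as in Jan's sketch, and only the first four rules matter for the TCP kill.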
Thread overview (7+ messages):
2008-04-07 8:30 How to drop existing connections Vitaly
2008-04-07 8:55 ` Karim Asif
2008-04-07 9:05 ` Vitaly
2008-04-07 9:28 ` Покотиленко Костик
2008-04-07 9:39 ` Jan Engelhardt
[not found] ` <1207562913.5879.32.camel@casper.meteor.dp.ua>
2008-04-07 11:11 ` Jan Engelhardt
2008-04-07 11:59 ` Покотиленко Костик [this message]