How to drop existing connections

How to drop existing connections

[Vitaly]

I'd like to kill all existing connections to the
specific IP/port. What is the simpliest way to do
this?

Thanks,
Vitaly


      ____________________________________________________________________________________
You rock. That's why Blockbuster's offering you one month of Blockbuster Total Access, No Cost.  
http://tc.deals.yahoo.com/tc/blockbuster/text5.com

Re: How to drop existing connections

[Karim Asif]

Using iptables?
just add a drop rule having src/dest ip addressess and ports and protocol on
top of other rules.

----- Original Message ----- 
From: "Vitaly" <vitaly_il@yahoo.com>
To: <netfilter@vger.kernel.org>
Sent: Monday, April 07, 2008 11:30 AM
Subject: How to drop existing connections


> I'd like to kill all existing connections to the
> specific IP/port. What is the simpliest way to do
> this?
>
> Thanks,
> Vitaly
>
>
> 
> ____________________________________________________________________________________
> You rock. That's why Blockbuster's offering you one month of Blockbuster 
> Total Access, No Cost.
> http://tc.deals.yahoo.com/tc/blockbuster/text5.com
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html 

Re: How to drop existing connections

[Vitaly]

--- Karim Asif <karimas@kfupm.edu.sa> wrote:

> Using iptables?
> just add a drop rule having src/dest ip addressess
> and ports and protocol on
> top of other rules.

Probably I wasn't clear - I want to kill existing,
already opened connection. 
Now, after reading some articles/threads, it seems
that only utils like tcpkill, cutter can do this...

> 
> ----- Original Message ----- 
> From: "Vitaly" <vitaly_il@yahoo.com>
> To: <netfilter@vger.kernel.org>
> Sent: Monday, April 07, 2008 11:30 AM
> Subject: How to drop existing connections
> 
> 
> > I'd like to kill all existing connections to the
> > specific IP/port. What is the simpliest way to do
> > this?
> >
> > Thanks,
> > Vitaly
> >
> >
> > 
> >
>
____________________________________________________________________________________
> > You rock. That's why Blockbuster's offering you
> one month of Blockbuster 
> > Total Access, No Cost.
> > http://tc.deals.yahoo.com/tc/blockbuster/text5.com
> > --
> > To unsubscribe from this list: send the line
> "unsubscribe netfilter" in
> > the body of a message to majordomo@vger.kernel.org
> > More majordomo info at 
> http://vger.kernel.org/majordomo-info.html 
> 
> 



      ____________________________________________________________________________________
You rock. That's why Blockbuster's offering you one month of Blockbuster Total Access, No Cost.  
http://tc.deals.yahoo.com/tc/blockbuster/text5.com

Re: How to drop existing connections

[Покотиленко Костик]

В Пнд, 07/04/2008 в 02:05 -0700, Vitaly пишет:
> --- Karim Asif <karimas@kfupm.edu.sa> wrote:
> 
> > Using iptables?
> > just add a drop rule having src/dest ip addressess
> > and ports and protocol on
> > top of other rules.
> 
> Probably I wasn't clear - I want to kill existing,
> already opened connection. 
> Now, after reading some articles/threads, it seems
> that only utils like tcpkill, cutter can do this...

You can use conntrack utility to remove conntrack entry, if you also
drop INVALID packets with iptables this will let you kill connection.

> > 
> > ----- Original Message ----- 
> > From: "Vitaly" <vitaly_il@yahoo.com>
> > To: <netfilter@vger.kernel.org>
> > Sent: Monday, April 07, 2008 11:30 AM
> > Subject: How to drop existing connections
> > 
> > 
> > > I'd like to kill all existing connections to the
> > > specific IP/port. What is the simpliest way to do
> > > this?
> > >
> > > Thanks,
> > > Vitaly
> > >
> > >
> > > 
> > >
> >
> ____________________________________________________________________________________
> > > You rock. That's why Blockbuster's offering you
> > one month of Blockbuster 
> > > Total Access, No Cost.
> > > http://tc.deals.yahoo.com/tc/blockbuster/text5.com
> > > --
> > > To unsubscribe from this list: send the line
> > "unsubscribe netfilter" in
> > > the body of a message to majordomo@vger.kernel.org
> > > More majordomo info at 
> > http://vger.kernel.org/majordomo-info.html 
> > 
> > 
> 
> 
> 
>       ____________________________________________________________________________________
> You rock. That's why Blockbuster's offering you one month of Blockbuster Total Access, No Cost.  
> http://tc.deals.yahoo.com/tc/blockbuster/text5.com
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
-- 
Покотиленко Костик <casper@meteor.dp.ua>

Re: How to drop existing connections

[Jan Engelhardt]

On Monday 2008-04-07 11:28, Покотиленко Костик wrote:
>> > Using iptables?
>> > just add a drop rule having src/dest ip addressess
>> > and ports and protocol on
>> > top of other rules.
>> 
>> Probably I wasn't clear - I want to kill existing,
>> already opened connection. 
>> Now, after reading some articles/threads, it seems
>> that only utils like tcpkill, cutter can do this...
>
>You can use conntrack utility to remove conntrack entry,

This only removes the conntrack entry of course, and
does not induce a TCP reset.

>if you also
>drop INVALID packets with iptables this will let you kill connection.

When more packets come in, the 'connection' will go NEW, not INVALID.

Re: How to drop existing connections

[Jan Engelhardt]

On Monday 2008-04-07 12:08, Покотиленко Костик wrote:

>В Пнд, 07/04/2008 в 11:39 +0200, Jan Engelhardt пишет:
>> >
>> >You can use conntrack utility to remove conntrack entry,
>> 
>> This only removes the conntrack entry of course, and
>> does not induce a TCP reset.
>> 
>> >if you also
>> >drop INVALID packets with iptables this will let you kill connection.
>> 
>> When more packets come in, the 'connection' will go NEW, not INVALID.
>
>Maybe, I remember reading this solution somewhere.

This solution requires that you only accept NEW connections
that have SYN set. Something like

  -m conntrack --ctstate ESTABLISHED -j ACCEPT
  -p tcp --syn -m conntrack --ctstatus NEW -j ACCEPT
  -p udp -m conntrack --ctstatus NEW -j ACCEPT
  -p tcp -j REJECT --reject-with tcp-reset
  -j REJECT

yes, that is indeed a good idea to do a tcpkill on connections
using conntrack :-)

Re: How to drop existing connections

[Покотиленко Костик]

В Пнд, 07/04/2008 в 13:11 +0200, Jan Engelhardt пишет:
> On Monday 2008-04-07 12:08, Покотиленко Костик wrote:
> 
> >В Пнд, 07/04/2008 в 11:39 +0200, Jan Engelhardt пишет:
> >> >
> >> >You can use conntrack utility to remove conntrack entry,
> >> 
> >> This only removes the conntrack entry of course, and
> >> does not induce a TCP reset.
> >> 
> >> >if you also
> >> >drop INVALID packets with iptables this will let you kill connection.
> >> 
> >> When more packets come in, the 'connection' will go NEW, not INVALID.
> >
> >Maybe, I remember reading this solution somewhere.
> 
> This solution requires that you only accept NEW connections
> that have SYN set. Something like
> 
>   -m conntrack --ctstate ESTABLISHED -j ACCEPT
>   -p tcp --syn -m conntrack --ctstatus NEW -j ACCEPT
>   -p udp -m conntrack --ctstatus NEW -j ACCEPT
>   -p tcp -j REJECT --reject-with tcp-reset
>   -j REJECT
> 
> yes, that is indeed a good idea to do a tcpkill on connections
> using conntrack :-)

That is it.

-- 
Покотиленко Костик <casper@meteor.dp.ua>