How to drop existing connections

Linux Netfilter discussions
 help / color / mirror / Atom feed

* How to drop existing connections
@ 2008-04-07  8:30 Vitaly
  2008-04-07  8:55 ` Karim Asif
  0 siblings, 1 reply; 7+ messages in thread
From: Vitaly @ 2008-04-07  8:30 UTC (permalink / raw)
  To: netfilter

I'd like to kill all existing connections to the
specific IP/port. What is the simpliest way to do
this?

Thanks,
Vitaly


      ____________________________________________________________________________________
You rock. That's why Blockbuster's offering you one month of Blockbuster Total Access, No Cost.  
http://tc.deals.yahoo.com/tc/blockbuster/text5.com

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: How to drop existing connections
  2008-04-07  8:30 How to drop existing connections Vitaly
@ 2008-04-07  8:55 ` Karim Asif
  2008-04-07  9:05   ` Vitaly
  0 siblings, 1 reply; 7+ messages in thread
From: Karim Asif @ 2008-04-07  8:55 UTC (permalink / raw)
  To: Vitaly, netfilter

Using iptables?
just add a drop rule having src/dest ip addressess and ports and protocol on
top of other rules.

----- Original Message ----- 
From: "Vitaly" <vitaly_il@yahoo.com>
To: <netfilter@vger.kernel.org>
Sent: Monday, April 07, 2008 11:30 AM
Subject: How to drop existing connections


> I'd like to kill all existing connections to the
> specific IP/port. What is the simpliest way to do
> this?
>
> Thanks,
> Vitaly
>
>
> 
> ____________________________________________________________________________________
> You rock. That's why Blockbuster's offering you one month of Blockbuster 
> Total Access, No Cost.
> http://tc.deals.yahoo.com/tc/blockbuster/text5.com
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html 


^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: How to drop existing connections
  2008-04-07  8:55 ` Karim Asif
@ 2008-04-07  9:05   ` Vitaly
  2008-04-07  9:28     ` Покотиленко Костик
  0 siblings, 1 reply; 7+ messages in thread
From: Vitaly @ 2008-04-07  9:05 UTC (permalink / raw)
  To: netfilter


--- Karim Asif <karimas@kfupm.edu.sa> wrote:

> Using iptables?
> just add a drop rule having src/dest ip addressess
> and ports and protocol on
> top of other rules.

Probably I wasn't clear - I want to kill existing,
already opened connection. 
Now, after reading some articles/threads, it seems
that only utils like tcpkill, cutter can do this...

> 
> ----- Original Message ----- 
> From: "Vitaly" <vitaly_il@yahoo.com>
> To: <netfilter@vger.kernel.org>
> Sent: Monday, April 07, 2008 11:30 AM
> Subject: How to drop existing connections
> 
> 
> > I'd like to kill all existing connections to the
> > specific IP/port. What is the simpliest way to do
> > this?
> >
> > Thanks,
> > Vitaly
> >
> >
> > 
> >
>
____________________________________________________________________________________
> > You rock. That's why Blockbuster's offering you
> one month of Blockbuster 
> > Total Access, No Cost.
> > http://tc.deals.yahoo.com/tc/blockbuster/text5.com
> > --
> > To unsubscribe from this list: send the line
> "unsubscribe netfilter" in
> > the body of a message to majordomo@vger.kernel.org
> > More majordomo info at 
> http://vger.kernel.org/majordomo-info.html 
> 
> 



      ____________________________________________________________________________________
You rock. That's why Blockbuster's offering you one month of Blockbuster Total Access, No Cost.  
http://tc.deals.yahoo.com/tc/blockbuster/text5.com

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: How to drop existing connections
  2008-04-07  9:05   ` Vitaly
@ 2008-04-07  9:28     ` Покотиленко Костик
  2008-04-07  9:39       ` Jan Engelhardt
  0 siblings, 1 reply; 7+ messages in thread
From: Покотиленко Костик @ 2008-04-07  9:28 UTC (permalink / raw)
  To: Vitaly; +Cc: netfilter

В Пнд, 07/04/2008 в 02:05 -0700, Vitaly пишет:
> --- Karim Asif <karimas@kfupm.edu.sa> wrote:
> 
> > Using iptables?
> > just add a drop rule having src/dest ip addressess
> > and ports and protocol on
> > top of other rules.
> 
> Probably I wasn't clear - I want to kill existing,
> already opened connection. 
> Now, after reading some articles/threads, it seems
> that only utils like tcpkill, cutter can do this...

You can use conntrack utility to remove conntrack entry, if you also
drop INVALID packets with iptables this will let you kill connection.

> > 
> > ----- Original Message ----- 
> > From: "Vitaly" <vitaly_il@yahoo.com>
> > To: <netfilter@vger.kernel.org>
> > Sent: Monday, April 07, 2008 11:30 AM
> > Subject: How to drop existing connections
> > 
> > 
> > > I'd like to kill all existing connections to the
> > > specific IP/port. What is the simpliest way to do
> > > this?
> > >
> > > Thanks,
> > > Vitaly
> > >
> > >
> > > 
> > >
> >
> ____________________________________________________________________________________
> > > You rock. That's why Blockbuster's offering you
> > one month of Blockbuster 
> > > Total Access, No Cost.
> > > http://tc.deals.yahoo.com/tc/blockbuster/text5.com
> > > --
> > > To unsubscribe from this list: send the line
> > "unsubscribe netfilter" in
> > > the body of a message to majordomo@vger.kernel.org
> > > More majordomo info at 
> > http://vger.kernel.org/majordomo-info.html 
> > 
> > 
> 
> 
> 
>       ____________________________________________________________________________________
> You rock. That's why Blockbuster's offering you one month of Blockbuster Total Access, No Cost.  
> http://tc.deals.yahoo.com/tc/blockbuster/text5.com
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
-- 
Покотиленко Костик <casper@meteor.dp.ua>


^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: How to drop existing connections
  2008-04-07  9:28     ` Покотиленко Костик
@ 2008-04-07  9:39       ` Jan Engelhardt
       [not found]         ` <1207562913.5879.32.camel@casper.meteor.dp.ua>
  0 siblings, 1 reply; 7+ messages in thread
From: Jan Engelhardt @ 2008-04-07  9:39 UTC (permalink / raw)
  To: Покотиленко Костик
  Cc: Vitaly, netfilter


On Monday 2008-04-07 11:28, Покотиленко Костик wrote:
>> > Using iptables?
>> > just add a drop rule having src/dest ip addressess
>> > and ports and protocol on
>> > top of other rules.
>> 
>> Probably I wasn't clear - I want to kill existing,
>> already opened connection. 
>> Now, after reading some articles/threads, it seems
>> that only utils like tcpkill, cutter can do this...
>
>You can use conntrack utility to remove conntrack entry,

This only removes the conntrack entry of course, and
does not induce a TCP reset.

>if you also
>drop INVALID packets with iptables this will let you kill connection.

When more packets come in, the 'connection' will go NEW, not INVALID.

^ permalink raw reply	[flat|nested] 7+ messages in thread

[parent not found: <1207562913.5879.32.camel@casper.meteor.dp.ua>]

* Re: How to drop existing connections
       [not found]         ` <1207562913.5879.32.camel@casper.meteor.dp.ua>
@ 2008-04-07 11:11           ` Jan Engelhardt
  2008-04-07 11:59             ` Покотиленко Костик
  0 siblings, 1 reply; 7+ messages in thread
From: Jan Engelhardt @ 2008-04-07 11:11 UTC (permalink / raw)
  To: Покотиленко Костик
  Cc: netfilter, Vitaly, Karim Asif

On Monday 2008-04-07 12:08, Покотиленко Костик wrote:

>В Пнд, 07/04/2008 в 11:39 +0200, Jan Engelhardt пишет:
>> >
>> >You can use conntrack utility to remove conntrack entry,
>> 
>> This only removes the conntrack entry of course, and
>> does not induce a TCP reset.
>> 
>> >if you also
>> >drop INVALID packets with iptables this will let you kill connection.
>> 
>> When more packets come in, the 'connection' will go NEW, not INVALID.
>
>Maybe, I remember reading this solution somewhere.

This solution requires that you only accept NEW connections
that have SYN set. Something like

  -m conntrack --ctstate ESTABLISHED -j ACCEPT
  -p tcp --syn -m conntrack --ctstatus NEW -j ACCEPT
  -p udp -m conntrack --ctstatus NEW -j ACCEPT
  -p tcp -j REJECT --reject-with tcp-reset
  -j REJECT

yes, that is indeed a good idea to do a tcpkill on connections
using conntrack :-)

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: How to drop existing connections
  2008-04-07 11:11           ` Jan Engelhardt
@ 2008-04-07 11:59             ` Покотиленко Костик
  0 siblings, 0 replies; 7+ messages in thread
From: Покотиленко Костик @ 2008-04-07 11:59 UTC (permalink / raw)
  To: Jan Engelhardt, netfilter

В Пнд, 07/04/2008 в 13:11 +0200, Jan Engelhardt пишет:
> On Monday 2008-04-07 12:08, Покотиленко Костик wrote:
> 
> >В Пнд, 07/04/2008 в 11:39 +0200, Jan Engelhardt пишет:
> >> >
> >> >You can use conntrack utility to remove conntrack entry,
> >> 
> >> This only removes the conntrack entry of course, and
> >> does not induce a TCP reset.
> >> 
> >> >if you also
> >> >drop INVALID packets with iptables this will let you kill connection.
> >> 
> >> When more packets come in, the 'connection' will go NEW, not INVALID.
> >
> >Maybe, I remember reading this solution somewhere.
> 
> This solution requires that you only accept NEW connections
> that have SYN set. Something like
> 
>   -m conntrack --ctstate ESTABLISHED -j ACCEPT
>   -p tcp --syn -m conntrack --ctstatus NEW -j ACCEPT
>   -p udp -m conntrack --ctstatus NEW -j ACCEPT
>   -p tcp -j REJECT --reject-with tcp-reset
>   -j REJECT
> 
> yes, that is indeed a good idea to do a tcpkill on connections
> using conntrack :-)

That is it.

-- 
Покотиленко Костик <casper@meteor.dp.ua>


^ permalink raw reply	[flat|nested] 7+ messages in thread

end of thread, other threads:[~2008-04-07 11:59 UTC | newest]

Thread overview: 7+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2008-04-07  8:30 How to drop existing connections Vitaly
2008-04-07  8:55 ` Karim Asif
2008-04-07  9:05   ` Vitaly
2008-04-07  9:28     ` Покотиленко Костик
2008-04-07  9:39       ` Jan Engelhardt
     [not found]         ` <1207562913.5879.32.camel@casper.meteor.dp.ua>
2008-04-07 11:11           ` Jan Engelhardt
2008-04-07 11:59             ` Покотиленко Костик

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox