LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 01-09-2008, 11:45 PM   #1
jeff_k
Member
 
Registered: Jan 2008
Location: San Diego, CA USA
Distribution: Debian / Ubuntu
Posts: 51

break established/related internet NAT connection?


Hi, I have a specific problem, but it has brought up a more general question. I have a Debian box that I use as a router/NAT firewall for my LAN among other things. I use firestarter as the firewall package. I have written a script so that when I tell my son "it's time to get off of Runescape" (he's a junkie), I can push a button on a remote and a script runs on the firewall box. It includes that LAN PC in the "deny outbound connections from host" section, and restarts firestarter, which ends up adding an iptables rule that excludes future connections from the box. However, the Runescape internet connection, because it is already an established / related connection, does not get bumped off; only new connections are prevented. Is there a simple way to break existing connections from that box? I don't want to kill existing connections from any other LAN host.
Thanks...
 
Old 01-10-2008, 01:36 AM   #2
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Welcome to LQ!!!

You could have your script insert a FORWARD rule sending all his packets to REJECT. Like:
Code:
iptables -I FORWARD -s 192.168.1.101 -j REJECT
They will all go to REJECT regardless of whether they are in an ESTABLISHED or RELATED state.

Alternatively, you could have your script issue a cutter command. Like:
Code:
cutter 192.168.1.101

Last edited by win32sux; 01-10-2008 at 01:40 AM.
 
Old 01-10-2008, 11:40 AM   #3
jeff_k
Member
 
Registered: Jan 2008
Location: San Diego, CA USA
Distribution: Debian / Ubuntu
Posts: 51

Original Poster

Thanks
I think I like "cutter" better. I'll study the docs to get familiar with it. If you think it would be good to clarify for the sake of the thread:

- the FORWARD rule must be inserted in front of any --state ESTABLISHED,RELATED rule in the table, correct?

- cutter will allow this existing connection to be broken without changing how iptables deals with future connections, correct?

Thanks again for your help.
 
Old 01-10-2008, 12:20 PM   #4
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Quote:
Originally Posted by jeff_k View Post
- the FORWARD rule must be inserted in front of any --state ESTABLISHED,RELATED rule in the table, correct?
Correct. By using a "-I" it automatically becomes the first rule in the chain.

Quote:
- cutter will allow this existing connection to be broken without changing how iptables deals with future connections, correct?
Correct. So you would be doing this additionally to whatever you are doing now to stop new connections from being opened. Cutter would only knock out any ongoing connections - iptables would prevent any new ones from getting started.
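Putting the two points above together (the REJECT rule must sit in front of the ESTABLISHED,RELATED rule, and it should be removable again once the block is lifted), here is an added example script that is not from the thread or from any of the posters. It assumes the Debian box is the NAT router with iptables on PATH; DRY_RUN, block_host, unblock_host and reject_precedes_state_rule are names chosen for this example.

```shell
#!/bin/sh
# Added example: cut off one LAN host's forwarded traffic, existing sessions
# included, and check that the rule is ordered ahead of the state-match rule.
# Assumes this machine is the router; set DRY_RUN=1 to print commands instead.

IPT="${IPT:-iptables}"

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$IPT $*"; else "$IPT" "$@"; fi
}

# "-I FORWARD 1" places the rule first, so it is evaluated before any
# "-m state --state ESTABLISHED,RELATED -j ACCEPT" rule. REJECT (rather than
# DROP) sends the host an ICMP error, so its open sessions fail at once
# instead of hanging until they time out.
block_host() {
    run -I FORWARD 1 -s "$1" -j REJECT
}

# -D removes the first rule matching the given spec; run once per inserted rule.
unblock_host() {
    run -D FORWARD -s "$1" -j REJECT
}

# Reads "iptables -S FORWARD" output on stdin and returns 0 only if a
# "-s <host> -j REJECT" rule appears before every ESTABLISHED,RELATED rule.
# Field-by-field comparison avoids matching 192.168.1.10 against 192.168.1.101.
reject_precedes_state_rule() {
    awk -v h="$1" '
        {
            is_reject = 0; from_host = 0
            for (i = 1; i < NF; i++) {
                if ($i == "-s" && ($(i+1) == h || $(i+1) == h "/32")) from_host = 1
                if ($i == "-j" && $(i+1) == "REJECT") is_reject = 1
            }
            if (is_reject && from_host) seen = 1
            if ($0 ~ /ESTABLISHED,RELATED/ && !seen) bad = 1
        }
        END { exit bad ? 1 : 0 }'
}

# Usage: script.sh block|unblock|check <lan-host-ip>
case "${1:-}" in
    block)   block_host "$2" ;;
    unblock) unblock_host "$2" ;;
    check)   "$IPT" -S FORWARD | reject_precedes_state_rule "$2" ;;
esac
```

The check function only inspects rule order; it does not replace looking at the counters with "iptables -L FORWARD -v -n" to confirm the REJECT rule is actually matching the host's packets.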