LinuxQuestions.org, Linux - Security forum (security related questions: tips, system compromises, firewalls, etc.)
06-27-2007, 02:54 PM | #1 | SlowCoder (Senior Member; Registered: Oct 2004; Location: Southeast, U.S.A.; Distribution: Debian based; Posts: 1,250)
How to disconnect established connection in IPTables
I am using an IPTables firewall, configured for packet forwarding to a number of servers inside my network.
Iptstate shows a number of connections from a specific IP, all of which have a TTL of more than 120 hours.
1. How can I disconnect the established connections immediately? I have added a drop rule to my firewall for future connections from that IP, but it doesn't disconnect what's already connected.
2. When connecting to a webserver, is it normal to have a 120 hour TTL? Where would that be configured? On the web server, firewall, or the client?
Last edited by SlowCoder; 06-27-2007 at 03:00 PM.
06-28-2007, 05:52 AM | #2 | TigerOC (Senior Member; Registered: Jan 2003; Location: Devon, UK; Distribution: Debian Etc/kernel 2.6.18-4K7; Posts: 2,380)
Have you tried restarting the firewall? There should be instructions to flush all existing rules and implement the new ones.
06-28-2007, 08:23 AM | #3 | win32sux (LQ Guru; Registered: Jul 2003; Location: Los Angeles; Distribution: Ubuntu; Posts: 9,870)
Quote:
Originally Posted by SlowCoder
1. How can I disconnect the established connections immediately? I have added a drop rule to my firewall for future connections from that IP, but it doesn't disconnect what's already connected.
Inserting the DROP rule at the *top* of the chain, like:
Code:
iptables -I FORWARD -s 123.123.123.123 -j DROP
will filter any packets from the IP, regardless of whether they are of state ESTABLISHED or not. It's normal for the connection to still appear as ESTABLISHED in the state table after you execute a rule such as above - even though no packets from the IP are getting routed. If you don't want to wait for the state table entry to timeout on its own, you can use a tool such as conntrackd to remove it.
Quote:
2. When connecting to a webserver, is it normal to have a 120 hour TTL? Where would that be configured? On the web server, firewall, or the client?
120 hours is normal, AFAICT:
Code:
win32sux@candystore:~# cat /proc/sys/net/netfilter/nf_conntrack_tcp_timeout_established
432000
The value is given in seconds.
Last edited by win32sux; 06-28-2007 at 09:20 AM.
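The procedure from the reply above (block the IP at the top of FORWARD, then evict its state table entries instead of waiting out the timeout), as an added example that is not code from the thread. It reads the table in the /proc/net/nf_conntrack line format (the older /proc/net/ip_conntrack layout is handled too) and emits conntrack(8) deletions from conntrack-tools; the table embedded in sample_table is constructed for illustration, the file name kill_conn.sh and the CONNTRACK_TABLE variable are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread: list the conntrack entries that belong
# to one source IP, pick out the long-lived ones, and emit the commands that block
# the IP and evict its entries. Assumes the /proc/net/nf_conntrack line format
# (and the older /proc/net/ip_conntrack one) and the conntrack(8) tool from
# conntrack-tools. The table below is constructed for illustration.

# Constructed sample of /proc/net/nf_conntrack (not captured from a real box).
sample_table() {
    cat <<'EOF'
ipv4     2 tcp      6 431950 ESTABLISHED src=203.0.113.7 dst=10.0.0.20 sport=51234 dport=80 src=10.0.0.20 dst=203.0.113.7 sport=80 dport=51234 [ASSURED] mark=0 use=1
ipv4     2 tcp      6 431900 ESTABLISHED src=203.0.113.7 dst=10.0.0.21 sport=51235 dport=443 src=10.0.0.21 dst=203.0.113.7 sport=443 dport=51235 [ASSURED] mark=0 use=1
ipv4     2 tcp      6 117 TIME_WAIT src=203.0.113.7 dst=10.0.0.20 sport=51236 dport=80 src=10.0.0.20 dst=203.0.113.7 sport=80 dport=51236 [ASSURED] mark=0 use=1
ipv4     2 tcp      6 431999 ESTABLISHED src=198.51.100.9 dst=10.0.0.20 sport=40000 dport=80 src=10.0.0.20 dst=198.51.100.9 sport=80 dport=40000 [ASSURED] mark=0 use=1
ipv4     2 udp      17 29 src=203.0.113.7 dst=10.0.0.53 sport=5353 dport=53 src=10.0.0.53 dst=203.0.113.7 sport=53 dport=5353 mark=0 use=1
EOF
}

# count_lines: number of lines on stdin (portable, no leading blanks from wc).
count_lines() { awk 'END { print NR }'; }

# entries_from IP: read a conntrack table on stdin and print, for each entry whose
# original-direction source is IP, "proto timeout_seconds state src sport dst dport".
entries_from() {
    awk -v ip="$1" '
    {
        # nf_conntrack: l3proto l3num l4proto l4num timeout [state] src=... ;
        # ip_conntrack:               l4proto l4num timeout [state] src=...
        t = ($1 ~ /^ipv[46]$/) ? 5 : 3
        proto = $(t - 2); timeout = $t
        state = ($(t + 1) ~ /=/) ? "-" : $(t + 1)   # UDP/ICMP entries carry no state
        src = dst = sport = dport = ""
        for (i = t + 1; i <= NF; i++) {             # first src=/dst=/sport=/dport= is the original direction
            n = index($i, "=")
            if (n == 0) continue
            k = substr($i, 1, n - 1); v = substr($i, n + 1)
            if (k == "src" && src == "") src = v
            else if (k == "dst" && dst == "") dst = v
            else if (k == "sport" && sport == "") sport = v
            else if (k == "dport" && dport == "") dport = v
        }
        if (src == ip) print proto, timeout, state, src, sport, dst, dport
    }'
}

# stale_entries_from IP HOURS: only the entries whose remaining timeout exceeds HOURS.
stale_entries_from() {
    entries_from "$1" | awk -v limit="$(( $2 * 3600 ))" '$2 + 0 > limit + 0'
}

# kill_commands_for IP: print the commands to run, in order. The DROP rule goes in
# first so a retransmission cannot recreate an entry after it has been deleted;
# "conntrack -D -s IP" alone would evict everything from IP in one go.
kill_commands_for() {
    echo "iptables -I FORWARD -s $1 -j DROP"
    entries_from "$1" | while read -r proto timeout state src sport dst dport; do
        echo "conntrack -D -p $proto -s $src --sport $sport -d $dst --dport $dport"
    done
}

# Live use (as root): "sh kill_conn.sh 203.0.113.7" prints the commands; pipe to sh to run them.
if [ -n "${1:-}" ]; then
    kill_commands_for "$1" < "${CONNTRACK_TABLE:-/proc/net/nf_conntrack}"
fi
```

Run against the sample, `stale_entries_from 203.0.113.7 100` returns the two ESTABLISHED entries with 120 hours left and skips the TIME_WAIT and UDP ones; `kill_commands_for` prints the DROP rule followed by one `conntrack -D` per entry, which is the order to apply them in.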
06-28-2007, 02:18 PM | #4 | Moderator (Registered: May 2001; Posts: 29,415)
Interesting find that conntrackd! There's also tools like cutter and tcpkill that can help kill TCP sessions.
06-28-2007, 02:38 PM | #5 | Senior Member (Registered: Sep 2005; Location: Out; Posts: 3,307)
Out of curiosity, what would null routing the destination do? Is it taken into account quickly by the kernel?
Something like
Code:
route add -host 123.123.123.123 gw 127.0.0.1
I guess it doesn't work?
06-28-2007, 09:10 PM | #6 | SlowCoder, Original Poster (Senior Member; Registered: Oct 2004; Location: Southeast, U.S.A.; Distribution: Debian based; Posts: 1,250)
Quote:
Originally Posted by TigerOC
Have you tried restarting the firewall? There should be instructions to flush all existing rules and implement the new ones.
Restarting should be a last resort. I do not want to disconnect valid traffic, just the interesting IPs.
From what I'm reading, is it true that iptstate does not necessarily show the true connections at the given moment?
06-29-2007, 12:50 AM | #7 | win32sux (LQ Guru; Registered: Jul 2003; Location: Los Angeles; Distribution: Ubuntu; Posts: 9,870)
Quote:
Originally Posted by SlowCoder
Restarting should be a last resort. I do not want to disconnect valid traffic, just the interesting IPs.
Restarting the firewall (by this I mean "activating a new iptables configuration") won't disconnect the traffic. The state table entries will still be there when the new firewall config activates, and packets will be able to match the RELATED,ESTABLISHED rule just as before the rules were flushed (as long as the entries haven't timed out for you or for your peers).
Quote:
From what I'm reading, is it true that iptstate does not necessarily show the true connections at the given moment?
Well, it does what it is meant to do, that is, it shows you the entries in the state table. Whether packets are actually being transferred to and from the IP is a separate issue. For that you'd use something like iptraf.
Last edited by win32sux; 06-29-2007 at 12:53 AM.
07-02-2007, 08:36 AM | #8 | SlowCoder, Original Poster (Senior Member; Registered: Oct 2004; Location: Southeast, U.S.A.; Distribution: Debian based; Posts: 1,250)
Quote:
Originally Posted by win32sux
Well, it does what it is meant to do, that is, it shows you the entries in the state table. Whether packets are being actually transfered to and from the IP is a separate issue. For that you'd use something like iptraf.
This raises a couple more questions.
1. WHY does the state remain established, even when the client machine has long before disconnected? What is this purpose?
2. WHY for 120 hours?
07-02-2007, 10:23 AM | #9 | win32sux (LQ Guru; Registered: Jul 2003; Location: Los Angeles; Distribution: Ubuntu; Posts: 9,870)
Quote:
Originally Posted by SlowCoder
WHY does the state remain established, even when the client machine has long before disconnected? What is this purpose?
Because technically the client didn't disconnect (no TCP connection termination occurred), you just inserted a rule to filter all packets from him. Imagine you only wanted to filter packets from the client for 30 seconds, so you execute a DROP rule for the client's IP. 30 seconds later you delete the rule. If the ESTABLISHED state wouldn't still be in the state table, then the client would need to start a new connection.
Not sure why the kernel developers chose 5 days as a timeout value for this. My guess is there might be some sort of anti-DoS considerations but I'm not sure. Maybe someone else can shed some light on this. In any case, even though the 5 days timeout is configured in the kernel source, you can easily change the value on your running box by echoing to /proc or (I would assume) using sysctl. Depending on how much traffic you have you might even get a visible decrease in memory usage.
Last edited by win32sux; 07-02-2007 at 10:30 AM.
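Changing the 5-day timeout at runtime and keeping the change across reboots, as an added example that is not code from the thread. It assumes the sysctl key `net.netfilter.nf_conntrack_tcp_timeout_established` (the sysctl name of the /proc path quoted earlier) and a sysctl.d drop-in file; the directory and file arguments, the variable names and the file name 60-conntrack.conf are this example's own, so the functions can be exercised against a scratch copy without root.

```shell
#!/bin/sh
# Added example, not code from the thread: inspect and change the conntrack
# ESTABLISHED timeout, at runtime through /proc and persistently through sysctl.d.
# Assumes the sysctl key net.netfilter.nf_conntrack_tcp_timeout_established; the
# directory/file arguments exist so the functions can run against a scratch copy.

PROC_NETFILTER_DIR="${PROC_NETFILTER_DIR:-/proc/sys/net/netfilter}"
SYSCTL_CONF="${SYSCTL_CONF:-/etc/sysctl.d/60-conntrack.conf}"

# list_tcp_timeouts [dir]: print "name seconds hours" for every TCP conntrack timeout knob.
list_tcp_timeouts() {
    dir="${1:-$PROC_NETFILTER_DIR}"
    for f in "$dir"/nf_conntrack_tcp_timeout_*; do
        [ -r "$f" ] || continue
        secs=$(cat "$f")
        awk -v n="${f##*/}" -v s="$secs" 'BEGIN { printf "%s %d %.1f\n", n, s, s / 3600 }'
    done
}

# established_timeout [dir]: current value in seconds (432000, i.e. 5 days, by default).
established_timeout() {
    cat "${1:-$PROC_NETFILTER_DIR}/nf_conntrack_tcp_timeout_established"
}

# set_established_timeout SECONDS [dir] [conf]: validate, apply at runtime, persist.
# Prints the previous value so the caller can roll back; non-zero exit on bad input.
set_established_timeout() {
    new="$1"; dir="${2:-$PROC_NETFILTER_DIR}"; conf="${3:-$SYSCTL_CONF}"
    case "$new" in
        ''|*[!0-9]*) echo "timeout must be a positive integer number of seconds" >&2; return 1 ;;
    esac
    [ "$new" -gt 0 ] || { echo "timeout must be greater than zero" >&2; return 1; }
    old=$(established_timeout "$dir") || return 1
    # Runtime change; the same thing as
    #   sysctl -w net.netfilter.nf_conntrack_tcp_timeout_established=$new
    printf '%s\n' "$new" > "$dir/nf_conntrack_tcp_timeout_established" || return 1
    # Persist across reboots; "sysctl --system" reads /etc/sysctl.d/*.conf at boot.
    printf 'net.netfilter.nf_conntrack_tcp_timeout_established = %s\n' "$new" > "$conf" || return 1
    echo "$old"
}
```

The caveat to keep in mind when lowering it: an idle but live TCP session is evicted without either peer knowing, and its next packet arrives at the firewall as a connection that did not start with a SYN. Services that hold connections open for hours (SSH, database pools) should have TCP keepalive turned on with an interval shorter than the new timeout.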