How to disconnect established connection in IPTables
Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
How to disconnect established connection in IPTables
I am using an IPTables firewall, configured for packet forwarding to a number of servers inside my network.
Iptstate shows a number of connections from a specific IP, all of which have a TTL of more than 120 hours.
1. How can I disconnect the established connections immediately? I have added a drop rule to my firewall for future connections from that IP, but it doesn't disconnect what's already connected.
2. When connecting to a webserver, is it normal to have a 120 hour TTL? Where would that be configured? On the web server, firewall, or the client?
1. How can I disconnect the established connections immediately? I have added a drop rule to my firewall for future connections from that IP, but it doesn't disconnect what's already connected.
Inserting the DROP rule at the *top* of the chain, like:
Code:
iptables -I FORWARD -s 123.123.123.123 -j DROP
will filter any packets from the IP, regardless of whether they are of state ESTABLISHED or not. It's normal for the connection to still appear as ESTABLISHED in the state table after you execute a rule such as above - even though no packets from the IP are getting routed. If you don't want to wait for the state table entry to timeout on it's own, you can use a tool such as conntrackd to remove it.
Quote:
2. When connecting to a webserver, is it normal to have a 120 hour TTL? Where would that be configured? On the web server, firewall, or the client?
Restarting should be a last resort. I do not want to disconnect valid traffic, just the interesting IPs.
Restarting the firewall (by this I mean "activating a new iptables configuration") won't disconnect the traffic. The state table entries will still be there when the new firewall config activates, and packets will be able to match the RELATED,ESTABLISHED rule just as before the rules were flushed (as long as the entries haven't timed-out for you or for your peers).
Quote:
From what I'm reading, is it true that iptstate does not necessarily show the true connections at the given moment?
Well, it does what it is meant to do, that is, it shows you the entries in the state table. Whether packets are being actually transfered to and from the IP is a separate issue. For that you'd use something like iptraf.
Well, it does what it is meant to do, that is, it shows you the entries in the state table. Whether packets are being actually transfered to and from the IP is a separate issue. For that you'd use something like iptraf.
This raises a couple more questions.
1. WHY does the state remain established, even when the client machine has long before disconnected? What is this purpose?
2. WHY for 120 hours?
WHY does the state remain established, even when the client machine has long before disconnected? What is this purpose?
Because technically the client didn't disconnect (no TCP connection termination occured), you just inserted a rule to filter all packets from him. Imagine you only wanted to filter packets from the client for 30 seconds, so you execute a DROP rule for the client's IP. 30 seconds later you delete the rule. If the ESTABLISHED state wouldn't still be in the state table, then the client would need to start a new connection.
Quote:
WHY for 120 hours?
Not sure why the kernel developers chose 5 days as a timeout value for this. My guess is there might be some sort of anti-DoS considerations but I'm not sure. Maybe someone else can shed some light on this. In any case, even though the 5 days timeout is configured in the kernel source, you can easily change the value on your running box by echoing to /proc or (I would assume) using sysctl. Depending on how much traffic you have you might even get a visible decrease in memory usage.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.