LinuxQuestions.org
Old 06-27-2007, 02:54 PM   #1
SlowCoder
Senior Member
 
Registered: Oct 2004
Location: Southeast, U.S.A.
Distribution: Debian based
Posts: 1,250

How to disconnect established connection in IPTables


I am using an IPTables firewall, configured for packet forwarding to a number of servers inside my network.

Iptstate shows a number of connections from a specific IP, all of which have a TTL of more than 120 hours.

1. How can I disconnect the established connections immediately? I have added a drop rule to my firewall for future connections from that IP, but it doesn't disconnect what's already connected.
2. When connecting to a webserver, is it normal to have a 120 hour TTL? Where would that be configured? On the web server, firewall, or the client?

Last edited by SlowCoder; 06-27-2007 at 03:00 PM.
 
Old 06-28-2007, 05:52 AM   #2
TigerOC
Senior Member
 
Registered: Jan 2003
Location: Devon, UK
Distribution: Debian Etc/kernel 2.6.18-4K7
Posts: 2,380

Have you tried restarting the firewall? There should be instructions to flush all existing rules and implement the new ones.
 
Old 06-28-2007, 08:23 AM   #3
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Quote:
Originally Posted by SlowCoder
1. How can I disconnect the established connections immediately? I have added a drop rule to my firewall for future connections from that IP, but it doesn't disconnect what's already connected.
Inserting the DROP rule at the *top* of the chain, like:
Code:
iptables -I FORWARD -s 123.123.123.123 -j DROP
will filter any packets from the IP, regardless of whether they are of state ESTABLISHED or not. It's normal for the connection to still appear as ESTABLISHED in the state table after you execute a rule such as above - even though no packets from the IP are getting routed. If you don't want to wait for the state table entry to time out on its own, you can use a tool such as conntrackd to remove it.

Quote:
2. When connecting to a webserver, is it normal to have a 120 hour TTL? Where would that be configured? On the web server, firewall, or the client?
120 hours is normal, AFAICT:
Code:
win32sux@candystore:~# cat /proc/sys/net/netfilter/nf_conntrack_tcp_timeout_established 
432000
The value is given in seconds.

Last edited by win32sux; 06-28-2007 at 09:20 AM.
 
Old 06-28-2007, 02:18 PM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Interesting find that conntrackd! There are also tools like cutter and tcpkill that can help kill TCP sessions.
 
Old 06-28-2007, 02:38 PM   #5
nx5000
Senior Member
 
Registered: Sep 2005
Location: Out
Posts: 3,307

Out of curiosity, what would null routing the destination do? Is it taken into account quickly by the kernel?

Something like

Code:
route add -host 123.123.123.123 gw 127.0.0.1
I guess it doesn't work?
 
Old 06-28-2007, 09:10 PM   #6
SlowCoder
Senior Member
 
Registered: Oct 2004
Location: Southeast, U.S.A.
Distribution: Debian based
Posts: 1,250

Original Poster
Quote:
Originally Posted by TigerOC
Have you tried restarting the firewall? There should be instructions to flush all existing rules and implement the new ones.
Restarting should be a last resort. I do not want to disconnect valid traffic, just the interesting IPs.

From what I'm reading, is it true that iptstate does not necessarily show the true connections at the given moment?
 
Old 06-29-2007, 12:50 AM   #7
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Quote:
Originally Posted by SlowCoder
Restarting should be a last resort. I do not want to disconnect valid traffic, just the interesting IPs.
Restarting the firewall (by this I mean "activating a new iptables configuration") won't disconnect the traffic. The state table entries will still be there when the new firewall config activates, and packets will be able to match the RELATED,ESTABLISHED rule just as before the rules were flushed (as long as the entries haven't timed out for you or for your peers).

Quote:
From what I'm reading, is it true that iptstate does not necessarily show the true connections at the given moment?
Well, it does what it is meant to do, that is, it shows you the entries in the state table. Whether packets are actually being transferred to and from the IP is a separate issue. For that you'd use something like iptraf.

Last edited by win32sux; 06-29-2007 at 12:53 AM.
 
Old 07-02-2007, 08:36 AM   #8
SlowCoder
Senior Member
 
Registered: Oct 2004
Location: Southeast, U.S.A.
Distribution: Debian based
Posts: 1,250

Original Poster
Quote:
Originally Posted by win32sux
Well, it does what it is meant to do, that is, it shows you the entries in the state table. Whether packets are actually being transferred to and from the IP is a separate issue. For that you'd use something like iptraf.
This raises a couple more questions.

1. WHY does the state remain established, even when the client machine has long before disconnected? What is this purpose?
2. WHY for 120 hours?
 
Old 07-02-2007, 10:23 AM   #9
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Quote:
Originally Posted by SlowCoder
WHY does the state remain established, even when the client machine has long before disconnected? What is this purpose?
Because technically the client didn't disconnect (no TCP connection termination occurred), you just inserted a rule to filter all packets from him. Imagine you only wanted to filter packets from the client for 30 seconds, so you execute a DROP rule for the client's IP. 30 seconds later you delete the rule. If the ESTABLISHED state wouldn't still be in the state table, then the client would need to start a new connection.

Quote:
WHY for 120 hours?
Not sure why the kernel developers chose 5 days as a timeout value for this. My guess is there might be some sort of anti-DoS considerations but I'm not sure. Maybe someone else can shed some light on this. In any case, even though the 5-day timeout is configured in the kernel source, you can easily change the value on your running box by echoing to /proc or (I would assume) using sysctl. Depending on how much traffic you have you might even get a visible decrease in memory usage.

Last edited by win32sux; 07-02-2007 at 10:30 AM.
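The state table that iptstate reads, the per-entry removal win32sux mentions in #3, and the timeout tuning from #9, as an added example that is not part of the thread: it parses constructed /proc/net/nf_conntrack lines, picks out the long-lived entries from one source address, and builds the conntrack-tools `conntrack -D` and sysctl lines an admin would review before running. The sample lines and addresses (123.123.123.123 from the DROP rule above, 203.0.113.1 as the firewall's public IP) are constructed; the conntrack CLI is assumed to be the one shipped in conntrack-tools.

```python
import re

# Constructed sample of /proc/net/nf_conntrack output (not from the thread);
# 123.123.123.123 is win32sux's placeholder, 203.0.113.1 the firewall's public IP.
SAMPLE_CONNTRACK = """\
ipv4     2 tcp      6 431950 ESTABLISHED src=123.123.123.123 dst=203.0.113.1 sport=51234 dport=80 src=192.168.1.10 dst=123.123.123.123 sport=80 dport=51234 [ASSURED] mark=0 use=2
ipv4     2 tcp      6 431800 ESTABLISHED src=123.123.123.123 dst=203.0.113.1 sport=51235 dport=443 src=192.168.1.11 dst=123.123.123.123 sport=443 dport=51235 [ASSURED] mark=0 use=2
ipv4     2 tcp      6 117 TIME_WAIT src=198.51.100.7 dst=203.0.113.1 sport=40000 dport=80 src=192.168.1.10 dst=198.51.100.7 sport=80 dport=40000 [ASSURED] mark=0 use=2
ipv4     2 udp      17 29 src=198.51.100.9 dst=203.0.113.1 sport=5353 dport=53 src=192.168.1.1 dst=198.51.100.9 sport=53 dport=5353 mark=0 use=2
"""

KV = re.compile(r"(\w+)=(\S+)")

def parse_conntrack(text):
    """Parse ipv4 tcp/udp lines: column 3 is the protocol, column 5 the seconds
    left before the entry expires, and tcp lines carry the TCP state after it."""
    entries = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 6 or cols[0] != "ipv4" or cols[2] not in ("tcp", "udp"):
            continue
        # First four key=value pairs are the original direction (the reply
        # direction follows and is not needed here).
        orig = dict(KV.findall(line)[:4])
        entries.append({"proto": cols[2], "ttl": int(cols[4]),
                        "state": cols[5] if cols[2] == "tcp" else None,
                        "src": orig["src"], "dst": orig["dst"],
                        "sport": int(orig["sport"]), "dport": int(orig["dport"])})
    return entries

def entries_from(entries, ip, min_ttl=0):
    """Entries originated by `ip` with at least `min_ttl` seconds left: what
    iptstate keeps listing after a DROP rule, since the rule stops the packets
    but the state entry survives until it times out."""
    return [e for e in entries if e["src"] == ip and e["ttl"] >= min_ttl]

def hours_left(ttl_seconds):
    """Conntrack timeout in hours; the 432000 s default is 120 h."""
    return ttl_seconds / 3600

def conntrack_delete_cmds(entries):
    """conntrack(8) commands (conntrack-tools) that delete only the selected
    entries, leaving other clients' state untouched."""
    return [f"conntrack -D -p {e['proto']} -s {e['src']} -d {e['dst']} "
            f"--sport {e['sport']} --dport {e['dport']}" for e in entries]

def established_timeout_sysctl(hours):
    """sysctl line to lower the ESTABLISHED timeout win32sux read from /proc."""
    return f"net.netfilter.nf_conntrack_tcp_timeout_established = {int(hours * 3600)}"
```

On a real box, feed it `open("/proc/net/nf_conntrack").read()` instead of the sample; the deletion commands need root and only affect the state table, so the DROP rule still has to be in place first.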
 