block + kill connections
rnicholsNOSPAM at comcast.net
Mon Jan 9 03:47:16 CET 2006
> On Sunday 2006-January-08 16:18, I wrote:
>>On Sunday 2006-January-08 16:04, Robert Nichols wrote:
>>>>iptables -I INPUT -s 184.108.40.206 -j DROP
>>>That will prevent communication by blocking any further incoming
>>>packets, but won't do anything to tear down the connection. See
> Yes, you're right, sorry. I read too quickly. You're saying this:
>>... or simply that a blocked connection has not yet
>>timed out of conntrack or netstat listings.
> ... and you're right, the REJECT will tell the other end that the
> connection is terminated. But I doubt that the local side will show
> anything different in conntrack or netstat, unless a corresponding
> REJECT rule was used in OUTPUT.
What typically happens is that as soon as the local side transmits
any packet on the half-closed connection, the far end responds with
its own TCP RESET, and the "--tcp-flags ! FIN,RST NONE" matcher in
my suggested rule allows any packet with a RST or FIN flag to get
Bob Nichols Yes, "NOSPAM" is really part of my email address.
More information about the netfilter