block + kill connections
Robert Nichols
rnicholsNOSPAM at comcast.net
Mon Jan 9 03:47:16 CET 2006
/dev/rob0 wrote:
> On Sunday 2006-January-08 16:18, I wrote:
>
>> On Sunday 2006-January-08 16:04, Robert Nichols wrote:
>>
>>>> iptables -I INPUT -s 1.2.3.4 -j DROP
>>>
>>> That will prevent communication by blocking any further incoming
>>> packets, but won't do anything to tear down the connection. See
>
> Yes, you're right, sorry. I read too quickly. You're saying this:
>
>> ... or simply that a blocked connection has not yet
>> timed out of conntrack or netstat listings.
>
> ... and you're right, the REJECT will tell the other end that the
> connection is terminated. But I doubt that the local side will show
> anything different in conntrack or netstat, unless a corresponding
> REJECT rule was used in OUTPUT.
What typically happens is that as soon as the local side transmits
any packet on the half-closed connection, the far end responds with
its own TCP RESET, and the "--tcp-flags ! FIN,RST NONE" matcher in
my suggested rule allows any packet with a RST or FIN flag to get
through.
--
Bob Nichols Yes, "NOSPAM" is really part of my email address.
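A small model, added here and not part of the thread, of how the iptables `--tcp-flags` match decides which segments from the blocked host reach the local TCP stack: a plain DROP rule versus an assumed two-rule layout in which the `! FIN,RST NONE` matcher exempts teardown segments before a REJECT. The rule layout, the flag table and the sample packets are constructed assumptions, not the rule Bob posted.

```python
# Constructed model of iptables' "--tcp-flags [!] mask comp" match and of two
# INPUT rule sets for a blocked host. Not netfilter code; rule layout assumed.

FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}

def parse_flags(spec):
    """Turn 'FIN,RST', 'NONE' or 'ALL' into a bitmask, as iptables does."""
    if spec == "NONE":
        return 0
    if spec == "ALL":
        return sum(FLAGS.values())
    return sum(FLAGS[name] for name in spec.split(","))

def tcp_flags_match(pkt_flags, mask, comp, invert=False):
    """Look only at the bits named in mask and require exactly the bits in
    comp to be set; a leading '!' inverts the result."""
    matched = (pkt_flags & parse_flags(mask)) == parse_flags(comp)
    return matched != invert

def evaluate(chain, pkt):
    """Walk an INPUT-style chain top to bottom and return the first verdict;
    the chain policy (assumed ACCEPT here) applies when nothing matches."""
    for rule in chain:
        if rule["src"] != pkt["src"]:
            continue
        tf = rule.get("tcp_flags")
        if tf and not tcp_flags_match(pkt["flags"], *tf):
            continue
        return rule["target"]
    return "ACCEPT"

BLOCKED = "1.2.3.4"
# Plain block, as in the thread: iptables -I INPUT -s 1.2.3.4 -j DROP
DROP_ONLY = [{"src": BLOCKED, "target": "DROP"}]
# Assumed layout: let any FIN/RST segment through ("! FIN,RST NONE"),
# then REJECT everything else from the host.
REJECT_EXCEPT_TEARDOWN = [
    {"src": BLOCKED, "tcp_flags": ("FIN,RST", "NONE", True), "target": "ACCEPT"},
    {"src": BLOCKED, "target": "REJECT"},
]

def verdicts(chain):
    """Verdicts for a data segment and for the far end's RST on the old
    connection (both packets constructed for the example)."""
    data = {"src": BLOCKED, "flags": FLAGS["ACK"] | FLAGS["PSH"]}
    reset = {"src": BLOCKED, "flags": FLAGS["RST"] | FLAGS["ACK"]}
    return evaluate(chain, data), evaluate(chain, reset)
```

With `DROP_ONLY` the far end's RST is dropped along with everything else, so the local socket never learns the connection is gone; with the exemption in place the RST still reaches the stack while data is rejected.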