FW: block + kill connections
Michael D. Berger
m.d.berger at ieee.org
Sun Jan 8 22:58:35 UTC 2006
My apology. Inadvertently sent to the individual rather than the list.
Some list managers think that this is good. I do not.
Mike.
--
Michael D. Berger
m.d.berger at ieee.org
> -----Original Message-----
> From: Michael D. Berger [mailto:m.d.berger at ieee.org]
> Sent: Sunday, January 08, 2006 5:47 PM
> To: '/dev/rob0'
> Subject: RE: block + kill connections
>
>
> [...]
> > On Sunday 2006-January-08 16:04, Robert Nichols wrote:
> > > > iptables -I INPUT -s 1.2.3.4 -j DROP
> >
> > > That will prevent communication by blocking any further incoming
> > > packets, but won't do anything to tear down the connection. See
> >
> > Actually it would drop anything with a source address of 1.2.3.4 which
> > happens to hit the filter INPUT chain, regardless of protocol or state.
> > Perhaps the issue is as I suggested, the packets are hitting FORWARD,
> > or simply that a blocked connection has not yet timed out of conntrack
> > or netstat listings.
> > --
> > mail to this address is discarded unless "/dev/rob0"
> > or "not-spam" is in Subject: header
> >
> >
>
> I have the same problem. I DROP in the INPUT chain, but the connection
> stays up and receives more junk.
>
> There is no confusion with the FORWARD chain. I have
> :FORWARD DROP [0:0],
> and that is it. I do not forward anything.
>
> I like the suggestion in a previous post:
>
> iptables -I INPUT -s 1.2.3.4 -p tcp --tcp-flags ! FIN,RST NONE -j REJECT --reject-with tcp-reset
>
> however, I DROP from a libipq daemon, and REJECT does not appear to be an
> option. I could accomplish it if I could set the MARK from the daemon, but
> this is not possible in the version I have, although it is possible in later
> versions.
>
> I await admonition by those more knowledgeable than I.
>
> Mike.
> --
> Michael D. Berger
> m.d.berger at ieee.org
>
>
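An added example for the point discussed above (block the peer, reset its live TCP sessions, then check what conntrack still remembers). This is not code from any post in the thread. It assumes a Linux host with iptables/netfilter and a conntrack listing in the /proc/net/ip_conntrack text format; the rules are printed rather than executed so it can be read and tested without root, and the sample conntrack listing is constructed, not captured. The quoted `--tcp-flags ! FIN,RST NONE` test is left out of the printed REJECT rule; put it back if you want the rule to stay silent on the peer's own FIN/RST segments.

```shell
#!/bin/sh
# Added example for the redhat-list thread above; not from the original
# posts. Assumes iptables/netfilter on Linux and the /proc/net/ip_conntrack
# text format. Nothing here runs iptables; the rules are only printed.

# Emit the two rules for cutting off peer $1. Because -I inserts at the
# top of the chain, the DROP is emitted first and the REJECT second: once
# both are applied the REJECT sits above the DROP, answers the peer's TCP
# segments with a RST, and the DROP underneath silently eats everything
# else. With the DROP on top, the REJECT would never see a packet, which
# is exactly the "blocked but never torn down" behaviour from the thread.
block_rules() {
  peer="$1"
  printf '%s\n' \
    "iptables -I INPUT -s $peer -j DROP" \
    "iptables -I INPUT -s $peer -p tcp -j REJECT --reject-with tcp-reset"
}

# Print the conntrack entries that involve peer $1, reading a listing on
# stdin, e.g.:  conntrack_for 1.2.3.4 < /proc/net/ip_conntrack
# The trailing space in the pattern keeps 1.2.3.4 from matching 1.2.3.40.
# Entries that remain after blocking are expected: they sit there until
# the conntrack timeout expires, which is one reason a blocked peer still
# "looks connected".
conntrack_for() {
  peer="$1"
  grep -F -e "src=$peer " -e "dst=$peer " || true
}

# Number of such entries; 0 once conntrack has forgotten the peer.
conntrack_count() {
  conntrack_for "$1" | grep -c . || true
}

# Constructed sample listing (not captured from a real host): one
# established session from 1.2.3.4, one outbound half-open HTTP
# connection, and one DNS exchange.
SAMPLE_CONNTRACK='tcp      6 431999 ESTABLISHED src=1.2.3.4 dst=10.0.0.5 sport=40123 dport=22 src=10.0.0.5 dst=1.2.3.4 sport=22 dport=40123 [ASSURED] use=1
tcp      6 118 SYN_SENT src=10.0.0.5 dst=192.0.2.9 sport=51002 dport=80 [UNREPLIED] src=192.0.2.9 dst=10.0.0.5 sport=80 dport=51002 use=1
udp      17 29 src=10.0.0.5 dst=10.0.0.1 sport=53012 dport=53 src=10.0.0.1 dst=10.0.0.5 sport=53 dport=53012 use=1'

# Demo: show the rules to apply, then what conntrack holds for the peer.
block_rules 1.2.3.4
printf '%s\n' "$SAMPLE_CONNTRACK" | conntrack_for 1.2.3.4
```

Note that the RST produced by `--reject-with tcp-reset` in INPUT goes to the remote peer, not to the local application: expect the local socket to linger in `netstat -tn` until its own retransmissions give up, and expect the conntrack entry to linger until its timeout. Check the packet counters with `iptables -L INPUT -v -n` to confirm the rules are actually being hit before blaming either listing.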
More information about the redhat-list mailing list