RE: Netfilter connection management

Well I'm certainly no smarter than Jeff, but I will offer you an answer based on what I would do if I were to attempt what you are trying to do. First of all, and someone will surely correct me if I'm wrong here, I do not believe IPTables offers any built-in means to manipulate the connection tables from user space. However, there is a very nice free tool (perl script) out there called Conntrack Viewer (get it here http://cv.intellos.net/) which reads and formats netfilter connection tables. You could simply write an additional perl script which continually calls, refreshes, and parses the output of Conntrack Viewer, looking for the desired connection states. When one is found, because perl can do so well what perl does, cutter could then be called to deal with this connection. I know this isn't exactly what you are looking for, but it should get the job done.


From: netfilter-admin@xxxxxxxxxxxxxxxxxxx [mailto:netfilter-admin@xxxxxxxxxxxxxxxxxxx] On Behalf Of mpdykeman@xxxxxxxxxx
Sent: Monday, November 24, 2003 10:26 AM
To: netfilter@xxxxxxxxxxxxxxxxxxx
Subject: Netfilter connection management

Hello,

I posted a more verbose message and did not get any replies earlier. So please forgive me if I am appearing a bit clueless.

Is there any way using Iptables or some other command-line tool to manage the Netfilter connection hash tables? More specifically, I would like to be able to remove ASSURED connections as a component of a method to cut off existing connections that are suspected of virus activity. I really don't want to use a tool like cutter to send RSTs... It just seems that it would be much cleaner to directly manipulate the hash.

Also, I have been noticing some occasional problems with ASSURED entries possibly disappearing from the Netfilter connection hash (causing a rule which checks for packets without SYN and not ESTABLISHED to start dropping packets, which kills legitimate connections), and I'm trying to find a way to log or somehow determine what caused the entry to be removed... I'm not sure logging RSTs or FINs will locate all reasons for a table entry drop.

Any assistance or helpful direction someone could provide me would be appreciated.

Thanx.

-- Markley Dykeman
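The polling approach suggested in the reply (read the connection table, parse it, flag the entries of interest) together with the question about ASSURED entries vanishing, as an added Python example that is not from either poster: it parses /proc/net/ip_conntrack text (the 2.4-era line format is assumed), lists ASSURED TCP flows whose destination port is on an operator-chosen watch list, and diffs two polls to report which ASSURED entries disappeared in between. The snapshots, addresses and watch-list ports are constructed.

```python
import re

# Constructed /proc/net/ip_conntrack snapshots (2.4-era line format assumed);
# addresses are documentation ranges, not real hosts.
SNAPSHOT_T0 = """\
tcp      6 431999 ESTABLISHED src=192.0.2.10 dst=198.51.100.5 sport=34567 dport=80 src=198.51.100.5 dst=192.0.2.10 sport=80 dport=34567 [ASSURED] use=1
tcp      6 117 SYN_SENT src=192.0.2.11 dst=198.51.100.9 sport=40000 dport=445 [UNREPLIED] src=198.51.100.9 dst=192.0.2.11 sport=445 dport=40000 use=1
tcp      6 431999 ESTABLISHED src=192.0.2.12 dst=198.51.100.7 sport=51000 dport=135 src=198.51.100.7 dst=192.0.2.12 sport=135 dport=51000 [ASSURED] use=1
udp      17 29 src=192.0.2.10 dst=198.51.100.53 sport=5353 dport=53 src=198.51.100.53 dst=192.0.2.10 sport=53 dport=5353 [ASSURED] use=1
"""
# One poll later: the port-135 flow is gone although it was ASSURED.
SNAPSHOT_T1 = """\
tcp      6 431999 ESTABLISHED src=192.0.2.10 dst=198.51.100.5 sport=34567 dport=80 src=198.51.100.5 dst=192.0.2.10 sport=80 dport=34567 [ASSURED] use=1
udp      17 29 src=192.0.2.10 dst=198.51.100.53 sport=5353 dport=53 src=198.51.100.53 dst=192.0.2.10 sport=53 dport=5353 [ASSURED] use=1
"""

# Operator-chosen watch list of destination ports (constructed example values).
WATCH_PORTS = frozenset({135, 445})


def parse_conntrack(text):
    """Map (proto, src, dst, sport, dport) of the original direction -> entry details."""
    entries = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        proto, timeout = fields[0], int(fields[2])
        state = fields[3] if proto == "tcp" else "-"   # only TCP carries a state word
        # The first src=/dst=/sport=/dport= group is the original direction; the
        # second group is the reply direction and is not part of the key.
        orig = dict(re.findall(r"(src|dst|sport|dport)=(\S+)", line)[:4])
        key = (proto, orig["src"], orig["dst"], int(orig["sport"]), int(orig["dport"]))
        entries[key] = {"state": state, "timeout": timeout,
                        "assured": "[ASSURED]" in fields}
    return entries


def assured_on_watchlist(entries, ports=WATCH_PORTS):
    """ASSURED TCP flows whose original destination port is on the watch list."""
    return sorted(k for k, v in entries.items()
                  if v["assured"] and k[0] == "tcp" and k[4] in ports)


def vanished_assured(before, after):
    """ASSURED flows present in the earlier poll but absent from the later one."""
    return sorted(k for k, v in before.items() if v["assured"] and k not in after)
```

Running the two functions on consecutive polls gives the operator a list of flows to review and a record of which ASSURED entries the kernel dropped between polls, which is the information the thread asks about.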
