Now the wrong list. Damn!
Mike
--
Michael D. Berger
m.d.berger@xxxxxxxx

> -----Original Message-----
> From: Michael D. Berger [mailto:m.d.berger@xxxxxxxx]
> Sent: Sunday, January 08, 2006 5:59 PM
> To: Redhat-List
> Subject: FW: block + kill connections
>
>
> My apology. Inadvertently sent to the individual rather than
> the list.
> Some list managers think that this is good. I do not.
> Mike.
> --
> Michael D. Berger
> m.d.berger@xxxxxxxx
>
> > -----Original Message-----
> > From: Michael D. Berger [mailto:m.d.berger@xxxxxxxx]
> > Sent: Sunday, January 08, 2006 5:47 PM
> > To: '/dev/rob0'
> > Subject: RE: block + kill connections
> >
> >
> > [...]
> > > On Sunday 2006-January-08 16:04, Robert Nichols wrote:
> > > > > iptables -I INPUT -s 1.2.3.4 -j DROP
> > > >
> > > > That will prevent communication by blocking any further incoming
> > > > packets, but won't do anything to tear down the connection. See
> > >
> > > Actually it would drop anything with a source address of 1.2.3.4 which
> > > happens to hit the filter INPUT chain, regardless of protocol or state.
> > > Perhaps the issue is as I suggested, the packets are hitting FORWARD,
> > > or simply that a blocked connection has not yet timed out of conntrack
> > > or netstat listings.
> > > --
> > > mail to this address is discarded unless "/dev/rob0"
> > > or "not-spam" is in Subject: header
> >
> > I have the same problem. I DROP in the INPUT chain, but the connection
> > stays up and receives more junk.
> >
> > There is no confusion with the FORWARD chain. I have
> > :FORWARD DROP [0:0],
> > and that is it. I do not forward anything.
> >
> > I like the suggestion in a previous post:
> >
> > iptables -I INPUT -s 1.2.3.4 -p tcp --tcp-flags ! FIN,RST NONE -j REJECT --reject-with tcp-reset
> >
> > however, I DROP from a libipq daemon, and REJECT does not appear to be an
> > option. I could accomplish it if I could set the MARK from the daemon, but
> > this is not possible in the version I have, although it is possible in later
> > versions.
> >
> > I await admonition by those more knowledgeable than I.
> >
> > Mike.
> > --
> > Michael D. Berger
> > m.d.berger@xxxxxxxx
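The point raised in the thread (a plain DROP leaves an established TCP session and its conntrack entry in place, while a REJECT with tcp-reset actively tears it down) as an added shell example; this is not code from any of the posters. The function name, the DRY_RUN switch and the use of the `conntrack` command from conntrack-tools are assumptions of this example; the real commands need root.

```shell
#!/bin/sh
# Added example: block an address AND actively tear down its existing TCP
# sessions, rather than leaving them lingering after a plain DROP.
# Set DRY_RUN=1 to print the commands instead of executing them (no root needed).
set -eu

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

block_and_reset() {
    addr="$1"
    # 1. Silently drop everything from the address. Inserted at position 1 so
    #    that an earlier "--state ESTABLISHED -j ACCEPT" rule cannot keep
    #    letting packets of the already-open connection through.
    run iptables -I INPUT 1 -s "$addr" -j DROP
    # 2. Answer further TCP segments with a RST so the peer's stack closes the
    #    socket. Inserted at position 1 as well, so it now sits above the DROP.
    run iptables -I INPUT 1 -s "$addr" -p tcp -j REJECT --reject-with tcp-reset
    # 3. Purge the address's conntrack entries so the flow stops showing as
    #    ESTABLISHED instead of waiting for the conntrack timeout to expire.
    #    ('conntrack' comes from conntrack-tools; assumed to be installed.)
    run conntrack -D -s "$addr"
}

# Usage: DRY_RUN=1 ./block_and_reset.sh 1.2.3.4   (or without DRY_RUN as root)
if [ "${1:-}" != "" ]; then
    block_and_reset "$1"
fi
```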