On Monday 2008-04-07 12:08, Покотиленко Костик wrote:

>On Mon, 2008-04-07 at 11:39 +0200, Jan Engelhardt wrote:
>> >
>> >You can use the conntrack utility to remove the conntrack entry,
>>
>> This only removes the conntrack entry of course, and
>> does not induce a TCP reset.
>>
>> >if you also
>> >drop INVALID packets with iptables this will let you kill the connection.
>>
>> When more packets come in, the 'connection' will go NEW, not INVALID.
>
>Maybe, I remember reading this solution somewhere.

This solution requires that you only accept NEW connections that have
SYN set. Something like

	# NEW is a --ctstate value; --ctstatus only knows NONE/EXPECTED/SEEN_REPLY/ASSURED/CONFIRMED
	-m conntrack --ctstate ESTABLISHED -j ACCEPT
	-p tcp --syn -m conntrack --ctstate NEW -j ACCEPT
	-p udp -m conntrack --ctstate NEW -j ACCEPT
	-p tcp -j REJECT --reject-with tcp-reset
	-j REJECT

yes, that is indeed a good idea to do a tcpkill on connections using
conntrack :-)
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
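The sketch above, worked into a complete INPUT ruleset in iptables-restore format together with the conntrack(8) invocation that deletes one flow's entry. This is an added example written for this page, not code from the thread or from the netfilter project; the loopback rule, the DROP chain policies and the address/port values are constructed assumptions, and the `apply` argument is a hypothetical convenience. The point it shows is rule ordering: the SYN-only NEW rule must sit before the tcp-reset rule, otherwise legitimate connection attempts are reset as well, and once a flow's conntrack entry is gone its next segment (no SYN) matches neither ESTABLISHED nor the SYN-only NEW rule and falls through to the RST.

```shell
#!/bin/sh
# Added example (not from the original thread). Emits a filter-table ruleset
# implementing "only SYN may open a NEW TCP connection, everything else that
# is not ESTABLISHED/RELATED gets a reset", plus the conntrack -D command
# that removes one flow's entry so the firewall's own RST rule finishes it.

# Emit the ruleset in iptables-restore format.
# Assumptions (not on the page): loopback accept, DROP policy on INPUT/FORWARD.
gen_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --syn -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p udp -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT
COMMIT
EOF
}

# Build the conntrack(8) command that deletes the entry for one TCP flow,
# identified by its original-direction 4-tuple. After deletion the flow's
# next non-SYN segment is no longer ESTABLISHED and is not an acceptable
# NEW, so it hits the tcp-reset rule and both ends tear the socket down.
kill_flow_cmd() {
    src=$1; sport=$2; dst=$3; dport=$4
    printf 'conntrack -D -p tcp --orig-src %s --orig-port-src %s --orig-dst %s --orig-port-dst %s\n' \
        "$src" "$sport" "$dst" "$dport"
}

# Ordering check on the generated ruleset: the SYN-only NEW rule has to
# precede the TCP reject rule. Returns 0 when the order is right.
rules_ordered() {
    gen_rules | awk '/--syn/ {syn=NR} /tcp-reset/ {rst=NR} END {exit !(syn && rst && syn < rst)}'
}

# Hypothetical convenience: ./kill-flow.sh apply loads the ruleset.
if [ "${1:-}" = "apply" ]; then
    gen_rules | iptables-restore
fi
```

Whether the orphaned segments show up as NEW (as Jan says) or as INVALID depends on the `nf_conntrack_tcp_loose` sysctl: with the default of 1 conntrack picks flows up mid-stream and classifies the packet NEW, with 0 it is INVALID. The ruleset above rejects either way, since both fall through to the final two rules.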