On Mon, 07/04/2008 at 13:11 +0200, Jan Engelhardt wrote:
> On Monday 2008-04-07 12:08, Покотиленко Костик wrote:
>
> >On Mon, 07/04/2008 at 11:39 +0200, Jan Engelhardt wrote:
> >> >
> >> >You can use the conntrack utility to remove the conntrack entry,
> >>
> >> This only removes the conntrack entry of course, and
> >> does not induce a TCP reset.
> >>
> >> >if you also
> >> >drop INVALID packets with iptables this will let you kill the connection.
> >>
> >> When more packets come in, the 'connection' will go NEW, not INVALID.
> >
> >Maybe, I remember reading this solution somewhere.
>
> This solution requires that you only accept NEW connections
> that have SYN set. Something like
>
> -m conntrack --ctstate ESTABLISHED -j ACCEPT
> -p tcp --syn -m conntrack --ctstate NEW -j ACCEPT
> -p udp -m conntrack --ctstate NEW -j ACCEPT
> -p tcp -j REJECT --reject-with tcp-reset
> -j REJECT
>
> yes, that is indeed a good idea to do a tcpkill on connections
> using conntrack :-)

That is it.

-- 
Покотиленко Костик <casper@xxxxxxxxxxxx>
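Added example, not from the thread or from either poster: the rule order Jan describes, wrapped in a small POSIX shell script with a dry-run mode so the rules can be reviewed before they touch a live firewall, followed by the conntrack deletion that makes the next mid-stream packet arrive as NEW and be answered with a RST. Assumptions: a Linux host with iptables (conntrack match) and the conntrack-tools CLI, rules applied to the local INPUT chain; the addresses and the `DRY_RUN`, `run`, `killconn_rules`, `apply_rules` and `kill_connection` names are all constructed for this example.

```shell
#!/bin/sh
# Added example (not the mailing-list author's code).
# Assumes Linux with iptables + conntrack-tools; rules go into INPUT.
# DRY_RUN=1 (the default here) prints commands instead of running them.

DRY_RUN="${DRY_RUN:-1}"

# run CMD... : execute the command, or print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# killconn_rules: print the rules in the order they must appear.
# Only a SYN may open a NEW TCP flow.  Any other packet that is not
# ESTABLISHED (e.g. a mid-stream segment whose conntrack entry was
# deleted) is answered with a TCP RST, which is what tears the peer's
# side of the connection down.  Plain DROP would leave it hanging.
killconn_rules() {
    cat <<'EOF'
iptables -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -p udp -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
iptables -A INPUT -j REJECT
EOF
}

# apply_rules: install (or, in dry-run mode, print) the rule set.
apply_rules() {
    killconn_rules | while IFS= read -r line; do
        run $line
    done
}

# kill_connection SRC DST DPORT: delete the conntrack entry for one TCP
# flow (original direction SRC -> DST:DPORT).  With the rules above in
# place the flow's next packet is no longer ESTABLISHED, does not carry
# SYN, and so hits the tcp-reset rule.
kill_connection() {
    src="$1"; dst="$2"; dport="$3"
    run conntrack -D -p tcp -s "$src" -d "$dst" --dport "$dport"
}

# Constructed addresses: tear down an SSH session from 192.0.2.10.
apply_rules
kill_connection 192.0.2.10 192.0.2.1 22
```

One caveat worth checking on a real host: the RST is only sent when the remote side transmits first after the entry is deleted. If the local application sends first, the default `net.netfilter.nf_conntrack_tcp_loose=1` lets conntrack pick the flow up mid-stream from that outgoing packet, and the remote's reply then arrives as ESTABLISHED and is accepted. Setting that sysctl to 0 makes pick-up require a SYN, so the teardown works whichever side talks first.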