On 11/Jan/11 15:41, Jan Engelhardt wrote:
> On Tuesday 2011-01-11 13:35, Alessandro Vesely wrote:
>
>> Hi all,
>> this is clearly an overworked topic. However, I haven't been able to
>> find definitive info about it. Please help providing more insight.
>> In particular, if it is possible/convenient to design an RST injector
>> and how to attach it to iptables?
>
> If you use a ruleset that emits RST for NEW connections that are picked
> up rather than SYN-new,
>
> -m conntrack --ctstate NEW -p tcp ! --syn --dport 22 -j REJECT
> --reject-with tcp-reset
>
> .. makes it possible to RST-kill connections using `conntrack -D`.

That's the most elegant method I've seen thus far. Thanks a lot!

A generic rule like that (i.e. without --dport) is mentioned in the tutorial
http://www.iptables.info/en/iptables-problems.html#NEWNOTSYN
but I never realized it can be used this way. (I CC this there.)

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
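As an added example that is not part of the thread, a small POSIX sh wrapper around the two steps described above: install the REJECT-with-tcp-reset rule for NEW-but-not-SYN packets once, then delete a flow's conntrack entry so its next packet is classified NEW and hits that rule. It assumes iptables and conntrack-tools on the host, the rule placed in INPUT for a local listening port, and only prints the commands unless DRY_RUN=0 (then it needs root); the addresses in the demo are constructed.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread.
# DRY_RUN=1 (default) prints each command instead of executing it.
DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"            # real execution: iptables/conntrack need root
    fi
}

# One-time rule for local port $1. A non-SYN packet that would create a
# *new* conntrack entry belongs to a flow the state table does not know
# about (or no longer knows about), so answer it with a TCP RST instead of
# silently dropping it. Scoped to one port as in the thread.
install_rst_rule() {
    port=$1
    run iptables -I INPUT -p tcp --dport "$port" ! --syn \
        -m conntrack --ctstate NEW -j REJECT --reject-with tcp-reset
}

# Undo the rule above (same match, -D instead of -I).
remove_rst_rule() {
    port=$1
    run iptables -D INPUT -p tcp --dport "$port" ! --syn \
        -m conntrack --ctstate NEW -j REJECT --reject-with tcp-reset
}

# Kill one established flow: remove its conntrack entry. The next packet
# from the peer is then NEW without SYN and gets RST'd by the rule.
# $1 = peer address, $2 = peer source port, $3 = local port.
kill_connection() {
    src=$1 sport=$2 port=$3
    run conntrack -D -p tcp --orig-src "$src" \
        --orig-port-src "$sport" --orig-port-dst "$port"
}

# Demo with constructed values (TEST-NET address 192.0.2.10).
install_rst_rule 22
kill_connection 192.0.2.10 40022 22
```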