Hello,

Alessandro Vesely wrote:
> On 11/Jan/11 15:41, Jan Engelhardt wrote:
>> On Tuesday 2011-01-11 13:35, Alessandro Vesely wrote:
>>
>>> In particular, if it is possible/convenient to design an RST injector
>>> and how to attach it to iptables?
>>
>> If you use a ruleset that emits RST for NEW connections that are picked
>> up rather than SYN-new,
>>
>> -m conntrack --ctstate NEW -p tcp ! --syn --dport 22 -j REJECT
>> --reject-with tcp-reset
>>
>> .. makes it possible to RST-kill connections using `conntrack -D`.
>
> That's the most elegant method I've seen thus far. Thanks a lot!

However, this sends only one RST to one side of the connection, leaving the
connection half-open until the other side sends a packet and gets a RST too.
IMO it would be more elegant to send RSTs to both sides of the connection.
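The following is an added example, not code posted in this thread, wrapping the technique Jan describes: a REJECT rule that resets any non-SYN packet conntrack classifies as NEW, plus `conntrack -D` to remove an established connection's entry so the client's next packet is reset. It assumes it runs as root on the host that owns the service port (so the connection's original direction is client to this host), that `iptables` and conntrack-tools are installed, and that the `conntrack -L` line layout is the one shown in the `ct_orig_tuple` comment; the sample line in the test is constructed. `DRY_RUN=1` prints the commands instead of running them, and addresses and ports are validated before they reach a command line.

```shell
#!/bin/sh
# Added example (not from the thread): RST-kill a TCP connection by deleting its
# conntrack entry so the next packet from the client hits a
# "NEW but not SYN -> REJECT --reject-with tcp-reset" rule.
# Assumptions: root on the server side, iptables + conntrack-tools installed,
# IPv4 only. DRY_RUN=1 prints commands instead of executing them.
set -u

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Input validation: these values are interpolated into commands.
is_port() {
    case $1 in ''|*[!0-9]*) return 1;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}
is_ipv4() { printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; }

# The rule from Jan's reply, for one service port, as a string so it can be
# checked (-C) before it is inserted (-I).
rst_rule() {
    printf 'INPUT -p tcp ! --syn --dport %s -m conntrack --ctstate NEW -j REJECT --reject-with tcp-reset' "$1"
}

ensure_rst_rule() {  # $1 = service port
    is_port "$1" || return 2
    # shellcheck disable=SC2046
    if [ "${DRY_RUN:-0}" = 1 ] || ! iptables -C $(rst_rule "$1") 2>/dev/null; then
        run iptables -I $(rst_rule "$1")
    fi
}

# Extract "src dst sport dport" of the ORIGINAL direction from one `conntrack -L` line.
# Assumed layout (constructed sample in the test):
#   tcp 6 431999 ESTABLISHED src=A dst=B sport=P dport=Q src=B dst=A sport=Q dport=P [ASSURED] ...
ct_orig_tuple() {
    printf '%s\n' "$1" | sed -En \
        's/^tcp +[0-9]+ +[0-9]+ +[A-Z_]+ +src=([^ ]+) +dst=([^ ]+) +sport=([0-9]+) +dport=([0-9]+) .*/\1 \2 \3 \4/p'
}

# Delete one connection's conntrack entry; the client's next packet then gets a RST.
rst_kill() {  # client_ip client_port server_ip server_port
    is_ipv4 "$1" && is_port "$2" && is_ipv4 "$3" && is_port "$4" || return 2
    ensure_rst_rule "$4" || return 2
    run conntrack -D -p tcp --orig-src "$1" --orig-dst "$3" \
        --orig-port-src "$2" --orig-port-dst "$4"
}

# Kill every tracked connection from one client address to one service port.
rst_kill_client() {  # client_ip server_port
    is_ipv4 "$1" && is_port "$2" || return 2
    conntrack -L -p tcp --orig-src "$1" --orig-port-dst "$2" 2>/dev/null |
    while read -r line; do
        # shellcheck disable=SC2046
        set -- $(ct_orig_tuple "$line")
        [ $# -eq 4 ] && rst_kill "$1" "$3" "$2" "$4"
    done
}
```

As Alessandro notes, this only resets the side whose packet hits the INPUT rule; the local socket learns of the reset only when it next sends something and the already-reset client answers with its own RST. A later addition to iproute2 and the kernel, not available when this thread was written, closes both ends directly for connections terminating on the host: `ss -K` (needs `CONFIG_INET_DIAG_DESTROY`) destroys the matching local socket, which makes the kernel send the RST itself without any firewall rule.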