My apology. Inadvertently sent to the individual rather than the list. Some list managers think that this is good. I do not.

Mike.

--
Michael D. Berger
m.d.berger@xxxxxxxx

> -----Original Message-----
> From: Michael D. Berger [mailto:m.d.berger@xxxxxxxx]
> Sent: Sunday, January 08, 2006 5:47 PM
> To: '/dev/rob0'
> Subject: RE: block + kill connections
>
> > [...]
> > On Sunday 2006-January-08 16:04, Robert Nichols wrote:
> > > > iptables -I INPUT -s 1.2.3.4 -j DROP
> > > >
> > > That will prevent communication by blocking any further incoming
> > > packets, but won't do anything to tear down the connection. See
> >
> > Actually it would drop anything with a source address of 1.2.3.4 which
> > happens to hit the filter INPUT chain, regardless of protocol or state.
> > Perhaps the issue is as I suggested, the packets are hitting FORWARD,
> > or simply that a blocked connection has not yet timed out of conntrack
> > or netstat listings.
> > --
> > mail to this address is discarded unless "/dev/rob0"
> > or "not-spam" is in Subject: header
>
> I have the same problem. I DROP in the INPUT chain, but the connection
> stays up and receives more junk.
>
> There is no confusion with the FORWARD chain. I have :FORWARD DROP [0:0],
> and that is it. I do not forward anything.
>
> I like the suggestion in a previous post:
>
> iptables -I INPUT -s 1.2.3.4 -p tcp --tcp-flags ! FIN,RST NONE -j REJECT --reject-with tcp-reset
>
> however, I DROP from a libipq daemon, and REJECT does not appear to be an
> option. I could accomplish it if I could set the MARK from the daemon, but
> this is not possible in the version I have, although it is possible in later
> versions.
>
> I await admonition by those more knowledgeable than I.
>
> Mike.
> --
> Michael D. Berger
> m.d.berger@xxxxxxxx
>

--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list
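The thread's point is that a DROP rule in INPUT stops future packets but leaves the already-established conversation (and its conntrack entry) in place until it times out. The script below is an added example, not code from the thread or from any of its posters: it combines the REJECT-with-tcp-reset rule suggested above with a DROP for everything else, and additionally clears the peer's conntrack entries with the `conntrack` command from conntrack-tools (an assumption: that tool, root and iptables are available; the thread does not mention it). `DRY_RUN=1` prints the commands instead of running them.

```shell
#!/bin/sh
# Added example (not from the thread). Block a source address and tear down
# what it already has open, instead of relying on a bare DROP.
# Assumptions: root, iptables and conntrack-tools installed.

run() {
    # Execute the command, or only print it when DRY_RUN=1.
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# block_and_reset A.B.C.D
#  1. DROP everything from the address in INPUT (goes in first, so the
#     REJECT inserted afterwards ends up ahead of it as rule 1).
#  2. Answer the peer's open TCP segments with RST so its stack tears the
#     connection down. "--tcp-flags FIN,RST NONE" skips the peer's own
#     FIN/RST segments, so we never reply to a reset with a reset.
#  3. Delete the address's conntrack entries so the conversation does not
#     linger as ESTABLISHED until the table timeout expires.
block_and_reset() {
    addr="$1"
    case "$addr" in
        ''|*[!0-9.]*) echo "usage: block_and_reset A.B.C.D" >&2; return 2 ;;
    esac
    run iptables -I INPUT -s "$addr" -j DROP
    run iptables -I INPUT -s "$addr" -p tcp --tcp-flags FIN,RST NONE \
        -j REJECT --reject-with tcp-reset
    run conntrack -D -s "$addr"
}
```

Run as `DRY_RUN=1 ./block.sh` first to review the exact rules before applying them for real.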