Drop established connections

Security Firewall Rules
1

I’m looking for a solution on how to drop an established connection.

EstablishedConnection
EstablishedConnection925×180 8.47 KB

The screen shot show’s that is furthermore possible to use the (example) telnet session, if the firewall rule has been defined afterwards.

So, currently I see a fire (established connection) but I cannot extinguish (drop/kill) it.

A tool like tcpkill would help. Or the possibility to tell a firewall rule to prevent the traffic of an established connection as well.

2

Hi Topozero,
and welcome here :slightly_smiling_face: .

tcpkill is part of the dsniff package which have had seen the last work on it at 2010 and FTBFS on IPFire too. Debian have a patchset of 30 + patches for dsniff which makes it even harder to give it a try to build.

Two possible solutions for your question with on board tools.

  1. Via lsof with port definition and the kill command. Example for port 80 can looks like this

kill -9 $( lsof -i:80 -t )

  1. The ss command provides also an --kill option (-K) which attempts to forcible close sockets. Which should also work since it needs and enabled ‘CONFIG_INET_DIAG_DESTROY’ in the kernel → git.ipfire.org Git - ipfire-2.x.git/search .

Example:

ss -K dst 192.168.1.214 dport = 49029

Some ideas from here.

Best,

Erik

3

You can use conntrack to remove the existing connection from the connection tracking.

4

Unfortunately neither ss nor lsof nor netstat shows me the connections I can see in the GUI (iptables connection tracking) …

ss -s -t just shows me the established connections to the device itself ssh (:222) and https (:444).

5

That is indeed the solution!

conntrack -D -d 1.2.3.4 dropped the connection :slight_smile:

Thank you very much!

1 Like