- Drop ALL the TCP connections (ESTABLISHED,RELATED) in Ubuntu
- How to DROP connection in IPTABLES? [SOLVED]
- Different methods to DROP connection in IPTABLES
- Method-1: Drop traffic connections on Localhost
- Method-2: Drop connections on specific Port
- Method-3: Drop Packets By Source Host
- Method-4: DROP All Incoming or Outgoing Traffic
- Summary
- A working method for terminating a specific active connection from the Linux command line (drop/kill/cut/close ESTABLISHED connection)
Drop ALL the TCP connections (ESTABLISHED,RELATED) in Ubuntu
I’m facing a few hosts sending a flood of requests to my webserver (NGINX). I’m trying to block them via iptables, with ipset and a good old DROP rule. The rule is effective against NEW connections, but as soon as the kiddies can come in and set up an ESTABLISHED or RELATED connection, my DROP rule fails because my firewall also has an iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT rule. The relevant section of my firewall config is:
# iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
DROP       all  --  0.0.0.0/0            0.0.0.0/0            match-set Blacklist src
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 80,443
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
# ipset list Blacklist | grep
The question is: how can I KILL ALL the TCP connections, even the ESTABLISHED or RELATED ones? Things I’ve tried:
- Stop-wait-30-secs-start the webserver (service nginx stop && sleep 30 && service nginx start): it was worth a shot, but since the connection is already ESTABLISHED, it persists.
- conntrack --flush and conntrack -F: no effect.
- tcpkill: as long as I keep the process running it kinda works. But as soon as I close the process, the connections come back. I can’t really explain it.
- conntrack -D --orig-src : the connection got deleted, but then appears back immediately.
To check the connection I use:
netstat -putan | grep ''
tcp        0      0 :443    :60763    ESTABLISHED 2372191/nginx: work
tcp        0      0 :443    :60807    ESTABLISHED 2372191/nginx: work
tcp        0      0 :443    :60545    ESTABLISHED 2372190/nginx: work
tcp        0      0 :443    :59785    TIME_WAIT   -
tcp        0      0 :443    :59730    TIME_WAIT   -
tcp        0      0 :443    :59841    TIME_WAIT   -
tcp        0      0 :443    :60578    ESTABLISHED 2372191/nginx: work
tcp        0      0 :443    :60941    ESTABLISHED 2372191/nginx: work
tcp        0      0 :443    :59390    TIME_WAIT   -
tcp        0      0 :443    :59849    TIME_WAIT   -
tcp        0      0 :443    :60744    ESTABLISHED 2372191/nginx: work
tcp        0      0 :443    :59766    TIME_WAIT   -
tcp        0      0 :443    :59819    TIME_WAIT   -
tcp        0      0 :443    :60679    ESTABLISHED 2372191/nginx: work
tcp        0      0 :443    :59603    TIME_WAIT   -
tcp        0      0 :443    :60134    ESTABLISHED 2372191/nginx: work
tcp        0      0 :443    :60907    ESTABLISHED 2372191/nginx: work
tcp        0      0 :443    :59732    TIME_WAIT   -
tcp        0      0 :443    :60128    ESTABLISHED 2372191/nginx: work
tcp        0      0 :443    :60437    ESTABLISHED 2372191/nginx: work
tcp        0      0 :443    :59623    TIME_WAIT   -
tcp        0      0 :443    :59356    TIME_WAIT   -
tcp        0      0 :443    :60502    ESTABLISHED 2372191/nginx: work
tcp        0      0 :443    :59414    TIME_WAIT   -
tcp        0      0 :443    :60592    ESTABLISHED 2372191/nginx: work
tcp        0      0 :443    :59370    TIME_WAIT   -
tcp        0      0 :443    :60861    ESTABLISHED 2372191/nginx: work
tcp        0      0 :443    :59783    TIME_WAIT   -
tcp        0      0 :443    :59858    TIME_WAIT   -
tcp        0      0 :443    :59769    TIME_WAIT   -
tcp        0      0 :443    :60817    ESTABLISHED 2372191/nginx: work
tcp        0      0 :443    :59393    TIME_WAIT   -
tcp        0      0 :443    :60479    ESTABLISHED 2372191/nginx: work
tcp        0      0 :443    :60450    ESTABLISHED 2372191/nginx: work
tcp        0      0 :443    :59401    TIME_WAIT   -
tcp        0      0 :443    :60838    ESTABLISHED 2372191/nginx: work
tcp        0      0 :443    :60123    ESTABLISHED 2372191/nginx: work
tcp        0      0 :443    :60854    ESTABLISHED 2372191/nginx: work
tcp        0      0 :443    :59445    TIME_WAIT   -
tcp        0      0 :443    :59419    TIME_WAIT   -
tcp        0      0 :443    :60111    ESTABLISHED 2372191/nginx: work
tcp        0      0 :443    :60934    ESTABLISHED 2372191/nginx: work
tcp        0      0 :443    :60510    ESTABLISHED 2372191/nginx: work
tcp        0      0 :443    :60832    ESTABLISHED 2372191/nginx: work
tcp        0      0 :443    :60922    ESTABLISHED 2372191/nginx: work
tcp        0      0 :443    :60447    ESTABLISHED 2372191/nginx: work
tcp        0      0 :443    :60171    ESTABLISHED 2372191/nginx: work
tcp        0      0 :443    :60536    ESTABLISHED 2372191/nginx: work
tcp        0      0 :443    :59344    TIME_WAIT   -
tcp        0      0 :443    :59394    TIME_WAIT   -
tcp        0      0 :443    :59369    TIME_WAIT   -
tcp        0      0 :443    :60601    ESTABLISHED 2372191/nginx: work
tcp        0      0 :443    :59754    TIME_WAIT   -
tcp        0   5534 :443    :60954    ESTABLISHED 2372191/nginx: work
tcp        0      0 :443    :60895    ESTABLISHED 2372191/nginx: work
tcp        0      0 :443    :60236    ESTABLISHED 2372191/nginx: work
tcp        0      0 :443    :60099    ESTABLISHED 2372191/nginx: work
tcp        0      0 :443    :59460    TIME_WAIT   -
tcp        0      0 :443    :60570    ESTABLISHED 2372191/nginx: work
tcp        0      0 :443    :60555    ESTABLISHED 2372191/nginx: work
# conntrack -L --orig-src
tcp      6 431977 ESTABLISHED src= dst= sport=62907 dport=443 src= dst= sport=443 dport=62907 [ASSURED] mark=0 use=1
tcp      6 431989 ESTABLISHED src= dst= sport=63062 dport=443 src= dst= sport=443 dport=63062 [ASSURED] mark=0 use=1
tcp      6 431976 ESTABLISHED src= dst= sport=62882 dport=443 src= dst= sport=443 dport=62882 [ASSURED] mark=0 use=1
tcp      6 299 ESTABLISHED src= dst= sport=63215 dport=443 src= dst= sport=443 dport=63215 [ASSURED] mark=0 use=1
tcp      6 431975 ESTABLISHED src= dst= sport=62869 dport=443 src= dst= sport=443 dport=62869 [ASSURED] mark=0 use=1
tcp      6 271 ESTABLISHED src= dst= sport=62800 dport=443 [UNREPLIED] src= dst= sport=443 dport=62800 mark=0 use=1
tcp      6 299 ESTABLISHED src= dst= sport=63211 dport=443 src= dst= sport=443 dport=63211 [ASSURED] mark=0 use=1
tcp      6 431977 ESTABLISHED src= dst= sport=62902 dport=443 src= dst= sport=443 dport=62902 [ASSURED] mark=0 use=1
tcp      6 431987 ESTABLISHED src= dst= sport=63038 dport=443 src= dst= sport=443 dport=63038 [ASSURED] mark=0 use=1
tcp      6 431999 ESTABLISHED src= dst= sport=63195 dport=443 src= dst= sport=443 dport=63195 [ASSURED] mark=0 use=1
tcp      6 431976 ESTABLISHED src= dst= sport=62887 dport=443 src= dst= sport=443 dport=62887 [ASSURED] mark=0 use=1
tcp      6 431988 ESTABLISHED src= dst= sport=63050 dport=443 src= dst= sport=443 dport=63050 [ASSURED] mark=0 use=1
tcp      6 431999 ESTABLISHED src= dst= sport=63201 dport=443 src= dst= sport=443 dport=63201 [ASSURED] mark=0 use=1
tcp      6 431998 ESTABLISHED src= dst= sport=63181 dport=443 src= dst= sport=443 dport=63181 [ASSURED] mark=0 use=1
conntrack v1.4.5 (conntrack-tools): 14 flow entries have been shown
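The behaviour in the question comes down to rule order: the INPUT chain accepts anything in state ESTABLISHED,RELATED before the ipset DROP is ever consulted, so a blacklisted host's already-open connections keep being accepted no matter how often the conntrack entries are deleted. The model below is an added example, not code from the post or from iptables itself. It imitates the first-match walk iptables makes down a chain, builds the four rules shown in the listing above, and compares the posted order against the same chain with the blacklist DROP moved to position 1 (the effect of deleting that rule and re-adding it with `iptables -I INPUT 1 -m set --match-set Blacklist src -j DROP`). The addresses, the set contents and the packet/rule representation are constructed assumptions of the model.

```python
"""Toy first-match evaluator for an iptables INPUT chain (added example).

Constructed to show why the ESTABLISHED,RELATED ACCEPT rule shadows the
blacklist DROP in the chain posted above, and why moving the DROP to the
top fixes it. Packet fields, rule matchers and addresses are assumptions
of this model, not iptables internals.
"""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Packet:
    src: str          # source IP address
    dport: int        # TCP destination port
    ctstate: str      # what -m conntrack --ctstate would see: NEW, ESTABLISHED, RELATED
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    target: str                        # ACCEPT or DROP
    match: Callable[[Packet], bool]    # the rule's match criteria
    desc: str                          # text as iptables -L would print it


def ctstate(*states: str) -> Callable[[Packet], bool]:
    """-m conntrack --ctstate <states>"""
    return lambda p: p.ctstate in states


def match_set(members: FrozenSet[str]) -> Callable[[Packet], bool]:
    """-m set --match-set <name> src, with the set contents given inline."""
    return lambda p: p.src in members


def multiport_dports(*ports: int) -> Callable[[Packet], bool]:
    """-p tcp -m multiport --dports <ports>"""
    return lambda p: p.proto == "tcp" and p.dport in ports


def any_packet(_: Packet) -> bool:
    """A rule with no match criteria, like the final unconditional DROP."""
    return True


def evaluate(chain: List[Rule], pkt: Packet, policy: str = "ACCEPT") -> Tuple[str, str]:
    """Walk the chain top to bottom; the first matching rule decides the verdict."""
    for rule in chain:
        if rule.match(pkt):
            return rule.target, rule.desc
    return policy, "chain policy"


def posted_chain(blacklist: FrozenSet[str]) -> List[Rule]:
    """The INPUT chain exactly as listed in the question."""
    return [
        Rule("ACCEPT", ctstate("RELATED", "ESTABLISHED"), "ctstate RELATED,ESTABLISHED"),
        Rule("DROP", match_set(blacklist), "match-set Blacklist src"),
        Rule("ACCEPT", multiport_dports(80, 443), "multiport dports 80,443"),
        Rule("DROP", any_packet, "final DROP"),
    ]


def reordered_chain(blacklist: FrozenSet[str]) -> List[Rule]:
    """Same rules, blacklist DROP moved above the conntrack ACCEPT."""
    chain = posted_chain(blacklist)
    chain.insert(0, chain.pop(1))
    return chain


# Constructed set contents and sample packets (RFC 5737 documentation addresses).
BLACKLIST: FrozenSet[str] = frozenset({"203.0.113.7"})

SAMPLES: Dict[str, Packet] = {
    "blacklisted NEW": Packet("203.0.113.7", 443, "NEW"),
    "blacklisted ESTABLISHED": Packet("203.0.113.7", 443, "ESTABLISHED"),
    "normal ESTABLISHED": Packet("198.51.100.9", 443, "ESTABLISHED"),
    "normal NEW to 22": Packet("198.51.100.9", 22, "NEW"),
}


def verdicts(chain_builder: Callable[[FrozenSet[str]], List[Rule]]) -> Dict[str, str]:
    """Verdict for each sample packet under the given chain layout."""
    chain = chain_builder(BLACKLIST)
    return {name: evaluate(chain, pkt)[0] for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for label, builder in (("posted order", posted_chain), ("blacklist first", reordered_chain)):
        print(label)
        for name, verdict in verdicts(builder).items():
            print(f"  {name:24s} -> {verdict}")
```

With the DROP above the conntrack ACCEPT, packet state no longer matters: every packet from a set member is dropped, the existing conntrack entries (their 431977-second timers are the default 5-day TCP ESTABLISHED timeout) simply stop being refreshed, and the sessions starve without any further conntrack -D runs. The model treats every packet individually, which is what iptables does too; a stateful ACCEPT placed first is a blanket pass for any flow that was ever allowed to start.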
How to DROP connection in IPTABLES? [SOLVED]
iptables is a GPL-licensed utility for configuring the IP packet filter rules of the Linux kernel firewall. Filters are organized in tables, each containing chains of rules that decide how network packets are handled.
Each rule specifies what to do with a packet (ACCEPT, REJECT, etc.) when the packet matches the rule's criteria. A matching packet is handed to the rule's TARGET. When adding a rule you can set the target to one of the following:
- ACCEPT: The packet is allowed through.
- REJECT: The packet is refused and an error response is sent back to the sender.
- DROP: The packet is silently discarded.
- RETURN: Processing of the current chain stops and continues in the calling chain (for a built-in chain, the chain policy applies).
- QUEUE: The packet is passed to a userspace program.
Different methods to DROP connection in IPTABLES
Packets arriving at your system sometimes need to be dropped, often for security reasons. In this article we show how to DROP packets with iptables.
iptables needs elevated privileges: run it as root or through sudo (a wheel/sudo group member), otherwise the commands fail.
Method-1: Drop traffic connections on Localhost
Traffic from your machine to itself always arrives on the lo (loopback) input interface, whatever the source or destination IP address. A rule that matches every interface except lo therefore leaves local traffic alone and drops the port for everything else:
sudo iptables -I INPUT ! -i lo -p tcp --dport <port> -j DROP
Write the port you want to drop in place of <port>. For example, to drop input connections to port 80:
foc@ubuntu22:~$ sudo iptables -I INPUT ! -i lo -p tcp --dport 80 -j DROP
To drop output connections to port 80 (the OUTPUT chain matches on the outgoing interface, so -o replaces -i here):
foc@ubuntu22:~$ sudo iptables -I OUTPUT ! -o lo -p tcp --dport 80 -j DROP
The added rule is displayed with the -L parameter:
foc@ubuntu22:~$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       tcp  --  anywhere             anywhere             tcp dpt:http
Method-2: Drop connections on specific Port
In the step above we added a drop rule keyed on the loopback interface. To add a drop rule for a specific port and source address, it is written as follows:
sudo iptables -I INPUT -p tcp --dport <port> -s 127.0.0.1 -j DROP
For example, to drop connections from 192.168.122.3 source ip address to port 443:
foc@ubuntu22:~$ sudo iptables -I INPUT -p tcp --dport 443 -s 192.168.122.3 -j DROP
The added rule looks like this:
foc@ubuntu22:~$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       tcp  --  192.168.122.3        anywhere             tcp dpt:https
Method-3: Drop Packets By Source Host
To drop connections from a specific source without specifying any ports:
sudo iptables -A INPUT -s 192.168.42.1 -j DROP
The added rule looks like this:
foc@ubuntu22:~$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  192.168.42.1         anywhere
If you want to drop incoming packets from a whole IP range, use the iprange match module: select it with -m iprange and give the range with --src-range:
sudo iptables -A INPUT -m iprange --src-range 192.168.42.100-192.168.42.200 -j DROP
Let’s look at the rule with the -L parameter:
foc@ubuntu22:~$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere             source IP range 192.168.42.100-192.168.42.200
Method-4: DROP All Incoming or Outgoing Traffic
Sometimes it is necessary to cut off all incoming connections for a specific reason:
sudo iptables -A INPUT -j DROP
After this command all your connections, including SSH, will be cut off. Make sure you have console access to the server before running it!
To drop all output connections:
sudo iptables -A OUTPUT -j DROP
Summary
The firewall of an operating system is important: every incoming and outgoing connection passes through it. Take care when adding or deleting a rule. We recommend testing rules on a test system before adding them to production.
For more detailed information about iptables, consult the manual page (man iptables).
A working method for terminating a specific active connection from the Linux command line (drop/kill/cut/close ESTABLISHED connection)
Sometimes it is necessary to forcibly terminate an active connection. The most common way:
The problem is that one worker can serve several connections at once, so it is more correct to kill the connection rather than the worker. For this, many forums recommend tcpkill, cutter or awk+hping3. However, even though these utilities are in the official repositories, I could not get them to terminate connections.
After a long search I found the Perl script killcx, which terminates a connection given the remote host and port.
killcx 94.133.119.242:4403
[PARENT] checking connection with [94.133.119.242:4403]
[PARENT] found connection with [78.220.184.126:80] (ESTABLISHED)
[PARENT] forking child
[CHILD] interface not defined, will use [eth0]
[CHILD] setting up filter to sniff ACK on [eth0] for 5 seconds
[CHILD] hooked ACK from [77.220.184.126:80]
[CHILD] found AckNum [3091573605] and SeqNum [3105164779]
[CHILD] sending spoofed RST to [78.220.184.126:80] with SeqNum [3091573605]
[CHILD] sending RST to remote host as well with SeqNum [3105164779]
[CHILD] all done, sending USR1 signal to parent [13723] and exiting
[PARENT] received child signal, checking results.
=> success : connection has been closed !
It needs a whole set of libraries to work:
apt-get install \
libpcap0.8 \
libpcap-dev \
libnet-pcap-perl \
libyaml-perl \
libyaml-dev \
libyaml-0-1 \
-y
cpan -i \
Net::RawIP \
NetPacket::Ethernet