(E-Mail Removed) said:
>Juha Laiho wrote:
>>
>> I'm looking for a tool to manage the connections forwarded by a netfilter-
>> based firewall. This is something that'd be useful as a debugging tool,
>> to find out how systems behave in case of lost network connectivity.
>>
>> I can see netfilter firewall showing the currently known sessions in
>> /proc/net/ip_conntrack, but this appears to be a read-only view.
>> What I'm looking for is essentially a way to clear single connections
>> shown in this ip_conntrack view - regardless of the state of that
>> connection.
>
>Conntrack-tools
><http://www.netfilter.org/projects/conntrack-tools/index.html>
Thanks; excellent, this was exactly what I was looking for!
>However note that deleting a connection entry from the conntrack table
>does not necessarily cut the connection. The effect on the actual
>connection flow depends on how the iptables ruleset uses the connection
>tracking and on some conntrack-related sysctl settings.
Yep, that's good to remember.
--
Wolf a.k.a. Juha Laiho Espoo, Finland
(GC 3.0) GIT d- s+: a C++ ULSH++++$ P++@ L+++ E- W+$@ N++ !K w !O !M V
PS(+) PE Y+ PGP(+) t- 5 !X R !tv b+ !DI D G e+ h---- r+++ y++++
"...cancel my subscription to the resurrection!" (Jim Morrison)
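
Added example, not part of the original posts: a shell helper that reads one line in the /proc/net/ip_conntrack format mentioned in the question and prints the matching conntrack-tools delete command for that single connection. The function name and the sample entry are constructed for illustration; the command is only printed, never run.

```shell
#!/bin/sh
# Constructed sample entry in /proc/net/ip_conntrack format
# (addresses taken from the documentation ranges).
SAMPLE='tcp      6 431999 ESTABLISHED src=192.0.2.10 dst=198.51.100.5 sport=40000 dport=22 packets=12 bytes=1440 src=198.51.100.5 dst=192.0.2.10 sport=22 dport=40000 packets=10 bytes=1300 [ASSURED] mark=0 use=1'

# conntrack_delete_cmd LINE  (hypothetical helper name)
# Prints "conntrack -D ..." for the original-direction tuple of LINE.
# Returns 1 if the line has no src=/dst= pair or a field looks malformed.
conntrack_delete_cmd() {
    printf '%s\n' "$1" | awk '
    {
        proto = $1; src = dst = sport = dport = ""
        # Each key appears twice: the first set is the original direction,
        # the second set describes the expected reply packets.
        for (i = 2; i <= NF; i++) {
            n = index($i, "=")
            if (n == 0) continue
            k = substr($i, 1, n - 1); v = substr($i, n + 1)
            if      (k == "src"   && src   == "") src   = v
            else if (k == "dst"   && dst   == "") dst   = v
            else if (k == "sport" && sport == "") sport = v
            else if (k == "dport" && dport == "") dport = v
        }
        # Refuse anything that is not a plain protocol name, address or
        # port, so the printed command is safe to paste into a shell.
        if (proto !~ /^[a-z0-9]+$/) exit 1
        if (src !~ /^[0-9a-fA-F:.]+$/ || dst !~ /^[0-9a-fA-F:.]+$/) exit 1
        if (sport !~ /^[0-9]*$/ || dport !~ /^[0-9]*$/) exit 1
        cmd = "conntrack -D -p " proto " --orig-src " src " --orig-dst " dst
        # Entries without ports (e.g. ICMP) are matched on addresses only,
        # which can select more than one entry between the two hosts.
        if (sport != "") cmd = cmd " --sport " sport
        if (dport != "") cmd = cmd " --dport " dport
        print cmd
    }'
}

# Removing the entry only drops the tracked state; whether later packets
# of the flow are still forwarded depends on the ruleset and the
# conntrack sysctls, as noted in the reply above.
conntrack_delete_cmd "$SAMPLE"
```
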