Re: ip_conntrack
Bjoern Schmidt wrote:
Is it possible to clear all or single entries in /proc/net/ip_conntrack
without a reboot? I know there is a timeout, but I would like to remove
them immediately if needed.
there is a hack...
from:
http://lists.netfilter.org/pipermail/netfilter/2003-June/045080.html
send a fake ip packet (with RST set) to the
firewall, to let it think the connection terminated.
By this method, I have the following script written; it works
well for me.
To use this script, you must have hping2 installed; it can be
downloaded from http://www.hping.org
--------- clr_conns start ------------------
#!/bin/sh
echo
echo "############################"
echo "# Edit by Youngh 2003.06.24 v1.1 "
echo "# Usage : clr_conns IpAddress"
echo "# This will clear all connections from this IP_Address"
echo "# Example:/root/clr_conns 10.0.3.3 "
echo "############################"
echo
# No address given: nothing to do
if [ -z "$1" ] ; then
exit 1
fi
# Walk every ESTABLISHED tcp entry whose original-direction source is $1.
# Fields of an entry: 1=proto 2=protonum 3=timeout 4=state 5=src= 6=dst= 7=sport= 8=dport=
# (substr strips the "src="/"dst="/"sport="/"dport=" prefixes)
grep -E "^tcp .{10,25}ESTABLISHED src=$1 " /proc/net/ip_conntrack | while read line ; do
S_IP=`echo $line | awk '{print substr($5,5)}'`
S_SOCK=`echo $line | awk '{print substr($7,7)}'`
D_IP=`echo $line | awk '{print substr($6,5)}'`
D_SOCK=`echo $line | awk '{print substr($8,7)}'`
echo "$S_IP:$S_SOCK $D_IP:$D_SOCK"
# Forge one RST as if it came from the source host so conntrack closes the entry
hping2 $D_IP -R -s $S_SOCK -p $D_SOCK -a $S_IP -k -c 1 >/dev/null 2>&1 &
done
--------- clr_conns end ------------------
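As an added example (not part of the original post and not Youngh's script), here is a shell version of the selection step that reads the conntrack tuple by key name rather than by field position. It goes beyond the script above in that it handles udp entries and any tcp state, and it compares the address as a plain string so the dots are not regex wildcards. `SAMPLE_CONNTRACK` is a constructed sample in the /proc/net/ip_conntrack layout, and `tuple_of_line`, `entries_from` and `count_entries_from` are names chosen for this example.

```shell
#!/bin/sh
# Added example, not Youngh's script: select /proc/net/ip_conntrack entries by
# key name (src=, dst=, sport=, dport=) instead of by field position, so tcp,
# udp and flagged ([UNREPLIED]/[ASSURED]) entries all parse the same way.

# Constructed sample in the /proc/net/ip_conntrack layout (not a real capture).
SAMPLE_CONNTRACK='tcp      6 431999 ESTABLISHED src=10.0.3.3 dst=192.0.2.10 sport=40001 dport=22 src=192.0.2.10 dst=10.0.3.3 sport=22 dport=40001 [ASSURED] use=1
udp      17 29 src=10.0.3.3 dst=192.0.2.53 sport=5353 dport=53 [UNREPLIED] src=192.0.2.53 dst=10.0.3.3 sport=53 dport=5353 use=1
tcp      6 117 TIME_WAIT src=10.0.3.4 dst=192.0.2.10 sport=40002 dport=80 src=192.0.2.10 dst=10.0.3.4 sport=80 dport=40002 [ASSURED] use=1
tcp      6 431999 ESTABLISHED src=192.0.2.10 dst=10.0.3.3 sport=55555 dport=443 src=10.0.3.3 dst=192.0.2.10 sport=443 dport=55555 [ASSURED] use=1'

# tuple_of_line "<entry>"  ->  "proto src sport dst dport"
# Only the first src=/dst=/sport=/dport= tokens are taken: that is the
# original direction; the second set is the reply direction.
tuple_of_line() {
    printf '%s\n' "$1" | awk '{
        for (i = 2; i <= NF; i++) {
            split($i, kv, "=")
            k = kv[1]
            if ((k == "src" || k == "dst" || k == "sport" || k == "dport") && !(k in seen)) {
                seen[k] = 1; val[k] = kv[2]
            }
        }
        print $1, val["src"], val["sport"], val["dst"], val["dport"]
    }'
}

# entries_from "<ip>" "<conntrack text>"  ->  one tuple line per entry whose
# ORIGINAL-direction source is exactly <ip>. A plain string compare is used,
# so "10.0.3.3" does not also match 10.0.3.30 or 10.0X3.3 the way an
# unanchored grep pattern would.
entries_from() {
    ip="$1"
    printf '%s\n' "$2" | while IFS= read -r line; do
        t=$(tuple_of_line "$line")
        set -- $t
        [ "$2" = "$ip" ] && printf '%s\n' "$t"
    done
}

# count_entries_from "<ip>" "<conntrack text>"  ->  number of matching entries
count_entries_from() {
    entries_from "$1" "$2" | awk 'END { print NR }'
}

# Stand-alone run: list the sample entries for the host given as $1.
if [ -n "$1" ]; then
    entries_from "$1" "$SAMPLE_CONNTRACK"
fi
```

To use it against a live table, feed `"$(cat /proc/net/ip_conntrack)"` instead of the sample; the forged-RST step stays the hping2 line from the script above. On current kernels the conntrack-tools `conntrack -D` command deletes entries directly without sending any packet.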
- References:
- ip_conntrack
- From: Bjoern Schmidt <bj-schmidt@uni-paderborn.de>