[olug] How can I sever IPtables established connections for only certain IPs?

Eric W. Biederman ebiederm at xmission.com
Tue May 23 17:31:10 CDT 2023


Ben Hollingsworth <obiwan at jedi.com> writes:

> The devices are all DHCP, and that's a very interesting idea.  I'd
> need to set the lease duration quite short in order for the renewal to
> happen in a timely fashion after bedtime.  I wonder what adverse
> effects one might see from, say, a 15-minute lease that's constantly
> renewing all day.  I wouldn't need to worry about the new lease
> dropping the connection, because I could just assign them a new IP in
> a subnet that doesn't get routed past the firewall.
>
> My original question was whether or not active connections could be
> terminated on command from IPtables.  I'm not aware of how to do that, 
> and google's been unhelpful.

Looking there is a way, and you need to use the conntrack tool
to delete existing conntrack entries.  Reading the manpage it
looks like the basic command is "conntrack -D".

If your children's ip is 192.168.1.2 I think you can just do:

  conntrack -D --src 192.168.1.2
  conntrack -D --dst 192.168.1.2

The manual for conntrack is available here:
https://conntrack-tools.netfilter.org/manual.html

On debian you can install conntrack with:

  apt-get install conntrack


I get the feeling from reading the manual that conntrack was mostly
written as a simple command line utility to the facilities that were
added to make the conntrackd daemon.  The conntrackd daemon allows
conntrack state to be synchronized between two systems.

This should all be relevant for either iptables or nftables as last
I looked the conntrack subsystem was shared between them.

Eric
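The two conntrack -D invocations above, wrapped in a small POSIX sh helper so they can be run safely from a cron job or a bedtime script. This is an added example, not code from the thread or from the conntrack-tools project; the function names (valid_ipv4, cut_connections_cmds, cut_connections) and the address 192.168.1.2 are assumptions for illustration. The helper validates the address before building the commands, and only executes them when conntrack is installed and the script runs as root; otherwise it prints what it would run.

```shell
#!/bin/sh
# Added example: sever tracked flows for one host by deleting its conntrack
# entries in both directions. Function names here are hypothetical.

# Accept only dotted-quad IPv4 addresses with every octet in 0..255.
valid_ipv4() {
    # Reject anything that is not digits and dots before word-splitting on '.'
    case $1 in
        ''|*[!0-9.]*) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in
            '') return 1 ;;
        esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the conntrack commands that drop every tracked flow involving $1,
# one per line (source side first, then destination side), as in the mail.
cut_connections_cmds() {
    valid_ipv4 "$1" || { echo "invalid IPv4 address: $1" >&2; return 1; }
    printf 'conntrack -D --src %s\nconntrack -D --dst %s\n' "$1" "$1"
}

# Run the commands when conntrack is available and we are root; otherwise
# just show them so the script can be exercised on a machine without it.
cut_connections() {
    cmds=$(cut_connections_cmds "$1") || return 1
    if command -v conntrack >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
        echo "$cmds" | sh
    else
        echo "# conntrack not available or not root; would run:"
        echo "$cmds"
    fi
}

# Usage: ./cut-connections.sh 192.168.1.2   (constructed sample address)
if [ $# -gt 0 ]; then
    cut_connections "$1"
fi
```

Deleting the entries only removes the kernel's memory of the flows; it does not by itself stop packets. The effect you want comes from an existing rule that accepts traffic with `-m conntrack --ctstate ESTABLISHED,RELATED` and drops (or no longer accepts) new traffic from that host: once the entries are gone, the host's packets no longer match the ESTABLISHED state and fall through to the drop. Without such a rule, the very next packet simply creates a fresh conntrack entry and the session continues.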

