I'm facing a few hosts sending a flood of requests to my webserver (NGINX). I'm trying to block them via iptables, with ipset and a good old DROP rule.
The rule is effective against NEW connections, but as soon as the kiddies can come in and set up an ESTABLISHED or RELATED connection, my DROP rule fails because my firewall also has an iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT rule.
The relevant section of my firewall config is:
# iptables -nL
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
DROP all -- 0.0.0.0/0 0.0.0.0/0 match-set Blacklist src
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443
DROP all -- 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
The Blacklist ipset includes the offending IP:
# ipset list Blacklist | grep <attacking-server-ip>
<attacking-server-ip>
The question is: how can I KILL ALL the TCP connections, even the ESTABLISHED or RELATED ones?
Things I've tried:
- Stop-wait-30-secs-start the webserver (service nginx stop && sleep 30 && service nginx start) - it was worth a shot, but since the connection is already ESTABLISHED, it persists.
- conntrack --flush and conntrack -F. No effect.
- tcpkill: as long as I keep the process running it kinda works. But as soon as I close the process, the connections come back. I can't really explain it.
- conntrack -D --orig-src <attacking-server-ip>: the connection got deleted, but then appears back immediately.
To check the connection I use:
netstat -putan | grep '<attacking-server-ip>'
tcp 0 0 <my-server-ip>:443 <attacking-server-ip>:60763 ESTABLISHED 2372191/nginx: work
tcp 0 0 <my-server-ip>:443 <attacking-server-ip>:60807 ESTABLISHED 2372191/nginx: work
tcp 0 0 <my-server-ip>:443 <attacking-server-ip>:60545 ESTABLISHED 2372190/nginx: work
tcp 0 0 <my-server-ip>:443 <attacking-server-ip>:59785 TIME_WAIT -
tcp 0 0 <my-server-ip>:443 <attacking-server-ip>:59730 TIME_WAIT -
tcp 0 0 <my-server-ip>:443 <attacking-server-ip>:59841 TIME_WAIT -
tcp 0 0 <my-server-ip>:443 <attacking-server-ip>:60578 ESTABLISHED 2372191/nginx: work
tcp 0 0 <my-server-ip>:443 <attacking-server-ip>:60941 ESTABLISHED 2372191/nginx: work
tcp 0 0 <my-server-ip>:443 <attacking-server-ip>:59390 TIME_WAIT -
tcp 0 0 <my-server-ip>:443 <attacking-server-ip>:59849 TIME_WAIT -
tcp 0 0 <my-server-ip>:443 <attacking-server-ip>:60744 ESTABLISHED 2372191/nginx: work
tcp 0 0 <my-server-ip>:443 <attacking-server-ip>:59766 TIME_WAIT -
tcp 0 0 <my-server-ip>:443 <attacking-server-ip>:59819 TIME_WAIT -
tcp 0 0 <my-server-ip>:443 <attacking-server-ip>:60679 ESTABLISHED 2372191/nginx: work
tcp 0 0 <my-server-ip>:443 <attacking-server-ip>:59603 TIME_WAIT -
tcp 0 0 <my-server-ip>:443 <attacking-server-ip>:60134 ESTABLISHED 2372191/nginx: work
tcp 0 0 <my-server-ip>:443 <attacking-server-ip>:60907 ESTABLISHED 2372191/nginx: work
tcp 0 0 <my-server-ip>:443 <attacking-server-ip>:59732 TIME_WAIT -
tcp 0 0 <my-server-ip>:443 <attacking-server-ip>:60128 ESTABLISHED 2372191/nginx: work
tcp 0 0 <my-server-ip>:443 <attacking-server-ip>:60437 ESTABLISHED 2372191/nginx: work
tcp 0 0 <my-server-ip>:443 <attacking-server-ip>:59623 TIME_WAIT -
tcp 0 0 <my-server-ip>:443 <attacking-server-ip>:59356 TIME_WAIT -
tcp 0 0 <my-server-ip>:443 <attacking-server-ip>:60502 ESTABLISHED 2372191/nginx: work
tcp 0 0 <my-server-ip>:443 <attacking-server-ip>:59414 TIME_WAIT -
tcp 0 0 <my-server-ip>:443 <attacking-server-ip>:60592 ESTABLISHED 2372191/nginx: work
tcp 0 0 <my-server-ip>:443 <attacking-server-ip>:59370 TIME_WAIT -
tcp 0 0 <my-server-ip>:443 <attacking-server-ip>:60861 ESTABLISHED 2372191/nginx: work
tcp 0 0 <my-server-ip>:443 <attacking-server-ip>:59783 TIME_WAIT -
tcp 0 0 <my-server-ip>:443 <attacking-server-ip>:59858 TIME_WAIT -
tcp 0 0 <my-server-ip>:443 <attacking-server-ip>:59769 TIME_WAIT -
tcp 0 0 <my-server-ip>:443 <attacking-server-ip>:60817 ESTABLISHED 2372191/nginx: work
tcp 0 0 <my-server-ip>:443 <attacking-server-ip>:59393 TIME_WAIT -
tcp 0 0 <my-server-ip>:443 <attacking-server-ip>:60479 ESTABLISHED 2372191/nginx: work
tcp 0 0 <my-server-ip>:443 <attacking-server-ip>:60450 ESTABLISHED 2372191/nginx: work
tcp 0 0 <my-server-ip>:443 <attacking-server-ip>:59401 TIME_WAIT -
tcp 0 0 <my-server-ip>:443 <attacking-server-ip>:60838 ESTABLISHED 2372191/nginx: work
tcp 0 0 <my-server-ip>:443 <attacking-server-ip>:60123 ESTABLISHED 2372191/nginx: work
tcp 0 0 <my-server-ip>:443 <attacking-server-ip>:60854 ESTABLISHED 2372191/nginx: work
tcp 0 0 <my-server-ip>:443 <attacking-server-ip>:59445 TIME_WAIT -
tcp 0 0 <my-server-ip>:443 <attacking-server-ip>:59419 TIME_WAIT -
tcp 0 0 <my-server-ip>:443 <attacking-server-ip>:60111 ESTABLISHED 2372191/nginx: work
tcp 0 0 <my-server-ip>:443 <attacking-server-ip>:60934 ESTABLISHED 2372191/nginx: work
tcp 0 0 <my-server-ip>:443 <attacking-server-ip>:60510 ESTABLISHED 2372191/nginx: work
tcp 0 0 <my-server-ip>:443 <attacking-server-ip>:60832 ESTABLISHED 2372191/nginx: work
tcp 0 0 <my-server-ip>:443 <attacking-server-ip>:60922 ESTABLISHED 2372191/nginx: work
tcp 0 0 <my-server-ip>:443 <attacking-server-ip>:60447 ESTABLISHED 2372191/nginx: work
tcp 0 0 <my-server-ip>:443 <attacking-server-ip>:60171 ESTABLISHED 2372191/nginx: work
tcp 0 0 <my-server-ip>:443 <attacking-server-ip>:60536 ESTABLISHED 2372191/nginx: work
tcp 0 0 <my-server-ip>:443 <attacking-server-ip>:59344 TIME_WAIT -
tcp 0 0 <my-server-ip>:443 <attacking-server-ip>:59394 TIME_WAIT -
tcp 0 0 <my-server-ip>:443 <attacking-server-ip>:59369 TIME_WAIT -
tcp 0 0 <my-server-ip>:443 <attacking-server-ip>:60601 ESTABLISHED 2372191/nginx: work
tcp 0 0 <my-server-ip>:443 <attacking-server-ip>:59754 TIME_WAIT -
tcp 0 5534 <my-server-ip>:443 <attacking-server-ip>:60954 ESTABLISHED 2372191/nginx: work
tcp 0 0 <my-server-ip>:443 <attacking-server-ip>:60895 ESTABLISHED 2372191/nginx: work
tcp 0 0 <my-server-ip>:443 <attacking-server-ip>:60236 ESTABLISHED 2372191/nginx: work
tcp 0 0 <my-server-ip>:443 <attacking-server-ip>:60099 ESTABLISHED 2372191/nginx: work
tcp 0 0 <my-server-ip>:443 <attacking-server-ip>:59460 TIME_WAIT -
tcp 0 0 <my-server-ip>:443 <attacking-server-ip>:60570 ESTABLISHED 2372191/nginx: work
tcp 0 0 <my-server-ip>:443 <attacking-server-ip>:60555 ESTABLISHED 2372191/nginx: work
Also:
# conntrack -L --orig-src <attacking-server-ip>
tcp 6 431977 ESTABLISHED src=<attacking-server-ip> dst=<my-server-ip> sport=62907 dport=443 src=<my-server-ip> dst=<attacking-server-ip> sport=443 dport=62907 [ASSURED] mark=0 use=1
tcp 6 431989 ESTABLISHED src=<attacking-server-ip> dst=<my-server-ip> sport=63062 dport=443 src=<my-server-ip> dst=<attacking-server-ip> sport=443 dport=63062 [ASSURED] mark=0 use=1
tcp 6 431976 ESTABLISHED src=<attacking-server-ip> dst=<my-server-ip> sport=62882 dport=443 src=<my-server-ip> dst=<attacking-server-ip> sport=443 dport=62882 [ASSURED] mark=0 use=1
tcp 6 299 ESTABLISHED src=<attacking-server-ip> dst=<my-server-ip> sport=63215 dport=443 src=<my-server-ip> dst=<attacking-server-ip> sport=443 dport=63215 [ASSURED] mark=0 use=1
tcp 6 431975 ESTABLISHED src=<attacking-server-ip> dst=<my-server-ip> sport=62869 dport=443 src=<my-server-ip> dst=<attacking-server-ip> sport=443 dport=62869 [ASSURED] mark=0 use=1
tcp 6 271 ESTABLISHED src=<attacking-server-ip> dst=<my-server-ip> sport=62800 dport=443 [UNREPLIED] src=<my-server-ip> dst=<attacking-server-ip> sport=443 dport=62800 mark=0 use=1
tcp 6 299 ESTABLISHED src=<attacking-server-ip> dst=<my-server-ip> sport=63211 dport=443 src=<my-server-ip> dst=<attacking-server-ip> sport=443 dport=63211 [ASSURED] mark=0 use=1
tcp 6 431977 ESTABLISHED src=<attacking-server-ip> dst=<my-server-ip> sport=62902 dport=443 src=<my-server-ip> dst=<attacking-server-ip> sport=443 dport=62902 [ASSURED] mark=0 use=1
tcp 6 431987 ESTABLISHED src=<attacking-server-ip> dst=<my-server-ip> sport=63038 dport=443 src=<my-server-ip> dst=<attacking-server-ip> sport=443 dport=63038 [ASSURED] mark=0 use=1
tcp 6 431999 ESTABLISHED src=<attacking-server-ip> dst=<my-server-ip> sport=63195 dport=443 src=<my-server-ip> dst=<attacking-server-ip> sport=443 dport=63195 [ASSURED] mark=0 use=1
tcp 6 431976 ESTABLISHED src=<attacking-server-ip> dst=<my-server-ip> sport=62887 dport=443 src=<my-server-ip> dst=<attacking-server-ip> sport=443 dport=62887 [ASSURED] mark=0 use=1
tcp 6 431988 ESTABLISHED src=<attacking-server-ip> dst=<my-server-ip> sport=63050 dport=443 src=<my-server-ip> dst=<attacking-server-ip> sport=443 dport=63050 [ASSURED] mark=0 use=1
tcp 6 431999 ESTABLISHED src=<attacking-server-ip> dst=<my-server-ip> sport=63201 dport=443 src=<my-server-ip> dst=<attacking-server-ip> sport=443 dport=63201 [ASSURED] mark=0 use=1
tcp 6 431998 ESTABLISHED src=<attacking-server-ip> dst=<my-server-ip> sport=63181 dport=443 src=<my-server-ip> dst=<attacking-server-ip> sport=443 dport=63181 [ASSURED] mark=0 use=1
conntrack v1.4.5 (conntrack-tools): 14 flow entries have been shown
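The listing above points to a rule-ordering problem rather than a conntrack one: the ctstate RELATED,ESTABLISHED ACCEPT sits at position 1 of INPUT, so every packet belonging to a tracked flow is accepted before the Blacklist DROP at position 2 is consulted, and deleting conntrack entries only helps until the next packet re-creates them. The script below is an added example, not the poster's code. It reads iptables -S INPUT output and reports whether the set DROP is consulted before the conntrack ACCEPT, then moves the DROP to the top of the chain, removes the source's conntrack entries and destroys nginx's already-established sockets with ss -K. It assumes the ipset is named Blacklist as in the question, that ss -K is usable (kernel built with CONFIG_INET_DIAG_DESTROY), and the sample rules and the address 192.0.2.10 used for testing are constructed placeholders.

```shell
#!/bin/sh
# Added example, not the original poster's script. Assumes the ipset is named
# "Blacklist" (as in the question) and that iptables, conntrack and ss exist.
# DRY_RUN=1 (the default) only prints the commands; DRY_RUN=0 executes them.

# Run a command, or just print it in dry-run mode.
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Read `iptables -S INPUT` output on stdin and report whether the Blacklist
# DROP is consulted before the RELATED,ESTABLISHED ACCEPT.
# Prints OK, BAD (ACCEPT precedes DROP) or MISSING (no Blacklist DROP at all).
check_rule_order() {
    awk '
        /--ctstate (RELATED,ESTABLISHED|ESTABLISHED,RELATED)/ && /-j ACCEPT/ && !est { est = NR }
        /--match-set Blacklist src/ && /-j DROP/ && !blk { blk = NR }
        END {
            if (blk == 0)         { print "MISSING"; exit }
            if (est && est < blk) { print "BAD"; exit }
            print "OK"
        }'
}

# Move the set DROP to the top of INPUT so it wins regardless of conntrack
# state, then clear the tracked flows and the local sockets for one source.
apply_fix() {
    src="$1"
    # Remove the mis-ordered copy (ignore failure if it is not there).
    run iptables -D INPUT -m set --match-set Blacklist src -j DROP || true
    run iptables -I INPUT 1 -m set --match-set Blacklist src -j DROP
    # Delete every tracked flow whose original direction comes from that source.
    run conntrack -D --orig-src "$src"
    # Destroy the ESTABLISHED sockets nginx still holds (needs CONFIG_INET_DIAG_DESTROY).
    run ss -K dst "$src"
}

# Usage: DRY_RUN=0 sh fix-blacklist-order.sh <attacking-server-ip>
if [ $# -gt 0 ]; then
    if [ "${DRY_RUN:-1}" = 1 ]; then
        echo "(dry run) commands that would be executed:"
    else
        echo "rule order before fix: $(iptables -S INPUT | check_rule_order)"
    fi
    apply_fix "$1"
fi
```

Run it once without DRY_RUN=0 to see the exact commands, then with DRY_RUN=0 as root to apply them. After the reorder, new SYNs and packets of existing flows from any address in the set are dropped before the conntrack ACCEPT is reached, so the entries that conntrack -D removes are not re-created; ss -K is what actually closes the sockets nginx shows as ESTABLISHED, since a dropped flow otherwise lingers until its TCP timers expire.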