Score:1

How to drop an existing connection on Ubuntu 20.04 server?

ru flag

I executed the following command to ban them. But it didn't work. It only works when there is a new connection from that IP.

sudo ufw insert 1 deny from 46.1.67.244 to any && sudo ufw reload

status ufw: Anywhere DENY 46.1.67.244

I have a service that is always listening on port A. The connection from that IP is always kept; it only loses the connection when I stop the service. How can I drop this current connection without stopping the service?

sean avatar
st flag
We need the output of: ```ufw status verbose``` to see what is going on here.
Score:0
gn flag

UFW is just a front end for iptables. Typically, the generated rule set has a RELATED,ESTABLISHED ACCEPT rule early in the INPUT chain. If you add a specific DROP rule before that generic rule, the packets should be intercepted and dropped.

In this example, I will add a rule and drop subsequent packets from 192.168.111.122 to my main test server at 192.168.111.132. For demonstration, I have a very simple iptables rule set:

$ sudo iptables -xvnL
Chain INPUT (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       2      100 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
       0        0 LOG        tcp  --  br0    *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID LOG flags 0 level 6 prefix "IINVALID:"
       0        0 DROP       tcp  --  br0    *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
       0        0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:!0x17/0x02 ctstate NEW LOG flags 0 level 6 prefix "NEW TCP no SYN:"
       0        0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:!0x17/0x02 ctstate NEW
     159    11289 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
       1       52 ACCEPT     tcp  --  br0    *       0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpt:22

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination

And I am currently connected via SSH from 2 computers:

$ who
doug     pts/0        2023-01-05 15:55 (192.168.111.1)
doug     pts/1        2023-01-05 15:56 (192.168.111.122)

Now add the new rule to DROP packets from 192.168.111.122:

$ sudo iptables -I INPUT 2 -s 192.168.111.122 -i br0 -j DROP

The SSH session terminates (might take a while).

$ client_loop: send disconnect: Connection reset

And packets are being dropped:

$ sudo iptables -xvnL
Chain INPUT (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
      26     2926 DROP       all  --  br0    *       192.168.111.122      0.0.0.0/0
       0        0 LOG        tcp  --  br0    *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID LOG flags 0 level 6 prefix "IINVALID:"
       0        0 DROP       tcp  --  br0    *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
       0        0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:!0x17/0x02 ctstate NEW LOG flags 0 level 6 prefix "NEW TCP no SYN:"
       0        0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:!0x17/0x02 ctstate NEW
     100     8437 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
       1       52 ACCEPT     tcp  --  br0    *       0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpt:22

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Note that the session still shows as logged in, but it will eventually be deleted:

$ who
doug     pts/0        2023-01-05 15:55 (192.168.111.1)
doug     pts/1        2023-01-05 15:56 (192.168.111.122)
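The point of the answer above is rule order: the DROP has to sit at a lower position than the RELATED,ESTABLISHED ACCEPT, or conntrack lets the existing flow through. The helper below is an added example, not code from the answer or from the ufw project. It parses a `iptables --line-numbers -nL <chain>` listing, reports the position of the RELATED,ESTABLISHED rule, builds the `iptables -I` command so the DROP lands in front of it, and checks the order afterwards. The listings are constructed samples; the source IP, inbound interface and chain name are parameters. On a ufw-managed box the RELATED,ESTABLISHED ACCEPT normally lives in the ufw-before-input chain rather than INPUT, so pass whichever chain you actually see it in.

```shell
#!/bin/sh
# Constructed sample: `iptables --line-numbers -nL INPUT` before the ban.
SAMPLE_BEFORE=$(cat <<'EOF'
Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
2    DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            ctstate INVALID
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpt:22
EOF
)

# Constructed sample: same chain after `iptables -I INPUT 3 ...` (correct order).
SAMPLE_AFTER=$(cat <<'EOF'
Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
2    DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            ctstate INVALID
3    DROP       all  --  192.168.111.122      0.0.0.0/0
4    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
5    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpt:22
EOF
)

# Constructed sample: DROP appended after the ESTABLISHED rule (the failing
# layout; existing connections keep flowing).
SAMPLE_APPENDED=$(cat <<'EOF'
Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
2    DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            ctstate INVALID
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpt:22
5    DROP       all  --  192.168.111.122      0.0.0.0/0
EOF
)

# Print the rule number of the first RELATED,ESTABLISHED rule in a listing.
# Matches both `ctstate` (conntrack module) and `state` (state module) output.
# $1: listing text
established_rule_pos() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ && /RELATED,ESTABLISHED/ { print $1; exit }'
}

# Build the insert command that puts a DROP for one source IP directly in
# front of the RELATED,ESTABLISHED rule. Printed, not executed, so it can be
# reviewed first; run it with sudo when it looks right.
# $1: source IP, $2: inbound interface, $3: chain name, $4: listing text
drop_before_established_cmd() {
    pos=$(established_rule_pos "$4")
    if [ -z "$pos" ]; then
        echo "no RELATED,ESTABLISHED rule found in chain $3" >&2
        return 1
    fi
    printf 'iptables -I %s %s -s %s -i %s -j DROP\n' "$3" "$pos" "$1" "$2"
}

# Return 0 when the DROP for the IP is numbered below the ESTABLISHED rule,
# i.e. it will be hit first; return 1 otherwise (missing or appended too late).
# $1: source IP, $2: listing text (taken after the insert)
drop_precedes_established() {
    printf '%s\n' "$2" | awk -v ip="$1" '
        $1 ~ /^[0-9]+$/ && $2 == "DROP" && $5 == ip && drop == 0 { drop = $1 }
        $1 ~ /^[0-9]+$/ && /RELATED,ESTABLISHED/ && est == 0 { est = $1 }
        END { exit (drop > 0 && est > 0 && drop + 0 < est + 0) ? 0 : 1 }'
}

# Stand-alone demo on the constructed listings.
drop_before_established_cmd 192.168.111.122 br0 INPUT "$SAMPLE_BEFORE"
if drop_precedes_established 192.168.111.122 "$SAMPLE_AFTER"; then
    echo "after insert: DROP precedes ESTABLISHED, existing flow will be cut"
fi
if ! drop_precedes_established 192.168.111.122 "$SAMPLE_APPENDED"; then
    echo "appended layout: DROP sits after ESTABLISHED, existing flow survives"
fi
```

On a live system the listing comes from `sudo iptables --line-numbers -nL INPUT` (or the ufw-before-input chain), and the rule number printed by the helper is exactly the value the answer passes to `iptables -I`. After inserting, re-run the listing and feed it to `drop_precedes_established`: if it fails, the DROP was placed behind the ESTABLISHED ACCEPT and the open connection will not be cut, which is the same effect as `ufw insert 1 deny` landing in a chain that is evaluated only after the established-traffic rule.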
Văn Thôi Võ avatar
ru flag
I tried it; it just clears it from the connection list. It does not disconnect. I had to stop the service to get it to disconnect!
Doug Smythies avatar
gn flag
To try to understand why it didn't work, we would have to review your UFW generated iptables rules. UFW generated iptables rule sets are difficult to read/follow.
Doug Smythies avatar
gn flag
Okay, wrote a new answer.