How do I break an arbitrary TCP/IP connection on L

Published 2019-02-12 12:38

Question:

Is there any command that can be used to break an existing TCP/IP connection from some program?

Is there anything in a TCP connection the OS is aware of, or does the OS only see TCP transfer on local sockets and not know which request is served to which socket?

For example, if Firefox sends a request to some server's port 80 and is waiting for the answer, is it possible to find Firefox's listening port and trick Firefox into showing ERR_CONNECTION_REFUSED or something similar?

I would like a solution that does not prevent the data flow and let the application handle this situation in its own way, but rather closes the socket or the TCP/IP connection (which should be possible, as the socket is something the OS is responsible for, I think? Is the connection also an OS property or just something the application does?) so the application would react immediately.

Answer 1:

Use tcpkill.



Answer 2:

Cutter

Cutter will send packets to both ends of a TCP/IP connection to close the connection. It is designed to be used on a Linux router to disconnect unwanted connections.

Website: http://www.digitage.co.uk/digitage/software/linux-security/cutter

Debian has a package of it: https://packages.debian.org/stable/cutter



Answer 3:

My take on this uses the `iproute2` framework.

Create a blackhole/unreachable bucket routing table (in my example table id 33) through a rule and give it high priority:

# ip rule add from all lookup 33 prio 1

Now find the connections you're trying to block. In my case I have used Chromium to connect to google.com:

# ss -n -e -p | grep "chrom" | grep "173.194.*:443"
ESTAB      0      0               10.211.55.4:46710         173.194.35.2:443    timer: (keepalive,38sec,0) users:(("chromium-browse",8488,106)) uid:1000 ino:38318 sk:f6a4f800
ESTAB      0      0               10.211.55.4:49288        173.194.35.18:443    timer:(keepalive,34sec,0) users:(("chromium-browse",8488,109)) uid:1000 ino:38047 sk:f6a4cb00

So, let's add 173.194.0.0/16 to table 33 and flush the cache:

# ip route add unreachable 173.194.0.0/16 table 33
# ip route flush cache

Try to connect to google.com now in your browser and you will get an ERR_CONNECTION_REFUSED in your browser.

To lift the veil of your self-imposed blockage, you simply flush the bucket:

# ip route flush table 33

Of course, if you need a more granular distinction, you can use tc and u32 classifier to flag the exact IP:PORT combo (and other packet aspects) and add an fw rule to the bucket (untested):

# tc filter add dev eth1 parent ffff: protocol ip prio 1 u32 \
    match ip src 173.194.0.0/16 match ip dport 443 0xffff action skbedit mark 1
# ip rule add fwmark 1 table 33 prio 1 realms 3/4
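As an added example (not code from the answer above), the following shell script automates the manual steps of this answer: it reads `ss` output, picks the established peers of one process, and turns each distinct peer address into a host route in the "unreachable" table. Assumptions of this example: table id 33, the process name `chromium-browse`, `ss(8)`/`ip(8)` from iproute2, and a constructed sample of `ss -Hntp` output used for the dry run. IPv6 peers (printed by `ss` as `[addr]:port`) are handled as well, which the original grep-based one-liner did not cover.

```shell
#!/bin/sh
# Added example, not code from the original answer: automate the answer's manual
# steps (ss to find the peers of one process, then host routes to an
# "unreachable" table).  Assumed: table id 33, the process name "chromium-browse",
# ss(8)/ip(8) from iproute2; the sample ss output below is constructed.

TABLE=33

# Constructed sample in the layout of `ss -Hntp` (no header; columns are
# State Recv-Q Send-Q Local:Port Peer:Port Process).
SAMPLE_SS='ESTAB 0 0 10.211.55.4:46710 173.194.35.2:443 users:(("chromium-browse",pid=8488,fd=106))
ESTAB 0 0 10.211.55.4:49288 173.194.35.18:443 users:(("chromium-browse",pid=8488,fd=109))
ESTAB 0 0 [2001:db8::10]:51234 [2001:db8:1::1]:443 users:(("chromium-browse",pid=8488,fd=112))
ESTAB 0 0 10.211.55.4:40022 198.51.100.7:22 users:(("ssh",pid=9001,fd=3))
TIME-WAIT 0 0 10.211.55.4:40100 173.194.35.2:443'

# peers_from_ss [process-substring]
# Reads `ss -Hntp` lines on stdin and prints "peer_ip peer_port" for each ESTAB
# row whose Process column contains the substring (all ESTAB rows if omitted).
# IPv6 peers appear as [addr]:port; the brackets are stripped.
peers_from_ss() {
    awk -v proc="${1:-}" '
        $1 == "ESTAB" && (proc == "" || index($0, proc) > 0) {
            peer = $5
            if (match(peer, /:[0-9]+$/) == 0) next   # no port suffix: skip row
            ip = substr(peer, 1, RSTART - 1)
            port = substr(peer, RSTART + 1)
            gsub(/\[/, "", ip); gsub(/\]/, "", ip)
            print ip, port
        }'
}

# block_peers [process-substring] [run]
# Emits one "ip route add unreachable <peer> table $TABLE" per distinct peer IP
# (a host route; the port plays no part in routing).  Executes the commands
# only when the second argument is "run"; otherwise prints them (dry run).
block_peers() {
    proc=${1:-}
    mode=${2:-dry}
    peers_from_ss "$proc" | awk '{ print $1 }' | LC_ALL=C sort -u | while read -r ip; do
        cmd="ip route add unreachable $ip table $TABLE"
        if [ "$mode" = "run" ]; then
            $cmd
        else
            echo "$cmd"
        fi
    done
}

# One-time setup of the policy rule, and teardown, exactly as in the answer.
enable_table() { ip rule add from all lookup "$TABLE" prio 1; }
unblock_all()  { ip route flush table "$TABLE"; }

# Default: dry run against the constructed sample.  Pass "live" to act on the
# real socket table (needs root and the iproute2 tools).
if [ "${1:-}" = "live" ]; then
    enable_table
    ss -Hntp | block_peers chromium-browse run
else
    printf '%s\n' "$SAMPLE_SS" | block_peers chromium-browse
fi
```

Run it without arguments to see the `ip route` commands it would issue for the sample; `sh script.sh live` as root applies them to the current connections, and `unblock_all` (or `ip route flush table 33`) restores normal routing. Note that this blocks by peer address, so every other connection of every process to the same host is cut as well; the same caveat applies to the manual `173.194.0.0/16` route in the answer.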


Tags: linux tcp