Is there any command that can be used to break an existing TCP/IP connection from some program?
Is there anything in a TCP connection the OS is aware of, or does the OS only see TCP transfer on local sockets and doesn't know which request is served to which socket?
For example, if Firefox sends a request to some server's port 80 and is waiting for the answer, is it possible then to find Firefox's listening port and trick Firefox into showing ERR_CONNECTION_REFUSED or something similar?
I would like a solution that does not prevent the data flow and lets the application handle this situation in its own way, but rather closes the socket or the TCP/IP connection (which should be possible, as the socket is something the OS is responsible for, I think? Is the connection also an OS property or just something the application does?) so the application would react immediately.
Cutter
Cutter will send packets to both ends of a TCP/IP connection to close the connection. It is designed to be used on a Linux router to disconnect unwanted connections.
Website: http://www.digitage.co.uk/digitage/software/linux-security/cutter
Debian has a package of it: https://packages.debian.org/stable/cutter
My take on this is by using the `iproute2` framework.
Create a blackhole/unreachable bucket routing table (in my example table id 33) through a rule and give it high prio:
# ip rule add from all lookup 33 prio 1
Now find the connections you're trying to block. In my case I have used Chromium to connect to google.com:
# ss -n -e -p | grep "chrom" | grep "173.194.*:443"
ESTAB 0 0 10.211.55.4:46710 173.194.35.2:443 timer:(keepalive,38sec,0) users:(("chromium-browse",8488,106)) uid:1000 ino:38318 sk:f6a4f800
ESTAB 0 0 10.211.55.4:49288 173.194.35.18:443 timer:(keepalive,34sec,0) users:(("chromium-browse",8488,109)) uid:1000 ino:38047 sk:f6a4cb00
So, let's add 173.194.0.0/16 to table 33 and flush the cache:
# ip route add unreachable 173.194.0.0/16 table 33
# ip route flush cache
Try to connect to google.com in your browser now and you will get an ERR_CONNECTION_REFUSED.
To lift the veil of your self-imposed blockage, you simply flush the bucket:
# ip route flush table 33
Of course, if you need a more granular distinction, you can use tc and the u32 classifier to flag the exact IP:PORT combo (and other packet aspects) and add an fw rule to the bucket (untested):
# tc filter add dev eth1 parent ffff: protocol ip prio 1 u32 \
match ip src 173.194.0.0/16 match ip dport 443 classid :1
# ip rule add fwmark 1 table 33 prio 1 realms 3/4
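The procedure in this answer (find the process's peers with `ss -n -e -p`, route their networks into an unreachable table, flush the table afterwards) as an added example that is not part of the original answer. The script parses the kind of `ss` lines quoted above, selects the peers of one process, and emits the equivalent `ip rule` / `ip route add unreachable ... table 33` commands. Table id 33 and the /16 widening come from the answer; the sample `ss` output is constructed (its third `curl` line uses the newer `pid=N,fd=M` field format so both syntaxes are shown), the `ip rule del` step in the undo list goes one step beyond the answer's `ip route flush table 33`, and `run()` only prints by default because executing the commands needs root.

```python
"""Build the answer's iproute2 commands from `ss -n -e -p` output.
Added example; assumptions: table 33 (from the answer), constructed sample
output, dry-run by default (executing the commands requires root)."""
import ipaddress
import re
import shlex
import subprocess
from typing import List, NamedTuple, Optional

TABLE_ID = 33  # routing table used in the answer

# Constructed sample of `ss -n -e -p` output: the first two lines mirror the
# answer's Chromium connections, the third is an unrelated curl session in
# the newer users:(...) syntax.
SAMPLE_SS_OUTPUT = """\
State Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB 0 0 10.211.55.4:46710 173.194.35.2:443 timer:(keepalive,38sec,0) users:(("chromium-browse",8488,106)) uid:1000 ino:38318 sk:f6a4f800
ESTAB 0 0 10.211.55.4:49288 173.194.35.18:443 timer:(keepalive,34sec,0) users:(("chromium-browse",8488,109)) uid:1000 ino:38047 sk:f6a4cb00
ESTAB 0 0 10.211.55.4:51200 93.184.216.34:80 users:(("curl",pid=9001,fd=3)) uid:1000 ino:39000 sk:f6a4d100
"""


class Conn(NamedTuple):
    state: str
    local: str
    peer_ip: str
    peer_port: int
    process: str  # empty when ss printed no users:(...) field
    pid: int


# Optional Netid column (newer ss without -t), state, Recv-Q, Send-Q, local, peer, rest.
SS_LINE = re.compile(r"^(?:tcp\s+)?(\S+)\s+\d+\s+\d+\s+(\S+)\s+(\S+)\s*(.*)$")
# Both the old ("name",pid,fd) and the new ("name",pid=N,fd=M) users:(...) forms.
USERS = re.compile(r'users:\(\("([^"]+)",(?:pid=)?(\d+)')


def parse_ss(text: str) -> List[Conn]:
    """Parse `ss -n -e -p` output into Conn records, skipping headers and wildcard peers."""
    conns: List[Conn] = []
    for line in text.splitlines():
        m = SS_LINE.match(line)
        if not m:
            continue
        state, local, peer, rest = m.groups()
        host, _, port = peer.rpartition(":")
        host = host.strip("[]")  # IPv6 peers are printed as [addr]:port
        if not port.isdigit() or host in ("", "*"):
            continue
        u = USERS.search(rest)
        proc, pid = (u.group(1), int(u.group(2))) if u else ("", 0)
        conns.append(Conn(state, local, host, int(port), proc, pid))
    return conns


def select_peers(conns: List[Conn], process_substr: str,
                 peer_port: Optional[int] = None) -> List[str]:
    """Unique peer IPs of ESTAB connections of a process whose name contains process_substr."""
    peers = {
        c.peer_ip for c in conns
        if c.state == "ESTAB" and process_substr in c.process
        and (peer_port is None or c.peer_port == peer_port)
    }
    return sorted(peers, key=ipaddress.ip_address)


def block_commands(peers: List[str], prefix_len: int = 32,
                   table: int = TABLE_ID) -> List[str]:
    """Commands that send the peers' networks into the unreachable table.
    prefix_len widens IPv4 peers (16 reproduces the answer's 173.194.0.0/16);
    IPv6 peers always get a /128 host route."""
    nets = set()
    for p in peers:
        ip = ipaddress.ip_address(p)
        plen = prefix_len if ip.version == 4 else 128
        nets.add(ipaddress.ip_network(f"{ip}/{plen}", strict=False))
    cmds = [f"ip rule add from all lookup {table} prio 1"]
    for net in sorted(nets, key=lambda n: (n.version, int(n.network_address), n.prefixlen)):
        cmds.append(f"ip -{net.version} route add unreachable {net.with_prefixlen} table {table}")
    cmds.append("ip route flush cache")
    return cmds


def unblock_commands(table: int = TABLE_ID) -> List[str]:
    """Undo: empty the table and drop the rule that pointed at it."""
    return [f"ip route flush table {table}",
            f"ip rule del from all lookup {table} prio 1"]


def run(cmds: List[str], dry_run: bool = True) -> None:
    """Print the commands, or execute them (root required) when dry_run=False."""
    for cmd in cmds:
        if dry_run:
            print(cmd)
        else:
            subprocess.run(shlex.split(cmd), check=True)


if __name__ == "__main__":
    conns = parse_ss(SAMPLE_SS_OUTPUT)
    run(block_commands(select_peers(conns, "chrom", 443), prefix_len=16))
    run(unblock_commands())
```

Feeding real output is a matter of replacing `SAMPLE_SS_OUTPUT` with `subprocess.run(["ss", "-n", "-e", "-p"], capture_output=True, text=True).stdout`; keeping the default `/32` instead of the answer's `/16` limits the unreachable routes to the peers actually seen, which avoids cutting unrelated traffic to the same /16.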