
Is there any command that can be used to break an existing TCP/IP connection from some program?

Is there anything in a TCP connection the OS is aware of, or does the OS only see TCP transfers on local sockets and doesn't know which request is served to which socket?

For example, if Firefox sends a request to some server's port 80 and is waiting for the answer, is it possible to find Firefox's listening port and trick Firefox into showing ERR_CONNECTION_REFUSED or something similar?

I would like a solution that does not prevent the data flow and lets the application handle this situation in its own way, but rather closes the socket or the TCP/IP connection (which should be possible, as the socket is something the OS is responsible for, I think? Is the connection also an OS property, or just something the application does?) so the application would react immediately.

Paul Sweatte
dronus

3 Answers

3

Use tcpkill.

vitaut

  • And have appropriate privileges. – S.Lott Jun 03 '11 at 12:36
  • Note that this command just adds entries to the firewall tables. It doesn't actually close the connection, but since FF gets an error for the next packet it tries to send/receive, that should work. – Aaron Digulla Jun 03 '11 at 12:54
  • So there is no method of getting a tcp/ip connection really closed? – dronus Jul 25 '11 at 21:41
  • I got here from another question marked as a duplicate of this one. And this utility is not in the repos of openSUSE, Debian or Ubuntu, at least the standard repos. It does not affect me, but people who might want to use this utility, which is not standard. – RedComet Nov 26 '11 at 13:38
  • @RedComet: It is in Ubuntu universe repos: sudo apt-get install dsniff – vitaut Nov 28 '11 at 07:24
  • @vitaut No disrespect, but Universe is only a little less worse than Multiverse quality-wise. Using iptables directly is simpler in comparison, and by standard I mean regular repositories that are actively maintained. Many packages in universe and multiverse are lagging behind. – RedComet Nov 28 '11 at 10:27
2

Cutter

Cutter will send packets to both ends of a TCP/IP connection to close the connection. It is designed to be used on a Linux router to disconnect unwanted connections.

Website: http://www.digitage.co.uk/digitage/software/linux-security/cutter

Debian has a package of it: https://packages.debian.org/stable/cutter

PF4Public
1

My take on this is by using the iproute2 framework.

Create a blackhole/unreachable bucket routing table (in my example table id 33) through a rule and give it high prio:

# ip rule add from all lookup 33 prio 1

Now find the connections you're trying to block. In my case I have used Chromium to connect to google.com:

# ss -n -e -p | grep "chrom" | grep "173.194.*:443"
ESTAB      0      0               10.211.55.4:46710         173.194.35.2:443    timer: (keepalive,38sec,0) users:(("chromium-browse",8488,106)) uid:1000 ino:38318 sk:f6a4f800
ESTAB      0      0               10.211.55.4:49288        173.194.35.18:443    timer:(keepalive,34sec,0) users:(("chromium-browse",8488,109)) uid:1000 ino:38047 sk:f6a4cb00

So, let's add 173.194.0.0/16 to table 33 and flush the cache:

# ip route add unreachable 173.194.0.0/16 table 33
# ip route flush cache

Try to connect to google.com now in your browser and you will get an ERR_CONNECTION_REFUSED in your browser.

To lift the veil of your self-imposed blockage, you simply flush the bucket:

# ip route flush table 33

Of course, if you need a more granular distinction, you can use tc and u32 classifier to flag the exact IP:PORT combo (and other packet aspects) and add an fw rule to the bucket (untested):

# tc filter add dev eth1 parent ffff: protocol ip prio 1 u32 \
    match ip src 173.194.0.0/16 match ip dport 443 classid :1
# ip rule add fwmark 1 table 33 prio 1 realms 3/4
ikaerom

  • I think this solution too will make the browser fail to connect, but will not close a connection on the TCP layer until the browser tries to send something and triggers a timeout. – dronus Jan 04 '14 at 23:04
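As an added example (not code from the answer above, nor from iproute2 or any other tool named on this page), here is a small POSIX sh wrapper for the iproute2 procedure in that answer: add the rule for table 33, find a process's established sockets with ss -n -e -p, add unreachable routes for their peers, flush the cache, and later flush the table to lift the block. It assumes the table id 33 and the ss column layout shown in the answer (State Recv-Q Send-Q Local Peer ...), blocks each peer as a /32 rather than the /16 used in the answer, and honours DRY_RUN=1 to print the ip commands instead of executing them, so the socket parsing can be exercised without root.

```shell
#!/bin/sh
# Added example, not code from the original answer: wraps the
# "unreachable route in a dedicated routing table" technique in functions.
# Assumptions: routing table id 33 (as in the answer), IPv4 peers, and the
# `ss -n -e -p` column layout shown in the answer.

TABLE=33
: "${DRY_RUN:=0}"    # DRY_RUN=1 prints the ip commands instead of running them

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# Read ss output on stdin and print the peer IPv4 address (port stripped) of
# every ESTAB socket owned by a process whose name starts with $1.
# Column 5 of the ss output is the peer "address:port".
peers_of() {
    awk -v proc="$1" '
        $1 == "ESTAB" && index($0, "users:((\"" proc) {
            sub(/:[0-9]+$/, "", $5)   # drop the ":443" port suffix
            print $5
        }'
}

# One-time setup: make every route lookup consult table 33 first.
ensure_rule() {
    run ip rule add from all lookup "$TABLE" prio 1
}

# Add an unreachable /32 route for each peer address read from stdin, then
# flush the route cache so already established flows see the new routes.
block_peers() {
    while IFS= read -r peer; do
        [ -n "$peer" ] || continue
        run ip route add unreachable "$peer/32" table "$TABLE"
    done
    run ip route flush cache
}

# Lift the block by emptying the whole table, as the answer does.
unblock_all() {
    run ip route flush table "$TABLE"
}

# Block the peers of one process, optionally only those whose address
# matches a regex (for example "^173\.194\." to restrict it to one range).
block_process() {
    proc=$1; pattern=${2:-.}
    ss -n -e -p | peers_of "$proc" | grep -E -- "$pattern" | block_peers
}

case "${1:-}" in
    block)   ensure_rule; block_process "$2" "${3:-}" ;;
    unblock) unblock_all ;;
    *)       echo "usage: $0 block <process-name> [peer-regex] | unblock" ;;
esac
```

Usage: `DRY_RUN=1 sh tcpblock.sh block chromium '^173\.194\.'` shows the ip commands that would be issued; without DRY_RUN the same invocation must be run as root. As the comment above notes, this only makes the next send or receive on the affected sockets fail; it does not tear the connection down at the TCP layer.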