On Wed, Apr 17, 2002 at 08:09:46PM -0300, Juan Carlos Castro y Castro wrote:
> Hello all, I'm working on an Internet access control system for LANs
> based on iptables. A user logs in via browser, and the underlying CGI
> talks to a daemon which sets up iptables rules which grant Internet
> access to the originating IP. This works well.
>
> When a user clicks on "disconnect", the system deletes the
> corresponding iptables rules. This also works well.
>
> The problem is: currently active connections (telnet, ssh, mysql etc)
> stay active even after disconnect. This opens the possibility of
> completely cheating the system with an IP-over-IP tunnel.

Can you explain about this cheating the system with an IP-over-IP tunnel?

> What I'd like to do is either kill all currently active connections from
> that IP or stop packet mangling according to rules that no longer
> exist. Any suggestion would be greatly appreciated.

Can you not rmmod the conntrack and insmod it back in?

Ramin

> Cheers to all,
>
> --
> Juan Carlos Castro y Castro | "Standing up to an evil system is
> [EMAIL PROTECTED]           | exhilarating." -Richard Stallman
> Rio de Janeiro - Brazil     | http://www.vialink.com.br/~jcastro
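An added example, not code from the thread, showing the disconnect step the original poster is after: delete the per-IP grant and then flush that address's connection-tracking entries with the conntrack(8) tool from conntrack-tools (a per-address alternative to the rmmod/insmod suggestion above, which would drop every tracked flow on the box, including other users' sessions). It assumes the FORWARD chain carries an early ESTABLISHED,RELATED accept rule, which is the usual reason a deleted grant does not affect flows already in progress; the function names, the DRY_RUN switch and the address check are this example's own, and the conntrack tool is not something the thread mentions.

```shell
#!/bin/sh
# Added example: per-IP grant/revoke helpers for an iptables-based LAN
# access gate. On revoke, the grant rule is deleted AND the conntrack
# entries for that address are flushed, so flows established while the
# rule existed do not outlive it.
#
# Assumptions (not stated in the original mail):
#   - FORWARD has an early "-m state --state ESTABLISHED,RELATED -j ACCEPT"
#     rule, which is why established flows survive rule deletion.
#   - conntrack(8) from conntrack-tools is installed.
#   - DRY_RUN=1 prints the commands instead of executing them, so the
#     script can be exercised without root or netfilter.

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Accept only a dotted-quad IPv4 address. The CGI hands us a string that
# originates from the client side, so anything that is not a plain
# address is refused before it can become extra iptables arguments.
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|''|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ ${#o} -le 3 ] || return 1
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

grant_access() {
    ip="$1"
    valid_ipv4 "$ip" || { echo "grant_access: bad address '$ip'" >&2; return 1; }
    run iptables -I FORWARD -s "$ip" -j ACCEPT
}

revoke_access() {
    ip="$1"
    valid_ipv4 "$ip" || { echo "revoke_access: bad address '$ip'" >&2; return 1; }
    # 1. Remove the grant so no new flows from this address are accepted.
    run iptables -D FORWARD -s "$ip" -j ACCEPT
    # 2. Drop tracked flows in both directions so the ESTABLISHED rule no
    #    longer matches them; sessions in progress then fail on their next
    #    packet instead of staying open indefinitely.
    run conntrack -D -s "$ip"
    run conntrack -D -d "$ip"
}

# Usage (run as root, without DRY_RUN):
#   grant_access 10.0.0.5      # on login
#   revoke_access 10.0.0.5     # on disconnect
```

Flushing only the entries for the one address keeps the rest of the table intact, which matters on a shared gateway; deleting by destination as well covers flows the tracker recorded from the other direction. A login/logout daemon that drives these helpers should log both steps, since a failed conntrack deletion is exactly the case where a "disconnected" user still has working sessions.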
