Is there a way to temporarily reject connections from and to a certain IP without restarting any service? (TCPKill-like app)

Hello Guys,

I'm looking for a way to test the ability of the VoIP apps I'm using to connect to the alternatively provided servers.
I want to "kill" their connection with an external IP and not allow them to connect for a few seconds, until they connect to the secondary SBC returned in the SRV request they sent.

10.0.0.155 - machine with VoIP app
166.166.66.55 - primary server
166.166.66.66 - secondary server

Example:

  1. 10.0.0.155 establishes a SIP connection with 166.166.66.55 on port 5060.
  2. I enter the router with SSH and terminate that connection with something similar to "tcpkill -i br-lan host 166.166.66.55"
  3. 10.0.0.155 attempts to re-establish connection with 166.166.66.55, but the connection is rejected/dropped.
  4. 10.0.0.155 retries a few times and then establishes a connection with the secondary server - 166.166.66.66.
  5. I then allow the connection to the 166.166.66.55, so 10.0.0.155 can connect to it if something happens with the connection to 166.166.66.66.
  6. Finally I stop the connection to 166.166.66.66 with something similar to "tcpkill -i br-lan host 166.166.66.66" and 10.0.0.155 is able to connect back to 166.166.66.55.

Is there a similar alternative to TCPKill which I can use without restarting the router?

Thanks!

Try netem, or for specific connection-based denials you might wish to custom-script something with the iptables string module and/or conntrack... As a last option, with the most control... iptables userland python...

1 Like

iptables -I FORWARD -s 10.0.0.155/32 -d 166.166.66.55/32 -j DROP

iptables -D FORWARD -s 10.0.0.155/32 -d 166.166.66.55/32 -j DROP

iptables -I FORWARD -s 10.0.0.155/32 -d 166.166.66.66/32 -j DROP

If you want to forbid only the SIP signaling traffic:

iptables -I FORWARD -m udp -p udp -s 10.0.0.155/32 -d 166.166.66.55/32 --dport 5060 -j DROP

3 Likes
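The rules above turned into a repeatable drill that follows steps 2-6 of the original post (block the primary, wait for failover, unblock it, block the secondary, wait for fail-back, unblock it). This is an added example, not the poster's code; the variable names CLIENT, PRIMARY, SECONDARY, SIP_PORT and IPTABLES are assumptions, and pointing IPTABLES at "echo" gives a dry run on a workstation.

```shell
#!/bin/sh
# Failover drill for the thread above (added example, not the poster's code).
# CLIENT, PRIMARY, SECONDARY, SIP_PORT and IPTABLES are assumed variable names;
# set IPTABLES=echo for a dry run that only prints the rules it would apply.
IPTABLES="${IPTABLES:-iptables}"
CLIENT="${CLIENT:-10.0.0.155}"
PRIMARY="${PRIMARY:-166.166.66.55}"
SECONDARY="${SECONDARY:-166.166.66.66}"
SIP_PORT="${SIP_PORT:-5060}"

# Rule body shared by insert (-I) and delete (-D), so the delete always
# matches exactly the rule that was inserted.
sip_drop_rule() {
    printf '%s' "FORWARD -p udp -s $CLIENT/32 -d $1/32 --dport $SIP_PORT -j DROP"
}

# Insert at the top of FORWARD so the rule precedes the usual ESTABLISHED
# accept rule; the already-running UDP flow is dropped too, which is what
# makes the client give up on this server.
block_sip() {
    # word splitting of the rule body into separate arguments is intended
    $IPTABLES -I $(sip_drop_rule "$1")
}

# Delete the rule if present; a missing rule is not an error here.
unblock_sip() {
    $IPTABLES -D $(sip_drop_rule "$1") 2>/dev/null || true
}

# Steps 2-6 of the original post, with $1 seconds of outage per server.
failover_drill() {
    hold="${1:-30}"
    # Remove both rules on any exit (Ctrl-C included) so no DROP rule
    # survives the test and the phone is never left cut off.
    trap 'unblock_sip "$PRIMARY"; unblock_sip "$SECONDARY"' EXIT INT TERM
    block_sip "$PRIMARY"
    echo "primary $PRIMARY blocked for ${hold}s; expect failover to $SECONDARY"
    sleep "$hold"
    unblock_sip "$PRIMARY"
    block_sip "$SECONDARY"
    echo "secondary $SECONDARY blocked for ${hold}s; expect fail-back to $PRIMARY"
    sleep "$hold"
    unblock_sip "$SECONDARY"
    trap - EXIT INT TERM
}

# Uncomment to run the drill on the router as root:
# failover_drill 30
```

Watch the SIP client's registration status during each hold; the two echo lines mark when a switch is expected.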

Redirect the calls to the IP you don't want to use, to the IP you want, in the firewall?

1 Like

I'm not really seeing a need to be so exact here... it's a lot more complex... but I can see how it is more beneficial...

Just stress-test over a longer period with 50% netem loss or something... for the actual conntrack hooks... you can also use state + limit and/or ipsets+timeouts rules...

1 Like

This seems to be a really good solution. I didn't know that there is a -D parameter which deletes the rule. I read that I can even use -A in order to add the rule as the last one and then -D to delete it. I can even create a script doing it.

I have to fill that gap in my iptables knowledge...

Thanks!

1 Like

This is a good solution as well; if I could mark two answers as possible solutions I would mark yours as well :)

With "tc" I can set 100% packet loss which will do the trick, I think.

Thanks a lot for your reply!

1 Like
