conntrack delete does not stop runnig copy of big file

networking linux iptables nat router

Solution 1:

https://www.kernel.org/doc/Documentation/networking/nf_conntrack-sysctl.txt

nf_conntrack_tcp_loose - BOOLEAN
0 - disabled not 0 - enabled (default)
If it is set to zero, we disable picking up already established connections.

So the already established connection is detected on-the-fly (without SYN/SYN+ACK/ACK involved) and added back as a new conntrack entry. Since it's a new conntrack entry, the nat table will be traversed again and the DNAT rule applied again. Even if one way doesn't work immediately (if there's no SNAT/MASQUERADE defined in addition to the DNAT rule the http server's outgoing packets might appear on WAN as 192.168.3.17 for a short while and be rejected/ignored by 192.168.33.13), as soon as the other way tries again (ACK retry from 192.168.33.13...) this will match.

Type this:

echo 0 > /proc/sys/net/netfilter/nf_conntrack_tcp_loose

And try again deleting the conntrack entry with conntrack -D ...

This should hopefully prevent a new conntrack entry to be created and cut the download.

Related

Using iptables to redirect traffic to a dynamic DNS name instead of an IP address?
My monitor doesn't auto-turn off!
Java services stop working when user logs out
MS Security Essentials does not update automatically
How to see a friend's reviews on the App Store?
Assigning Values to Subsets of Subsets
How to bind a list of items to textbox inside stackpanel
Send Email from ASPX page using VB [closed]
How to get random item from a list in python3 without any module
Check if a node is present in Path from A to B in tree
eclipse 2021 version in dynamic web project there is WebContent is not available ! where i am supposed to write my html and java code for servlet? [duplicate]
Formulating the "close enough to zero" condition