Iptables – conntrack -L does not show any connection

Conntrack just enables you to view and manipulate the stateful data about connections. It doesn't manipulate the the TCP packets flowing as part of that ssh connection.

If you want to break the ssh session, and you just delete that connection's state data, a new connection will begin being tracked. Just as when the ssh session was initially detected as a new connection, the protocol tracking just sees the next packet in the ongoing ssh session and begins tracking that connection.

If you want to break the connection, you need to remove the iptables rule which allows that session to start. Then when drop the connection via Conntrack, the next packet which is part of the ssh session will be denied by your firewall, (presuming it is otherwise configured to drop packets not part of some connection being tracked,) and the ssh session will cease to work.

I realise you stated that you want to keep the original IP address hitting your Python server, but you might be taking the wrong approach here. It's standard practice to pass through the original IP address via HTTP in the X-Forwarded-For header. Most web frameworks will pick up this header and use in place of the original IP address if it's specified.

If you wanted to go down that road, all you'd need is a front end web server. It's a good idea to have a front end, anyway: it's more secure because no-one has direct access to your app server, and you can easily implement services like HTTPS and caching without taking more CPU cycles on the app server. Something like Nginx would do the trick beautifully.