I was surprised today to find an SSH connection from my LAN to the 'Net surviving a power cycle of my router -- a laptop running sarge with kernel 2.6 and iptables. I have the following two rules first thing in the FORWARD chain:

  -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  -A FORWARD -m conntrack --ctstate INVALID -j DROP

To me, this means that SYN packets may pass to the actual rules, and packets belonging to a connection known to the router are accepted.
Any packets not belonging to an established connection or opening a related connection fall through to the actual filtering rules.
During the reboot, the router surely forgot about the existing connections, so why can the SSH connection persist? Is there some Linux magic going on?
After reboot the packets of your SSH connection were not known to belong to an established connection but fell through to your set of filter rules. I am sure that they were accepted there, resulting in acceptance of further packets of this connection as ESTABLISHED.
Ralf Döblitz
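The following is an added example, not part of the thread and not the poster's or Ralf's ruleset. It writes out a FORWARD chain in the shape the question describes, with an assumed filter rule that accepts outbound SSH by destination port, next to a variant that closes the gap the reply points at. The interface names, LAN subnet, DROP policy and the port-22 rule are assumptions for illustration; the two state rules are the ones from the question. The relevant kernel behaviour is that conntrack, with the sysctl nf_conntrack_tcp_loose (older kernels: ip_conntrack_tcp_loose) set to a nonzero value, which is the default, picks up a TCP connection it has never seen from a mid-stream ACK and classifies that packet as NEW rather than INVALID. After the reboot such an ACK therefore reaches the port rule, and once accepted there the rest of the session matches ESTABLISHED. A rule that drops NEW TCP packets without the SYN flag forces a real handshake instead.

```shell
#!/bin/sh
# Added example (not from the thread). Prints iptables-restore(8) rulesets;
# nothing is applied to the running kernel. Names below are assumptions.

LAN_IF="eth1"              # assumed LAN interface
WAN_IF="eth0"              # assumed uplink interface
LAN_NET="192.168.1.0/24"   # assumed LAN subnet

# Ruleset in the shape the question describes: state rules first, then an
# assumed rule that accepts outbound SSH by port alone. After a reboot the
# first mid-stream ACK of the old session is NEW (loose pickup), is accepted
# by the port rule, and every later packet then matches ESTABLISHED.
ruleset_original() {
    cat <<EOF
*filter
:FORWARD DROP [0:0]
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -p tcp --dport 22 -j ACCEPT
COMMIT
EOF
}

# Hardened variant: a NEW TCP connection must begin with a SYN. A mid-stream
# ACK that conntrack has picked up as NEW is dropped before any port rule,
# so a session from before the reboot cannot silently resume.
ruleset_hardened() {
    cat <<EOF
*filter
:FORWARD DROP [0:0]
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -p tcp --syn --dport 22 -j ACCEPT
COMMIT
EOF
}

# Report whether the running kernel picks up mid-stream TCP connections.
# Prints the sysctl value (nonzero = pickup on) or "unknown" when neither
# the nf_conntrack nor the older ip_conntrack sysctl file is readable.
midstream_pickup() {
    for f in /proc/sys/net/netfilter/nf_conntrack_tcp_loose \
             /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_loose; do
        if [ -r "$f" ]; then
            cat "$f"
            return 0
        fi
    done
    echo unknown
}

# Audit helper: count ACCEPT rules for TCP that do not insist on --syn.
# Reads a ruleset on stdin. Original ruleset -> 1, hardened ruleset -> 0.
count_synless_accepts() {
    grep -- '-p tcp' | grep -- '-j ACCEPT' | grep -vc -- '--syn' || true
}

# Run stand-alone to see both rulesets and the kernel's pickup setting.
echo "# original (synless accepts: $(ruleset_original | count_synless_accepts))"
ruleset_original
echo
echo "# hardened (synless accepts: $(ruleset_hardened | count_synless_accepts))"
ruleset_hardened
echo
echo "# tcp_loose on this host: $(midstream_pickup)"
```

On the router, `ruleset_hardened | iptables-restore` would install the strict variant; `count_synless_accepts` can be pointed at the output of `iptables-save` to find existing port rules that would let a picked-up connection through. Note that the `! --syn` rule only matters while loose pickup is enabled; setting the tcp_loose sysctl to 0 makes conntrack mark such packets INVALID instead, so the existing INVALID rule in the question would then drop them.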