also sprach Ralf Döblitz <ralf@doeblitz.net> [2006.07.04.0927 +0200]:
> After reboot the packets of your SSH connection were not known to belong
> to an established connection but fell through to your set of filter
> rules.
How? I load the DROP rules before the ACCEPT ones. I can't think of
a way this would be possible.
> am sure that they were accepted there,
Yes, if they ever got there.
Many people have rules like
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 --syn -j ACCEPT
I've done research and found that
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
is the same, meaning that the INVALID state matches all non-SYN
packets at this point.
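The following is an added example, not code from the thread or from netfilter. It is a toy first-match evaluator that reads the two INPUT rulesets exactly as quoted above and runs a constructed packet through them, once with the SSH session present in a conntrack table and once with the table empty, as it is right after a reboot. It assumes the chain policy is DROP (the thread does not state it) and classifies a packet that is neither tracked nor a pure SYN as INVALID, which is the reading given above; a real kernel with tcp_loose enabled may instead pick such a packet up as NEW, so treat the classification as a modelling assumption.

```python
"""Toy first-match evaluator for the two INPUT rulesets quoted in the thread.

Added example, not from the thread or from netfilter. Modelling assumptions:
chain policy is DROP, and a packet that is neither in the conntrack table nor
a pure SYN is classified INVALID (a kernel with tcp_loose may say NEW instead).
"""
import shlex
from dataclasses import dataclass

# The two rulesets from the thread, verbatim.
RULESET_SYN_ONLY = [
    "-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT",
    "-A INPUT -p tcp -m tcp --dport 22 --syn -j ACCEPT",
]
RULESET_INVALID_DROP = [
    "-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT",
    "-A INPUT -m conntrack --ctstate INVALID -j DROP",
    "-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT",
]


@dataclass(frozen=True)
class Packet:
    proto: str
    dport: int
    syn: bool      # True only for SYN without ACK, which is what "--syn" matches
    flow: tuple    # (saddr, sport, daddr, dport), used as the conntrack key


def parse_rule(line):
    """Turn one iptables-save style line into a dict of match criteria.

    Only the options used in the thread are understood; anything else raises.
    """
    toks = shlex.split(line)
    rule = {"states": None, "proto": None, "dport": None, "syn": False, "target": None}
    i = 0
    while i < len(toks):
        t = toks[i]
        if t == "--ctstate":
            rule["states"] = set(toks[i + 1].split(","))
            i += 2
        elif t == "-p":
            rule["proto"] = toks[i + 1]
            i += 2
        elif t == "--dport":
            rule["dport"] = int(toks[i + 1])
            i += 2
        elif t == "--syn":
            rule["syn"] = True
            i += 1
        elif t == "-j":
            rule["target"] = toks[i + 1]
            i += 2
        elif t in ("-A", "-m"):
            i += 2  # chain name / match module name, not needed for this model
        else:
            raise ValueError(f"unsupported token {t!r} in {line!r}")
    return rule


def ctstate(pkt, conntrack):
    """Conntrack state of a packet given the set of tracked flows."""
    if pkt.flow in conntrack:
        return "ESTABLISHED"
    if pkt.syn:
        return "NEW"
    return "INVALID"  # modelling assumption, see module docstring


def rule_matches(rule, pkt, state):
    if rule["states"] is not None and state not in rule["states"]:
        return False
    if rule["proto"] is not None and pkt.proto != rule["proto"]:
        return False
    if rule["dport"] is not None and pkt.dport != rule["dport"]:
        return False
    if rule["syn"] and not pkt.syn:
        return False
    return True


def evaluate(rules, pkt, conntrack, policy="DROP"):
    """Return (verdict, index of the matching rule, or None for the chain policy)."""
    state = ctstate(pkt, conntrack)
    for i, rule in enumerate(parse_rule(r) for r in rules):
        if rule_matches(rule, pkt, state):
            return rule["target"], i
    return policy, None


# Constructed sample traffic (RFC 5737 documentation addresses): a plain ACK
# from an SSH session set up before the reboot, and a fresh SYN for a new one.
SSH_FLOW = ("192.0.2.10", 51000, "192.0.2.1", 22)
MID_STREAM = Packet("tcp", 22, syn=False, flow=SSH_FLOW)
NEW_SYN = Packet("tcp", 22, syn=True, flow=("192.0.2.10", 51001, "192.0.2.1", 22))


def compare(conntrack):
    """Verdict for the mid-stream SSH packet under both rulesets."""
    return {
        "syn_only": evaluate(RULESET_SYN_ONLY, MID_STREAM, conntrack),
        "invalid_drop": evaluate(RULESET_INVALID_DROP, MID_STREAM, conntrack),
    }


if __name__ == "__main__":
    print("before reboot:", compare({SSH_FLOW}))
    print("after reboot: ", compare(set()))
    print("new SYN after reboot:", evaluate(RULESET_INVALID_DROP, NEW_SYN, set()))
```

With the session in the conntrack table both rulesets accept the packet on the first rule; with the table empty the packet is neither ESTABLISHED nor a SYN, so under the first ruleset it matches nothing and lands on the chain policy, while under the second it is dropped explicitly by the INVALID rule. A fresh SYN is accepted by both, which is the sense in which the two rulesets are equivalent for port 22.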