[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

ssh connection survives reboot of stateful iptables router

I was surprised today to find an SSH connection from my LAN to the
'Net surviving a power cycle of my router -- a laptop running sarge
with kernel 2.6 and iptables.

I have the following two rules first thing in the FORWARD chain:

  -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  -A FORWARD -m conntrack --ctstate INVALID -j DROP

to me, this means that SYN packets may pass to the actual rules, and
packets belonging to a connection known to the router are accepted.
During the reboot, the router surely forgot about the existing
connections, so why can the SSH connection persist? Is there some
Linux magic going on?

Please do not send copies of list mail to me; I read the list!
 .''`.     martin f. krafft <madduck@debian.org>
: :'  :    proud Debian developer and author: http://debiansystem.info
`. `'`
  `-  Debian - when you have better things to do than fixing a system
consciousness: that annoying time between naps.

Attachment: signature.asc
Description: Digital signature (GPG/PGP)

Reply to: