
Re: ssh connection survives reboot of stateful iptables router

Felipe Figueiredo <philsf@ufrj.br> writes:
> On Monday 03 July 2006 18:52, martin f krafft wrote:
>> I was surprised today to find an SSH connection from my LAN to the
>> 'Net surviving a power cycle of my router -- a laptop running sarge
>> with kernel 2.6 and iptables.
>> I have the following two rules first thing in the FORWARD chain:
>>   -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
>>   -A FORWARD -m conntrack --ctstate INVALID -j DROP
>> to me, this means that SYN packets may pass to the actual rules, and
>> packets belonging to a connection known to the router are accepted.
>> During the reboot, the router surely forgot about the existing
>> connections, so why can the SSH connection persist? Is there some
>> Linux magic going on?
> Since I have experienced something similar, I add to the question: my ssh 
> connections survived for some minutes if I disconnected/reconnected in my 
> old dialup days. It obviously changed IP address.
> How is that possible?

It isn't.  You probably had the same IP address after reconnecting, so
your session continued.  

If you changed IP address then the ssh connection would fail to work,
but it may take some minutes for the TCP stack to give up on the
connection, creating an illusion that it continued to be connected.

I can't comment on the issue the OP raised, but I can note that I have
had SSH sessions cut by having a stateful Linux firewall between the
endpoints reset.


Digital Infrastructure Solutions -- making IT simple, stable and secure
Phone: 0401 155 707        email: contact@digital-infrastructure.com.au
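Added example for this thread (not code from the list post or from any project): a toy model of what a stateful Linux router does to an SSH session that was set up before the router rebooted, so the OP's observation and the "sessions cut by a firewall reset" observation above can both be reproduced. The assumption behind it is the kernel's TCP "loose" tracking: with net.netfilter.nf_conntrack_tcp_loose=1 (the default; on the 2.6-era kernels the OP ran it was net.ipv4.netfilter.ip_conntrack_tcp_loose) a non-SYN packet that matches no conntrack entry is picked up as a NEW connection rather than marked INVALID, so the OP's two rules let it fall through to whatever comes next in FORWARD. The addresses, the "LAN may originate anything" policy that is assumed to follow the OP's two rules, and the optional hardening rule `-A FORWARD -p tcp ! --syn -m conntrack --ctstate NEW -j DROP` are this example's own, not from the post.

```python
"""Toy model of conntrack TCP pickup across a router reboot (added example,
not the kernel's code).  Addresses and site policy are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    iface: str            # ingress interface: "lan" or "wan"
    syn: bool = False
    ack: bool = False

    def is_syn_only(self) -> bool:
        # what iptables' --syn matches: SYN set, ACK (and RST/FIN) clear
        return self.syn and not self.ack


class Conntrack:
    """Minimal model of the conntrack table for TCP."""

    def __init__(self, tcp_loose: bool = True):
        self.tcp_loose = tcp_loose          # models nf_conntrack_tcp_loose
        self.table = {}                     # original 4-tuple -> {"replied": bool}

    @staticmethod
    def _key(p):
        return (p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _rkey(p):
        return (p.dst, p.dport, p.src, p.sport)

    def flush(self):
        """A reboot: every tracked connection is forgotten."""
        self.table.clear()

    def classify(self, p):
        """Return (ctstate, pending_key).  A pending key is the entry this
        packet would create; as in the kernel it is only confirmed if the
        packet is accepted."""
        k, rk = self._key(p), self._rkey(p)
        if k in self.table:
            return ("ESTABLISHED" if self.table[k]["replied"] else "NEW"), None
        if rk in self.table:
            self.table[rk]["replied"] = True
            return "ESTABLISHED", None
        if p.is_syn_only():
            return "NEW", k                 # a genuine connection start
        if self.tcp_loose:
            return "NEW", k                 # mid-stream pickup (loose tracking)
        return "INVALID", None              # strict tracking rejects it

    def confirm(self, key):
        self.table[key] = {"replied": False}


def forward_verdict(ct, p, drop_non_syn_new=False):
    """The OP's two FORWARD rules, an optional hardening rule, then an
    assumed site policy: LAN may originate, WAN may not."""
    state, pending = ct.classify(p)
    if state in ("ESTABLISHED", "RELATED"):
        verdict = "ACCEPT"                  # --ctstate RELATED,ESTABLISHED -j ACCEPT
    elif state == "INVALID":
        verdict = "DROP"                    # --ctstate INVALID -j DROP
    elif drop_non_syn_new and not p.is_syn_only():
        verdict = "DROP"                    # -p tcp ! --syn --ctstate NEW -j DROP
    else:
        verdict = "ACCEPT" if p.iface == "lan" else "DROP"   # assumed policy
    if verdict == "ACCEPT" and pending is not None:
        ct.confirm(pending)
    return verdict


def session_after_reboot(tcp_loose, drop_non_syn_new):
    """Set up an SSH session through the router, reboot it, then report the
    verdicts on the client's next data packet and on the server's reply."""
    ct = Conntrack(tcp_loose)
    client, server = ("10.0.0.5", 51234), ("203.0.113.9", 22)   # constructed
    handshake = [
        Packet(*client, *server, "lan", syn=True),
        Packet(*server, *client, "wan", syn=True, ack=True),
        Packet(*client, *server, "lan", ack=True),
    ]
    if any(forward_verdict(ct, p, drop_non_syn_new) != "ACCEPT" for p in handshake):
        raise RuntimeError("handshake should always pass")
    ct.flush()                              # the router power-cycles
    data = forward_verdict(ct, Packet(*client, *server, "lan", ack=True), drop_non_syn_new)
    reply = forward_verdict(ct, Packet(*server, *client, "wan", ack=True), drop_non_syn_new)
    return data, reply


if __name__ == "__main__":
    for loose in (True, False):
        for strict in (False, True):
            print(f"tcp_loose={int(loose)} drop_non_syn_new={strict}:",
                  session_after_reboot(loose, strict))
```

With loose tracking and no `! --syn` rule the client's first post-reboot data packet is NEW, passes the LAN-originates policy, recreates the entry, and the server's reply is ESTABLISHED: the session survives, as the OP saw. With loose tracking off, or with the `! --syn` rule in place, both packets are dropped; the client then retransmits until its TCP stack gives up, which is the minutes-long limbo described in the reply above and the "sessions cut by a firewall reset" case. Whether you want pickup is a policy choice: it is convenient, but it also lets a stateful router forward a TCP stream it never saw the start of, so check the sysctl before relying on the INVALID rule alone.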
