
Re: ssh connection survives reboot of stateful iptables router



--On Monday, July 03, 2006 23:52:38 +0200 martin f krafft <madduck@debian.org> wrote:

> I was surprised today to find an SSH connection from my LAN to the
> 'Net surviving a power cycle of my router -- a laptop running sarge
> with kernel 2.6 and iptables.
>
> I have the following two rules first thing in the FORWARD chain:
>
>   -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
>   -A FORWARD -m conntrack --ctstate INVALID -j DROP
>
> To me, this means that SYN packets may pass to the actual rules, and
> packets belonging to a connection known to the router are accepted.

Any packets not belonging to an established connection or opening a related connection fall through to the actual filtering rules.

> During the reboot, the router surely forgot about the existing
> connections, so why can the SSH connection persist? Is there some
> Linux magic going on?

After reboot the packets of your SSH connection were not known to belong to an established connection but fell through to your set of filter rules. I am sure that they were accepted there, resulting in acceptance of further packets of this connection as ESTABLISHED.

Ralf Döblitz
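The mechanism Ralf describes, as an added example (not part of the thread, and not the poster's actual ruleset): a toy model of the FORWARD chain with connection tracking. It replays the first packets of an already-open SSH session against a router whose conntrack table is empty, with the two quoted rules and a stand-in "let the LAN out" rule, and then with a rule that refuses mid-stream pickup. The LAN prefix 192.168.1., the addresses and ports, and the simplified TCP state decision are all constructed for the demo; the "tcp_loose" switch mirrors the kernel's nf_conntrack_tcp_loose sysctl (ip_conntrack_tcp_loose on ip_conntrack kernels of the sarge era), which defaults to 1 and is what lets a bare ACK be tracked as a NEW connection rather than INVALID.

```python
# Added example: a toy model of the FORWARD chain with connection tracking,
# showing why a mid-stream SSH packet gets through after the router loses
# its conntrack table, and which rule closes that hole.
# Addresses, ports, LAN prefix and rule order are constructed for the demo.
from dataclasses import dataclass

LAN_PREFIX = "192.168.1."        # assumed LAN side of the router


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: frozenset             # TCP flags present, e.g. frozenset({"ACK"})


class Conntrack:
    """Minimal stand-in for nf_conntrack's TCP state decision."""

    def __init__(self, tcp_loose=True):
        # tcp_loose mirrors net.netfilter.nf_conntrack_tcp_loose (default 1):
        # when set, a non-SYN packet with no matching entry is picked up as
        # NEW instead of being marked INVALID.
        self.tcp_loose = tcp_loose
        self.table = set()       # confirmed flows, direction-independent

    @staticmethod
    def key(p):
        return frozenset({(p.src, p.sport), (p.dst, p.dport)})

    def ctstate(self, p):
        if self.key(p) in self.table:
            return "ESTABLISHED"
        if "SYN" in p.flags and "ACK" not in p.flags:
            return "NEW"
        return "NEW" if self.tcp_loose else "INVALID"

    def confirm(self, p):
        self.table.add(self.key(p))


# Each rule returns a verdict or None (no match), like an iptables rule.
def accept_related_established(p, st):
    # -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    return "ACCEPT" if st in ("RELATED", "ESTABLISHED") else None


def drop_invalid(p, st):
    # -A FORWARD -m conntrack --ctstate INVALID -j DROP
    return "DROP" if st == "INVALID" else None


def drop_new_without_syn(p, st):
    # -A FORWARD -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
    # A NEW TCP flow must begin with a bare SYN; no mid-stream pickup.
    return "DROP" if st == "NEW" and "SYN" not in p.flags else None


def accept_lan_to_anywhere(p, st):
    # Stand-in for the poster's "actual filtering rules": let the LAN out.
    return "ACCEPT" if p.src.startswith(LAN_PREFIX) else None


ORIGINAL_CHAIN = [accept_related_established, drop_invalid, accept_lan_to_anywhere]
HARDENED_CHAIN = [accept_related_established, drop_invalid,
                  drop_new_without_syn, accept_lan_to_anywhere]


def forward(ct, p, chain):
    """Walk the FORWARD chain (policy DROP); accepted packets confirm the flow."""
    st = ct.ctstate(p)
    verdict = next((v for v in (r(p, st) for r in chain) if v), "DROP")
    if verdict == "ACCEPT":
        ct.confirm(p)
    return verdict


def replay_after_reboot(chain, tcp_loose=True):
    """Verdicts for the first two packets of an already-open SSH session as
    seen by a router whose conntrack table is empty (it just rebooted)."""
    ct = Conntrack(tcp_loose)
    client_ack = Packet("192.168.1.10", "203.0.113.5", 40000, 22, frozenset({"ACK"}))
    server_ack = Packet("203.0.113.5", "192.168.1.10", 22, 40000, frozenset({"ACK"}))
    return [forward(ct, client_ack, chain), forward(ct, server_ack, chain)]


def replay_new_session(chain, tcp_loose=True):
    """Verdicts for a brand-new SSH session: SYN out, SYN/ACK back."""
    ct = Conntrack(tcp_loose)
    syn = Packet("192.168.1.10", "203.0.113.5", 40001, 22, frozenset({"SYN"}))
    syn_ack = Packet("203.0.113.5", "192.168.1.10", 22, 40001, frozenset({"SYN", "ACK"}))
    return [forward(ct, syn, chain), forward(ct, syn_ack, chain)]


if __name__ == "__main__":
    print("original chain, tcp_loose=1:", replay_after_reboot(ORIGINAL_CHAIN))
    print("original chain, tcp_loose=0:", replay_after_reboot(ORIGINAL_CHAIN, tcp_loose=False))
    print("hardened chain, tcp_loose=1:", replay_after_reboot(HARDENED_CHAIN))
    print("hardened chain, new session:", replay_new_session(HARDENED_CHAIN))
```

With the two quoted rules plus a permissive LAN-out rule, the first bare ACK after the reboot is tracked as NEW, falls through to the LAN-out rule, is accepted, and the reply is then ESTABLISHED, which is exactly the surviving connection. The equivalent on a real box is either a rule after the INVALID one, `iptables -A FORWARD -p tcp ! --syn -m conntrack --ctstate NEW -j DROP`, or `sysctl -w net.netfilter.nf_conntrack_tcp_loose=0`, which makes such packets INVALID so the existing DROP rule catches them. The caveat is the mirror image of the poster's surprise: with either change, every connection through the router is killed whenever the router reboots or its conntrack table is flushed.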
