
Re: ssh connection survives reboot of stateful iptables router

thus spoke Ralf Döblitz <ralf@doeblitz.net> [2006.07.04.0927 +0200]:
> After reboot the packets of your SSH connection were not known to belong to 
> an established connection but fell through to your set of filter rules.

How? I load the DROP rules before the ACCEPT ones. I can't think of
a way this would be possible.

> am sure that they were accepted there,

Yes, if they ever got there.

Many people have rules like

  -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  -A INPUT -p tcp -m tcp --dport 22 --syn -j ACCEPT

I've done research and found that

  -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  -A INPUT -m conntrack --ctstate INVALID -j DROP
  -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT

is the same, meaning that the INVALID state matches all non-SYN
packets at this point.

Still surprised,

Please do not send copies of list mail to me; I read the list!
 .''`.     martin f. krafft <madduck@debian.org>
: :'  :    proud Debian developer and author: http://debiansystem.info
`. `'`
  `-  Debian - when you have better things to do than fixing a system
"in a country where the sole employer is the state, opposition means
 death by slow starvation. the old principle: who does not work shall
 not eat, has been replaced by a new one: who does not obey shall not
                                                 -- leon trotsky, 1937
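An added illustration, not part of the original mail: a small Python model of how the two rulesets quoted above treat a mid-stream SSH packet arriving just after the router's conntrack table was emptied by the reboot. The model is an assumption about netfilter's behaviour, and "tcp_loose" stands for the kernel's nf_conntrack_tcp_loose sysctl (ip_conntrack_tcp_loose on older kernels), which decides whether a non-SYN packet without a table entry is picked up as NEW or classified INVALID.

```python
from dataclasses import dataclass

# Simplified model (assumption, not kernel code) of netfilter's state
# classification and rule walk.  Default chain policy is assumed DROP.


@dataclass
class Packet:
    dport: int
    syn: bool
    ack: bool


def ctstate(pkt, table_has_entry, tcp_loose=True):
    """Conntrack state the kernel would assign to pkt."""
    if table_has_entry:
        return "ESTABLISHED"
    if pkt.syn and not pkt.ack:
        return "NEW"
    # Mid-stream packet with no entry: with tcp_loose the connection is
    # picked up as NEW, otherwise the packet is INVALID.
    return "NEW" if tcp_loose else "INVALID"


# Each rule: (ctstate set or None, dport or None, syn_only, target)
RULES_SYN = [
    ({"RELATED", "ESTABLISHED"}, None, False, "ACCEPT"),  # --ctstate RELATED,ESTABLISHED
    (None, 22, True, "ACCEPT"),                           # --dport 22 --syn
]
RULES_INVALID = [
    ({"RELATED", "ESTABLISHED"}, None, False, "ACCEPT"),
    ({"INVALID"}, None, False, "DROP"),                   # --ctstate INVALID
    (None, 22, False, "ACCEPT"),                          # --dport 22 (no --syn)
]


def verdict(rules, pkt, table_has_entry, tcp_loose=True, policy="DROP"):
    """Walk the ordered rules and return the first matching target."""
    state = ctstate(pkt, table_has_entry, tcp_loose)
    for states, dport, syn_only, target in rules:
        if states is not None and state not in states:
            continue
        if dport is not None and pkt.dport != dport:
            continue
        if syn_only and not (pkt.syn and not pkt.ack):
            continue
        return target
    return policy


if __name__ == "__main__":
    mid_stream = Packet(dport=22, syn=False, ack=True)  # constructed post-reboot packet
    print(verdict(RULES_SYN, mid_stream, False))                      # DROP
    print(verdict(RULES_INVALID, mid_stream, False, tcp_loose=True))  # ACCEPT
    print(verdict(RULES_INVALID, mid_stream, False, tcp_loose=False)) # DROP
```

The two rulesets agree only when mid-stream pickup is disabled; with the default loose setting the second ruleset accepts the post-reboot packet, so the surviving session is the expected outcome rather than a mystery.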
