
Re: ssh connection survives reboot of stateful iptables router



On Tue, 4 Jul 2006, martin f krafft wrote:

> Many people have rules like
>
>   -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
>   -A INPUT -p tcp -m tcp --dport 22 --syn -j ACCEPT
>
> I've done research and found that
>
>   -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
>   -A INPUT -m conntrack --ctstate INVALID -j DROP
>   -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
>
> is the same, meaning that the INVALID state matches all non-SYN
> packets at this point.

That's plain false: the INVALID state does not match all non-SYN packets
at that point. It's nowhere written or stated in any decent documentation.

Best regards,
Jozsef
-
E-mail  : kadlec@blackhole.kfki.hu, kadlec@sunserv.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary
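An added illustration, not from this thread or from netfilter's own code: a simplified Python model of how conntrack classifies a TCP packet that has no existing entry, and how the two INPUT rule sets quoted above treat it. It assumes Linux's nf_conntrack_tcp_loose setting (default 1), under which a mid-stream packet with no entry is picked up as NEW rather than INVALID; the Packet type and the rule-set functions are constructed for the example.

```python
# Simplified model (constructed for illustration): a single TCP packet,
# the conntrack state it would be given, and the verdict of each rule set.
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    dport: int
    syn: bool
    ack: bool
    in_table: bool   # conntrack already has an entry for this flow

def ctstate(pkt: Packet, tcp_loose: int = 1) -> str:
    """Return the ctstate conntrack would report (simplified model)."""
    if pkt.in_table:
        return "ESTABLISHED"
    if pkt.syn and not pkt.ack:
        return "NEW"                  # first packet of a handshake
    if pkt.syn and pkt.ack:
        return "INVALID"              # SYN/ACK without a preceding SYN
    # Bare ACK/data packet with no entry: picked up as NEW when
    # nf_conntrack_tcp_loose=1 (the default), INVALID when it is 0.
    return "NEW" if tcp_loose else "INVALID"

def ruleset_syn(pkt: Packet, tcp_loose: int = 1) -> str:
    """RELATED,ESTABLISHED ACCEPT; tcp --dport 22 --syn ACCEPT; else DROP."""
    if ctstate(pkt, tcp_loose) in ("RELATED", "ESTABLISHED"):
        return "ACCEPT"
    if pkt.dport == 22 and pkt.syn and not pkt.ack:   # --syn: SYN set, ACK clear
        return "ACCEPT"
    return "DROP"

def ruleset_invalid(pkt: Packet, tcp_loose: int = 1) -> str:
    """RELATED,ESTABLISHED ACCEPT; INVALID DROP; tcp --dport 22 ACCEPT; else DROP."""
    st = ctstate(pkt, tcp_loose)
    if st in ("RELATED", "ESTABLISHED"):
        return "ACCEPT"
    if st == "INVALID":
        return "DROP"
    if pkt.dport == 22:
        return "ACCEPT"
    return "DROP"

def compare(pkt: Packet, tcp_loose: int = 1) -> tuple:
    """Verdicts of (rule set with --syn, rule set with INVALID DROP)."""
    return ruleset_syn(pkt, tcp_loose), ruleset_invalid(pkt, tcp_loose)

if __name__ == "__main__":
    stray_ack = Packet(dport=22, syn=False, ack=True, in_table=False)
    print(compare(stray_ack))               # ('DROP', 'ACCEPT') with tcp_loose=1
    print(compare(stray_ack, tcp_loose=0))  # ('DROP', 'DROP')
```

With the default loose tracking, a stray ACK to port 22 is NEW, not INVALID, so the second rule set accepts what the first one drops; the two sets only coincide when nf_conntrack_tcp_loose is 0.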


