Re: ssh connection survives reboot of stateful iptables router

On Tue, 4 Jul 2006, martin f krafft wrote:

> thus spoke Rene Mayrhofer <rene.mayrhofer@gibraltar.at> [2006.07.04.1013 +0200]:
> > That must be connection pickup. At
> > http://iptables-tutorial.frozentux.net/iptables-tutorial.html
> > search for "pickup".
> Excellent pointer, and yet another reason why we should really be
> looking for alternatives to the Linux kernel.
>   The default, without the tcp-window-tracking patch, is to have
>   this behaviour, and is not changeable.

Oskar's tutorial is really excellent; alas, in some places it's outdated.

First, in the 2.6 kernel tree, you can disable connection pickup via
sysctl. Second, regardless of 2.4/2.6, you can set up your rules at any
time in a way that disables connection pickup. For example:

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 --syn -j ACCEPT
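Both fixes above, as an added example that is not part of the original mail or of the tutorial it cites: a POSIX shell script that sets the conntrack sysctl and loads the two rules from the mail behind a DROP policy. Assumptions of mine: the sysctl key names (net.netfilter.nf_conntrack_tcp_loose on nf_conntrack kernels, net.ipv4.netfilter.ip_conntrack_tcp_loose on older 2.6 ip_conntrack kernels); the loopback ACCEPT and the DROP policy, which the two rules rely on but do not show; and the DRY_RUN switch, which only prints the commands so the script can be inspected without root.

```shell
#!/bin/sh
# Added example, not from the original mail: the two ways the reply
# describes to stop a rebooted stateful router from "picking up" a TCP
# connection mid-stream. Set DRY_RUN=1 to print the commands instead of
# running them (no root needed).
IPT="${IPT:-iptables}"
SYSCTL="${SYSCTL:-sysctl}"
SSH_PORT="${SSH_PORT:-22}"

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# 1. Kernel side (2.6 and later). With tcp_loose=0, conntrack does not
#    create an entry from a non-SYN packet it has no state for; the packet
#    is classified INVALID instead. The key name depends on whether the
#    kernel runs the old ip_conntrack or the newer nf_conntrack (assumed
#    names, checked against /proc/sys at run time).
tcp_loose_key() {
    if [ -e /proc/sys/net/netfilter/nf_conntrack_tcp_loose ]; then
        echo net.netfilter.nf_conntrack_tcp_loose
    else
        echo net.ipv4.netfilter.ip_conntrack_tcp_loose
    fi
}

disable_pickup_sysctl() {
    run "$SYSCTL" -w "$(tcp_loose_key)=0"
}

# 2. Rule side (2.4 or 2.6, no sysctl needed). A picked-up packet is the
#    first packet conntrack sees for that flow, so iptables classifies it
#    as NEW, not ESTABLISHED. Because it carries no SYN it matches neither
#    ACCEPT rule and hits the DROP policy, and the unconfirmed conntrack
#    entry is discarded with it. Two things must hold for this to work:
#    the chain policy (or a final rule) must drop, and the port rule must
#    test --syn rather than "--state NEW", since NEW alone would accept
#    the picked-up packet.
pickup_safe_rules() {
    cat <<EOF
-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport $SSH_PORT --syn -j ACCEPT
EOF
}

apply_rules() {
    pickup_safe_rules | while read -r rule; do
        # word-splitting $rule into separate arguments is intended here
        run "$IPT" $rule
    done
}

disable_pickup() {
    disable_pickup_sysctl
    apply_rules
}
```

Run it as root with no arguments to apply both settings, or as DRY_RUN=1 sh script.sh to see the exact sysctl and iptables commands it would issue. The ESTABLISHED,RELATED rule must stay ahead of the --syn rule; swapping them does not break pickup protection, but putting "--state NEW" in place of "--syn" does.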

