Re: ssh connection survives reboot of stateful iptables router
martin f krafft wrote:
> What's the difference between state NEW and --syn?
NEW is based on the packet state as seen by the connection tracking
system. --syn is based on the value of TCP flags in the packet header.
So NEW and --syn must be considered independent, even though the TCP
conntrack internally uses the TCP flags.
> You are absolutely right. However, I wonder whether that hole you're
> mentioning doesn't already exist anyway, thanks to the "feature" of
No. The hole exists in your ruleset because you made wrong assumptions
about how the TCP conntrack works.
> Okay. So a good way to do this would be:
> -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -m conntrack --ctstate NEW -p tcp --syn -j open-tcp-ports
> -A INPUT -m conntrack --ctstate NEW -p udp -j open-udp-ports
> -A open-tcp-ports --dport 22 -j ACCEPT
Yes. You just need to add the protocol match (-p tcp) again, because the
--dport match is valid only with TCP and UDP.
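The following is an added example, not part of the thread above. It emits the agreed ruleset in iptables-restore format with the protocol match repeated on the --dport rule, and models the INPUT chain's verdicts so the NEW-versus---syn distinction can be exercised without touching a live firewall. The model assumes the kernel default nf_conntrack_tcp_loose=1: after the router reboots with an empty conntrack table, a mid-stream ACK of the old ssh session is picked up by conntrack and its first packet is classified NEW, so a ruleset that matches NEW without --syn lets it through. The function names emit_ruleset and verdict, and the "strict"/"loose" mode labels, are this example's own.

```shell
#!/bin/sh
# Added example (not from the original thread). Models the ruleset agreed on
# above and shows why "--ctstate NEW" alone is not the same as "--syn".
#
# Assumption (kernel default): nf_conntrack_tcp_loose=1, so after the router
# reboots with an empty conntrack table, a mid-stream ACK of the existing ssh
# session is picked up by conntrack and its first packet is classified NEW.

# Print the ruleset in iptables-restore format, with "-p tcp" repeated on the
# --dport rule as the reply requires. Apply with: emit_ruleset | iptables-restore
emit_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:open-tcp-ports - [0:0]
:open-udp-ports - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate NEW -p tcp --syn -j open-tcp-ports
-A INPUT -m conntrack --ctstate NEW -p udp -j open-udp-ports
-A open-tcp-ports -p tcp --dport 22 -j ACCEPT
COMMIT
EOF
}

# Model of the INPUT chain above. Arguments: mode, conntrack state, protocol,
# TCP flags as one token (SYN, ACK, SYN,ACK, ...), destination port.
#   strict = the ruleset above: a NEW TCP packet must also match --syn
#   loose  = the original ruleset: "--ctstate NEW" with no --syn
# --syn matches only when SYN is set and ACK, RST and FIN are clear, so the
# model treats exactly the token "SYN" as a --syn match.
verdict() {
    mode=$1 ctstate=$2 proto=$3 flags=$4 dport=$5
    case $ctstate in
        ESTABLISHED|RELATED) echo ACCEPT; return ;;
    esac
    [ "$ctstate" = NEW ] || { echo DROP; return; }   # INVALID etc.: policy DROP
    case $proto in
        tcp)
            if [ "$mode" = strict ] && [ "$flags" != SYN ]; then
                echo DROP; return                      # NEW but not --syn
            fi
            if [ "$dport" = 22 ]; then echo ACCEPT; else echo DROP; fi ;;
        udp)
            echo DROP ;;                               # open-udp-ports is empty here
        *)
            echo DROP ;;
    esac
}

# Walk-through: first ACK of the surviving ssh session after the router reboot.
for mode in loose strict; do
    printf '%s ruleset, conntrack NEW, TCP flags ACK, dport 22: %s\n' \
        "$mode" "$(verdict "$mode" NEW tcp ACK 22)"
done
```

With the loose ruleset the mid-stream ACK is accepted, which is exactly how the ssh session survives the router reboot; with --syn required on NEW, it is dropped and only a fresh SYN to port 22 gets in. Setting net.netfilter.nf_conntrack_tcp_loose=0 changes the conntrack side of this (mid-stream packets become INVALID instead of NEW), but the rule ordering above does not depend on that knob.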