
Re: ssh connection survives reboot of stateful iptables router

martin f krafft wrote:

What's the difference between state NEW and --syn?

NEW is based on the packet state as seen by the connection tracking system. --syn is based on the value of TCP flags in the packet header. So NEW and --syn must be considered independent, even though the TCP conntrack internally uses the TCP flags.

You are absolutely right. However, I wonder whether that hole you're
mentioning doesn't already exist anyway, thanks to the "feature" of
connection pickup.

No. The hole exists in your ruleset because you made wrong assumptions about how the TCP conntrack works.

Okay. So a good way to do this would be:

  -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  -A INPUT -m conntrack --ctstate NEW -p tcp --syn -j open-tcp-ports
  -A INPUT -m conntrack --ctstate NEW -p udp -j open-udp-ports

  -A open-tcp-ports --dport 22 -j ACCEPT

Yes. You just need to add the protocol match (-p tcp) again, because the --dport match is valid only with TCP and UDP.
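To make the two points of this thread mechanically checkable, here is an added example (my own code, not part of the thread) that lints iptables-save style rule lines for a --dport/--syn match missing its -p, and for a --ctstate NEW rule that accepts TCP without also requiring --syn. The sample ruleset is constructed from the rules proposed above plus one extra rule.

```python
# Added example (not from the thread): lint iptables-save rules for a port/--syn match
# lacking its -p, and for a NEW rule that accepts TCP without requiring --syn.
import shlex

PORT_PROTOS = {"tcp", "udp", "udplite", "sctp", "dccp"}  # protocols whose match offers --dport
PORT_OPTS = {"--dport", "--destination-port", "--sport", "--source-port"}

def _present(toks, opt):
    """True if opt appears in the rule and is not negated by a preceding '!'."""
    return any(t == opt and (i == 0 or toks[i - 1] != "!") for i, t in enumerate(toks))

def lint_rule(line):
    """Return findings for one '-A CHAIN ...' rule; [] if fine or not an -A rule."""
    toks = shlex.split(line)
    if len(toks) < 2 or toks[0] != "-A":
        return []
    proto, target, states = None, None, set()
    for i, t in enumerate(toks[:-1]):
        if t in ("-p", "--protocol"):
            proto = toks[i + 1].lower()
        elif t in ("-j", "--jump"):
            target = toks[i + 1]
        elif t in ("--ctstate", "--state"):
            states.update(s.upper() for s in toks[i + 1].split(","))
    findings = []
    if any(o in toks for o in PORT_OPTS) and proto not in PORT_PROTOS:
        findings.append("port match without -p tcp/udp (iptables rejects the rule)")
    if "--syn" in toks and proto != "tcp":
        findings.append("--syn without -p tcp")
    # A NEW rule that only discards traffic is harmless without --syn, so skip DROP/REJECT.
    if "NEW" in states and proto == "tcp" and target not in ("DROP", "REJECT") and not _present(toks, "--syn"):
        findings.append("NEW tcp rule does not require --syn")
    return findings

def lint_ruleset(text):
    """Map each offending rule line to its findings (non-rule lines yield none)."""
    checked = {r.strip(): lint_rule(r.strip()) for r in text.splitlines() if r.strip()}
    return {rule: f for rule, f in checked.items() if f}

# Constructed sample: the rules proposed in the thread plus one extra rule.
SAMPLE = """
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate NEW -p tcp --syn -j open-tcp-ports
-A INPUT -m conntrack --ctstate NEW -p udp -j open-udp-ports
-A open-tcp-ports --dport 22 -j ACCEPT
-A INPUT -m conntrack --ctstate NEW -p tcp --dport 80 -j ACCEPT
"""

if __name__ == "__main__":
    for rule, findings in lint_ruleset(SAMPLE).items():
        print(rule, "->", "; ".join(findings))
```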
