
Re: ssh connection survives reboot of stateful iptables router

also sprach Pascal Hambourg <pascal.mail@plouf.fr.eu.org> [2006.07.04.1222 +0200]:
> >  -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> >  -A INPUT -m conntrack --ctstate NEW -p tcp --syn -j open-tcp-ports
> >  -A INPUT -m conntrack --ctstate NEW -p udp -j open-udp-ports
> >
> >  -A open-tcp-ports --dport 22 -j ACCEPT
> Yes. You just need to add the protocol match (-p tcp) again, because the 
> --dport match is valid only with TCP and UDP.

Right. One other question before I go and try out what I learnt
today: on the basis that it's not okay to drop bad packets before
accepting good packets, the following would not be okay even though
they're logically equivalent?

  drop INVALID
  accept NEW --dport ssh --syn


  drop INVALID
  drop ! NEW
  drop ! --syn
  accept --dport ssh


Thanks guys for your patience.

... and I thought I had moderately understood this stuff.

Please do not send copies of list mail to me; I read the list!
 .''`.     martin f. krafft <madduck@debian.org>
: :'  :    proud Debian developer and author: http://debiansystem.info
`. `'`
  `-  Debian - when you have better things to do than fixing a system
"an intellectual is someone who has found
 something more interesting than sex."
                                                      -- edgar wallace
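The question above asks whether the two rule lists are equivalent. The following is an added example, not code from the thread or from either poster: a small first-match simulation of the two INPUT chain variants, evaluated over every combination of the packet attributes the rules actually look at (conntrack state, protocol, SYN flag, destination port). The rule and packet model, the `CHAIN_A`/`CHAIN_B` names and the constructed packet space are assumptions made here; the conntrack state machine itself is not modelled, each packet simply carries a state label. The `--syn` and `--dport` matches are modelled as only firing alongside `-p tcp`, which is the point made earlier in the thread.

```python
# Added example (not from the original thread): first-match simulation of
# the two chain variants in the question, to check whether they agree on
# every packet shape. Names and the packet model are assumptions.
from itertools import product

# Constructed sample space, not captured traffic: a packet is described only
# by the attributes the rules look at.
CTSTATES = ("NEW", "ESTABLISHED", "RELATED", "INVALID")
PROTOS = ("tcp", "udp")
DPORTS = (22, 80)


def rule(verdict, ctstate=None, not_ctstate=None, proto=None, syn=None, dport=None):
    """One iptables-style rule: every given match must hold for it to fire."""
    def matches(pkt):
        if ctstate is not None and pkt["ctstate"] != ctstate:
            return False
        if not_ctstate is not None and pkt["ctstate"] == not_ctstate:
            return False
        if proto is not None and pkt["proto"] != proto:
            return False
        # --syn only makes sense with -p tcp: it never matches a UDP packet.
        if syn is not None and (pkt["proto"] != "tcp" or pkt["syn"] != syn):
            return False
        if dport is not None and pkt["dport"] != dport:
            return False
        return True
    return (matches, verdict)


def run_chain(chain, pkt, policy="DROP"):
    """iptables semantics: the first matching rule wins, else the chain policy."""
    for matches, verdict in chain:
        if matches(pkt):
            return verdict
    return policy


# Variant A from the question: drop INVALID, accept NEW tcp SYN to ssh.
CHAIN_A = [
    rule("DROP", ctstate="INVALID"),
    rule("ACCEPT", ctstate="NEW", proto="tcp", syn=True, dport=22),
]

# Variant B from the question: drop INVALID, drop anything not NEW, drop tcp
# that is not a SYN, then accept tcp to ssh (with -p tcp on both tcp rules).
CHAIN_B = [
    rule("DROP", ctstate="INVALID"),
    rule("DROP", not_ctstate="NEW"),
    rule("DROP", proto="tcp", syn=False),
    rule("ACCEPT", proto="tcp", dport=22),
]


def all_packets():
    """Every combination of the modelled attributes (UDP has no SYN flag)."""
    for ctstate, proto, syn, dport in product(CTSTATES, PROTOS, (True, False), DPORTS):
        if proto == "udp" and syn:
            continue
        yield {"ctstate": ctstate, "proto": proto, "syn": syn, "dport": dport}


def differing_packets(chain_a, chain_b, policy="DROP"):
    """Return every packet on which the two chains give different verdicts."""
    return [p for p in all_packets()
            if run_chain(chain_a, p, policy) != run_chain(chain_b, p, policy)]


if __name__ == "__main__":
    for policy in ("DROP", "ACCEPT"):
        diff = differing_packets(CHAIN_A, CHAIN_B, policy)
        print(f"policy {policy}: {len(diff)} packet shape(s) differ")
        for p in diff:
            print("  ", p, run_chain(CHAIN_A, p, policy), "vs", run_chain(CHAIN_B, p, policy))
```

With a DROP policy on the chain the two variants agree on every modelled packet, because everything variant B drops explicitly is something variant A lets fall through to the policy. With an ACCEPT policy they stop being equivalent: variant B still drops ESTABLISHED, RELATED and non-SYN tcp packets, while variant A lets them fall through and be accepted. So the equivalence the question assumes holds only together with the chain's default policy, which is worth checking whenever rules are reordered.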
