
Re: ssh connection survives reboot of stateful iptables router



On Tue, 4 Jul 2006, martin f krafft wrote:

> also sprach Rene Mayrhofer <rene.mayrhofer@gibraltar.at> [2006.07.04.1013 +0200]:
> > That must be connection pickup. At
> > http://iptables-tutorial.frozentux.net/iptables-tutorial.html
> > search for "pickup".
>
> Excellent pointer, and yet another reason why we should really be
> looking for alternatives to the Linux kernel.
>
>   The default, without the tcp-window-tracking patch, is to have
>   this behaviour, and is not changeable.

Oskar's tutorial is really excellent, alas at some points it's outdated.

First, in the 2.6 kernel tree, you can disable connection pickup via
sysctl. Second, you can set up your rules anytime, regardless of 2.4/2.6,
which disables connection pickup. For example:

# packets that belong to a connection already in the conntrack table
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# new SSH connections only if they start with a SYN: a picked-up
# mid-stream packet is classified NEW but carries no SYN, so it is not accepted
iptables -A INPUT -p tcp --dport 22 --syn -j ACCEPT

Best regards,
Jozsef
-
E-mail  : kadlec@blackhole.kfki.hu, kadlec@sunserv.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary
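To show why the --syn flag in the second rule matters, here is an added Python model (not code from this mail or from netfilter) of a stateful router whose conntrack table is lost on reboot. The tcp_loose switch stands for the 2.6 sysctl mentioned above (net.netfilter.nf_conntrack_tcp_loose, a name I am supplying, not the mail); the flow addresses are constructed sample values.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dport: int
    syn: bool


class Router:
    """Simplified stateful filter: the conntrack table lives in RAM only."""

    def __init__(self, tcp_loose, require_syn):
        self.tcp_loose = tcp_loose        # True models the kernel default (pickup on)
        self.require_syn = require_syn    # True models '--dport 22 --syn -j ACCEPT'
        self.table = set()

    def reboot(self):
        self.table.clear()                # every tracked flow is forgotten

    def state(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dport)
        if key in self.table:
            return "ESTABLISHED"
        if pkt.syn or self.tcp_loose:     # pickup: a non-SYN packet still counts as NEW
            return "NEW"
        return "INVALID"

    def filter(self, pkt):
        """Rules from the mail: ESTABLISHED accepted, NEW to port 22 accepted; policy DROP."""
        st = self.state(pkt)
        if st == "ESTABLISHED":
            return "ACCEPT"
        if st == "NEW" and pkt.dport == 22 and (pkt.syn or not self.require_syn):
            self.table.add((pkt.src, pkt.sport, pkt.dport))
            return "ACCEPT"
        return "DROP"


def ssh_after_reboot(tcp_loose, require_syn):
    """Open an SSH session through the router, reboot it, then send a mid-stream ACK."""
    r = Router(tcp_loose, require_syn)
    syn = Packet("192.0.2.10", 40000, 22, True)      # constructed sample flow
    ack = Packet("192.0.2.10", 40000, 22, False)
    assert r.filter(syn) == "ACCEPT" and r.filter(ack) == "ACCEPT"
    r.reboot()
    return r.filter(ack)   # does the old session survive the conntrack wipe?
```

With pickup on and a port-22 rule lacking --syn the old session is accepted after the reboot (the behaviour reported in this thread); either the --syn rule or disabling pickup via the sysctl makes the router drop it.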


