
Re: ssh connection survives reboot of stateful iptables router



Hello,

martin f krafft wrote:

> Many people have rules like
> 
>   -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
>   -A INPUT -p tcp -m tcp --dport 22 --syn -j ACCEPT

I'd add a condition on state NEW in the second rule.

> I've done research and found that
> 
>   -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
>   -A INPUT -m conntrack --ctstate INVALID -j DROP
>   -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT

This way of building rulesets, first blocking "bad" packets and then accepting "good" packets assuming that "bad" packets were already blocked, is wrong. What happens when, for any reason you might imagine, the rule which is supposed to block first is ineffective? Your firewall has a hole. The right way is accepting the "good" packets first and then dropping the rest.

> is the same, meaning that the INVALID state matches all non-SYN
> packets at this point.

No, it's not the same at all.

- First ruleset: TCP packets with SYN flag are accepted whatever state they are in.

- Second ruleset: TCP packets in state other than INVALID are accepted, whatever TCP flags they have.

You must not assume that --syn and state NEW are equivalent. Depending on the TCP conntrack behaviour, they're not. Actually the old conntrack does not really care about the SYN flag.

Actually, both rulesets are wrong. What you want is a combination that takes the best of each (state NEW *and* SYN flag):

  -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  -A INPUT -m conntrack --ctstate NEW -p tcp --syn --dport 22 -j ACCEPT
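The following shell script is an added example and is not part of the thread above. It embeds the three rulesets discussed (the two quoted ones and the combined one) as constructed iptables-save style text, and defines a small textual check, `weak_tcp_accepts`, that flags any INPUT rule accepting TCP without requiring both `--ctstate NEW` and `--syn`. The function names are hypothetical, and the check is a plain pattern match over one rule per line, not a full parser of iptables syntax. `stateful_ssh_rules` emits the accept-first ordering the reply recommends for an arbitrary port, ending with the "drop the rest" rule the reply describes.

```shell
#!/bin/sh
# Added example: a textual lint for the pattern discussed in the thread.
# Hypothetical helper names; not an official iptables tool.

# Constructed rulesets, one rule per line, in iptables-save format.
RULESET_SYN_ONLY='-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 --syn -j ACCEPT'

RULESET_INVALID_FIRST='-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT'

RULESET_COMBINED='-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate NEW -p tcp --syn --dport 22 -j ACCEPT'

# Print every INPUT rule (read from stdin) that accepts TCP traffic
# without requiring BOTH conntrack state NEW and the SYN flag.
# Rules that do not name "-p tcp" (e.g. the RELATED,ESTABLISHED accept
# or a final DROP) are not TCP accepts and are left alone.
weak_tcp_accepts() {
  awk '
    /^-A INPUT / && /-p tcp/ && /-j ACCEPT/ {
      has_new = ($0 ~ /--ctstate [A-Z,]*NEW/)
      has_syn = ($0 ~ /--syn/)
      if (!(has_new && has_syn)) print
    }'
}

# Number of weak TCP accept rules in a ruleset passed as one string.
weak_count() {
  printf '%s\n' "$1" | weak_tcp_accepts | wc -l | tr -d ' '
}

# Emit the ordering the reply recommends for an SSH-style port:
# accept the known-good packets first, then drop everything else.
stateful_ssh_rules() {
  port=${1:-22}
  printf '%s\n' \
    "-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT" \
    "-A INPUT -m conntrack --ctstate NEW -p tcp --syn --dport $port -j ACCEPT" \
    "-A INPUT -j DROP"
}

# Stand-alone usage: report how many weak rules each ruleset contains.
printf 'syn-only ruleset:      %s weak rule(s)\n' "$(weak_count "$RULESET_SYN_ONLY")"
printf 'invalid-first ruleset: %s weak rule(s)\n' "$(weak_count "$RULESET_INVALID_FIRST")"
printf 'combined ruleset:      %s weak rule(s)\n' "$(weak_count "$RULESET_COMBINED")"
printf 'generated for 2222:    %s weak rule(s)\n' "$(weak_count "$(stateful_ssh_rules 2222)")"
```

Both quoted rulesets are reported with one weak rule each (the first lacks the NEW state match, the second lacks the SYN match), while the combined ruleset and the generated one report none. The output of `stateful_ssh_rules` is in the format `iptables-restore` reads, but it is a fragment for one chain, so review it against the rest of the host's policy before loading it.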


