Re: ssh connection survives reboot of stateful iptables router

To: martin f krafft <madduck@debian.org>
Cc: debian-firewall@lists.debian.org
Subject: Re: ssh connection survives reboot of stateful iptables router
From: SZALAY Attila <sasa@debian.org>
Date: Tue, 11 Jul 2006 12:01:33 +0200
Message-id: <[🔎] 1152612093.2029.21.camel@mochrul.balabit>
In-reply-to: <[🔎] 20060704075626.GA18781@piper.madduck.net>
References: <[🔎] 20060703215238.GA383@piper.madduck.net> <3F7A2A7C77F7B75AE1DA1484@[192.168.1.72]> <[🔎] 20060704075626.GA18781@piper.madduck.net>

Hi All!

On Tue, 2006-07-04 at 09:56 +0200, martin f krafft wrote:
> 
> Many people have rules like
> 
>   -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
>   -A INPUT -p tcp -m tcp --dport 22 --syn -j ACCEPT
> 
> I've done research and found that
> 
>   -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
>   -A INPUT -m conntrack --ctstate INVALID -j DROP
>   -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
> 
> is the same, meaning that the INVALID state matches all non-SYN
> packets at this point.

For the same, you must replace the second line with this:

-A INPUT -m conntrack --cstate NEW ! --syn -j DROP

Or for sure, use both line.

Reply to:

References:
- ssh connection survives reboot of stateful iptables router
  - From: martin f krafft <madduck@debian.org>
- Re: ssh connection survives reboot of stateful iptables router
  - From: Ralf Döblitz <ralf@doeblitz.net>
- Re: ssh connection survives reboot of stateful iptables router
  - From: martin f krafft <madduck@debian.org>

Prev by Date: Re: (crazy?) idea for blocking p2p
Next by Date: DNAT + ADSL... to reduce MTU of the network
Previous by thread: Re: ssh connection survives reboot of stateful iptables router
Next by thread: Re: ssh connection survives reboot of stateful iptables router
Index(es):
- Date
- Thread