Timeline for Conntrack and dynamic ipset/iptables rules
Current License: CC BY-SA 4.0
4 events
| when | what | by | license | comment |
|---|---|---|---|---|
| Jun 3, 2019 at 15:20 | vote: accept | Groosha | | |
| Jun 3, 2019 at 15:09 | comment: added | telcoM | | The order of the rules matters. If you want the existing connections to keep working, you must have the rule that ACCEPTs packets that are part of ESTABLISHED connections before the rule that targets all packets going to destination port 22 and DROPs them. |
| Jun 3, 2019 at 14:53 | comment: added | Groosha | | My iptables are empty (did a reboot, nothing is restored afterwards). I did 2 tests: 1) executed `iptables -t filter -A FORWARD -p tcp --dport 22 -j DROP` and 2) executed `iptables -t filter -A FORWARD -p tcp --dport 22 -m conntrack --ctstate NEW -j DROP` (tried with `NEW,ESTABLISHED,RELATED` as well). In all cases my existing SSH connection was frozen until I removed those rules. |
| Jun 3, 2019 at 14:42 | history: answered | telcoM | CC BY-SA 4.0 | |