On Tue, 14 Aug 2018 15:19:27 -0700 "Doug Smythies" <dsmyth...@telus.net> wrote:
> I don't know what to say, it is 100% repeatable for me, on multiple > computers. I do not doubt that, just curious what's the configuration difference and how I still didn't hit that. > There has to be some traffic on the SSH session while the rules > are disabled for this to occur. There is, in my case. > Also, the session has to have been started > with the rules in place. That's met too. > Additionally, and just learned from Florian's e-mail: > > /proc/sys/net/netfilter/nf_conntrack_tcp_be_liberal > > has to be 0. Set to 0 on my systems. > https://askubuntu.com/questions/1059781/ufw-allows-22-for-ipv4-and-ipv6-but-ssh-disconnects-when-enabling Here is the difference. Your script: $IPTABLES -A INPUT -i $EXTIF -p tcp -m conntrack --ctstate INVALID -j DROP $IPTABLES -A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP $IPTABLES -A INPUT -i $EXTIF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A INPUT -i $EXTIF -p tcp -m conntrack --ctstate NEW --dport 22 -j ACCEPT It seems that if the kernel now empties the conntrack table due to no conntrack rules in iptables, with such a ruleset there will be no record for your SSH connection, so it can't continue, unless initiated again (NEW) specifically as a new connection (--syn). You can check if that's indeed the case by comparing contents of "/proc/net/nf_conntrack" before and after reset. And here's why it still works for me. In my case the rules are just: -A INPUT -m state --state INVALID -j DROP -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT -A INPUT -p tcp -m set --match-set myipv4 src -m tcp --dport 22 -j ACCEPT (the ipset part should be irrelevant) I accept everything to port 22, without involving -m conntrack. Personally I prefer the firewall to be as stateless as possible (and switched to fully stateless on several machines, at least on the IPv6 side). Is there a significant reason for filtering it as strictly as in your example, e.g. what kind of threats the more strict rules are preventing that mine don't? -- With respect, Roman
