Yes, once a connection has passed the NAT tables, and it's in the kernel connection tracker, it will keep working even if you remove the NAT rule.
Doing that would require manipulating the kernel connection tracking to kill that connection. I'm not familiar with that part of the Linux network stack and not sure if it's possible, but that would be the perfect way (kill NAT connection on ext ip = float ip, int_ip = internal ip)...

----- Original Message -----
> Hi folks,
>
> After we create an SSH connection to a VM via its floating ip, even though we
> have removed the floating ip association, we can still access the VM via
> that connection. Namely, SSH is not disconnected when the floating ip is not
> valid. Any good solution about this security issue?
>
> Thanks
> Xurong Yang
>
> _______________________________________________
> OpenStack-dev mailing list
> [email protected]
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
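
An added illustration of the matching the reply describes (ext ip = floating IP, int ip = internal IP), not part of the original thread: it picks the connection-tracking entries that belong to one floating-IP mapping out of a `conntrack -L` style listing and builds the conntrack-tools delete commands for them. The addresses and the listing are constructed samples, the function names are hypothetical, and it assumes conntrack-tools is installed in the network namespace that holds the NAT rules.

```python
import ipaddress

# Constructed sample in the line format printed by `conntrack -L`.
SAMPLE = """\
tcp      6 431999 ESTABLISHED src=198.51.100.7 dst=203.0.113.10 sport=51234 dport=22 src=10.0.0.5 dst=198.51.100.7 sport=22 dport=51234 [ASSURED] mark=0 use=1
tcp      6 431990 ESTABLISHED src=198.51.100.9 dst=203.0.113.11 sport=40000 dport=22 src=10.0.0.6 dst=198.51.100.9 sport=22 dport=40000 [ASSURED] mark=0 use=1
tcp      6 117 TIME_WAIT src=10.0.0.5 dst=192.0.2.80 sport=33000 dport=80 src=192.0.2.80 dst=203.0.113.10 sport=80 dport=33000 [ASSURED] mark=0 use=1
udp      17 25 src=198.51.100.7 dst=203.0.113.10 sport=5353 dport=53 [UNREPLIED] src=10.0.0.5 dst=198.51.100.7 sport=53 dport=5353 mark=0 use=1
"""

def parse_entry(line):
    """Split one listing line into (proto, original tuple, reply tuple)."""
    tokens = line.split()
    orig, reply = {}, {}
    for tok in tokens:
        key, sep, val = tok.partition("=")
        if not sep or key not in ("src", "dst", "sport", "dport"):
            continue
        # Each key appears twice: original direction first, then the reply.
        (reply if key in orig else orig)[key] = val
    return tokens[0], orig, reply

def stale_entries(listing, floating_ip, internal_ip):
    """Entries still translated between floating_ip and internal_ip."""
    fip = str(ipaddress.ip_address(floating_ip))   # also validates input
    vm = str(ipaddress.ip_address(internal_ip))
    hits = []
    for line in filter(None, map(str.strip, listing.splitlines())):
        proto, orig, reply = parse_entry(line)
        if orig.get("dst") == fip and reply.get("src") == vm:
            hits.append(("inbound", proto, orig))    # DNAT: client -> floating IP
        elif orig.get("src") == vm and reply.get("dst") == fip:
            hits.append(("outbound", proto, orig))   # SNAT: VM -> outside
    return hits

def delete_commands(floating_ip, internal_ip):
    """conntrack-tools invocations that drop both directions of the mapping."""
    return [
        ["conntrack", "-D", "--orig-dst", floating_ip, "--reply-src", internal_ip],
        ["conntrack", "-D", "--orig-src", internal_ip, "--reply-dst", floating_ip],
    ]

if __name__ == "__main__":
    for direction, proto, orig in stale_entries(SAMPLE, "203.0.113.10", "10.0.0.5"):
        print(direction, proto, orig)
    for cmd in delete_commands("203.0.113.10", "10.0.0.5"):
        print(" ".join(cmd))   # run as root after the NAT rule is removed
```

Entries for other floating IPs (the second sample line) are left alone, so established sessions to unrelated VMs are not dropped.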
