iptables restart, existing sessions, and ESTABLISHED,RELATED rules

Post by Andrew Gideo » Sun, 13 Jul 2008 22:10:06



I've noticed a problem when I restart iptables (i.e. for the loading of a
change to rules).  But it's not a complete problem, which is even weirder
than the problem itself.

I've an early rule  "-m state --state ESTABLISHED,RELATED -j ACCEPT" to
permit inbound traffic that's a response to outbound.  Pretty
conventional.  One example of how this gets used is when I ssh out.

What is odd is what occurs when I've an SSH session open at the time I
restart iptables.  Some inbound packets on the SSH session are rejected,
obviously not matching the above ESTABLISHED,RELATED.  But not all!

I noticed this when I was running MythTV over port forwarding.  It had
been working fine.  After the restart of iptables, display of a video was
jittery.  I then looked into the log and saw a lot of rejected inbound
SSH packets.  But obviously not all were being rejected as the video
*was* playing, if badly.

Restarting the SSH session solved the problem.

So why are *some* of the packets failing to match on
ESTABLISHED,RELATED?  I could understand none or all, but some?

And is there a way to reload iptables rules w/o losing the connection
session information that causes this?  Or is there perhaps a way to
recreate the session information (i.e. something which adds a TCP circuit
to the database even if there's no SYN packet seen perhaps?)?

Thanks...
        Andrew
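Why only some packets fall outside ESTABLISHED,RELATED after a restart, as an added illustration that is not code from this thread: the Red Hat init script's restart unloads the netfilter modules by default, which empties the connection-tracking table, so the kernel no longer has any record of the open SSH session. Connection tracking calls the first packet it sees for a flow NEW regardless of its TCP flags, and only calls the flow ESTABLISHED once it has seen a packet in the reply direction. Inbound SSH packets that arrive before the client sends anything are therefore NEW and hit the DROP policy; as soon as one outbound packet recreates the entry, the following inbound packets are ESTABLISHED again. The model below is a constructed, simplified one: no timeouts, no RELATED helpers, and no TCP window tracking (real conntrack can additionally mark packets of a connection it picked up mid-stream as INVALID); it assumes INPUT policy DROP with the quoted state rule and OUTPUT policy ACCEPT, and the address and port are made up. Reloading the ruleset with iptables-restore instead of restarting the service replaces the rules without touching the conntrack table, which corresponds to running the model with no flush.

```python
"""Simplified model of netfilter connection tracking around a table flush.

Constructed example: it is not the init script or the kernel's code, and it
omits timeouts, RELATED helpers and TCP window tracking.
"""
from dataclasses import dataclass

INBOUND, OUTBOUND = "in", "out"


@dataclass(frozen=True)
class Packet:
    direction: str        # INBOUND (remote -> this host) or OUTBOUND
    remote: str           # remote address:port (constructed values below)
    local_port: int
    flags: str = "ACK"    # informational only; state does not depend on it here


def flow_key(pkt):
    """Both directions of a TCP connection map to one conntrack entry."""
    return (pkt.remote, pkt.local_port)


class ConnTrack:
    """Minimal ip_conntrack model: the first packet of a flow is NEW, and the
    flow becomes ESTABLISHED once a packet is seen in the reply direction."""

    def __init__(self):
        self.table = {}   # flow_key -> {"orig": first direction, "replied": bool}

    def flush(self):
        """Unloading the conntrack module empties the table: every in-progress
        connection is forgotten."""
        self.table.clear()

    def classify(self, pkt):
        """Return (state, created); created=True means this packet made the entry."""
        key = flow_key(pkt)
        entry = self.table.get(key)
        if entry is None:
            self.table[key] = {"orig": pkt.direction, "replied": False}
            return "NEW", True
        if pkt.direction != entry["orig"]:
            entry["replied"] = True
        return ("ESTABLISHED" if entry["replied"] else "NEW"), False

    def forget(self, pkt):
        """A dropped packet never confirms the entry it just created."""
        self.table.pop(flow_key(pkt), None)


def input_chain_accepts(state):
    # INPUT: -m state --state ESTABLISHED,RELATED -j ACCEPT; policy DROP
    return state in ("ESTABLISHED", "RELATED")


def output_chain_accepts(state):
    # OUTPUT: policy ACCEPT (assumed, as on most workstation rulesets)
    return True


def run(packets, flush_before=None):
    """Pass packets through conntrack and the filter, emptying the conntrack
    table just before packet index `flush_before` (the module reload) if given.
    Returns a list of (index, direction, state, verdict)."""
    ct = ConnTrack()
    log = []
    for i, pkt in enumerate(packets):
        if i == flush_before:
            ct.flush()
        state, created = ct.classify(pkt)
        if pkt.direction == OUTBOUND:
            accepted = output_chain_accepts(state)
        else:
            accepted = input_chain_accepts(state)
        if not accepted and created:
            ct.forget(pkt)
        log.append((i, pkt.direction, state, "ACCEPT" if accepted else "DROP"))
    return log


def ssh_session():
    """Constructed outbound SSH session: handshake, then three rounds in which
    the server sends three data segments and the client answers with one ACK."""
    server = "192.0.2.10:22"   # constructed address (TEST-NET-1)
    port = 40000
    pkts = [Packet(OUTBOUND, server, port, "SYN"),
            Packet(INBOUND, server, port, "SYN,ACK"),
            Packet(OUTBOUND, server, port, "ACK")]
    for _ in range(3):
        pkts += [Packet(INBOUND, server, port)] * 3 + [Packet(OUTBOUND, server, port)]
    return pkts


def dropped(log):
    """Indices of packets the filter dropped."""
    return [i for i, _, _, verdict in log if verdict == "DROP"]


if __name__ == "__main__":
    for flush_at in (None, 6, 7):
        print("flush before packet", flush_at, "-> dropped:",
              dropped(run(ssh_session(), flush_at)))
```

With no flush nothing is dropped. A flush just before an outbound packet (index 6) is harmless, because that packet recreates the entry and the server's replies are ESTABLISHED again. A flush just before a burst of inbound data (index 7) drops every inbound segment until the client's next ACK goes out, which is exactly the "some but not all" pattern: the outcome depends on which direction's packet happens to arrive first after the table is emptied.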


1. Iptables and connection related established

I'm running iptables 1.2.2 on Redhat 7.1.  I have a default rule of DROP
for incoming packets and then allow what I want through.  Anything that
I initiate from my end that sends a return packet I need to make sure
that I specifically allow those packets through in my rules, like
connecting to an FTP site.

My question is, is it safe to set up a default rule to allow any
incoming packet that is related to what I'm sending out?  I just want to
make sure that iptables is secure in that sense so it wouldn't allow
anything in that wasn't related to what I was sending out.

A rule something like this:

   iptables -A INPUT -i $EXTERNAL_INTERFACE -p all -m state --state RELATED,ESTABLISHED -j ACCEPT
