I've noticed a problem when I restart iptables (i.e. to load a change
to the rules). But it's not a complete problem, which is even weirder
than the problem itself.
I've an early rule "-m state --state ESTABLISHED,RELATED -j ACCEPT" to
permit inbound traffic that's a response to outbound. Pretty
conventional. One example of how this gets used is when I ssh out.
What is odd is what occurs when I've an SSH session open at the time I
restart iptables. Some inbound packets on the SSH session are rejected,
obviously not matching the above ESTABLISHED,RELATED. But not all!
I noticed this when I was running MythTV over port forwarding. It had
been working fine. After the restart of iptables, display of a video was
jittery. I then looked into the log and saw a lot of rejected inbound
SSH packets. But obviously not all were being rejected as the video
*was* playing, if badly.
Restarting the SSH session solved the problem.
So why are *some* of the packets failing to match on
ESTABLISHED,RELATED? I could understand none or all, but some?
And is there a way to reload iptables rules w/o losing the connection
session information that causes this? Or is there perhaps a way to
recreate the session information (i.e. something which adds a TCP circuit
to the database even if no SYN packet has been seen)?
Thanks...
Andrew
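One way to reload a ruleset without dropping the tracked connections, as an added example that is not part of the original post: iptables-restore replaces the whole table in a single operation and leaves nf_conntrack loaded, whereas an init-script restart that unloads the netfilter modules empties the state table. The ruleset below is a constructed minimal example, and the `conntrack` tool is assumed to be installed for the before/after check.

```shell
#!/bin/sh
# Atomic iptables reload that keeps conntrack state. Added example, not
# from the original post. Assumes iptables-restore and conntrack exist.

# Emit a minimal ruleset in iptables-restore format with the
# ESTABLISHED,RELATED rule ahead of everything else (constructed sample).
build_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -j LOG --log-prefix "iptables-reject: "
-A INPUT -j REJECT
COMMIT
EOF
}

# Number of tracked connections; compared before and after the reload to
# confirm that existing sessions survived.
conntrack_count() {
    conntrack -L 2>/dev/null | wc -l
}

# Validate the ruleset without applying it, then apply it atomically.
# On a syntax error this returns non-zero and the running rules are untouched.
reload_rules() {
    rules=$(build_ruleset)
    printf '%s\n' "$rules" | iptables-restore --test || return 1
    before=$(conntrack_count)
    printf '%s\n' "$rules" | iptables-restore || return 1
    after=$(conntrack_count)
    echo "conntrack entries before=$before after=$after"
}
```

Run `reload_rules` as root; if the entry count drops to zero across the reload, something else (such as a module unload in the service script) is flushing the state table.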