Existing connections / changing IpTables

Robert Nichols rnicholsNOSPAM at comcast.net
Fri Jan 20 22:22:21 UTC 2006


Richard Emberson wrote:
> Thank you for the response.
> What I was asking was: You've got an existing set of IpTable rules and you
> have a set of current/active connections that are governed by those
> rules. If you then change the rules, what happens to the existing
> connections?
> Are they still associated with the old rules, or are the new rules applied?
> 
> If an old rule says that a connection from a particular machine is allowed
> and you currently have such a connection and then you install new rules
> that disallow connections from that machine - will the existing connection
> be terminated or still remain open?

The packets would be filtered according to the new rules.  But, one of
the first rules in most rule sets is a rule that allows packets for any
EXISTING or RELATED connection.  Loading a new iptables rule set does
not flush the conntrack table, so packets for the old connections would
still get through unless blocked by something earlier than that rule.

One caveat -- some people think of a browser session as a "connection".
A web browser may open many TCP connections in the course of fetching a
web page and its related files, and as far as conntrack is concerned
those are all totally independent connections.  Contrast that with
an FTP session, where each data connection is RELATED to the original
control connection (ignoring the possibility of 3rd party FTP, which
is pretty much a dead issue on today's Internet).

-- 
Bob Nichols         Yes, "NOSPAM" is really part of my email address.
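As an added example, not code from Bob's reply: the two rule orderings he describes, written as iptables-restore text, plus a check that tells them apart. The host address is a constructed placeholder; the `conntrack -D` step assumes conntrack-tools is installed.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes iptables-restore(8) and
# conntrack(8) from conntrack-tools; applying needs root. Rule sets are
# constructed iptables-restore text so the ordering check runs offline.
# Common layout: the ESTABLISHED,RELATED accept comes first, so a DROP added
# after it never sees packets that belong to an already-tracked connection.
ruleset_established_first() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s $1 -j DROP
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
EOF
}

# Same rules with the DROP moved ahead of the ESTABLISHED,RELATED accept:
# an existing connection from the host is cut at its next packet.
ruleset_drop_first() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s $1 -j DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
EOF
}

# Reads a rule set on stdin; succeeds only if a DROP for the host precedes
# the ESTABLISHED,RELATED accept (i.e. the rule set cuts existing connections).
blocks_existing_connections() {
  awk -v host="$1" '
    /--ctstate ESTABLISHED,RELATED/ && !est { est = NR }
    index($0, "-s " host " ") && / -j DROP$/ && !drop { drop = NR }
    END { exit !(drop && (!est || drop < est)) }'
}

# Applying (root only): load the rules, then also delete the host's conntrack
# entries so that even rule sets with the accept first drop its old connections.
if [ "${1:-}" = apply ] && [ -n "${2:-}" ]; then
  ruleset_drop_first "$2" | iptables-restore
  conntrack -D -s "$2"
fi
```

Run as `sh block.sh apply 192.0.2.10` to load the drop-first rule set and clear that host's conntrack entries; without arguments the script only defines the functions.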