Iptables rules: why can I SSH in this config?

Hi,

I’m surprised that this config lets me SSH to the router

ip firewall filter print where chain=input

# only the enabled ones.

 0    ;;; defconf: accept established,related,rem untracked
      chain=input action=accept connection-state=established,related 

 1    ;;; defconf: drop invalid
      chain=input action=drop connection-state=invalid 

 4    ;;; defconf: drop all not coming from LAN
      chain=input action=drop in-interface-list=!LAN 

 7    ;;; SSH From inside network
      chain=input action=accept connection-state=new protocol=tcp in-interface=bridge2-5 dst-port=22 log=yes log-prefix="NEW SSH" 

 8    ;;;
      chain=input action=drop


ip firewall filter print where chain=output
# X = disabled

 9    ;;; Output related
      chain=output action=accept connection-state=established,related out-interface=bridge2-5 

10 X  ;;; SSH out
      chain=output action=accept connection-state=new protocol=tcp out-interface=bridge2-5 src-port=22

11    ;;;
      chain=output action=drop log=no log-prefix="" 

So I was thinking that rule 10 was necessary, but it seems not!?
Does rule 0 already consider the connection as related!?

Looks like you have an explicit rule for this (assuming you are testing from within the LAN?):

chain=input action=accept connection-state=new protocol=tcp in-interface=bridge2-5 dst-port=22 log=yes log-prefix="NEW SSH"

Can you please use export instead of print (the latter makes it less readable)?
Or better, add a complete config showing all rules (and other stuff)?

Thank you @erlinden,

This rule is for the incoming packet.
So does it automatically accept the output packet too? Server → client?!!

You are able to connect via SSH to the router from bridge2-5 due to the combination of filter rules #7, #0 and #9. #7 allows the first incoming packet of the TCP connection. Any other packets of that connection, in both directions, are allowed by rules #0 & #9, which accept connection-state=established,related.

Thank you @CGGXANNX,

Indeed, my concern was about the output chain (rule 9, to be precise).

So it means that as soon as rule 7 allows the connection, rule 9 sees it as established (for the first attempt)? Or related?

Thanks

Yes, when connection tracking is enabled, if the first packet (where connection-state=new) is not dropped, the connection is tracked and subsequent packets in both directions (for TCP and UDP this is matched by the two source/destination address & port pairs) will have connection-state=established. This means the response packets sent by the router to the client will be accepted by rule #9.
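The mechanism described in the two answers above, as an added example that is not part of this thread or of RouterOS: a small Python model of a direction-agnostic connection tracker and the poster's enabled input/output rules, walked through an SSH handshake. It assumes that bridge2-5 is a member of the interface list "LAN", uses constructed addresses (192.168.88.1 for the router, a client on the bridge, a client on a hypothetical ether1 WAN port), and only confirms a tracking entry when the first packet is accepted, which is the simplification the last answer describes. It also shows two cases the thread only implies: an SSH attempt arriving on a non-LAN interface is stopped by rule 4, and without rule 7 the SYN is dropped by rule 8 so no tracking entry ever exists for rule 9 to match.

```python
from dataclasses import dataclass

# Constructed values for the example; not from the thread.
LAN_LIST = {"bridge2-5"}   # assumption: bridge2-5 is in interface list "LAN"
ROUTER = "192.168.88.1"    # constructed router address


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    iface: str  # in-interface for the input chain, out-interface for the output chain


class ConnTracker:
    """Direction-agnostic table keyed on protocol plus the two address/port pairs,
    so a reply packet hashes to the same entry as the packet that opened it."""

    def __init__(self):
        self.table = set()

    @staticmethod
    def key(p):
        return (p.proto, frozenset({(p.src, p.sport), (p.dst, p.dport)}))

    def state(self, p):
        # Simplified: only "new" and "established" are modelled (no "related"/"invalid").
        return "established" if self.key(p) in self.table else "new"

    def confirm(self, p):
        self.table.add(self.key(p))


# (rule number, action, predicate(packet, connection_state)), in the order printed
# in the thread. The disabled rule 10 is left out because RouterOS skips it.
INPUT_CHAIN = [
    (0, "accept", lambda p, s: s in ("established", "related")),
    (1, "drop",   lambda p, s: s == "invalid"),
    (4, "drop",   lambda p, s: p.iface not in LAN_LIST),
    (7, "accept", lambda p, s: s == "new" and p.proto == "tcp"
                              and p.iface == "bridge2-5" and p.dport == 22),
    (8, "drop",   lambda p, s: True),
]
OUTPUT_CHAIN = [
    (9,  "accept", lambda p, s: s in ("established", "related") and p.iface == "bridge2-5"),
    (11, "drop",   lambda p, s: True),
]


def run_chain(chain, pkt, ct):
    """First matching rule wins. An accepted packet confirms its tracking entry,
    so later packets of the same connection are seen as established.
    Returns (action, rule_number, state_the_rule_saw)."""
    state = ct.state(pkt)
    for num, action, match in chain:
        if match(pkt, state):
            if action == "accept":
                ct.confirm(pkt)
            return (action, num, state)
    raise AssertionError("chain has no catch-all rule")


def simulate_ssh_handshake(client_ip, client_port, iface, input_chain=INPUT_CHAIN):
    """Walk SYN (input), SYN-ACK (output) and ACK (input) through the chains.
    Returns a list of (direction, action, rule_number, state) tuples."""
    ct = ConnTracker()
    syn = Packet("tcp", client_ip, client_port, ROUTER, 22, iface)
    syn_ack = Packet("tcp", ROUTER, 22, client_ip, client_port, iface)
    trace = []

    r = run_chain(input_chain, syn, ct)
    trace.append(("in",) + r)
    if r[0] == "drop":
        return trace  # the router never answers, so there is no output packet to filter

    r = run_chain(OUTPUT_CHAIN, syn_ack, ct)   # router's reply: same tracking key
    trace.append(("out",) + r)

    r = run_chain(input_chain, syn, ct)        # client's ACK: same tracking key again
    trace.append(("in",) + r)
    return trace


if __name__ == "__main__":
    print("LAN client:", simulate_ssh_handshake("192.168.88.10", 50000, "bridge2-5"))
    print("WAN client:", simulate_ssh_handshake("203.0.113.5", 50000, "ether1"))
    without_rule_7 = [rule for rule in INPUT_CHAIN if rule[0] != 7]
    print("no rule 7: ", simulate_ssh_handshake("192.168.88.10", 50000, "bridge2-5",
                                                input_chain=without_rule_7))
```

The LAN trace reads: SYN accepted by rule 7 while the state is still "new", SYN-ACK accepted by rule 9 because the state is now "established", client ACK accepted by rule 0 for the same reason. No packet of the connection ever reaches the disabled rule 10, which is why enabling it makes no difference.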