
I am wondering if `conntrack -D` deletes the TCP connection, or does it just delete the connection tracking entry?

I established an ssh session to my router and then deleted the entry using the `conntrack -D` command. I can see that the entry gets deleted, but I see that the ssh session is still alive on the terminal.

Also, I see the entry again on doing a show using `conntrack -L`, but this time with a different connection ID but the same ports.

Could it be that the connection gets re-initiated by the shell / ssh program on the terminal? Or is it the expected behaviour from conntrack?

I am a newbie and not sure if this question should belong to the iptables tag or not; please redirect me if that is the case.

SeattleOrBayArea

1 Answer


Conntrack just enables you to view and manipulate the stateful data about connections. It doesn't manipulate the TCP packets flowing as part of that ssh connection.

If you want to break the ssh session, and you just delete that connection's state data, a new connection will begin being tracked. Just as when the ssh session was initially detected as a new connection, the protocol tracking just sees the next packet in the ongoing ssh session and begins tracking that connection.

If you want to break the connection, you need to remove the iptables rule which allows that session to start. Then, when you drop the connection via conntrack, the next packet which is part of the ssh session will be denied by your firewall (presuming it is otherwise configured to drop packets not part of some connection being tracked), and the ssh session will cease to work.
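The order of operations the answer describes, as an added example (not code from the question or the answer). It assumes an INPUT chain with a DROP policy, an `ESTABLISHED,RELATED` accept rule and a rule accepting NEW connections to port 22; instead of deleting that rule for everyone it inserts a more specific DROP for one client address, and the `RUN=echo` dry-run switch is this example's own convention.

```shell
#!/bin/sh
# Added example: sever one client's ssh session by closing the firewall to
# NEW connections from it first, then forgetting the tracked connection.
# Assumed INPUT chain:
#   iptables -P INPUT DROP
#   iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
#   iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# Set RUN=echo to print the commands instead of executing them (dry run).
RUN="${RUN:-}"

# Usage: sever_ssh_session <client-ip>
sever_ssh_session() {
    client="$1"
    [ -n "$client" ] || { echo "usage: sever_ssh_session <client-ip>" >&2; return 2; }

    # 1. Stop accepting NEW connections to port 22 from this client. Without
    #    this, the next packet of the old session is picked up as a NEW
    #    connection and accepted again, which is what the question observed.
    $RUN iptables -I INPUT 1 -s "$client" -p tcp --dport 22 \
        -m conntrack --ctstate NEW -j DROP

    # 2. Now forget the tracked session. Its next packet no longer matches
    #    ESTABLISHED, gets classified NEW, and hits the DROP rule above.
    $RUN conntrack -D -p tcp --dport 22 --src "$client"

    # 3. Confirm no tracked entry remains for this client on port 22.
    $RUN conntrack -L -p tcp --dport 22 --src "$client"
}
```

Run this from the console or from a different session than the one being severed, since the session over which it is typed would be cut off too.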