/* HINT: Search archives @ http://www.indyramp.com/masq/ before posting! 
/* ALSO: Don't quote this header. It makes you look lame :-) */

Joerg Peters <[EMAIL PROTECTED]> wrote:
>
> For the problem to kill active connection i use
> iptables -t mangle -A PREROUTING -i eth0 -s  80.133.151.14  -j DROP
> And after a couple of time i delete the DROP

That is an interesting technique.  I think I should give it a try.  :)

> Thanks a lot for your comments.
> It helps me to understand the things a little bit better.

I am glad to help.  This is complicated stuff!

> Do you know how I can set the max tracking time? I think a value of more
> than 431999 seconds is really too big.

I agree that 5 days is quite excessive.  On my previous firewall
(ipchains/2.0) I used a value of 8 hours.  That seemed more reasonable.

> I read something about /proc/sys/net/ipv4/ip_conntrack_tcp_timeouts,
> but on my server there is no such file.

There is no such file on my system either, and furthermore my reading of
the Linux source seems to indicate that there is no way to change these
timeouts.  They seem to be hard-coded into the kernel.

From /usr/src/linux/net/ipv4/netfilter/ip_conntrack_proto_tcp.c (the
SECS/MINS/HOURS/DAYS macros are defined a few lines above the table in the
same file; HZ is the kernel tick rate, so the values are in jiffies):

    #define SECS *HZ
    #define MINS * 60 SECS
    #define HOURS * 60 MINS
    #define DAYS * 24 HOURS

    /* Per-state timeouts, indexed by the TCP_CONNTRACK_* state enum. */
    static unsigned long tcp_timeouts[]
    = { 30 MINS,    /*      TCP_CONNTRACK_NONE,     */
        5 DAYS,     /*      TCP_CONNTRACK_ESTABLISHED,      */
        2 MINS,     /*      TCP_CONNTRACK_SYN_SENT, */
        60 SECS,    /*      TCP_CONNTRACK_SYN_RECV, */
        2 MINS,     /*      TCP_CONNTRACK_FIN_WAIT, */
        2 MINS,     /*      TCP_CONNTRACK_TIME_WAIT,        */
        10 SECS,    /*      TCP_CONNTRACK_CLOSE,    */
        60 SECS,    /*      TCP_CONNTRACK_CLOSE_WAIT,       */
        30 SECS,    /*      TCP_CONNTRACK_LAST_ACK, */
        2 MINS,     /*      TCP_CONNTRACK_LISTEN,   */
    };

The only way I can see to change these values is to rebuild the
ip_conntrack module, putting your own favorite timeout in place of the
"5 DAYS" shown for the ESTABLISHED state.

It will be difficult to unload/reload the module without removing all
your firewall rules that refer to state tracking.

-- 
   [EMAIL PROTECTED] (Fuzzy Fox)     || "Good judgment comes from experience.
sometimes known as David DeSimone  ||  Experience comes from bad judgment."
_______________________________________________
Masq maillist  -  [EMAIL PROTECTED]
Admin requests can be handled at http://www.indyramp.com/masq-list/ -- 
THIS INCLUDES UNSUBSCRIBING!
or email to [EMAIL PROTECTED]

PLEASE read the HOWTO and search the archives before posting.
You can start your search at http://www.indyramp.com/masq/
Please keep general linux/unix/pc/internet questions off the list.
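[Added example, not part of the post above or of any kernel source. It shows
how to look at what the thread is discussing on a live box: whether the
running kernel exposes the ESTABLISHED timeout as a tunable at all, and which
conntrack entries are sitting on the 5-day (431999 s) timeout. The sample
/proc/net/ip_conntrack lines are constructed for this example in the 2.4
ip_conntrack dump format; the two /proc/sys paths it probes are the ones
later kernels provide (nf_conntrack and the later ip_conntrack sysctl), and
on a kernel like the one in the post neither exists, so the probe reports
"hardcoded". The 28800 s threshold is the 8-hour value from the reply.]

```shell
#!/bin/sh
# Added example (not from the original post): inspect conntrack timeouts.

# Constructed sample of /proc/net/ip_conntrack (2.4 ip_conntrack format):
#   proto protonum timeout [tcp_state] src= dst= sport= dport= (reply tuple) ...
SAMPLE_CONNTRACK='tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=80.133.151.14 sport=34567 dport=80 src=80.133.151.14 dst=192.168.1.10 sport=80 dport=34567 [ASSURED] use=1
tcp      6 29 ESTABLISHED src=192.168.1.11 dst=10.0.0.5 sport=40001 dport=22 src=10.0.0.5 dst=192.168.1.11 sport=22 dport=40001 [ASSURED] use=1
tcp      6 119 TIME_WAIT src=192.168.1.12 dst=10.0.0.6 sport=40002 dport=80 src=10.0.0.6 dst=192.168.1.12 sport=80 dport=40002 use=1
udp      17 29 src=192.168.1.13 dst=10.0.0.7 sport=5000 dport=53 src=10.0.0.7 dst=192.168.1.13 sport=53 dport=5000 use=1'

# Print the path of the ESTABLISHED-timeout tunable if this kernel has one
# (nf_conntrack first, then the later ip_conntrack sysctl), else "hardcoded",
# which is what you get on the 2.4 kernel described in the post.
# Always returns 0 so it is safe under "set -e".
established_timeout_tunable() {
    for p in /proc/sys/net/netfilter/nf_conntrack_tcp_timeout_established \
             /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_established; do
        if [ -r "$p" ]; then
            echo "$p"
            return 0
        fi
    done
    echo hardcoded
    return 0
}

# Read a conntrack dump on stdin and print ESTABLISHED TCP entries whose
# remaining timeout is above $1 seconds, one per line as:
#   <timeout> <src> <dst> <dport>
# Only tcp lines carry the state column, so udp lines never match.
stale_established() {
    awk -v max="$1" '
        $1 == "tcp" && $4 == "ESTABLISHED" && $3 + 0 > max + 0 {
            split($5, s, "="); split($6, d, "="); split($8, p, "=")
            print $3, s[2], d[2], p[2]
        }'
}

# Count of such entries (awk END/NR avoids the leading spaces wc -l emits on some systems).
count_stale_established() {
    stale_established "$1" | awk 'END { print NR }'
}

# Demo over the constructed sample with the 8-hour limit from the reply:
# on a real 2.4 box replace the printf with: cat /proc/net/ip_conntrack
echo "ESTABLISHED timeout tunable: $(established_timeout_tunable)"
printf '%s\n' "$SAMPLE_CONNTRACK" | stale_established 28800
```

Usage note: an entry that shows up here keeps its slot for the remaining
timeout even after the source address is DROPped in the mangle table, since
dropping packets does not touch the conntrack table; on newer kernels the
conntrack-tools command `conntrack -D -s <addr>` deletes the entry directly,
which was not available on the 2.4 system in the post.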
