Damon Muchmore <[EMAIL PROTECTED]> wrote:
>
> I currently have ipmasq running on a Red Hat 8.0 box using iptables.
> My problem is that I have a server in the DMZ that I need a continuous
> connection to. Is there a way with iptables to set timeouts and if so
> how.
My research has led me to believe that the timeouts in iptables are
hard-coded into the kernel. This is where I found them:
/usr/src/linux/net/ipv4/netfilter/ip_conntrack_proto_tcp.c:

static unsigned long tcp_timeouts[]
= { 30 MINS,    /*  TCP_CONNTRACK_NONE,         */
    5 DAYS,     /*  TCP_CONNTRACK_ESTABLISHED,  */
    2 MINS,     /*  TCP_CONNTRACK_SYN_SENT,     */
    60 SECS,    /*  TCP_CONNTRACK_SYN_RECV,     */
    2 MINS,     /*  TCP_CONNTRACK_FIN_WAIT,     */
    2 MINS,     /*  TCP_CONNTRACK_TIME_WAIT,    */
    10 SECS,    /*  TCP_CONNTRACK_CLOSE,        */
    60 SECS,    /*  TCP_CONNTRACK_CLOSE_WAIT,   */
    30 SECS,    /*  TCP_CONNTRACK_LAST_ACK,     */
    2 MINS,     /*  TCP_CONNTRACK_LISTEN,       */
};
As you can see, an established TCP connection will be maintained for
five days. If that is not "continuous" enough for you, then you may
have to modify this source file, rebuild your kernel (or just this
module), and then install/reboot/reload the kernel/module.
However, these times only apply when there is NO activity on the TCP
connection. That seems very unlikely to me, that there would be no
activity on a connection for five days. Many systems will begin sending
TCP keep-alive probes after two hours of inactivity, and it seems that
that would keep the connection tracking active.
Perhaps you could describe your problem in more detail.
--
[EMAIL PROTECTED] (Fuzzy Fox) || "Good judgment comes from experience.
sometimes known as David DeSimone || Experience comes from bad judgment."
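The practical takeaway from the reply above is that the conntrack entry is refreshed by any packet on the connection, so application-level TCP keepalives sent well inside the 5-day ESTABLISHED timeout keep the NAT mapping alive without touching the kernel. The following is an added example (not from the list post or the kernel source) showing how a client can enable and tune keepalives on its own socket; it assumes Python on Linux, where the TCP_KEEPIDLE/TCP_KEEPINTVL/TCP_KEEPCNT socket options exist, and falls back to the system-wide defaults elsewhere.

```python
import socket

# Timeouts taken from the tcp_timeouts[] table quoted above, in seconds.
CONNTRACK_ESTABLISHED = 5 * 24 * 60 * 60   # 5 DAYS for TCP_CONNTRACK_ESTABLISHED
DEFAULT_KEEPALIVE_IDLE = 2 * 60 * 60       # the "two hours" keepalive idle mentioned in the reply


def keepalive_keeps_entry_alive(idle, conntrack_timeout=CONNTRACK_ESTABLISHED):
    """True if the first keepalive probe is sent before the conntrack entry expires.

    Connection tracking restarts its timer on every packet it sees for the flow,
    so the entry survives an idle period as long as a probe (or its ACK) arrives
    before `conntrack_timeout` seconds of silence.
    """
    return 0 < idle < conntrack_timeout


def configure_keepalive(sock, idle=600, interval=60, count=5):
    """Enable TCP keepalive on `sock` and return what the kernel reports back.

    `idle` is the quiet time before the first probe, `interval` the gap between
    probes, `count` the number of unanswered probes before the connection is
    dropped.  The three TCP_KEEP* options are Linux-specific (assumption); if a
    platform lacks one it is skipped and the system default applies.
    """
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    effective = {"SO_KEEPALIVE": sock.getsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE)}
    for name, value in (("TCP_KEEPIDLE", idle),
                        ("TCP_KEEPINTVL", interval),
                        ("TCP_KEEPCNT", count)):
        opt = getattr(socket, name, None)
        if opt is None:
            continue                      # option not available on this platform
        sock.setsockopt(socket.IPPROTO_TCP, opt, value)
        effective[name] = sock.getsockopt(socket.IPPROTO_TCP, opt)
    return effective


def demo(idle=600, interval=60, count=5):
    """Create a throwaway TCP socket, apply the keepalive settings, return them."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        return configure_keepalive(sock, idle, interval, count)


if __name__ == "__main__":
    print("default 2h keepalive inside 5-day conntrack timeout:",
          keepalive_keeps_entry_alive(DEFAULT_KEEPALIVE_IDLE))
    print("effective socket settings:", demo())
```

Replace `demo()`'s throwaway socket with the one you `connect()` to the DMZ server; the options persist for the life of that connection.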
_______________________________________________
Masq maillist - [EMAIL PROTECTED]