* SSH Connections Lost After 1 minute idle
@ 2004-07-13 16:51 Real Cucumber
2004-07-13 18:01 ` Antony Stone
2004-07-14 11:42 ` Sheldon Hearn
0 siblings, 2 replies; 18+ messages in thread
From: Real Cucumber @ 2004-07-13 16:51 UTC (permalink / raw)
To: netfilter
I have a fedora firewall/router using iptables to
forward incoming SSH packets to an internal server and
it works great....however, only if the user does not
remain idle for 1 minute. If they idle for 1 minute,
the connection "freezes" in the sense that it drops
the connection but it's not a proper "connection
closed" from the server as if it is a time limit, but
rather just a connection loss like you've unplugged
your cable in the middle of a connection.
If the user is connecting from within the network,
they can remain idle for an unlimited amount of time
without being disconnected. It is only ones
connecting from outside the network going through the
iptables firewall that have this idle problem.
I am only allowing TCP and UDP for SSH to be
forwarded.
Do I need any ICMP or any other special connection
timeout rules on the iptables side to fix this
problem?
Any help appreciated!
__________________________________
Do you Yahoo!?
New and Improved Yahoo! Mail - 100MB free storage!
http://promotions.yahoo.com/new_mail
^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: SSH Connections Lost After 1 minute idle
2004-07-13 16:51 SSH Connections Lost After 1 minute idle Real Cucumber
@ 2004-07-13 18:01 ` Antony Stone
2004-07-13 20:57 ` Real Cucumber
2004-07-14 11:42 ` Sheldon Hearn
1 sibling, 1 reply; 18+ messages in thread
From: Antony Stone @ 2004-07-13 18:01 UTC (permalink / raw)
To: netfilter
On Tuesday 13 July 2004 5:51 pm, Real Cucumber wrote:
> I have a fedora firewall/router using iptables to
> forward incoming SSH packets to an internal server and
> it works great....however, only if the user does not
> remain idle for 1 minute. If they idle for 1 minute,
> the connection "freezes"
>
> If the user is connecting from within the network,
> they can remain idle for an unlimited amount of time
> without being disconnected. It is only ones
> connecting from outside the network going through the
> iptables firewall that have this idle problem.
>
> I am only allowing TCP and UDP for SSH to be
> forwarded.
I assume you mean TCP for SSH and TCP/UDP for DNS? (You don't need UDP for
SSH...)
> Do I need any ICMP or any other special connection
> timeout rules on the iptables side to fix this problem?
You should not completely block ICMP, although I regard that as a side issue
and not necessarily the cause of your problem.
It sounds like an ARP cache timeout problem to me.
Try the following test:
1. Connect from an external client to the internal SSH server.
2. Log in on the console of the SSH server (ie: not using the SSH connection)
and start a ping to the firewall (I don't care whether it gets replies or
not).
3. Type some command on the SSH client and check you get a response.
4. Wait >1 minute and then type another command on the SSH client and check
you still get a response.
5. Cancel the ping test from the SSH server to the firewall.
6. Wait >1 minute and then type another command on the SSH client and see if
the connection has died.
If the above confirms that during a ping, the connection is maintained, and in
the absence of a ping, the connection dies, then it strongly suggests that
the firewall is losing the MAC address of the SSH server after a period of no
activity (or perhaps the SSH server loses the MAC address of the Firewall -
check both arp caches with "arp -an" on each machine to find out).
It might help to post your ruleset so we can comment on anything we see that
might cause this problem.
Regards,
Antony.
--
Microsoft may sell more software than any other company, but McDonald's sell
more burgers than any other company, and I think the other similarities are
obvious...
Please reply to the list;
please don't CC me.
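The cache check in steps 4 and 6 of the test above, as an added example that is not code from the thread: it parses "arp -an" output captured on the firewall and on the SSH server and reports which side, if either, has lost the other's MAC address. The IP addresses, MACs and the three captured outputs are constructed samples, and the Linux "arp -an" line format is the assumed input.

```python
"""Check both ends' ARP caches, as in the six-step test above.

Added example, not code from the thread. It parses the output of "arp -an"
captured on the firewall and on the SSH server and reports which side, if
either, no longer holds the other's MAC address. The IP addresses, MACs and
the three captured outputs below are constructed samples.
"""
import re
import subprocess

# Linux "arp -an" lines look like:
#   ? (192.0.2.10) at 00:0c:29:aa:bb:cc [ether] on eth1      resolved
#   ? (192.0.2.10) at <incomplete> on eth1                   lost / unresolved
_ARP_LINE = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\)\s+at\s+(\S+)")


def parse_arp(output):
    """Map IP -> MAC for each entry; an unresolved entry maps to None."""
    table = {}
    for line in output.splitlines():
        m = _ARP_LINE.search(line)
        if m:
            ip, mac = m.groups()
            table[ip] = None if mac.startswith("<") else mac.lower()
    return table


def local_arp_table():
    """Same parse applied to the machine this script runs on."""
    out = subprocess.run(["arp", "-an"], capture_output=True, text=True,
                         check=True).stdout
    return parse_arp(out)


def diagnose(firewall_arp, server_arp, server_ip, firewall_ip):
    """Steps 4-6 reduced to a cache check: return the list of sides that have
    lost the other's MAC (empty list: both caches are intact, so ARP is not
    what is breaking the SSH session)."""
    lost = []
    if firewall_arp.get(server_ip) is None:
        lost.append("firewall_lost_server")
    if server_arp.get(firewall_ip) is None:
        lost.append("server_lost_firewall")
    return lost


# Constructed captures: firewall eth1 faces the LAN, eth0 the WAN side.
FIREWALL_ARP_WHILE_PINGING = (
    "? (192.0.2.10) at 00:0c:29:aa:bb:cc [ether] on eth1\n"
    "? (203.0.113.1) at 00:50:56:11:22:33 [ether] on eth0\n")
FIREWALL_ARP_AFTER_IDLE = (
    "? (192.0.2.10) at <incomplete> on eth1\n"
    "? (203.0.113.1) at 00:50:56:11:22:33 [ether] on eth0\n")
SERVER_ARP = "? (192.0.2.1) at 00:0c:29:dd:ee:ff [ether] on eth0\n"
SSH_SERVER_IP, FIREWALL_LAN_IP = "192.0.2.10", "192.0.2.1"


def main():
    server = parse_arp(SERVER_ARP)
    for label, capture in (("during ping", FIREWALL_ARP_WHILE_PINGING),
                           ("after >1 min idle", FIREWALL_ARP_AFTER_IDLE)):
        lost = diagnose(parse_arp(capture), server, SSH_SERVER_IP, FIREWALL_LAN_IP)
        print(f"{label:18}: {lost or 'both caches intact'}")


if __name__ == "__main__":
    main()
```

Run it on real captures by feeding each machine's "arp -an" output to parse_arp (or local_arp_table() on the box itself) and comparing the result before and after the idle period.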
* Re: SSH Connections Lost After 1 minute idle
2004-07-13 18:01 ` Antony Stone
@ 2004-07-13 20:57 ` Real Cucumber
2004-07-13 21:18 ` Antony Stone
0 siblings, 1 reply; 18+ messages in thread
From: Real Cucumber @ 2004-07-13 20:57 UTC (permalink / raw)
To: netfilter
Why should ICMP not be completely blocked? The machine
is used strictly as a port forwarding firewall/router.
Also it does appear to be arp related. On the firewall
the arp -a does not keep the connecting host in its
cache for long. If I connect I see it, but after a
few minutes it disappears. Is there any way to fix
that?
* Re: SSH Connections Lost After 1 minute idle
2004-07-13 20:57 ` Real Cucumber
@ 2004-07-13 21:18 ` Antony Stone
2004-07-13 21:55 ` Dick St.Peters
0 siblings, 1 reply; 18+ messages in thread
From: Antony Stone @ 2004-07-13 21:18 UTC (permalink / raw)
To: netfilter
On Tuesday 13 July 2004 9:57 pm, Real Cucumber wrote:
> Why should ICMP not be completely blocked? The machine
> is used strictly as a port forwarding firewall/router.
Because blocking all ICMP will break networking. Look up the RFCs explaining
what ICMP is for if you do not understand this.
> Also it does appear to be arp related. On the firewall
> the arp -a does not keep the connecting host in its
> cache for long. If I connect I see it, but after a
> few minutes it disappears. Is there any way to fix
> that?
I am not certain of the exact solution to your problem. It could be:
1. Hardware problem (NIC)
2. Due to your blocking ICMP (although I can't explain a complete reason why)
3. A strange network setup (you haven't described your physical network
layout)
4. Something else ?
If you are having a problem with the arp cache on the firewall keeping the MAC
address of the SSH server, can you check to see whether it successfully
retains the MAC addresses of other machines on your network?
A packet sniffer (eg: ethereal) between the firewall and the SSH server may
show whether ARP requests are not being sent, or ARP responses are not being
returned.
Regards,
Antony.
--
Never automate fully anything that does not have a manual override capability.
Never design anything that cannot work under degraded conditions in emergency.
Please reply to the list;
please don't CC me.
* Re: SSH Connections Lost After 1 minute idle
2004-07-13 21:18 ` Antony Stone
@ 2004-07-13 21:55 ` Dick St.Peters
2004-07-13 22:06 ` Antony Stone
2004-07-13 22:25 ` Real Cucumber
0 siblings, 2 replies; 18+ messages in thread
From: Dick St.Peters @ 2004-07-13 21:55 UTC (permalink / raw)
To: netfilter
Antony Stone writes:
> On Tuesday 13 July 2004 9:57 pm, Real Cucumber wrote:
>
> > Why should ICMP not be completely blocked? The machine
> > is used strictly as a port forwarding firewall/router.
>
> Because blocking all ICMP will break networking. Look up the RFCs explaining
> what ICMP is for if you do not understand this.
I would like to second this vigorously, although I would phrase it
differently: blocking ICMP makes networks fragile. Fragile networks
break easily when anything out of the ordinary happens.
--
Dick St.Peters, stpeters@NetHeaven.com
* Re: SSH Connections Lost After 1 minute idle
2004-07-13 21:55 ` Dick St.Peters
@ 2004-07-13 22:06 ` Antony Stone
2004-07-13 22:25 ` Real Cucumber
1 sibling, 0 replies; 18+ messages in thread
From: Antony Stone @ 2004-07-13 22:06 UTC (permalink / raw)
To: netfilter
On Tuesday 13 July 2004 10:55 pm, Dick St.Peters wrote:
> Antony Stone writes:
> > On Tuesday 13 July 2004 9:57 pm, Real Cucumber wrote:
> > > Why should ICMP not be completely blocked? The machine
> > > is used strictly as a port forwarding firewall/router.
> >
> > Because blocking all ICMP will break networking. Look up the RFCs
> > explaining what ICMP is for if you do not understand this.
>
> I would like to second this vigorously, although I would phrase it
> differently: blocking ICMP makes networks fragile. Fragile networks
> break easily when anything out of the ordinary happens.
Thank you. That is a very good way of expressing it.
I said "blocking all ICMP will break networking". That is not true... until
something starts to go wrong.
Saying that "blocking ICMP makes networks fragile, and fragile networks break
easily" is much better, I think.
Although it appears that this *may* not be the problem in this particular
case, I think that anything in the mailing list archive which encourages
people not to block ICMP without being aware of the likely consequences is a
very good thing.
Regards,
Antony.
--
Anyone that's normal doesn't really achieve much.
- Mark Blair, Australian rocket engineer
Please reply to the list;
please don't CC me.
* Re: SSH Connections Lost After 1 minute idle
2004-07-13 21:55 ` Dick St.Peters
2004-07-13 22:06 ` Antony Stone
@ 2004-07-13 22:25 ` Real Cucumber
2004-07-13 22:35 ` Antony Stone
1 sibling, 1 reply; 18+ messages in thread
From: Real Cucumber @ 2004-07-13 22:25 UTC (permalink / raw)
To: netfilter
Basically I've created a port forwarding firewall with
two network interfaces, whose sole purpose is to
forward incoming SSH packets on one interface (WAN)
through the other interface (LAN) to a local SSH
server.
I've done this using IPtables and the mangle table.
It works great, except for the fact that connections
are dropped if left idle for 1 minute.
I have tried allowing all ICMP for
INPUT,OUTPUT,FORWARD as well as creating static ARP
entries on the firewall, and nothing has helped.
If anyone knows what else may cause 1 minute idle
connection timeouts, please let me know.
This connection timeout issue does not occur for LAN
clients connecting to the SSH server. They can remain
idle for an indefinite period of time.
* RE: SSH Connections Lost After 1 minute idle
@ 2004-07-13 22:28 Hudson Delbert J Contr 61 CS/SCBN
2004-07-13 22:58 ` Antony Stone
0 siblings, 1 reply; 18+ messages in thread
From: Hudson Delbert J Contr 61 CS/SCBN @ 2004-07-13 22:28 UTC (permalink / raw)
To: 'Dick St.Peters', netfilter
dick,
i beg to differ.
i must concur strongly with antony.
if you cripple icmp, your networks will break...
* Re: SSH Connections Lost After 1 minute idle
2004-07-13 22:25 ` Real Cucumber
@ 2004-07-13 22:35 ` Antony Stone
2004-07-13 22:48 ` Real Cucumber
0 siblings, 1 reply; 18+ messages in thread
From: Antony Stone @ 2004-07-13 22:35 UTC (permalink / raw)
To: netfilter
On Tuesday 13 July 2004 11:25 pm, Real Cucumber wrote:
> Basically I've created a port forwarding firewall with
> two network interfaces, whose sole purpose is to
> forward incoming SSH packets on one interface (WAN)
> through the other interface (LAN) to a local SSH
> server.
>
> I've done this using IPtables and the mangle table.
Please explain how you have used the mangle table to achieve this.
The use of the mangle table is for a few fairly restricted and generally
esoteric purposes, and I cannot see that your situation falls into these
categories.
Regards,
Antony.
--
What makes you think I know what I'm talking about?
I just have more O'Reilly books than most people.
Please reply to the list;
please don't CC me.
* Re: SSH Connections Lost After 1 minute idle
2004-07-13 22:35 ` Antony Stone
@ 2004-07-13 22:48 ` Real Cucumber
2004-07-13 23:11 ` Antony Stone
0 siblings, 1 reply; 18+ messages in thread
From: Real Cucumber @ 2004-07-13 22:48 UTC (permalink / raw)
To: netfilter
I'm using it for port remapping/forwarding of inbound
tcp packets on port XXXX forwarded to internal server
and remapped to internal port XXXX as follows:
--------
iptables -t nat -A PREROUTING -p tcp --dport $WAN_SSH_PORT -i $WAN_INTERFACE \
  -j DNAT --to $INTERNAL_SERVER_IP:$INTERNAL_SERVER_SSH_PORT
----------
* Re: SSH Connections Lost After 1 minute idle
2004-07-13 22:28 Hudson Delbert J Contr 61 CS/SCBN
@ 2004-07-13 22:58 ` Antony Stone
0 siblings, 0 replies; 18+ messages in thread
From: Antony Stone @ 2004-07-13 22:58 UTC (permalink / raw)
To: netfilter
On Tuesday 13 July 2004 11:28 pm, Hudson Delbert J Contr 61 CS/SCBN wrote:
> dick,
>
> i beg to differ.
>
> i must concur strongly with antony.
>
> if you cripple icmp, your networks will break...
Maybe not immediately :)
Maybe only when something else starts to go awry...?
Antony.
PS: Did you ever expand on your reasons for saying "do not i repeat...do not
allow inbound ntp with a source port above the root ports"? Several people
here (including myself) were interested to know more about this...
--
Programming is a Dark Art, and it will always be. The programmer is
fighting against the two most destructive forces in the universe:
entropy and human stupidity. They're not things you can always
overcome with a "methodology" or on a schedule.
- Damian Conway, Perl God
Please reply to the list;
please don't CC me.
* Re: SSH Connections Lost After 1 minute idle
2004-07-13 22:48 ` Real Cucumber
@ 2004-07-13 23:11 ` Antony Stone
0 siblings, 0 replies; 18+ messages in thread
From: Antony Stone @ 2004-07-13 23:11 UTC (permalink / raw)
To: netfilter
On Tuesday 13 July 2004 11:48 pm, Real Cucumber wrote:
> > > I've done this using IPtables and the mangle table.
> >
> > Please explain how you have used the mangle table to
> > achieve this.
> --------
> iptables -t nat -A PREROUTING -p tcp --dport
> $WAN_SSH_PORT -i $WAN_INTERFACE -j DNAT --to
> $INTERNAL_SERVER_IP:$INTERNAL_SERVER_SSH_PORT
> ----------
Oh good - you mean the nat table, not the mangle table.
That makes good sense, then.
Regards,
Antony.
--
"I don't mind that he got rich, but I do mind that he peddles himself as the
ultimate hacker and God's own gift to technology when his track record
suggests that he wouldn't know a decent design idea or a well-written hunk of
code if it bit him in the face. He's made his billions selling elaborately
sugar-coated crap that runs like a pig on [sedatives], crashes at the drop of
an electron, and has set the computing world back by at least a decade."
- Eric S Raymond, about Bill Gates
Please reply to the list;
please don't CC me.
* RE: SSH Connections Lost After 1 minute idle
@ 2004-07-13 23:29 Jason Opperisano
2004-07-14 3:48 ` George Alexandru Dragoi
2004-07-14 13:31 ` P
0 siblings, 2 replies; 18+ messages in thread
From: Jason Opperisano @ 2004-07-13 23:29 UTC (permalink / raw)
To: 'Real Cucumber', netfilter
Dunno if this is relevant--but I had similar symptoms SSH-ing to an OpenBSD
SSH server through IPTables on RH running through an OpenVPN tunnel
(RH/IPTables was the OVPN server)... I didn't really spend the proper time
troubleshooting what was actually causing it--so this may not apply to your
situation at all... (enough disclaimers yet?)
What fixed it for me was setting the following in sshd_config of the SSH
server:
ClientAliveInterval 10
ClientAliveCountMax 6
Again--no idea if this is of any value to anyone...
- -j
* Re: SSH Connections Lost After 1 minute idle
[not found] <Pine.GSU.4.58.0407131830460.14186@adore.lightlink.com>
@ 2004-07-13 23:32 ` Real Cucumber
2004-07-13 23:49 ` Antony Stone
0 siblings, 1 reply; 18+ messages in thread
From: Real Cucumber @ 2004-07-13 23:32 UTC (permalink / raw)
To: netfilter
The other thing I should mention is the WAN interface
is connected to a Linksys Router - so that could also
be the culprit...as I did find this thread (however,
I'm not using VPN, it sounds similar):
http://www.dslreports.com/forum/remark,10634772~mode=flat
--- Nick Taylor <nickt@lightlink.com> wrote:
> I'm sorry, I haven't followed the entirety of this
> thread, but my thoughts
> are as follows:
>
> Sometimes (on a nat box), the connection tracking
> can't tell the
> difference between an "orphaned" connection (say the
> server crashed) and
> an idle connection, so after a certain period, it
> drops the connection out
> of its table, and of course, another packet that
> comes in later will get a
> connection reset, because it has forgotten. It can
> also be that you
> overfill your connection table, and least used
> entries are removed (this
> should be a very large number though, so unless you
> have LOTS going
> through your firewall, this is not a big problem).
>
> So, I would run the following:
>
> tcpdump -n -i $client_ether host $client_host and \(
> port ssh or icmp\)
>
> just to see where and when a connection is actually
> getting broken, and
> which host it is that's doing it, and whether it's a
> connection reset, or
> an ICMP, or what...
>
>
* Re: SSH Connections Lost After 1 minute idle
2004-07-13 23:32 ` Real Cucumber
@ 2004-07-13 23:49 ` Antony Stone
0 siblings, 0 replies; 18+ messages in thread
From: Antony Stone @ 2004-07-13 23:49 UTC (permalink / raw)
To: netfilter
Nick Taylor <nickt@lightlink.com> wrote:
> > I'm sorry, I haven't followed the entirety of this thread, but my thoughts
> > are as follows:
> >
> > Sometimes (on a nat box), the connection tracking can't tell the
> > difference between an "orphaned" connection (say the server crashed) and
> > an idle connection, so after a certian period, it drops the connection out
> > of its table, and of course, another packet that comes in later will get a
> > connection reset, because it has forgotten.
That's true, however, the timeout period on a TCP connection is 5 days (!), so
I don't think it can be used to explain why a connection might be dropped
after only a minute or so....
Antony.
--
RTFM may be the appropriate reply, but please specify exactly which FM to R.
Please reply to the list;
please don't CC me.
* Re: SSH Connections Lost After 1 minute idle
2004-07-13 23:29 Jason Opperisano
@ 2004-07-14 3:48 ` George Alexandru Dragoi
2004-07-14 13:31 ` P
1 sibling, 0 replies; 18+ messages in thread
From: George Alexandru Dragoi @ 2004-07-14 3:48 UTC (permalink / raw)
To: netfilter
I had a somewhat similar problem, but it didn't involve any tunnel;
the problem was some ESTABLISHED connections which remained hung in
ip_conntrack for a long time (5 days is the default).
So I tried to decrease the default.
I have these for sysctl:
net/ipv4/tcp_keepalive_time=300
This means the state of the connection is rechecked after 300 seconds;
this usually means that the TTL from ip_conntrack will go to the maximum
again (that 5 days thingy).
I also changed this:
net/ipv4/netfilter/ip_conntrack_tcp_timeout_established=400
This is what before was 5 days.
You may want to check if somewhere between you and the other side there are
some bad configurations; maybe changing tcp_keepalive_time to
something much lower than 60 would help out (the kernel sends some
sort of packets for checking), but try to tune these on both sides: a
stateful firewall somewhere may forget the connections after 60
seconds, maybe a low ip_conntrack_tcp_timeout_established.
I hope this may help you.
* Re: SSH Connections Lost After 1 minute idle
2004-07-13 16:51 SSH Connections Lost After 1 minute idle Real Cucumber
2004-07-13 18:01 ` Antony Stone
@ 2004-07-14 11:42 ` Sheldon Hearn
1 sibling, 0 replies; 18+ messages in thread
From: Sheldon Hearn @ 2004-07-14 11:42 UTC (permalink / raw)
To: Real Cucumber; +Cc: netfilter
On Tue, 2004-07-13 at 18:51, Real Cucumber wrote:
> I have a fedora firewall/router using iptables to
> forward incoming SSH packets to an internal server and
> it works great....however, only if the user does not
> remain idle for 1 minute.
If you're going to use SSH through a stateful firewall, you should
disable out-of-band keep-alives and enable in-connection keep-alives.
I use this in sshd_config:
# In older versions of OpenSSH, it's KeepAlive, not TCPKeepAlive
TCPKeepAlive no
ClientAliveInterval 30
ClientAliveCountMax 120
See the sshd_config(5) manual page for implications.
Ciao,
Sheldon.
* Re: SSH Connections Lost After 1 minute idle
2004-07-13 23:29 Jason Opperisano
2004-07-14 3:48 ` George Alexandru Dragoi
@ 2004-07-14 13:31 ` P
1 sibling, 0 replies; 18+ messages in thread
From: P @ 2004-07-14 13:31 UTC (permalink / raw)
To: Jason Opperisano; +Cc: 'Real Cucumber', netfilter
Jason Opperisano wrote:
> Dunno if this is relevant--but I had similar symptoms SSH-ing to an OpenBSD
> SSH server through IPTables on RH running through an OpenVPN tunnel
> (RH/IPTables was the OVPN server)... I didn't really spend the proper time
> troubleshooting what was actually causing it--so this may not apply to your
> situation at all... (enough disclaimers yet?)
>
> What fixed it for me was setting the following in sshd_config of the SSH
> server:
>
> ClientAliveInterval 10
> ClientAliveCountMax 6
>
> Again--no idea if this is of any value to anyone...
The corresponding settings for the client
(if you want to do it there instead) are:
serveraliveinterval 10
serveralivecountmax 6
client config is stored in ~/.ssh/config
Pádraig.
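The keepalive suggestions in this thread (Jason's ClientAlive 10/6, Sheldon's TCPKeepAlive no with 30/120, Pádraig's client-side ServerAlive equivalents) and George's tcp_keepalive_time / ip_conntrack_tcp_timeout_established tuning can all be checked against a given firewall idle timeout with this added example, which is my code and not from any poster or from OpenSSH. It assumes the stock OpenSSH defaults (ClientAliveInterval 0, CountMax 3, TCPKeepAlive yes), the Linux tcp_keepalive_time default of 7200 s, the 60 s timeout that is the thread's symptom, and that a stateful firewall refreshes a flow's entry on any packet in that flow.

```python
"""Keepalive budget for an SSH session crossing a stateful firewall.

Added example, not code from the thread or from OpenSSH. The thread's
advice boils down to: a firewall that forgets idle flows after T seconds
keeps the flow only if some packet crosses it more often than every T
seconds. This model considers the three sources of such packets:
  * OpenSSH ClientAlive* (sshd_config) or ServerAlive* (ssh_config) messages,
  * TCP keepalive probes (TCPKeepAlive yes, paced by net.ipv4.tcp_keepalive_time),
  * nothing at all (only the user typing).
The firewall idle timeout T and the sysctl values are inputs you supply;
nothing here reads the live system.
"""
import re

# OpenSSH defaults: an interval of 0 disables the mechanism entirely.
DEFAULTS = {
    "clientaliveinterval": 0, "clientalivecountmax": 3,   # sshd_config
    "serveraliveinterval": 0, "serveralivecountmax": 3,   # ssh_config
    "tcpkeepalive": "yes",                                # both
}
LINUX_TCP_KEEPALIVE_TIME = 7200            # net.ipv4.tcp_keepalive_time default
CONNTRACK_ESTABLISHED_DEFAULT = 5 * 86400  # the "5 days" quoted in the thread


def parse_ssh_config(text):
    """Parse 'Keyword value' lines the way OpenSSH does: keywords are
    case-insensitive, '#' starts a comment, '=' may separate key and value.
    Only the keepalive-related keywords are kept; others are ignored."""
    conf = dict(DEFAULTS)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().lower()
        if key == "tcpkeepalive":
            conf[key] = value
        elif key in conf:
            conf[key] = int(value)
    return conf


def keepalive_budget(conf, firewall_idle_timeout, side="server",
                     tcp_keepalive_time=LINUX_TCP_KEEPALIVE_TIME):
    """Return (survives, probe_interval, dead_peer_after), all in seconds.

    probe_interval   - how often this endpoint sends a packet on its own while
                       the user is idle (None: never, the flow goes silent).
    dead_peer_after  - silence after which ssh/sshd itself drops a session whose
                       peer stopped answering alive requests (None: never).
    survives         - True when probe_interval is shorter than the firewall's
                       idle timeout, so the conntrack entry is refreshed in time.
    """
    prefix = "clientalive" if side == "server" else "serveralive"
    interval, countmax = conf[prefix + "interval"], conf[prefix + "countmax"]
    intervals, dead_after = [], None
    if interval > 0:                       # in-connection, encrypted requests
        intervals.append(interval)
        dead_after = interval * countmax   # countmax unanswered requests
    if conf["tcpkeepalive"] == "yes":      # plain TCP probes, kernel-paced
        intervals.append(tcp_keepalive_time)
    probe = min(intervals) if intervals else None
    survives = probe is not None and probe < firewall_idle_timeout
    return survives, probe, dead_after


# Constructed configs taken from the thread's three suggestions.
JASON_SSHD = "ClientAliveInterval 10\nClientAliveCountMax 6\n"
SHELDON_SSHD = ("# In older versions of OpenSSH, it's KeepAlive, not TCPKeepAlive\n"
                "TCPKeepAlive no\nClientAliveInterval 30\nClientAliveCountMax 120\n")
PADRAIG_SSH = "serveraliveinterval 10\nserveralivecountmax 6\n"   # ~/.ssh/config
STOCK_SSHD = ""   # untouched sshd_config: only kernel TCP keepalives remain


def main():
    # The OP's symptom: something in the path forgets the flow after ~60 s.
    for label, text, side in (("stock sshd", STOCK_SSHD, "server"),
                              ("Jason's sshd", JASON_SSHD, "server"),
                              ("Sheldon's sshd", SHELDON_SSHD, "server"),
                              ("Padraig's ssh", PADRAIG_SSH, "client")):
        ok, probe, dead = keepalive_budget(parse_ssh_config(text), 60, side)
        print(f"{label:15} 60 s firewall: {'keeps' if ok else 'loses'} flow, "
              f"probe every {probe} s, drops dead peer after {dead} s")
    # George's sysctl tuning on the endpoints instead of in sshd_config:
    ok, probe, _ = keepalive_budget(parse_ssh_config(STOCK_SSHD), 400,
                                    tcp_keepalive_time=300)
    print(f"stock sshd + tcp_keepalive_time=300 vs conntrack 400 s: {ok}, {probe} s")


if __name__ == "__main__":
    main()
```

Against the thread's 60 s symptom the stock configuration loses the flow (first probe only after 7200 s), while all three posted configurations keep it; the stock configuration would have been fine against conntrack's 5 day default, which is why Antony could not explain the symptom with that timeout.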