Some further updates/optimizations to my original posting. This version handles all protocols now. Anyone besides me think this is useful?

***

I use a fairly short 2-hour established timeout on firewalls I operate, which works fine for most purposes. Occasionally, however, it would be nice to have a longer timeout for *certain* types of traffic such as SSH or telnet sessions. So, below find a TIMEOUT target to enable such per-conntrack timeouts.

Syntax for SSH would be something like:

    iptables -A foo -p tcp --dport 22 -j TIMEOUT --timeout 123456
    iptables -A foo -p tcp --dport 22 -j ACCEPT

It could of course also be used to lower the timeouts on some traffic, such as HTTP.

Phil