Hi, Gao Feng:

First, thanks for your response! I set the two parameters to the corresponding values:

    echo 60 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_established
    echo 0 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_loose

The ESTABLISHED item for port 9999 was inserted after the connection was created and removed after the 60-second timeout. Using the conntrack tool supplied with iptables also proved this:

    conntrack -E
    [DESTROY] tcp      6 src=192.168.2.194 dst=192.168.2.166 sport=41570 dport=9999 packets=4 bytes=218 src=192.168.2.166 dst=192.168.2.194 sport=9999 dport=41570 packets=3 bytes=166

However, netstat indicated that the physical connection was still there, and the communication between the two endpoints was not blocked or dropped:

    netstat -an | grep 9999
    tcp        0      0 192.168.2.166:9999          192.168.2.194:41570         ESTABLISHED

The state-related rules in my configuration did not work at all:

    -A INPUT -p udp -m state --state ESTABLISHED -j ACCEPT
    -A INPUT -p tcp -m state --state ESTABLISHED -j LOG --log-prefix "conn established::"
    -A INPUT -p tcp -m state --state INVALID -j DROP
    -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j LOG --log-prefix "DROP invalid::"
    -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP

The communication was not affected by these rules, and there was no log in /var/log/iptables.log. (For explanation: I redirected my Linux kernel log to /var/log/iptables.log.) However, another rule in /etc/sysconfig/iptables did log; its output was found in /var/log/iptables.log:

    -A INPUT -p tcp -m tcp --dport 9999 -j LOG --log-prefix "ACCEPT 9999::"

I attached my iptables rule set for reference. I hope you can give me another hint and a related rule set.

Thanks for your support.

On 2011-11-25 9:14, Gao feng wrote:
> On 2011-11-24 17:46, lu zhongda wrote:
>> The timeout is defined in /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_established, which defaults to 5 days. I changed it to a short value for testing, such as 1 min.
>> The Linux shell command is: echo "60" > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_established
>> The timeout for the ESTABLISHED type item does work, and the item is removed after the timeout; however, the connection is not blocked or dropped at all.
> Hi zhongda.
>
> How about echo 0 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_loose
>
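An added example, not part of the thread above and not the poster's attached rule set: a POSIX shell script that emits the two sysctl settings discussed (the /proc/sys/net/netfilter/nf_conntrack_* paths are the current names; the ip_conntrack_* paths used in the thread are the legacy aliases) and an iptables-restore ruleset in which the INVALID drop and the NEW-without-SYN drop come before the per-port ACCEPT. iptables evaluates a chain top to bottom and stops at the first terminating match, so a per-port ACCEPT placed ahead of the state rules would accept a mid-stream packet whose conntrack entry has already expired and the state rules would never see it; whether that is what happened in the poster's configuration is not established by the thread. The port number, the log prefixes and the rate limit on the ESTABLISHED log are assumptions chosen for illustration. The script does not call iptables; it only generates the text and checks the ordering, so it runs anywhere.

```shell
#!/bin/sh
# Added example (not from the original thread). Emits conntrack sysctl
# settings and an iptables-restore ruleset, then checks rule ordering.

CT_ESTABLISHED_TIMEOUT=60   # seconds, as in the thread (default is 5 days)
CT_TCP_LOOSE=0              # 0: do not pick up mid-stream TCP without a SYN
SERVICE_PORT=9999           # assumed service port, as in the thread

# Sysctl commands. Modern kernels expose these under /proc/sys/net/netfilter/;
# the /proc/sys/net/ipv4/netfilter/ip_conntrack_* names are legacy aliases.
conntrack_sysctl_cmds() {
    cat <<EOF
echo $CT_ESTABLISHED_TIMEOUT > /proc/sys/net/netfilter/nf_conntrack_tcp_timeout_established
echo $CT_TCP_LOOSE > /proc/sys/net/netfilter/nf_conntrack_tcp_loose
EOF
}

# Ruleset with the state checks ahead of the per-port ACCEPT.
# Load with: filter_ruleset | iptables-restore
filter_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state INVALID -j LOG --log-prefix "DROP invalid::"
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j LOG --log-prefix "DROP new-not-syn::"
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A INPUT -m state --state ESTABLISHED,RELATED -m limit --limit 5/min --limit-burst 5 -j LOG --log-prefix "conn established::"
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport $SERVICE_PORT -m state --state NEW -j LOG --log-prefix "ACCEPT $SERVICE_PORT::"
-A INPUT -p tcp -m tcp --dport $SERVICE_PORT -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# The weak ordering for comparison: the per-port ACCEPT comes first, so a
# packet to port $SERVICE_PORT never reaches the INVALID / NEW checks.
weak_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport $SERVICE_PORT -j LOG --log-prefix "ACCEPT $SERVICE_PORT::"
-A INPUT -p tcp -m tcp --dport $SERVICE_PORT -j ACCEPT
-A INPUT -p tcp -m state --state INVALID -j DROP
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
COMMIT
EOF
}

# Read a ruleset on stdin; succeed only if both DROP rules for bad state
# precede the per-port ACCEPT (first match wins in an iptables chain).
ruleset_order_ok() {
    ruleset=$(cat)
    accept_line=$(printf '%s\n' "$ruleset" | grep -n -e "--dport $SERVICE_PORT .*-j ACCEPT" | cut -d: -f1)
    invalid_line=$(printf '%s\n' "$ruleset" | grep -n -e "--state INVALID -j DROP" | cut -d: -f1)
    newnosyn_line=$(printf '%s\n' "$ruleset" | grep -n -e "--state NEW -j DROP" | cut -d: -f1)
    [ -n "$accept_line" ] && [ -n "$invalid_line" ] && [ -n "$newnosyn_line" ] \
        && [ "$invalid_line" -lt "$accept_line" ] \
        && [ "$newnosyn_line" -lt "$accept_line" ]
}

# Stand-alone run: print the sysctl commands and the hardened ruleset.
if [ "${1:-}" = "--print" ]; then
    conntrack_sysctl_cmds
    filter_ruleset
fi
```

With nf_conntrack_tcp_loose set to 0, a packet that arrives after its ESTABLISHED entry has expired is classified INVALID rather than starting a new entry, so it is dropped and logged by the second rule; a bare ACK to the service port with no entry at all is NEW without SYN and is dropped by the fourth rule. An accept rule for the port placed above those lines would match first and neither drop would fire.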