From: lu zhongda <luzhongda@gmail.com>
To: Gao feng <gaofeng@cn.fujitsu.com>
Cc: netfilter@vger.kernel.org, "Brian J. Murrell" <brian@interlinx.bc.ca>
Subject: Re: How to drop an idle connection with iptables?
Date: Fri, 25 Nov 2011 11:40:05 +0800 [thread overview]
Message-ID: <4ECF0E15.30300@gmail.com> (raw)
In-Reply-To: <4ECEEC11.5010701@cn.fujitsu.com>
[-- Attachment #1: Type: text/plain, Size: 2564 bytes --]
Hi, Gao Feng:
First thanks for your response!
I set the two timeout to their corresponding value:
echo 60 >
/proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_established
echo 0 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_loose
The ESTABLISHED item for port 9999 was inserted after connection
created and removed after 60 seconds timeout.
Using tool conntrack supplied by iptables also proved this:
conntrack -E
[DESTROY] tcp 6 src=192.168.2.194 dst=192.168.2.166
sport=41570 dport=9999 packets=4 bytes=218 src=192.168.2.166
dst=192.168.2.194 sport=9999 dport=41570 packets=3 bytes=166
However netstat indicated that the physical connection was still
there and the communication between two endpoints was not blocked or
dropped.
netstat -an | grep 9999
tcp 0 0 192.168.2.166:9999
192.168.2.194:41570 ESTABLISHED
The state related rule set in my configuration did not work at all:
-A INPUT -p udp -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state ESTABLISHED -j LOG --log-prefix
"conn established::"
-A INPUT -p tcp -m state --state INVALID -j DROP
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state
--state NEW -j LOG --log-prefix "DROP invalid::"
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state
--state NEW -j DROP
The communication was not affected by the rules and no log in
/var/log/iptables.log.
For an explanation, I redirected my Linux kernel log to
/var/log/iptables.log
However other rule in /etc/sysconfig/iptables did logged file, log
found in /var/log/iptables.log
-A INPUT -p tcp -m tcp --dport 9999 -j LOG --log-prefix "ACCEPT
9999::"
I attached my iptables rule set for reference.
Hope you can give me another hint and related rule set.
Thanks for your support.
On 2011-11-25 9:14, Gao feng wrote:
> 于 2011年11月24日 17:46, lu zhongda 写道:
>> The timeout is defined in //proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_established/ , which is defaulted to 5 days, I change it to a short value for testing, such as 1 min.
>> the linux shell command is: echo "60"> //proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_established/
>> The timeout for ESTABLISHED type item does works, and the item is removed after timeout, however the connection is not blocked or dropped at all.
> Hi zhongda.
>
> How about echo 0> /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_loose
>
[-- Attachment #2: iptables --]
[-- Type: text/plain, Size: 1145 bytes --]
# Generated by iptables-save v1.3.5 on Thu Nov 24 15:19:59 2011
*filter
:INPUT DROP [200:29532]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9999 -j LOG --log-prefix "ACCEPT 9999::"
-A INPUT -p tcp -m tcp --dport 9999 -j ACCEPT
-A INPUT -p udp -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state ESTABLISHED -j LOG --log-prefix "conn established::"
-A INPUT -p tcp -m state --state INVALID -j DROP
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j LOG --log-prefix "DROP invalid::"
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A OUTPUT -p tcp -m tcp --sport 22 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 9999 -j ACCEPT
-A OUTPUT -p udp -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -j LOG --log-prefix "out conn established::"
-A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
COMMIT
# Completed on Thu Nov 24 15:19:59 2011
next prev parent reply other threads:[~2011-11-25 3:40 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-11-23 10:48 How to drop an idle connection with iptables? lu zhongda
2011-11-23 12:37 ` Brian J. Murrell
2011-11-24 9:46 ` lu zhongda
2011-11-24 11:30 ` Brian J. Murrell
2011-11-25 5:37 ` lu zhongda
2011-11-25 11:16 ` Brian J. Murrell
2011-11-25 13:45 ` lu zhongda
2011-11-25 14:20 ` Nikolay Kichukov
2011-11-26 11:32 ` lu zhongda
2011-12-01 10:22 ` Anatoly Muliarski
2011-12-01 10:39 ` Jan Engelhardt
2011-11-25 20:01 ` John Haxby
2011-11-26 11:30 ` lu zhongda
2011-11-25 1:14 ` Gao feng
2011-11-25 3:40 ` lu zhongda [this message]
2011-11-25 3:41 ` lu zhongda
2011-11-25 3:59 ` lu zhongda
2011-11-25 5:39 ` Gao feng
-- strict thread matches above, loose matches on Subject: below --
2011-11-22 12:22 陆仲达
2011-11-23 3:27 ` Lloyd Standish
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4ECF0E15.30300@gmail.com \
--to=luzhongda@gmail.com \
--cc=brian@interlinx.bc.ca \
--cc=gaofeng@cn.fujitsu.com \
--cc=netfilter@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).