Re: How to drop an idle connection with iptables?

[lu zhongda <luzhongda@gmail.com>]

And the following document for conntrack-tool all talked about:
"established TCP connections can be cut or blocked by removed entrance 
in /proc/net/ip_conntrack"

http://conntrack-tools.netfilter.org/about.html
http://conntrack-tools.netfilter.org/manual.html

However I removed the entrance by timeout or manually by conntrack -D, 
none worked.

I am just wondering whether conntrack only works for tracing event, no 
functionality for filtering at all?


On 2011-11-25 11:41, lu zhongda wrote:
> Hi, Gao Feng:
>     First thanks for your response!
>     I set the two timeout to their corresponding value:
>     echo 60 > 
> /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_established
>     echo 0 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_loose
>
>     The ESTABLISHED item for port 9999 was inserted after connection 
> created and removed after 60 seconds timeout.
>     Using tool conntrack supplied by iptables also proved this:
>
>     conntrack -E
>     [DESTROY] tcp      6 src=192.168.2.194 dst=192.168.2.166 
> sport=41570 dport=9999 packets=4 bytes=218 src=192.168.2.166 
> dst=192.168.2.194 sport=9999         dport=41570 packets=3 bytes=166
>
>     However netstat indicated that the physical connection was still 
> there and the communication between two endpoints was not blocked or 
> dropped.
>
>     netstat -an | grep 9999
>     tcp        0      0 192.168.2.166:9999          
> 192.168.2.194:41570         ESTABLISHED
>
>     The state related rule set in my configuration did not work at all:
>
>     -A INPUT -p udp -m state --state ESTABLISHED -j ACCEPT
>     -A INPUT -p tcp -m state --state ESTABLISHED -j LOG --log-prefix 
> "conn established::"
>     -A INPUT -p tcp -m state --state INVALID -j DROP
>     -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state 
> --state NEW -j LOG --log-prefix "DROP invalid::"
>     -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state 
> --state NEW -j DROP
>
>     The communication was not affected by the rules and no log in 
> /var/log/iptables.log.
>     For an explanation, I redirected my Linux kernel log to 
> /var/log/iptables.log
>
>     However other rule in /etc/sysconfig/iptables did logged file, log 
> found in /var/log/iptables.log
>     -A INPUT -p tcp -m tcp --dport 9999 -j LOG --log-prefix "ACCEPT 
> 9999::"
>
>     I attached my iptables rule set for reference.
>     Hope you can give me another hint and related rule set.
>     Thanks for your support.
>
>
> On 2011-11-25 9:14, Gao feng wrote:
>> 于 2011年11月24日 17:46, lu zhongda 写道:
>>>      The timeout is defined in 
>>> //proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_established/ 
>>> , which is defaulted to 5 days, I change it to a short value for 
>>> testing, such as 1 min.
>>>      the linux shell command is: echo "60">  
>>> //proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_established/
>>>      The timeout for ESTABLISHED type item does works, and the item 
>>> is removed after timeout, however the connection is not blocked or 
>>> dropped at all.
>> Hi zhongda.
>>
>> How about echo 0>  /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_loose
>>
>