From: "Brian J. Murrell" <brian@interlinx.bc.ca>
To: netfilter@vger.kernel.org
Subject: Re: How to drop an idle connection with iptables?
Date: Thu, 24 Nov 2011 06:30:17 -0500
Message-ID: <jal9sa$t42$1@dough.gmane.org>
In-Reply-To: <4ECE125F.8090101@gmail.com>
On 11-11-24 04:46 AM, lu zhongda wrote:
> Hi Brian:

Hi Lu,

> At least, I hope iptables can confirm whether a connection is idle
> or not by its rules, this is the key point of my problem.

Perhaps there is a module which can do this but perhaps not because what
you are proposing will actually break protocols based on TCP.

> I have used conntrack of iptables, it seems not work.

iptables' conntrack works exactly as it should. When it sees a TCP
session go to ESTABLISHED (i.e. TCP 3-way handshake is completed) it
allows packets on that session and continues to do so until the session
is destroyed with FIN and/or RST packets.

To start dropping/rejecting packets before that TCP session is shut down
will break the protocol that is running on the socket because it expects
the session to still be open.

You didn't answer my other question though, which is why do you think
you need to be dropping idle, yet still ESTABLISHED sessions (and
breaking higher level protocols when you do that)?

b.
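As an added illustration of the conntrack behaviour Brian describes (a flow becomes ESTABLISHED once the three-way handshake completes and stays accepted, however long it sits idle, until a FIN or RST tears it down), here is a simplified Python model of the TCP state tracking. It is written for this thread and is not kernel, iptables or conntrack code; the state names, the `Packet`/`Flow` types and the `track`/`run_scenario` functions are all constructed for the example, and the packet trace it runs is constructed too. The one real parameter it borrows is the established-state idle timer, `nf_conntrack_tcp_timeout_established`, whose kernel default of 432000 seconds (five days) is why an idle-but-open session is still matched by `--ctstate ESTABLISHED` hours or even days later.

```python
"""Toy model of netfilter conntrack's TCP state tracking (constructed example,
not the kernel's implementation). Shows why an idle ESTABLISHED flow keeps
matching `-m conntrack --ctstate ESTABLISHED` until FIN/RST, or until the
established idle timer (default 432000 s) finally expires the entry."""
from dataclasses import dataclass, field

# Default of /proc/sys/net/netfilter/nf_conntrack_tcp_timeout_established
# (5 days); taken as the model's idle timeout for ESTABLISHED entries.
DEFAULT_ESTABLISHED_TIMEOUT = 432000


@dataclass
class Packet:
    t: float            # time the packet was seen, in seconds
    direction: str      # "orig" (client -> server) or "reply"
    flags: set          # subset of {"SYN", "ACK", "FIN", "RST"}


@dataclass
class Flow:
    state: str = "NONE"     # NONE means no conntrack entry exists
    last_seen: float = 0.0
    fin_from: str = ""      # which side sent the first FIN


def _expire_if_idle(flow, now, timeout):
    """Conntrack garbage-collects an ESTABLISHED entry whose timer ran out."""
    if flow.state == "ESTABLISHED" and now - flow.last_seen > timeout:
        flow.state = "NONE"


def track(flow, pkt, timeout=DEFAULT_ESTABLISHED_TIMEOUT):
    """Apply one packet to the flow and return the verdict a rule set like
        -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
        -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j ACCEPT
        -A INPUT -j DROP
    would give it (INVALID packets fall through to the final DROP)."""
    _expire_if_idle(flow, pkt.t, timeout)
    f, d, s = pkt.flags, pkt.direction, flow.state
    verdict = "DROP"
    if s == "NONE":
        # No entry: only a client SYN may create one (ctstate NEW).
        if f == {"SYN"} and d == "orig":
            s, verdict = "SYN_SENT", "ACCEPT"
    elif "RST" in f:
        s, verdict = "NONE", "ACCEPT"       # RST tears the entry down
    elif s == "SYN_SENT":
        if f == {"SYN", "ACK"} and d == "reply":
            s, verdict = "SYN_RECV", "ACCEPT"
    elif s == "SYN_RECV":
        if "ACK" in f and d == "orig":      # handshake completes here
            s, verdict = "ESTABLISHED", "ACCEPT"
    elif s == "ESTABLISHED":
        verdict = "ACCEPT"                  # any traffic, idle or not
        if "FIN" in f:
            s, flow.fin_from = "FIN_WAIT", d
    elif s == "FIN_WAIT":
        verdict = "ACCEPT"                  # other side may still send
        if "FIN" in f and d != flow.fin_from:
            s = "TIME_WAIT"
    elif s == "TIME_WAIT":
        if f == {"ACK"}:                    # final ACK of the close
            s, verdict = "NONE", "ACCEPT"
    if verdict == "ACCEPT":
        flow.last_seen = pkt.t              # accepted packets refresh the timer
    flow.state = s
    return verdict


def run_scenario(idle_gap, timeout=DEFAULT_ESTABLISHED_TIMEOUT):
    """Constructed trace: handshake, one request/response, an idle gap of
    `idle_gap` seconds, another request/response, then an orderly close.
    Returns (state_after_packet, verdict) for every packet."""
    g = idle_gap
    trace = [
        Packet(0.0, "orig", {"SYN"}),
        Packet(0.1, "reply", {"SYN", "ACK"}),
        Packet(0.2, "orig", {"ACK"}),
        Packet(1.0, "orig", {"ACK"}),            # request data
        Packet(1.1, "reply", {"ACK"}),           # response data
        Packet(1.1 + g, "orig", {"ACK"}),        # request after the idle gap
        Packet(1.2 + g, "reply", {"ACK"}),
        Packet(2.0 + g, "orig", {"FIN", "ACK"}),
        Packet(2.1 + g, "reply", {"FIN", "ACK"}),
        Packet(2.2 + g, "orig", {"ACK"}),
    ]
    flow, results = Flow(), []
    for p in trace:
        v = track(flow, p, timeout)
        results.append((flow.state, v))
    return results


if __name__ == "__main__":
    for label, gap in (("6 hours idle", 6 * 3600), ("6 days idle", 6 * 86400)):
        print(label)
        for state, verdict in run_scenario(gap):
            print(f"  {state:12s} {verdict}")
```

With a six-hour gap every packet is accepted and the flow stays ESTABLISHED across the gap, which is the behaviour the reply describes. Only when the gap exceeds the established timeout does the entry disappear, after which the application's next data packet arrives with no entry, matches no state and is dropped, and the peer's later FIN is dropped as well: that is exactly the broken protocol the reply warns about, just triggered by the kernel's timer instead of a rule.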