Hi, does anyone recognize the following problem :
people here lose their ssh connections to a remote server over the
internet if they leave their ssh open but inactive for like 30 minutes.
This has happened since I replaced our gateway firewall ipfilter
(solaris) by a netfilter(linux) exactly two days ago. So I am pretty sure
it must be some setting in netfilter.
I have become so desperate that I have cleared out the whole filter
table, leaving only the SNAT in the nat table and some kernel tunings,
but the problem persists. So it cannot be the --syn thing.
The default timeouts make no sense either, I see correct values in
/proc/net/ip_conntrack...
/usr/src/linux/net/ipv4/netfilter/ip_conntrack_proto_tcp.c :
static unsigned long tcp_timeouts[]
= { 30 MINS, /* TCP_CONNTRACK_NONE, */
5 DAYS, /* TCP_CONNTRACK_ESTABLISHED, */
2 MINS, /* TCP_CONNTRACK_SYN_SENT, */
60 SECS, /* TCP_CONNTRACK_SYN_RECV, */
2 MINS, /* TCP_CONNTRACK_FIN_WAIT, */
2 MINS, /* TCP_CONNTRACK_TIME_WAIT, */
10 SECS, /* TCP_CONNTRACK_CLOSE, */
60 SECS, /* TCP_CONNTRACK_CLOSE_WAIT, */
30 SECS, /* TCP_CONNTRACK_LAST_ACK, */
2 MINS, /* TCP_CONNTRACK_LISTEN, */
The only time frame that comes close to the drop out time reported
by the users is the NONE (???), since they are cut off appr. after
30 minutes of inactivity.
The only 'special' thing is that I SNAT two different internal networks
(10.xx.xx.xx and 172.17.xx.xx - on two internal nic's off
course) to a fixed external ip with the following rule :
iptables -t nat -A POSTROUTING -o $EXTIF -j SNAT --to $EXTIP
Any ideas? Must have already happened ;-)
Thanks for any ideas or hints on how I can trace this. By the way I am
running the Red Hat 9 kernel without any updates.
Jo
NEOlabs - http://www.neolabs.be - mailto:info@xxxxxxxxxx
