Hi,
I found some new info...
short description of problem : replaced SNAT-ing ipfilter (solaris) by an
SNAT-ing netfilter (linux) three days ago and since then people are
complaining that ssh-session that are left alone for a while tend to die.
MUST be a difference between ipfilter and netfilter.
NEW : ipfilter seems to be able to keep sessions alive. I have found some
info in a mailing list stating that keepalive must even best be off (!)
on the ssh server so that ipf apparently can keep the ssh-connecions open
itself.
Is it possible that netfilter does not/cannot do this? Can you tune
netfilter so that it keeps ssh sessions open? Am I correct in assuming
that ipfilter does this automatically?
Thanks
Jo
On Fri, 30 Jan 2004 19:32:32 +0200 jo@xxxxxxxxxx wrote:
> Hi, does anyone recognize the following problem :
>
> people here lose their ssh connections to a remote server over the
> internet if they leave their ssh open but inactive for like 30 minutes.
> This has happened since I replaced our gateway firewall ipfilter
> (solaris) by a netfilter(linux) exactly two days ago. So I am pretty sure
> it must be some setting in netfilter.
>
> I have become so desperate that I have cleared out the whole filter
> table, leaving only the SNAT in the nat table and some kernel tunings,
> but the problem persists. So it cannot be the --syn thing.
>
> The default timeouts make no sense either, I see correct values in
> /proc/net/ip_conntrack...
>
> /usr/src/linux/net/ipv4/netfilter/ip_conntrack_proto_tcp.c :
>
> static unsigned long tcp_timeouts[]
> = { 30 MINS, /* TCP_CONNTRACK_NONE, */
> 5 DAYS, /* TCP_CONNTRACK_ESTABLISHED, */
> 2 MINS, /* TCP_CONNTRACK_SYN_SENT, */
> 60 SECS, /* TCP_CONNTRACK_SYN_RECV, */
> 2 MINS, /* TCP_CONNTRACK_FIN_WAIT, */
> 2 MINS, /* TCP_CONNTRACK_TIME_WAIT, */
> 10 SECS, /* TCP_CONNTRACK_CLOSE, */
> 60 SECS, /* TCP_CONNTRACK_CLOSE_WAIT, */
> 30 SECS, /* TCP_CONNTRACK_LAST_ACK, */
> 2 MINS, /* TCP_CONNTRACK_LISTEN, */
>
> The only time frame that comes close to the drop out time reported
> by the users is the NONE (???), since they are cut off appr. after
> 30 minutes of inactivity.
>
> The only 'special' thing is that I SNAT two different internal networks
> (10.xx.xx.xx and 172.17.xx.xx - on two internal nic's off
> course) to a fixed external ip with the following rule :
>
> iptables -t nat -A POSTROUTING -o $EXTIF -j SNAT --to $EXTIP
>
> Any ideas? Must have already happened ;-)
>
> Thanks for any ideas or hints on how I can trace this. By the way I am
> running the Red Hat 9 kernel without any updates.
>
> Jo
>
>
>
> NEOlabs - http://www.neolabs.be - mailto:info@xxxxxxxxxx
NEOlabs - http://www.neolabs.be - mailto:info@xxxxxxxxxx
