Re: SSH Connections Lost After 1 minute idle


 



The other thing I should mention is the WAN interface
is connected to a Linksys Router - so that could also
be the culprit...as I did find this thread (however
I'm not using VPN, it sounds similar):

http://www.dslreports.com/forum/remark,10634772~mode=flat




--- Nick Taylor <nickt@xxxxxxxxxxxxx> wrote:
> I'm sorry, I haven't followed the entirety of this thread, but my
> thoughts are as follows:
> 
> Sometimes (on a nat box), the connection tracking can't tell the
> difference between an "orphaned" connection (say the server crashed)
> and an idle connection, so after a certain period, it drops the
> connection out of its table, and of course, another packet that comes
> in later will get a connection reset, because it has forgotten.  It
> can also be that you overfill your connection table, and least used
> entries are removed (this should be a very large number though, so
> unless you have LOTS going through your firewall, this is not a big
> problem).
> 
> So, I would run the following:
> 
> tcpdump -n -i $client_ether host $client_host and \( port ssh or icmp \)
> 
> just to see where and when a connection is actually getting broken,
> and which host it is that's doing it, and whether it's a connection
> reset, or an ICMP, or what...
> 
> 
> On Tue, 13 Jul 2004, Real Cucumber wrote:
> 
> > Date: Tue, 13 Jul 2004 15:25:09 -0700 (PDT)
> > From: Real Cucumber <monkcucumber@xxxxxxxxx>
> > To: netfilter@xxxxxxxxxxxxxxxxxxx
> > Subject: Re: SSH Connections Lost After 1 minute idle
> >
> > Basically I've created a port forwarding firewall with two network
> > interfaces, whose sole purpose is to forward incoming SSH packets on
> > one interface (WAN) through the other interface (LAN) to a local SSH
> > server.
> >
> > I've done this using IPtables and the mangle table.
> >
> > It works great, except for the fact that connections are dropped if
> > left idle for 1 minute.
> >
> > I have tried allowing all ICMP for INPUT,OUTPUT,FORWARD as well as
> > creating static ARP entries on the firewall, and nothing has helped.
> >
> > If anyone knows what else may cause 1 minute idle connection
> > timeouts, please let me know.
> >
> > This connection timeout issue does not occur for LAN clients
> > connecting to the SSH server. They can remain idle for an indefinite
> > period of time.
> >
> >
> > --- "Dick St.Peters" <stpeters@xxxxxxxxxxxxx> wrote:
> > > Antony Stone writes:
> > > > On Tuesday 13 July 2004 9:57 pm, Real Cucumber wrote:
> > > >
> > > > > Why should ICMP not be completely blocked? The machine is used
> > > > > strictly as a port forwarding firewall/router.
> > > >
> > > > Because blocking all ICMP will break networking. Look up the RFCs
> > > > explaining what ICMP is for if you do not understand this.
> > >
> > > I would like to second this vigorously, although I would phrase it
> > > differently: blocking ICMP makes networks fragile. Fragile networks
> > > break easily when anything out of the ordinary happens.
> > >
> > > --
> > > Dick St.Peters, stpeters@xxxxxxxxxxxxx
> > >
> > >
> >
> >
> > __________________________________
> > Do you Yahoo!?
> > Yahoo! Mail - 50x more storage than other providers!
> > http://promotions.yahoo.com/new_mail
> >
> 



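As an added example (not code from this thread or from the netfilter project), here is a small Python script that does the triage Nick suggests: it reads the text output of the `tcpdump -n` command quoted above and reports, for each TCP reset or ICMP error, when it happened, which host sent it, and how long the SSH flow had been silent before the packet that provoked the reset. The capture text, the addresses (client 203.0.113.7, forwarder WAN side 192.0.2.10, upstream router 192.0.2.1) and the timings are all constructed for illustration; the only assumption about tcpdump is its standard `-n` line format for TCP (`Flags [...]`) and ICMP lines.

```python
import re
from datetime import datetime

# Constructed sample of `tcpdump -n` text output, not a capture from the thread.
# It models an SSH session through a port-forwarding NAT box: a little traffic,
# a 63-second silence, the client's next packet, and a reset that comes back
# from the forwarder's WAN address (192.0.2.10) rather than from the real SSH
# server, followed by one ICMP unreachable from an upstream router.
SAMPLE_TCPDUMP = """\
15:25:09.100000 IP 203.0.113.7.51234 > 192.0.2.10.22: Flags [P.], seq 1:37, ack 1, win 501, length 36
15:25:09.110000 IP 192.0.2.10.22 > 203.0.113.7.51234: Flags [P.], seq 1:53, ack 37, win 501, length 52
15:25:09.120000 IP 203.0.113.7.51234 > 192.0.2.10.22: Flags [.], ack 53, win 501, length 0
15:26:12.400000 IP 203.0.113.7.51234 > 192.0.2.10.22: Flags [P.], seq 37:73, ack 53, win 501, length 36
15:26:12.401000 IP 192.0.2.10.22 > 203.0.113.7.51234: Flags [R], seq 53, win 0, length 0
15:26:30.000000 IP 192.0.2.1 > 203.0.113.7: ICMP host 192.0.2.10 unreachable - admin prohibited filter, length 36
"""

# tcpdump -n prints "host.port > host.port: Flags [..]" for TCP ...
TCP_LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+?)\.(?P<sport>\d+) > "
    r"(?P<dst>\S+?)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)
# ... and "host > host: ICMP <message>, length N" for ICMP errors.
ICMP_LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): "
    r"ICMP (?P<msg>.*?), length \d+$"
)


def seconds_since_midnight(ts: str) -> float:
    """Turn a tcpdump HH:MM:SS.ffffff timestamp into seconds for arithmetic."""
    t = datetime.strptime(ts, "%H:%M:%S.%f")
    return t.hour * 3600 + t.minute * 60 + t.second + t.microsecond / 1e6


def analyze(capture: str) -> list:
    """Walk tcpdump lines and collect every event that could break a session.

    Returns one dict per TCP reset or ICMP error: when it happened, which host
    sent it and, for resets, the longest silence on that flow right before the
    reset (the tell-tale of a NAT box that has already forgotten the flow).
    """
    last_seen = {}        # flow -> timestamp of the most recent packet
    gap_before_last = {}  # flow -> silence that preceded that packet
    events = []
    for line in capture.splitlines():
        m = TCP_LINE.match(line)
        if m:
            now = seconds_since_midnight(m["ts"])
            ends = ((m["src"], m["sport"]), (m["dst"], m["dport"]))
            flow = tuple(sorted(ends))  # same key for both directions
            if "R" in m["flags"]:
                prev = last_seen.get(flow)
                since_prev = now - prev if prev is not None else 0.0
                idle = max(gap_before_last.get(flow, 0.0), since_prev)
                events.append({
                    "time": m["ts"], "kind": "tcp-reset", "sender": m["src"],
                    "flow": flow, "idle_before_reset": round(idle, 3),
                })
            if flow in last_seen:
                gap_before_last[flow] = now - last_seen[flow]
            last_seen[flow] = now
            continue
        m = ICMP_LINE.match(line)
        if m:
            events.append({"time": m["ts"], "kind": "icmp", "sender": m["src"],
                           "target": m["dst"], "message": m["msg"]})
    return events


def describe(events: list) -> list:
    """One human-readable line per event, suitable for pasting into a reply."""
    out = []
    for e in events:
        if e["kind"] == "tcp-reset":
            out.append(f"{e['time']} RST from {e['sender']} after "
                       f"{e['idle_before_reset']:.1f}s idle on {e['flow']}")
        else:
            out.append(f"{e['time']} ICMP from {e['sender']} to "
                       f"{e['target']}: {e['message']}")
    return out


if __name__ == "__main__":
    for line in describe(analyze(SAMPLE_TCPDUMP)):
        print(line)
```

On the sample above the script reports a reset sent by the forwarder's own WAN address roughly 63 seconds after the flow went quiet, which is exactly the pattern Nick describes: the connection-tracking entry has aged out, the client's next packet no longer matches a DNAT mapping, and the firewall answers it itself. If a real capture shows that pattern, the things to check on the forwarder are the established-TCP conntrack timeout (on current kernels `net.netfilter.nf_conntrack_tcp_timeout_established`) and, as a belt-and-braces measure, SSH keepalives (`ServerAliveInterval` on the client or `ClientAliveInterval` in sshd) so that the flow never sits idle long enough for any NAT device in the path, the Linksys included, to forget it.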

