On 11-11-24 04:46 AM, lu zhongda wrote:
> Hi Brian:

Hi Lu,

> At least, I hope iptables can confirm whether a connection is idle
> or not by its rules, this is the key point of my problem.

Perhaps there is a module which can do this, but perhaps not, because what you are proposing will actually break protocols based on TCP.

> I have used conntrack of iptables, it seems not to work.

iptables' conntrack works exactly as it should. When it sees a TCP session go to ESTABLISHED (i.e. the TCP 3-way handshake is completed) it allows packets on that session and continues to do so until the session is destroyed with FIN and/or RST packets. To start dropping/rejecting packets before that TCP session is shut down will break the protocol that is running on the socket, because it expects the session to still be open.

You didn't answer my other question though, which is: why do you think you need to be dropping idle, yet still ESTABLISHED, sessions (and breaking higher-level protocols when you do that)?

b.
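The behaviour described in the reply, a stateful ruleset in which conntrack admits packets on an ESTABLISHED session until FIN/RST tears the entry down and never looks at how long the session has been idle, as an added example that is not part of the original thread. The script is dry-run by default (it echoes the iptables commands; set APPLY=1 to execute them as root), and the list of ports accepting new sessions is an assumption for the example.

```shell
#!/bin/sh
# Added example: a minimal stateful IPv4 INPUT chain built on the iptables
# conntrack state match. Dry-run by default so it can be read (and tested)
# without root; APPLY=1 runs the commands instead of printing them.
set -eu

IPT="iptables"
run() {
    if [ "${APPLY:-0}" = "1" ]; then
        "$IPT" "$@"
    else
        echo "$IPT $*"
    fi
}

# Ports on which new inbound TCP sessions are accepted (assumption for this example).
ALLOWED_TCP_PORTS="${ALLOWED_TCP_PORTS:-22 80 443}"

build_ruleset() {
    run -F INPUT
    run -A INPUT -i lo -j ACCEPT

    # Sessions conntrack already knows (3-way handshake completed) and related
    # flows such as ICMP errors are accepted until FIN/RST destroys the entry.
    # Nothing here inspects how long the session has been idle.
    run -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Packets conntrack cannot associate with a known session are dropped; a
    # mid-stream packet arriving after the entry is gone would land here.
    run -A INPUT -m conntrack --ctstate INVALID -j DROP

    # Port policy is applied only to the packet that opens a new conntrack
    # entry; --syn restricts that to a genuine connection request.
    for port in $ALLOWED_TCP_PORTS; do
        run -A INPUT -p tcp --syn --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
    done

    # Default policy is set last so existing sessions are not cut off while loading.
    run -P INPUT DROP
}

# Number of rules that admit traffic purely on conntrack's ESTABLISHED state.
count_established_rules() {
    build_ruleset | grep -c -- '--ctstate ESTABLISHED,RELATED'
}

build_ruleset
```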