Re: How to drop an idle connection with iptables?

Hi, Gao Feng:
    First thanks for your response!
    I set the two timeouts to their corresponding values:
    echo 60 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_established
    echo 0 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_loose

    The ESTABLISHED item for port 9999 was inserted after the connection was created and removed after the 60-second timeout.
    Using the conntrack tool supplied by iptables also proved this:

    conntrack -E
[DESTROY] tcp 6 src=192.168.2.194 dst=192.168.2.166 sport=41570 dport=9999 packets=4 bytes=218 src=192.168.2.166 dst=192.168.2.194 sport=9999 dport=41570 packets=3 bytes=166

    However, netstat indicated that the physical connection was still there and the communication between the two endpoints was not blocked or dropped.

    netstat -an | grep 9999
tcp 0 0 192.168.2.166:9999 192.168.2.194:41570 ESTABLISHED

    The state-related rules in my configuration did not work at all:

    -A INPUT -p udp -m state --state ESTABLISHED -j ACCEPT
    -A INPUT -p tcp -m state --state ESTABLISHED -j LOG --log-prefix "conn established::"
    -A INPUT -p tcp -m state --state INVALID -j DROP
    -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j LOG --log-prefix "DROP invalid::"
    -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP

    The communication was not affected by these rules and there was no log in /var/log/iptables.log. To explain: I redirected my Linux kernel log to /var/log/iptables.log.

    However, another rule in /etc/sysconfig/iptables did log, and its log was found in /var/log/iptables.log:
    -A INPUT -p tcp -m tcp --dport 9999 -j LOG --log-prefix "ACCEPT 9999::"

    I attached my iptables rule set for reference.
    Hope you can give me another hint and related rule set.
    Thanks for your support.

On 2011-11-25 9:14, Gao feng wrote:
On 2011-11-24 17:46, lu zhongda wrote:
     The timeout is defined in /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_established, which defaults to 5 days. I changed it to a short value for testing, such as 1 min.
     The Linux shell command is: echo "60" > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_established
     The timeout for the ESTABLISHED type item does work, and the item is removed after the timeout; however, the connection is not blocked or dropped at all.
Hi zhongda.

How about echo 0 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_loose


# Generated by iptables-save v1.3.5 on Thu Nov 24 15:19:59 2011
*filter
:INPUT DROP [200:29532]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 9999 -j LOG --log-prefix "ACCEPT 9999::" 
-A INPUT -p tcp -m tcp --dport 9999 -j ACCEPT 
-A INPUT -p udp -m state --state ESTABLISHED -j ACCEPT 
-A INPUT -p tcp -m state --state ESTABLISHED -j LOG --log-prefix "conn established::" 
-A INPUT -p tcp -m state --state INVALID -j DROP
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j LOG --log-prefix "DROP invalid::" 
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP 

-A OUTPUT -p tcp -m tcp --sport 22 -j ACCEPT 
-A OUTPUT -p tcp -m tcp --sport 9999 -j ACCEPT 
-A OUTPUT -p udp -m state --state NEW,ESTABLISHED -j ACCEPT 
-A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -j LOG --log-prefix "out conn established::" 
-A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT 
-A OUTPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP 
COMMIT
# Completed on Thu Nov 24 15:19:59 2011
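An added example, not part of the thread or the poster's ruleset: a first-match simulation of the INPUT chain from the iptables-save dump above. It shows why the state rules never logged or dropped anything: the `--dport 9999 -j ACCEPT` rule sits before every `-m state` rule, so any packet to port 9999 is accepted (and logged with "ACCEPT 9999::") before conntrack state is ever consulted. Moving the state rules ahead of the port ACCEPT lets a mid-stream packet whose conntrack entry has expired be dropped instead. The simulation assumes conntrack's verdict on a packet can be given as a plain label (NEW, ESTABLISHED or INVALID); the kernel's state machine is not modelled, and all packets are constructed. Two points a practitioner should keep in mind: conntrack expiry only removes the tracking entry, it does not close the socket, so netstat will keep showing ESTABLISHED until the peers give up; and with tcp_loose=0 a non-SYN packet without a tracking entry is classified INVALID, whereas with the default tcp_loose=1 it is picked up as NEW, which is the case the `! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP` rule in the dump is meant to catch.

```python
from dataclasses import dataclass
from typing import Optional

# A packet as conntrack and the tcp match would see it. `state` is the label
# conntrack would assign (NEW / ESTABLISHED / INVALID); assumption: the state
# machine itself is not modelled, only its verdict on this packet.
@dataclass
class Packet:
    proto: str
    dport: int
    state: str
    flags: frozenset = frozenset()   # TCP flags set on the packet


@dataclass
class Rule:
    target: str                          # ACCEPT, DROP or LOG
    proto: Optional[str] = None          # -p
    dport: Optional[int] = None          # --dport
    states: Optional[frozenset] = None   # -m state --state
    not_syn_only: bool = False           # ! --tcp-flags FIN,SYN,RST,ACK SYN
    log_prefix: str = ""

    def matches(self, pkt: Packet) -> bool:
        if self.proto and pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.states is not None and pkt.state not in self.states:
            return False
        if self.not_syn_only:
            # --tcp-flags FIN,SYN,RST,ACK SYN: of those four flags, exactly SYN
            # is set. The rule negates it with '!', so a pure SYN does not match.
            if (pkt.flags & {"FIN", "SYN", "RST", "ACK"}) == {"SYN"}:
                return False
        return True


def evaluate(chain, policy, pkt):
    """First-match walk of a chain: LOG records a prefix and continues,
    ACCEPT/DROP end the walk, and the chain policy applies if nothing matched."""
    logs = []
    for rule in chain:
        if not rule.matches(pkt):
            continue
        if rule.target == "LOG":
            logs.append(rule.log_prefix)
            continue
        return rule.target, logs
    return policy, logs


EST, NEW, INVALID = frozenset({"ESTABLISHED"}), frozenset({"NEW"}), frozenset({"INVALID"})

# The INPUT rules from the posted dump, split into the port rules and the state rules.
PORT_RULES = [
    Rule("ACCEPT", proto="tcp", dport=22),
    Rule("LOG", proto="tcp", dport=9999, log_prefix="ACCEPT 9999::"),
    Rule("ACCEPT", proto="tcp", dport=9999),
]
STATE_RULES = [
    Rule("ACCEPT", proto="udp", states=EST),
    Rule("LOG", proto="tcp", states=EST, log_prefix="conn established::"),
    Rule("DROP", proto="tcp", states=INVALID),
    Rule("LOG", proto="tcp", states=NEW, not_syn_only=True, log_prefix="DROP invalid::"),
    Rule("DROP", proto="tcp", states=NEW, not_syn_only=True),
]

POSTED_INPUT = PORT_RULES + STATE_RULES      # order from the iptables-save dump
REORDERED_INPUT = STATE_RULES + PORT_RULES   # state checks before the port ACCEPT


def verdict(chain, pkt):
    return evaluate(chain, "DROP", pkt)      # the dump sets the INPUT policy to DROP


# Constructed sample packets for port 9999.
FRESH_SYN = Packet("tcp", 9999, "NEW", frozenset({"SYN"}))
# Mid-stream ACK after the conntrack entry timed out: INVALID with tcp_loose=0,
# picked up as NEW with tcp_loose=1 (the default).
STALE_ACK_LOOSE0 = Packet("tcp", 9999, "INVALID", frozenset({"ACK"}))
STALE_ACK_LOOSE1 = Packet("tcp", 9999, "NEW", frozenset({"ACK"}))

if __name__ == "__main__":
    for name, pkt in [("fresh SYN", FRESH_SYN),
                      ("stale ACK, tcp_loose=0", STALE_ACK_LOOSE0),
                      ("stale ACK, tcp_loose=1", STALE_ACK_LOOSE1)]:
        print(f"{name:24s} posted: {verdict(POSTED_INPUT, pkt)}  "
              f"reordered: {verdict(REORDERED_INPUT, pkt)}")
```

In the posted order every packet to port 9999, stale or not, ends as ACCEPT with only the "ACCEPT 9999::" prefix logged, which matches what the poster observed in /var/log/iptables.log. With the state rules first, the stale packet is dropped (silently under tcp_loose=0, with a "DROP invalid::" line under tcp_loose=1) while a fresh SYN is still accepted.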
