Hi, Gao Feng:
First thanks for your response!
I set the two timeouts to their corresponding values:
echo 60 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_established
echo 0 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_loose
The ESTABLISHED item for port 9999 was inserted after the connection was
created and removed after the 60-second timeout.
Using the conntrack tool supplied by iptables also proved this:
conntrack -E
[DESTROY] tcp 6 src=192.168.2.194 dst=192.168.2.166 sport=41570 dport=9999 packets=4 bytes=218 src=192.168.2.166 dst=192.168.2.194 sport=9999 dport=41570 packets=3 bytes=166
However, netstat indicated that the physical connection was still
there and the communication between the two endpoints was not blocked or
dropped.
netstat -an | grep 9999
tcp 0 0 192.168.2.166:9999 192.168.2.194:41570 ESTABLISHED
The state-related rule set in my configuration did not work at all:
-A INPUT -p udp -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state ESTABLISHED -j LOG --log-prefix "conn established::"
-A INPUT -p tcp -m state --state INVALID -j DROP
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j LOG --log-prefix "DROP invalid::"
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
The communication was not affected by the rules and there was no log in
/var/log/iptables.log.
For explanation: I redirected my Linux kernel log to /var/log/iptables.log.
However, another rule in /etc/sysconfig/iptables did log, and its entries
were found in /var/log/iptables.log:
-A INPUT -p tcp -m tcp --dport 9999 -j LOG --log-prefix "ACCEPT 9999::"
I attached my iptables rule set for reference.
Hope you can give me another hint and a related rule set.
Thanks for your support.
On 2011-11-25 9:14, Gao feng wrote:
On 2011-11-24 17:46, lu zhongda wrote:
The timeout is defined in /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_established, which defaults to 5 days. I changed it to a short value for testing, such as 1 min.
The Linux shell command is: echo "60" > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_established
The timeout for the ESTABLISHED type item does work, and the item is removed after the timeout; however, the connection is not blocked or dropped at all.
Hi zhongda.
How about echo 0 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_loose
# Generated by iptables-save v1.3.5 on Thu Nov 24 15:19:59 2011
*filter
:INPUT DROP [200:29532]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9999 -j LOG --log-prefix "ACCEPT 9999::"
-A INPUT -p tcp -m tcp --dport 9999 -j ACCEPT
-A INPUT -p udp -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state ESTABLISHED -j LOG --log-prefix "conn established::"
-A INPUT -p tcp -m state --state INVALID -j DROP
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j LOG --log-prefix "DROP invalid::"
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A OUTPUT -p tcp -m tcp --sport 22 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 9999 -j ACCEPT
-A OUTPUT -p udp -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -j LOG --log-prefix "out conn established::"
-A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
COMMIT
# Completed on Thu Nov 24 15:19:59 2011
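In the attached ruleset the stateless "-A INPUT -p tcp -m tcp --dport 9999 -j ACCEPT" sits above the "--state INVALID -j DROP" and "--state ESTABLISHED" rules, so port 9999 packets are accepted before conntrack state is ever consulted, which is consistent with the missing "conn established::" and "DROP invalid::" log lines. The script below is an added example, not from the thread or its author: it embeds a constructed copy of that INPUT chain, lists every stateless port ACCEPT that precedes the INVALID drop, and checks a reordered chain in which the state rules come first.

```shell
#!/bin/sh
# Constructed copy of the INPUT chain from the attached iptables-save, same order.
ORIGINAL='-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9999 -j LOG --log-prefix "ACCEPT 9999::"
-A INPUT -p tcp -m tcp --dport 9999 -j ACCEPT
-A INPUT -p udp -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state ESTABLISHED -j LOG --log-prefix "conn established::"
-A INPUT -p tcp -m state --state INVALID -j DROP'

# Same rules with the conntrack-state checks moved ahead of the per-port ACCEPTs,
# so a packet whose conntrack entry has expired is tested for INVALID first
# (with ip_conntrack_tcp_loose=0 such a mid-stream packet is INVALID, not NEW).
REORDERED='-A INPUT -p tcp -m state --state INVALID -j DROP
-A INPUT -p tcp -m state --state ESTABLISHED -j LOG --log-prefix "conn established::"
-A INPUT -p udp -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9999 -j LOG --log-prefix "ACCEPT 9999::"
-A INPUT -p tcp -m tcp --dport 9999 -j ACCEPT'

# shadowing_accepts CHAIN < ruleset
# Prints "<position> <rule>" for every stateless port ACCEPT in CHAIN that comes
# before the first "--state INVALID -j DROP"; traffic matching such a rule is
# accepted without ever reaching the state checks.
shadowing_accepts() {
  awk -v chain="$1" '
    $1 == "-A" && $2 == chain {
      pos++
      if (!invalid && $0 ~ /--state INVALID -j DROP/) invalid = pos
      if (!invalid && $0 ~ /--dport [0-9]+ -j ACCEPT/ && $0 !~ /--state/)
        print pos, $0
    }'
}

# count_shadowing CHAIN < ruleset: number of such rules (0 means the order is safe).
count_shadowing() { shadowing_accepts "$1" | awk 'END { print NR }'; }

printf '%s\n' "$ORIGINAL"  | shadowing_accepts INPUT   # rules 1 (dport 22) and 3 (dport 9999)
printf '%s\n' "$REORDERED" | count_shadowing INPUT     # prints 0
```

Feed a live dump the same way (iptables-save | shadowing_accepts INPUT) to check a running host; the function only reads the text, it never changes any rule.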