Those kinds of aggressive drops are usually due to improper tuning of netfilter's TCP settings in /etc/sysctl.conf. Specifically, on firewalls the idle timeout should unfortunately be 201 minutes, because the default TCP (idle) heartbeat interval is 200 minutes and the default idle timer is the same, which equals a race condition. The problem usually comes in where someone reduces netfilter's idle timeouts because they hit the conntrack limit (local, not conntrackd). In more recent versions of the Linux kernel the conntrack max limit has gone way up, for very good reasons (simply, the number of connections that are common now was inconceivable when the 2.4 kernel was released), but most people don't know it because of a lack of good, up-to-date documentation. In an ideal world the default TCP idle heartbeat should be dropped to 1 minute, because we aren't using early-80s hardware any more. But that would require an updated RFC and at minimum a decade for adoption and proliferation of those changes in operating systems.

Original Message
From: Stéphane Charette
Sent: Tuesday, October 13, 2015 16:10
To: netfilter@xxxxxxxxxxxxxxx
Subject: using conntrack to drop connections?

I see conntrack examples where a device used to forward packets can drop idle connections after a short time. For example, http://stackoverflow.com/questions/9322325/ip-conntrack-tcp-timeout-established-not-applied-to-entire-subnet

But can conntrack also be used on the end device, such as the server in a normal TCP client/server scenario? I'm looking at a customer issue that we suspect may be caused by an aggressive customer firewall dropping TCP connections after a very short idle time. I was hoping to duplicate the customer scenario with iptables rules to quickly drop "idle" TCP connections. Can this be done?
> uname -rvp
3.19.0-30-generic #34-Ubuntu SMP Fri Oct 2 22:08:41 UTC 2015 x86_64

> dpkg -l | grep conntr
ii  conntrack                      1:1.4.2-2ubuntu1  amd64  Program to modify the conntrack tables
ii  libnetfilter-conntrack3:amd64  1.0.4-1           amd64  Netfilter netlink-conntrack library

TIA.

Stéphane
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
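An added worked example, not code from either message in this thread, of what the question asks for: using conntrack on the end host itself to emulate a firewall that forgets idle TCP connections, together with the keepalive-versus-conntrack-timeout check that the reply's tuning advice comes down to. It assumes iptables, a loaded nf_conntrack module (otherwise the sysctls do not exist) and root for the apply step; the port 8080 and the 60-second idle time are illustrative values, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the list thread. Emulates an "aggressive
# firewall" on the server itself: conntrack forgets an established TCP flow
# after IDLE seconds of silence, and the next segment of that flow is dropped.
# Assumes iptables, the nf_conntrack module (for the sysctls below) and root
# for "apply". Port and timeout values are illustrative.

IDLE="${IDLE:-60}"      # seconds of idle time before the flow is forgotten
PORT="${PORT:-8080}"    # server port under test (hypothetical)

# sysctl settings: a short established-state timeout, plus tcp_loose=0 so that
# a mid-stream segment with no conntrack entry is classified INVALID rather
# than quietly re-creating the entry (the default, tcp_loose=1, would let the
# connection survive the expiry).
emit_sysctl() {
    printf 'net.netfilter.nf_conntrack_tcp_timeout_established = %s\n' "$1"
    printf 'net.netfilter.nf_conntrack_tcp_loose = 0\n'
}

# INPUT rules for the server port. Once the entry has expired, the client's
# next segment (data, ACK or keepalive) matches INVALID and is dropped, so the
# client sees retransmission timeouts, as it would behind such a firewall.
emit_rules() {
    printf 'iptables -A INPUT -p tcp --dport %s -m conntrack --ctstate INVALID -j DROP\n' "$1"
    printf 'iptables -A INPUT -p tcp --dport %s -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT\n' "$1"
}

# The reply's tuning point, generalised: keepalives only refresh a conntrack
# entry if they arrive before it expires, so the established timeout must be
# longer than the keepalive idle time. Returns 0 when the pair is safe.
check_keepalive_race() {
    keepalive="$1"   # net.ipv4.tcp_keepalive_time, seconds
    ct_timeout="$2"  # net.netfilter.nf_conntrack_tcp_timeout_established, seconds
    [ "$ct_timeout" -gt "$keepalive" ]
}

# Read the live values when available and report whether they race.
report_live() {
    ka=/proc/sys/net/ipv4/tcp_keepalive_time
    ct=/proc/sys/net/netfilter/nf_conntrack_tcp_timeout_established
    [ -r "$ka" ] && [ -r "$ct" ] || { echo "conntrack sysctls not available"; return 0; }
    if check_keepalive_race "$(cat "$ka")" "$(cat "$ct")"; then
        echo "ok: established timeout $(cat "$ct")s > keepalive $(cat "$ka")s"
    else
        echo "race: established timeout $(cat "$ct")s <= keepalive $(cat "$ka")s"
    fi
}

case "${1:-show}" in
    apply)
        [ "$(id -u)" -eq 0 ] || { echo "apply needs root" >&2; exit 1; }
        emit_sysctl "$IDLE" | while read -r key _ val; do sysctl -w "$key=$val"; done
        emit_rules "$PORT" | sh -e
        ;;
    *)
        echo "# sysctl settings"; emit_sysctl "$IDLE"
        echo "# iptables rules";  emit_rules "$PORT"
        report_live
        ;;
esac
```

Run without arguments to see the settings it would apply and whether the host's current keepalive and conntrack timeouts already race; run as root with `apply` (for example `IDLE=60 PORT=8080 ./idle-drop.sh apply`) to put the emulation in place, then leave a client connection idle for longer than IDLE and send on it. Note that dropping INVALID also affects any other flow conntrack cannot classify, which is why the rules are limited to the port under test.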