Hi , As I cannot be sure of the reason you see this in your logs , but I will assume that this happened because your session was IDLE for longer then the TCP TIMEOUT for ESTABLISHED sessions You should be able to view the timeout ( in seconds ) with this command more /proc/sys/net/netfilter/nf_conntrack_tcp_timeout_established you can also see the live "counter" when using the conntrack command in the third collumn conntrack -L tcp 6 3590 ESTABLISHED src=192.168.1.20 dst=195.159.90.90 sport=54788 dport=6667 src=195.159.90.90 dst=84.210.182.142 sport=6667 dport=54788 [ASSURED] mark=0 use=1 Changing this value too I higher number can be done if the current number is to low , for instance with : echo "3600" > /proc/sys/net/netfilter/nf_conntrack_tcp_timeout_established or adding to the file /etc/sysctl.conf net.netfilter.nf_conntrack_tcp_timeout_established = 3600 However many times setting up TCP KEEP-ALIVE is the best option , as then you do not need to keep all sessions active in conntrack just to keep some sessions active longer . With either changing the parametres in /proc/.... or /etc/sysctl.conf to: net.ipv4.tcp_keepalive_time = 900 net.ipv4.tcp_keepalive_intvl = 60 net.ipv4.tcp_keepalive_probes = 6 All values are just examples , so you might want others for your systems . Best regards André Paulsberg-Csibi Senior Network Engineer IBM Services AS Sensitivity: Internal -----Opprinnelig melding----- Fra: netfilter-owner@xxxxxxxxxxxxxxx <netfilter-owner@xxxxxxxxxxxxxxx> På vegne av Brian J. Murrell Sendt: torsdag 4. oktober 2018 15.48 Til: netfilter@xxxxxxxxxxxxxxx Emne: "straggler" packets being logged I'm noticing an increase in the following sort of packet drop logs from iptables: Sep 2 17:08:56 gw kernel: [28287.557719] Shorewall:net2fw:DROP:IN=eth0.2 OUT= SRC=4.24.10.6 DST=7.1.2.1 LEN=102 TOS=0x00 PREC=0x00 TTL=237 ID=57081 DF PROTO=TCP SPT=6667 DPT=51394 WINDOW=110 RES=0x00 ACK PSH URGP=0 MARK=0x100 Sep 2 17:08:56 gw kernel: [28287.804612] Shorewall:net2fw:DROP:IN=eth0.2 OUT= SRC=4.24.10.6 DST=7.1.2.1 LEN=102 TOS=0x00 PREC=0x00 TTL=237 ID=57082 DF PROTO=TCP SPT=6667 DPT=51394 WINDOW=110 RES=0x00 ACK PSH URGP=0 MARK=0x100 Sep 2 17:08:56 gw kernel: [28288.045603] Shorewall:net2fw:DROP:IN=eth0.2 OUT= SRC=4.24.10.6 DST=7.1.2.1 LEN=102 TOS=0x00 PREC=0x00 TTL=237 ID=57083 DF PROTO=TCP SPT=6667 DPT=51394 WINDOW=110 RES=0x00 ACK PSH URGP=0 MARK=0x100 Sep 2 17:08:57 gw kernel: [28288.532529] Shorewall:net2fw:DROP:IN=eth0.2 OUT= SRC=4.24.10.6 DST=7.1.2.1 LEN=102 TOS=0x00 PREC=0x00 TTL=237 ID=57084 DF PROTO=TCP SPT=6667 DPT=51394 WINDOW=110 RES=0x00 ACK PSH URGP=0 MARK=0x100 They are part of what should be a legitimate TCP session. Are they perhaps straggler packets that come in after the TCP session has been shut down and removed from the conntrack table? If so, is there any way to extend the timeout of removing the entry from the conntrack table so that these stragglers don't look like nefarious activity? Or are these something else I am not thinking of? Cheers, b.
