SV: "straggler" packets being logged

Hi,

I cannot be sure of the reason you see this in your logs, but I will assume that this happened because your session was IDLE for longer than the TCP TIMEOUT for ESTABLISHED sessions.

You should be able to view the timeout (in seconds) with this command:
more /proc/sys/net/netfilter/nf_conntrack_tcp_timeout_established

You can also see the live "counter" when using the conntrack command, in the third column:
conntrack -L 
tcp      6 3590 ESTABLISHED src=192.168.1.20 dst=195.159.90.90 sport=54788 dport=6667 src=195.159.90.90 dst=84.210.182.142 sport=6667 dport=54788 [ASSURED] mark=0 use=1

Changing this value to a higher number can be done if the current number is too low, for instance with:
echo "3600" > /proc/sys/net/netfilter/nf_conntrack_tcp_timeout_established

or adding to the file /etc/sysctl.conf
net.netfilter.nf_conntrack_tcp_timeout_established = 3600

However, many times setting up TCP KEEP-ALIVE is the best option, as then you do not need to keep all sessions active in conntrack just to keep some sessions active longer.

Either by changing the parameters in /proc/.... or in /etc/sysctl.conf to:
net.ipv4.tcp_keepalive_time = 900
net.ipv4.tcp_keepalive_intvl = 60
net.ipv4.tcp_keepalive_probes = 6

All values are just examples, so you might want others for your systems.


Best regards
André Paulsberg-Csibi
Senior Network Engineer 
IBM Services AS
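The reply above relies on one timing relationship: a keepalive probe (and the peer's ACK to it) passes through the firewall and resets the conntrack ESTABLISHED timer, so an idle connection keeps its entry only if the first probe is sent before the entry expires. The following script is an added example, not part of this thread or of any netfilter tool: it parses a sysctl.conf-style fragment (constructed here from the values in the reply), fills in assumed kernel defaults for anything not set, and reports whether the keepalive schedule covers the conntrack timeout.

```python
# Assumed kernel defaults for the knobs discussed in the reply; verify them
# on your own host with `sysctl -a` rather than trusting these numbers.
KERNEL_DEFAULTS = {
    "net.netfilter.nf_conntrack_tcp_timeout_established": 432000,  # 5 days
    "net.ipv4.tcp_keepalive_time": 7200,
    "net.ipv4.tcp_keepalive_intvl": 75,
    "net.ipv4.tcp_keepalive_probes": 9,
}

# Constructed sysctl.conf fragment using the example values from the reply.
SAMPLE_SYSCTL_CONF = """\
# conntrack: expire idle ESTABLISHED entries after one hour
net.netfilter.nf_conntrack_tcp_timeout_established = 3600
# keepalive: first probe after 15 min, then every 60 s, give up after 6 probes
net.ipv4.tcp_keepalive_time = 900
net.ipv4.tcp_keepalive_intvl = 60
net.ipv4.tcp_keepalive_probes = 6
"""


def parse_sysctl_conf(text):
    """Parse 'key = value' lines in sysctl.conf syntax.

    Comment and blank lines are skipped; a /proc/sys/... path is normalised
    to the dotted key form so both spellings from the reply can be mixed."""
    values = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, val = (part.strip() for part in line.split("=", 1))
        if key.startswith("/proc/sys/"):
            key = key[len("/proc/sys/"):]
        values[key.replace("/", ".")] = int(val)
    return values


def assess_idle_session(settings):
    """Decide whether keepalive traffic refreshes the conntrack entry in time.

    Every packet matching the entry resets its ESTABLISHED timer, so the entry
    outlives an idle application as long as tcp_keepalive_time is shorter
    than nf_conntrack_tcp_timeout_established. Unset keys take the assumed
    kernel defaults above."""
    cfg = {**KERNEL_DEFAULTS, **settings}
    ct_timeout = cfg["net.netfilter.nf_conntrack_tcp_timeout_established"]
    ka_time = cfg["net.ipv4.tcp_keepalive_time"]
    ka_intvl = cfg["net.ipv4.tcp_keepalive_intvl"]
    ka_probes = cfg["net.ipv4.tcp_keepalive_probes"]
    return {
        "entry_expires_after": ct_timeout,
        "first_probe_after": ka_time,
        # worst case until an unreachable peer is noticed and the socket closed
        "dead_peer_detected_after": ka_time + ka_intvl * ka_probes,
        "keepalive_refreshes_entry": ka_time < ct_timeout,
    }


if __name__ == "__main__":
    print(assess_idle_session(parse_sysctl_conf(SAMPLE_SYSCTL_CONF)))
    # Lowering only the conntrack timeout leaves the default 2 h keepalive
    # too slow to save a one-hour entry:
    print(assess_idle_session(
        {"net.netfilter.nf_conntrack_tcp_timeout_established": 3600}))
```

Two caveats when applying this: the tcp_keepalive_* sysctls only set the schedule, a socket still has to enable SO_KEEPALIVE for any probe to be sent; and they act on sockets of the host where they are set, so for connections the firewall merely forwards they belong on the endpoints, whereas for net2fw traffic (terminated on the firewall itself) the firewall is the right place.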

-----Original message-----
From: netfilter-owner@xxxxxxxxxxxxxxx <netfilter-owner@xxxxxxxxxxxxxxx> On behalf of Brian J. Murrell
Sent: Thursday 4 October 2018 15:48
To: netfilter@xxxxxxxxxxxxxxx
Subject: "straggler" packets being logged

I'm noticing an increase in the following sort of packet drop logs from
iptables:

Sep  2 17:08:56 gw kernel: [28287.557719] Shorewall:net2fw:DROP:IN=eth0.2 OUT= SRC=4.24.10.6 DST=7.1.2.1 LEN=102 TOS=0x00 PREC=0x00 TTL=237 ID=57081 DF PROTO=TCP SPT=6667 DPT=51394 WINDOW=110 RES=0x00 ACK PSH URGP=0 MARK=0x100 
Sep  2 17:08:56 gw kernel: [28287.804612] Shorewall:net2fw:DROP:IN=eth0.2 OUT= SRC=4.24.10.6 DST=7.1.2.1 LEN=102 TOS=0x00 PREC=0x00 TTL=237 ID=57082 DF PROTO=TCP SPT=6667 DPT=51394 WINDOW=110 RES=0x00 ACK PSH URGP=0 MARK=0x100 
Sep  2 17:08:56 gw kernel: [28288.045603] Shorewall:net2fw:DROP:IN=eth0.2 OUT= SRC=4.24.10.6 DST=7.1.2.1 LEN=102 TOS=0x00 PREC=0x00 TTL=237 ID=57083 DF PROTO=TCP SPT=6667 DPT=51394 WINDOW=110 RES=0x00 ACK PSH URGP=0 MARK=0x100 
Sep  2 17:08:57 gw kernel: [28288.532529] Shorewall:net2fw:DROP:IN=eth0.2 OUT= SRC=4.24.10.6 DST=7.1.2.1 LEN=102 TOS=0x00 PREC=0x00 TTL=237 ID=57084 DF PROTO=TCP SPT=6667 DPT=51394 WINDOW=110 RES=0x00 ACK PSH URGP=0 MARK=0x100 

They are part of what should be a legitimate TCP session.  Are they
perhaps straggler packets that come in after the TCP session has been
shut down and removed from the conntrack table?  If so, is there any
way to extend the timeout of removing the entry from the conntrack
table so that these stragglers don't look like nefarious activity?

Or are these something else I am not thinking of?

Cheers,
b.
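A quick way to tell the "straggler" case apart from genuine unsolicited traffic is to look at the TCP flags the kernel prints in the DROP line: a packet with ACK set and no SYN is one the sender believes belongs to an established connection, so the firewall dropping it means conntrack no longer has a matching entry, while a bare SYN is a fresh connection attempt. The script below is an added example, not code from this thread or from Shorewall; it parses netfilter log lines (the four from the question above, plus one constructed SYN-only line using a documentation address so both classes appear) and counts drops per class and 4-tuple.

```python
import re
from collections import Counter

# Constructed sample: the four Shorewall DROP lines from the question plus one
# constructed SYN-only drop from 203.0.113.9 (a documentation address).
SAMPLE_LOG = """\
Sep  2 17:08:56 gw kernel: [28287.557719] Shorewall:net2fw:DROP:IN=eth0.2 OUT= SRC=4.24.10.6 DST=7.1.2.1 LEN=102 TOS=0x00 PREC=0x00 TTL=237 ID=57081 DF PROTO=TCP SPT=6667 DPT=51394 WINDOW=110 RES=0x00 ACK PSH URGP=0 MARK=0x100
Sep  2 17:08:56 gw kernel: [28287.804612] Shorewall:net2fw:DROP:IN=eth0.2 OUT= SRC=4.24.10.6 DST=7.1.2.1 LEN=102 TOS=0x00 PREC=0x00 TTL=237 ID=57082 DF PROTO=TCP SPT=6667 DPT=51394 WINDOW=110 RES=0x00 ACK PSH URGP=0 MARK=0x100
Sep  2 17:08:56 gw kernel: [28288.045603] Shorewall:net2fw:DROP:IN=eth0.2 OUT= SRC=4.24.10.6 DST=7.1.2.1 LEN=102 TOS=0x00 PREC=0x00 TTL=237 ID=57083 DF PROTO=TCP SPT=6667 DPT=51394 WINDOW=110 RES=0x00 ACK PSH URGP=0 MARK=0x100
Sep  2 17:08:57 gw kernel: [28288.532529] Shorewall:net2fw:DROP:IN=eth0.2 OUT= SRC=4.24.10.6 DST=7.1.2.1 LEN=102 TOS=0x00 PREC=0x00 TTL=237 ID=57084 DF PROTO=TCP SPT=6667 DPT=51394 WINDOW=110 RES=0x00 ACK PSH URGP=0 MARK=0x100
Sep  2 17:09:10 gw kernel: [28301.100000] Shorewall:net2fw:DROP:IN=eth0.2 OUT= SRC=203.0.113.9 DST=7.1.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0 MARK=0x100
"""

KV_RE = re.compile(r"(\w+)=(\S*)")
# TCP flag names the kernel prints as bare tokens (no '=') after RES=
TCP_FLAG_TOKENS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def parse_netfilter_line(line):
    """Return the KEY=VALUE fields of one netfilter log line plus a FLAGS set
    holding the bare TCP flag tokens found on the line."""
    fields = dict(KV_RE.findall(line))
    fields["FLAGS"] = {tok for tok in line.split() if tok in TCP_FLAG_TOKENS}
    return fields


def classify(fields):
    """Label a dropped TCP packet by what its flags say about its state:
    'new-connection' for a bare SYN, 'mid-stream' for ACK without SYN (the
    sender thinks the session exists, conntrack has no entry for it)."""
    if fields.get("PROTO") != "TCP":
        return "non-tcp"
    flags = fields["FLAGS"]
    if "SYN" in flags and "ACK" not in flags:
        return "new-connection"
    if "ACK" in flags and "SYN" not in flags:
        return "mid-stream"
    return "other"


def summarize_drops(log_text):
    """Count dropped packets per (class, src, sport, dst, dport)."""
    counts = Counter()
    for line in log_text.splitlines():
        if "DROP" not in line or "PROTO=" not in line:
            continue
        f = parse_netfilter_line(line)
        key = (classify(f), f.get("SRC"), f.get("SPT"), f.get("DST"), f.get("DPT"))
        counts[key] += 1
    return counts


if __name__ == "__main__":
    for (cls, src, spt, dst, dpt), n in sorted(summarize_drops(SAMPLE_LOG).items()):
        print(f"{cls:15s} {src}:{spt} -> {dst}:{dpt}  x{n}")
```

A burst of 'mid-stream' drops for one 4-tuple, as in the question, is consistent with a conntrack entry that has expired or been lost; the same 4-tuple can then be cross-checked against `conntrack -L` output, and the classification gives a cleaner signal than the raw DROP count when deciding whether the logs show a timeout problem or unsolicited traffic.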
