Re: iptables conntrack: packets not matching a rule occasionally?

From: Marc Schiffbauer <marc(at)schiffbauer.net>
Date: Wed Aug 08 2007 - 06:03:12 EDT

Håkon Alstadheim wrote on 07.08.07 at 23:21:
> Marc Schiffbauer wrote:
> >* Héctor González wrote on 01.08.07 at 16:49:
> >
> >>You might try a rule to match "state INVALID", and see if it catches
> >>them. It might be someone probing your firewall.
> >>
> >
> >makes sense. The new rule matches those packets indeed.
> >
> >Seems like I did not pay enough attention to the TCP flags.
> >
> >
> Conntrack has a timeout and a limit to the max number of connections it
> can remember. I believe it can be adjusted with some setting in /proc or
> somewhere. Check the documentation in /usr/src/linux/Documentation.
> Anyway, really slow/long-lived web sessions might get caught as invalid
> because of this.

Sorry I did not mention that I had a look at these values. I think the default values are ok for http traffic, right?

host:~# for f in /proc/sys/net/ipv4/netfilter/ip_conntrack_*; do
> echo "$f: $(cat $f)"
> done
/proc/sys/net/ipv4/netfilter/ip_conntrack_buckets: 8192
/proc/sys/net/ipv4/netfilter/ip_conntrack_count: 712
/proc/sys/net/ipv4/netfilter/ip_conntrack_generic_timeout: 600
/proc/sys/net/ipv4/netfilter/ip_conntrack_icmp_timeout: 30
/proc/sys/net/ipv4/netfilter/ip_conntrack_log_invalid: 0
/proc/sys/net/ipv4/netfilter/ip_conntrack_max: 65536
/proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal: 0
/proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_loose: 3
/proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_max_retrans: 3
/proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_close: 10
/proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_close_wait: 60
/proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_established: 432000
/proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_fin_wait: 120
/proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_last_ack: 30
/proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_max_retrans: 300
/proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_syn_recv: 60
/proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_syn_sent: 120
/proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_time_wait: 120
/proc/sys/net/ipv4/netfilter/ip_conntrack_udp_timeout: 30
/proc/sys/net/ipv4/netfilter/ip_conntrack_udp_timeout_stream: 180
host:~#

-Marc

-- 
8AAC 5F46 83B4 DB70 8317  3723 296C 6CCA 35A6 4134
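As an added example (not from the thread or from Debian), a small POSIX shell audit of the ip_conntrack listing above, checking the conditions Håkon raises (table limit, timeouts) together with the two settings that decide whether a segment ends up as INVALID. The 80 % utilisation and one-day established-timeout thresholds are assumptions for the check, not kernel defaults.

```shell
# Constructed sample: the relevant lines from the listing in the mail.
SAMPLE='/proc/sys/net/ipv4/netfilter/ip_conntrack_count: 712
/proc/sys/net/ipv4/netfilter/ip_conntrack_max: 65536
/proc/sys/net/ipv4/netfilter/ip_conntrack_log_invalid: 0
/proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal: 0
/proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_established: 432000'

# conntrack_value LISTING NAME: print the value of ip_conntrack_NAME
# (nf_conntrack_NAME on newer kernels) from "path: value" lines.
conntrack_value() {
    printf '%s\n' "$1" | awk -v k="$2" -F': ' '
        { n = $1; sub(/.*\/(ip|nf)_conntrack_/, "", n)
          if (n == k) { print $2; exit } }'
}

# conntrack_utilization LISTING: table fill level as an integer percentage.
conntrack_utilization() {
    c=$(conntrack_value "$1" count)
    m=$(conntrack_value "$1" max)
    echo $(( c * 100 / m ))
}

# conntrack_audit LISTING: one finding per line (nothing printed = clean).
conntrack_audit() {
    l=$1
    u=$(conntrack_utilization "$l")
    [ "$u" -ge 80 ] && \
        echo "table ${u}% full: once ip_conntrack_max is reached new flows are dropped"
    [ "$(conntrack_value "$l" log_invalid)" -eq 0 ] && \
        echo "log_invalid=0: INVALID packets are not logged; set 6 (TCP) or 255 (all) while diagnosing"
    [ "$(conntrack_value "$l" tcp_be_liberal)" -eq 0 ] && \
        echo "tcp_be_liberal=0: out-of-window TCP segments are marked INVALID (strict tracking)"
    [ "$(conntrack_value "$l" tcp_timeout_established)" -gt 86400 ] && \
        echo "tcp_timeout_established > 1 day: idle flows keep their table slots for days"
    return 0
}

# Offline run on the sample. On a live host pass the output of the loop
# from the mail instead, e.g.
#   conntrack_audit "$(for f in /proc/sys/net/ipv4/netfilter/ip_conntrack_*; do echo "$f: $(cat $f)"; done)"
conntrack_audit "$SAMPLE"
```

With the values from the mail the table is about 1 % full, so the findings are the unlogged INVALID packets, strict window tracking and the five-day established timeout, not the table limit.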


-- 
To UNSUBSCRIBE, email to debian-isp-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Received on Wed Aug 8 06:08:19 2007

This archive was generated by hypermail 2.1.8 : Thu Aug 09 2007 - 18:01:50 EDT

