using conntrack to drop connections?

using conntrack to drop connections?

[Stéphane Charette]

I see conntrack examples where a device used to forward packets can
drop idle connections after a short time.  For example,
http://stackoverflow.com/questions/9322325/ip-conntrack-tcp-timeout-established-not-applied-to-entire-subnet

But can conntrack also be used on the end device, such as the server
in a normal TCP client/server scenario?

I'm looking at a customer issue that we suspect may be caused by an
aggressive customer firewall dropping TCP connections after a very
short idle time.  I was hoping to duplicate the customer scenario with
iptable rules to quickly drop "idle" TCP connections.  Can this be
done?

> uname -rvp
3.19.0-30-generic #34-Ubuntu SMP Fri Oct 2 22:08:41 UTC 2015 x86_64
> dpkg -l | grep conntr
ii  conntrack                       1:1.4.2-2ubuntu1   amd64   Program
to modify the conntrack tables
ii  libnetfilter-conntrack3:amd64   1.0.4-1            amd64
Netfilter netlink-conntrack library

TIA.

Stéphane

Re: using conntrack to drop connections?

[prmarino1]

Those kinds of aggressive drops usually due to improper tuning of the netfilters tcp settings in /etc/sysctl.conf

Specifically on firewalls the idle time out should ‎unfortunately be 201 minutes because the default tcp (idle) heartbeat interval is 200 minutes and the default idle timer is the same which equals a race condition.

The problem usually comes in where some one reduces the netfilters idle timeouts because they hit the conntrack limit (local not conntrackd). In more recent versions of the Linux kernel the conntrack max limit has gone way up for very good reasons ( simply the nuber of connections that are common now were incocivabe when the 2.4 kernel was released ) but most people don't know it because a lack of good uptodate documentation.

In an ideal world the default tcp idle heartbeat should be dropped to 1 minute‎ , because we aren't using early 80's hardware any more. But that would require an updated RFC and at minimum a decade for adoption and proliferation of those changes in operating systems.  

  Original Message  
From: Stéphane Charette
Sent: Tuesday, October 13, 2015 16:10
To: netfilter@vger.kernel.org
Subject: using conntrack to drop connections?

I see conntrack examples where a device used to forward packets can
drop idle connections after a short time. For example,
http://stackoverflow.com/questions/9322325/ip-conntrack-tcp-timeout-established-not-applied-to-entire-subnet

But can conntrack also be used on the end device, such as the server
in a normal TCP client/server scenario?

I'm looking at a customer issue that we suspect may be caused by an
aggressive customer firewall dropping TCP connections after a very
short idle time. I was hoping to duplicate the customer scenario with
iptable rules to quickly drop "idle" TCP connections. Can this be
done?

> uname -rvp
3.19.0-30-generic #34-Ubuntu SMP Fri Oct 2 22:08:41 UTC 2015 x86_64
> dpkg -l | grep conntr
ii conntrack 1:1.4.2-2ubuntu1 amd64 Program
to modify the conntrack tables
ii libnetfilter-conntrack3:amd64 1.0.4-1 amd64
Netfilter netlink-conntrack library

TIA.

Stéphane
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html