
Re: iptables conntrack: packets not matching a rule occasionally?



* Håkon Alstadheim wrote on 07.08.07 at 23:21:
> Marc Schiffbauer wrote:
> >* Héctor González wrote on 01.08.07 at 16:49:
> >  
> >>You might try a rule to match "state INVALID", and see if it catches
> >>them.  It might be someone probing your firewall.
> >>    
> >
> >makes sense. The new rule matches those packets indeed.
> >
> >Seems like I did not pay enough attention to the TCP flags.
> >
> >  
> Conntrack has a timeout and a limit to the max number of connections it 
> can remember. I believe it can be adjusted with some setting in /proc or 
> somewhere. Check the documentation in /usr/src/linux/Documentation. 
> Anyway, really slow/long-lived web sessions might get caught as invalid 
> because of this.

Sorry I did not mention that I had a look at these values. I think
the default values are ok for http traffic, right?

host:~# for f in /proc/sys/net/ipv4/netfilter/ip_conntrack_*; do
> echo "$f: $(cat $f)"
> done
/proc/sys/net/ipv4/netfilter/ip_conntrack_buckets: 8192
/proc/sys/net/ipv4/netfilter/ip_conntrack_count: 712
/proc/sys/net/ipv4/netfilter/ip_conntrack_generic_timeout: 600
/proc/sys/net/ipv4/netfilter/ip_conntrack_icmp_timeout: 30
/proc/sys/net/ipv4/netfilter/ip_conntrack_log_invalid: 0
/proc/sys/net/ipv4/netfilter/ip_conntrack_max: 65536
/proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal: 0
/proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_loose: 3
/proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_max_retrans: 3
/proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_close: 10
/proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_close_wait: 60
/proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_established: 432000
/proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_fin_wait: 120
/proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_last_ack: 30
/proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_max_retrans: 300
/proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_syn_recv: 60
/proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_syn_sent: 120
/proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_time_wait: 120
/proc/sys/net/ipv4/netfilter/ip_conntrack_udp_timeout: 30
/proc/sys/net/ipv4/netfilter/ip_conntrack_udp_timeout_stream: 180
host:~#

-Marc
-- 
8AAC 5F46 83B4 DB70 8317  3723 296C 6CCA 35A6 4134
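A small check built on the loop output above, added here as an example and not part of the original thread: it parses the "path: value" lines, works out how full the conntrack table is against ip_conntrack_max, and flags it against a threshold, so one can tell whether the table limit plausibly explains packets turning up as INVALID. The SAMPLE string is constructed from the values posted above; the function names are my own.

```shell
#!/bin/sh
# Constructed sample in the same "path: value" format the for-loop above prints.
SAMPLE='/proc/sys/net/ipv4/netfilter/ip_conntrack_count: 712
/proc/sys/net/ipv4/netfilter/ip_conntrack_max: 65536
/proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_established: 432000
/proc/sys/net/ipv4/netfilter/ip_conntrack_log_invalid: 0'

# conntrack_value NAME INPUT: print the integer of ip_conntrack_NAME from INPUT.
# The leading "/" in the pattern keeps "max" from matching "tcp_max_retrans".
conntrack_value() {
    printf '%s\n' "$2" | sed -n "s|^.*/ip_conntrack_$1: *\([0-9]*\)$|\1|p"
}

# conntrack_usage_pct INPUT: integer percentage of the table in use (count*100/max).
conntrack_usage_pct() {
    count=$(conntrack_value count "$1")
    max=$(conntrack_value max "$1")
    [ -n "$count" ] && [ -n "$max" ] && [ "$max" -gt 0 ] || { echo 0; return 1; }
    echo $(( count * 100 / max ))
}

# conntrack_check INPUT THRESHOLD: "warn" when usage >= THRESHOLD percent, else "ok".
# Near the limit, conntrack drops entries early and later packets of those
# flows are classified INVALID, which is the failure mode discussed above.
conntrack_check() {
    pct=$(conntrack_usage_pct "$1")
    if [ "$pct" -ge "$2" ]; then echo warn; else echo ok; fi
}

# conntrack_invalid_logging INPUT: "off" when ip_conntrack_log_invalid is 0,
# otherwise the protocol number it is set to (6 = TCP, 255 = all), meaning
# INVALID classifications are written to the kernel log for inspection.
conntrack_invalid_logging() {
    v=$(conntrack_value log_invalid "$1")
    if [ -z "$v" ] || [ "$v" -eq 0 ]; then echo off; else echo "$v"; fi
}

# On a live host, feed the real loop output instead of SAMPLE:
# live=$(for f in /proc/sys/net/ipv4/netfilter/ip_conntrack_*; do echo "$f: $(cat "$f")"; done)
# conntrack_check "$live" 80
```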
