Re: How to drop an idle connection with iptables?
Hi Brian:

See my comments.

On 2011-11-24 19:30, Brian J. Murrell wrote:
> On 11-11-24 04:46 AM, lu zhongda wrote:
>> Hi Brian:
>
> Hi Lu,
>
>> At least, I hope iptables can confirm whether a connection is idle or
>> not by its rules, this is the key point of my problem.
>
> Perhaps there is a module which can do this but perhaps not because what
> you are proposing will actually break protocols based on TCP.
>
>> I have used conntrack of iptables, it seems not to work.
>
> iptables' conntrack works exactly as it should. When it sees a TCP
> session go to ESTABLISHED (i.e. TCP 3-way handshake is completed) it
> allows packets on that session and continues to do so until the session
> is destroyed with FIN and/or RST packets. To start dropping/rejecting
> packets before that TCP session is shutdown will break the protocol that
> is running on the socket because it expects the session to still be open.
>
> You didn't answer my other question though, which is why do you think
> you need to be dropping idle, yet still ESTABLISHED sessions (and
> breaking higher level protocols when you do that)?
The need to drop idle connections comes from a technical support request: I need to confirm whether iptables can drop idle connections just like some other commercial products can do. I need to confirm whether iptables can do it, and if it can, what the rule set is.

If not, then that is that. I have no strong demand for it to do it. Thanks for your feedback.
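As an added example (not from this thread, and not a ruleset either poster gave): the conntrack-based filter Brian describes, plus the one standard knob that makes an idle ESTABLISHED entry disappear from conntrack, its timeout. The port (22) and idle timeout (600 s) are constructed values; the "drop NEW non-SYN" rule is what keeps conntrack from silently re-adopting the session mid-stream once the entry has expired. The endpoints still believe their socket is open, so the next packet is dropped and the application sees a hung connection, which is exactly the protocol breakage Brian warns about.

```shell
#!/bin/sh
# Added example: expire idle TCP sessions from conntrack so that a
# default-DROP INPUT chain stops passing their packets.
# Assumed values (constructed): service port 22, idle timeout 600 seconds.

# Emit an iptables-restore ruleset: default DROP, accept what conntrack
# still tracks as ESTABLISHED/RELATED, accept NEW only when it is a SYN,
# and drop NEW non-SYN packets so a session whose conntrack entry timed
# out cannot be picked up mid-stream (nf_conntrack_tcp_loose=1 is default).
build_ruleset() {
    port="$1"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
-A INPUT -p tcp --dport ${port} --syn -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Emit the sysctl that makes conntrack forget an ESTABLISHED session after
# IDLE seconds without traffic (kernel default is 432000 s, i.e. 5 days).
build_sysctl() {
    idle="$1"
    printf 'net.netfilter.nf_conntrack_tcp_timeout_established = %s\n' "$idle"
}

# Number of -A rules in the generated ruleset (sanity check before applying).
rule_count() {
    build_ruleset "$1" | grep -c '^-A '
}

# Apply the sysctl and the ruleset; needs root, so it only runs when the
# script is invoked as: ./idle-drop.sh apply [port] [idle-seconds]
apply_all() {
    build_sysctl "$2" > /etc/sysctl.d/90-conntrack-idle.conf
    sysctl -p /etc/sysctl.d/90-conntrack-idle.conf
    build_ruleset "$1" | iptables-restore
}

if [ "${1:-}" = "apply" ]; then
    apply_all "${2:-22}" "${3:-600}"
fi
```

Lowering the timeout affects every tracked TCP session on the host, not just the one you want gone, so check `conntrack -L` (from conntrack-tools) before and after to see which entries are actually expiring.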