ip_conntrack_tcp_timeout_established not applied to entire subnet

timeout iptables nat gateway subnet
11,643

As @StephenHankinson mentions, existing connections (cf. conntrack -L) at the time of changing the sysctl variable do not have their timeout reset. This should normally be not a problem, as these connections will eventually end, but NFCT can be forced to forget all CTs using conntrack -F. Note however that this might kill existing connections if your ruleset does not permit “NEW” connections not beginning with TCP SYN.

Share:
11,643
Stephen Hankinson
Author by

Stephen Hankinson

Updated on June 07, 2022

Comments

  • Stephen Hankinson
    Stephen Hankinson almost 2 years

    I've got a nat setup with thousands of devices connected to it. The gateway has its internet provided by eth0 and the devices on the LAN side connect to eth1 on the gateway.

    I have the following setup with iptables:

    /sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
/sbin/iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

    eth1 is configured as follows:

        ip: 192.168.0.1
subnet: 255.255.0.0

    Clients are assigned the ips 192.168.0.2 through 192.168.255.254.

    In /etc/sysctl.conf I have the following setup for ip_conntrack_tcp_timeout_established 

    net.ipv4.netfilter.ip_conntrack_tcp_timeout_established=1200

    Because of the number of client devices that connect to this gateway I can't use the default 5 day timeout.

    This seems to work well and have tested the setup with over 10000 client devices.

    However, the issue I am seeing is that the tcp established timeout of 1200 is only being applied to devices in the ip range of 192.168.0.2 through 192.168.0.255. All devices with ips in the 192.168.1.x through 192.168.255.x range are still using the 5 day default timeout.

    This is leaving way too many "ESTABLISHED" connections in the /proc/net/ip_conntrack table and it eventually fills up, even though they should be timing out within 20 minutes, they are showing that they will timeout in 5 days.

    Obviously I am missing a setting somewhere or have something configured incorrectly.

    Any suggestions?

    Thanks

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

Filtering incoming Strongswan VPN packets with iptables
ubuntu iptables NAT & Router & Port Forwarding
How can we make our ubuntu server router as gateway mode to router mode?
Linux as router with multiple internet providers
NAT using iptables on Ubuntu 16.04 doesn't work
What's the difference between PREROUTING and FORWARD in iptables?
Unable to get NAT working via iptables PREROUTING chain
Connecting 2 different subnet masks
Forwarding all incoming traffic on eth0 to go to eth1
iptables trouble: nat with ip alias (virtual interface) not working