[ale] IP Tables NAT timings: how?

Transam@cavu.com transam at cavu.com
Mon Jun 25 22:37:17 EDT 2001


> Stuffed Crust wrote:
> On Mon, Jun 25, 2001 at 01:18:42AM -0400, Transam at cavu.com wrote:
> > How does one set the timeouts for NAT activity under IP Tables
> > (Red Hat 7.1 Linux 2.4.2 kernel)?  I.e., how long before an inactive TCP
> > or inactive UDP NAT "connection" is forgotten?

> It never is, as far as I can tell.  iptables is stateful; every
> connection is kept track of until it is terminated.

Actually, there is a timeout.  Consider: if either or both of the two end
machines (client and server) running a TCP connection through IP Tables
doing NAT dies.  What is the Linux box to do?  Remember state forever
and run out of kernel memory as state for these dead TCP connections
accumulates?

If the keep-alive feature (that sends a packet through periodically)
is not enabled, a telnet or SSH connection where neither the person nor
the system sends data for a long time sends NO packets through the NAT.

> I'm sure there's some way of setting the UDP timeout though.

Ditto for UDP which, being connectionless, has no way to indicate that a
"connection" is done.


In any NAT there must be timeouts (except Windows, which uses the
blue screen of death for this) to clean up these dead connections and UDP
packet exchanges.

In both IP Tables and IP Chains there are defaults.

I am hoping that someone knows how to change them in IP Tables.  I've looked
in all the doc and the net.  My next choice is looking at the kernel code
but I'd rather not take the time if someone knows the answer.

> it's probably an option in the ip_conntrack module.

How might I find out what option and how to use it?

>  - Pizza
> -- 
> Solomon Peachy                                    pizzaATfucktheusers.org
> I ain't broke, but I'm badly bent.                           ICQ# 1318344
> Patience comes to those who wait.
>     ...It's not "Beanbag Love", it's a "Transanimate Relationship"...

Thanks,
Bob
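For readers arriving at this thread with a newer kernel: the connection-tracking timeouts Bob is asking about became sysctl tunables in later Linux releases. The script below is an added example, not part of the original thread, and assumes the modern `nf_conntrack_*` names under `/proc/sys/net/netfilter` (the 2.4 kernel in the thread used `/proc/sys/net/ipv4/netfilter/ip_conntrack_*` names, and the early 2.4.x releases did not make all of them tunable). The directory is passed in as a parameter so the functions can also be exercised on a constructed copy of those files without root.

```shell
#!/bin/sh
# Added example, not code from the original thread.
# Reads the conntrack idle timeouts that later kernels expose as sysctl files.
# Assumption: the nf_conntrack_* names below are the modern ones; on the 2.4
# kernel discussed in the thread the names (and tunability) differ.

# Print "<name> <seconds>" for each timeout file present under the given
# directory (default: the live sysctl tree).
show_conntrack_timeouts() {
    dir="${1:-/proc/sys/net/netfilter}"
    for name in nf_conntrack_tcp_timeout_established \
                nf_conntrack_tcp_timeout_close_wait \
                nf_conntrack_tcp_timeout_time_wait \
                nf_conntrack_udp_timeout \
                nf_conntrack_udp_timeout_stream \
                nf_conntrack_generic_timeout; do
        if [ -r "$dir/$name" ]; then
            printf '%s %s\n' "$name" "$(cat "$dir/$name")"
        fi
    done
}

# Return 0 if the established-TCP idle timeout is at or below the given
# ceiling (seconds), 1 if it is larger, 2 if the file is unreadable.
# The kernel default of 432000 s (five days) is what lets a dead, keepalive-less
# session hold a NAT table slot for a very long time.
tcp_established_within() {
    dir="${1:-/proc/sys/net/netfilter}"
    ceiling="$2"
    value=$(cat "$dir/nf_conntrack_tcp_timeout_established" 2>/dev/null) || return 2
    [ "$value" -le "$ceiling" ]
}

# When run directly, list the live values (prints nothing if conntrack is
# not loaded or the files are not readable).
show_conntrack_timeouts "$@"
```

To lower a value on such a kernel you would, as root, write it with `sysctl -w net.netfilter.nf_conntrack_tcp_timeout_established=3600`; the change takes effect for entries created afterwards.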