Hello,
(E-Mail Removed) wrote:
>
> Can anyone tell me how I can lower the TCP timeout? I think its set to
> 5 days right now, which is ridiculous, and my ip_conntrack is filling up
> due to DoS attack.
Check /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout*. In recent
2.6 kernels these parameters may have moved to /proc/sys/net/netfilter/.
> I increased the ip_conntrack_max, but I don't want
> to see 8000 dead connections tracked to the same ip-address for 5
> days....!
You may also consider using the 'connlimit' match from a recent
patch-o-matic-ng in order to limit the number of parallel TCP
connections from a client IP address.
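As an added illustration of the two suggestions in that reply (not code from either poster), here is a small POSIX shell script that looks for the ip_conntrack_tcp_timeout_* knobs in both /proc locations the reply names, shows the current values, lowers the ones that keep dead or half-open connections in the table, and prints the connlimit rule to review before applying. Everything beyond what the reply says is my assumption: the replacement timeout values, the per-source cap of 20 connections with --connlimit-mask 32, and the file names, which kernels newer than the 2.6 series discussed here rename from ip_conntrack_* to nf_conntrack_*. Nothing on the live system is touched unless the script is run as root with APPLY=1.

```shell
#!/bin/sh
# Added example for the thread above; not the original posters' code.
# Timeout values and the connection cap are assumptions, not from the thread.

# find_conntrack_dir DIR... : print the first directory that holds
# ip_conntrack_tcp_timeout_* files (old ipv4/netfilter layout first,
# then the newer net/netfilter one), or fail if neither does.
find_conntrack_dir() {
    for d in "$@"; do
        for f in "$d"/ip_conntrack_tcp_timeout_*; do
            if [ -e "$f" ]; then
                echo "$d"
                return 0
            fi
        done
    done
    return 1
}

# show_tcp_timeouts DIR : print "knob = seconds" for every TCP timeout.
show_tcp_timeouts() {
    for f in "$1"/ip_conntrack_tcp_timeout_*; do
        [ -e "$f" ] || continue
        printf '%s = %s\n' "${f##*/}" "$(cat "$f")"
    done
}

# set_tcp_timeout DIR STATE SECONDS : write the value, then echo what the
# kernel actually kept, so a rejected write is visible to the caller.
set_tcp_timeout() {
    f="$1/ip_conntrack_tcp_timeout_$2"
    [ -w "$f" ] || { echo "not writable: $f" >&2; return 1; }
    echo "$3" > "$f" || return 1
    cat "$f"
}

# lower_dead_connection_timeouts DIR : shorten the states a flood leaves
# behind. The numbers are assumed values for a host under attack; the
# 5-day default mentioned in the thread is 432000 seconds (established).
lower_dead_connection_timeouts() {
    set_tcp_timeout "$1" syn_recv    30   >/dev/null || return 1
    set_tcp_timeout "$1" established 3600 >/dev/null || return 1
    set_tcp_timeout "$1" fin_wait    60   >/dev/null || return 1
    set_tcp_timeout "$1" close_wait  30   >/dev/null || return 1
    set_tcp_timeout "$1" time_wait   30   >/dev/null || return 1
}

# connlimit_rule LIMIT : the iptables rule for the patch-o-matic-ng
# connlimit match: drop a new TCP connection from any single source IP
# (--connlimit-mask 32) that already has more than LIMIT open.
# Printed rather than executed so it can be reviewed first.
connlimit_rule() {
    echo "iptables -I INPUT -p tcp --syn -m connlimit --connlimit-above $1 --connlimit-mask 32 -j DROP"
}

# Only act on the real system when explicitly asked (APPLY=1, as root).
if [ "${APPLY:-0}" = 1 ]; then
    dir=$(find_conntrack_dir /proc/sys/net/ipv4/netfilter /proc/sys/net/netfilter) || {
        echo "no ip_conntrack_tcp_timeout_* files found in either location" >&2
        exit 1
    }
    echo "conntrack TCP timeouts live in $dir; before:"
    show_tcp_timeouts "$dir"
    lower_dead_connection_timeouts "$dir" || exit 1
    echo "after:"
    show_tcp_timeouts "$dir"
    echo "suggested rule (run it yourself after checking the limit fits your traffic):"
    connlimit_rule 20
fi
```

The timeouts are written through the same /proc files sysctl would use, so they take effect immediately but do not survive a reboot; put the chosen values in /etc/sysctl.conf once they have been validated. Lowering ip_conntrack_tcp_timeout_established also affects legitimate long-idle sessions (SSH, database connections), so pick a value longer than the keepalive interval of the services the box actually serves.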