tcp timeouts and ip_conntrack

Discussion in 'Linux Networking' started by nsa.usa, Apr 9, 2007.

  1. nsa.usa (Guest)

    Hi,

    Can anyone tell me how I can lower the TCP timeout? I think it's set to
    5 days right now, which is ridiculous, and my ip_conntrack is filling up
    due to a DoS attack. I increased the ip_conntrack_max, but I don't want
    to see 8000 dead connections tracked to the same IP address for 5
    days....!
    What is a sensible value? My server is serving a few hundred clients
    behind NAT.
    It's running stock RH9 (and please don't tell me to just upgrade....
    that would be no help at all, thanks!).

    Regards,
    Tobias
     
    nsa.usa, Apr 9, 2007
    #1

  2. Pascal Hambourg

    Hello,

    wrote:
    Check /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout*. In recent
    2.6 kernels these parameters may have moved to /proc/sys/net/netfilter/.
    You may also consider using the 'connlimit' match from a recent
    patch-o-matic-ng in order to limit the number of parallel TCP
    connections from a client IP address.
     
    Pascal Hambourg, Apr 9, 2007
    #2
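The check Pascal describes, written out as an added example that is not part of this thread: a POSIX shell script that finds the directory holding the TCP conntrack timeouts (the older ip_conntrack_* files under /proc/sys/net/ipv4/netfilter on a RH9-era kernel, or the nf_conntrack_* files under /proc/sys/net/netfilter on later 2.6 kernels), prints each timeout as a readable duration, and lowers one. The function names are my own, and the fake /proc tree it builds for a stand-alone run uses constructed sample values (the 5-day established timeout is the one the original poster complains about; the others are chosen to resemble 2.4-era defaults).

```shell
#!/bin/sh
# Added example (not code from the thread): locate the netfilter TCP
# conntrack timeout files, show them as human-readable durations, and
# lower one. Run as root with no arguments to act on the real /proc;
# otherwise it falls back to a constructed fake tree.

# Print the directory holding the TCP timeout files, newest location first.
# $1 is an optional root prefix (empty for the real system).
conntrack_dir() {
    for d in "$1/proc/sys/net/netfilter" "$1/proc/sys/net/ipv4/netfilter"; do
        if [ -d "$d" ]; then
            echo "$d"
            return 0
        fi
    done
    return 1
}

# Convert a number of seconds to "Nd Nh Nm Ns".
human_duration() {
    s=$1
    printf '%dd %dh %dm %ds\n' $((s / 86400)) $((s % 86400 / 3600)) \
        $((s % 3600 / 60)) $((s % 60))
}

# Read one timeout (seconds) by its state name, e.g. "established".
get_timeout() {
    dir=$1; state=$2
    for f in "$dir/nf_conntrack_tcp_timeout_$state" "$dir/ip_conntrack_tcp_timeout_$state"; do
        if [ -r "$f" ]; then
            cat "$f"
            return 0
        fi
    done
    return 1
}

# Write a new timeout in seconds (needs root on the real system).
set_timeout() {
    dir=$1; state=$2; secs=$3
    for f in "$dir/nf_conntrack_tcp_timeout_$state" "$dir/ip_conntrack_tcp_timeout_$state"; do
        if [ -w "$f" ]; then
            echo "$secs" > "$f"
            return 0
        fi
    done
    return 1
}

# List every TCP timeout in the directory as "state  seconds  (duration)".
list_timeouts() {
    dir=$1
    for f in "$dir"/*_conntrack_tcp_timeout_*; do
        [ -r "$f" ] || continue
        state=${f##*_conntrack_tcp_timeout_}
        secs=$(cat "$f")
        printf '%-14s %8s  (%s)\n' "$state" "$secs" "$(human_duration "$secs")"
    done
}

# Constructed fake /proc tree mirroring the RH9-era layout and names.
make_fake_proc() {
    dir="$1/proc/sys/net/ipv4/netfilter"
    mkdir -p "$dir"
    echo 432000 > "$dir/ip_conntrack_tcp_timeout_established"   # 5 days
    echo 120    > "$dir/ip_conntrack_tcp_timeout_syn_sent"
    echo 60     > "$dir/ip_conntrack_tcp_timeout_syn_recv"
    echo 120    > "$dir/ip_conntrack_tcp_timeout_time_wait"
    echo 10     > "$dir/ip_conntrack_tcp_timeout_close"
}

# Stand-alone run: inspect the live kernel if it exposes the files,
# otherwise demonstrate on the fake tree.
if live=$(conntrack_dir ""); then
    list_timeouts "$live"
else
    tmp=$(mktemp -d)
    make_fake_proc "$tmp"
    list_timeouts "$tmp/proc/sys/net/ipv4/netfilter"
    rm -rf "$tmp"
fi
```

On the old path, `set_timeout "$dir" established 3600` is the same write that `sysctl -w net.ipv4.netfilter.ip_conntrack_tcp_timeout_established=3600` performs. Two caveats when choosing the value: the established timeout only expires entries that have been idle for that long, so pick something longer than the longest idle period the NAT'd clients legitimately need, or their mappings will silently disappear; and half-open connections from a SYN flood live in the syn_recv state, whose timeout is already short, so the 5-day value mostly matters for completed connections that were abandoned without a FIN or RST. Limiting parallel connections per source address, as the connlimit match does, is the complement that caps how many entries one host can hold regardless of timeout.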