[ale] Iptables packet mangling

Transam@cavu.com transam at cavu.com
Sun Jul 1 02:40:12 EDT 2001


On Sat, 30 Jun 2001 09:21:14, Stuffed Crust <pizza at shaftnet.org> wrote:
> On Sat, Jun 30, 2001 at 12:41:38AM -0400, Transam at cavu.com wrote:
> > After finding no help in the doc, web, or even ALE, I had a look at the
> > 2.4.4 kernel source for the answer.  The question is: Under IP Tables,
> > how does one change the IP Masquerading connection timeouts for the various
> > protocols.  This was trivial under IP Chains and well documented.
> > 
> > The answer is screw off.  They're hardwired into the kernel.  These values
> > are:

> In all fairness, IPTables doesn't need timeouts in the same sense as
> IPChains did -- iptables is completely stateful, whereas ipchains
> maintained almost no state at all.  Without the timeouts in ipchains,
> connections would stay open indefinitely, even if (for example) the tcp
> FIN sequence was completed.

Actually, that is only partially true for TCP.  If one of the machines goes
down, most SysAdmins do not want the connection to stay open for five days,
allowing some attacks and certainly wasting resources (ports and related
memory) and risking DoS attacks too.  It would have been trivial to add to
keep the interface that IP Chains used for setting this.

For UDP it is not true at all because UDP is stateless.  The default is
much too small for someone using NFS occasionally or for many other similar
applications.  (While using NFS over the Internet generally is a security
risk, someone might have firewalls between different protected subnets in
a company where this makes sense.  The poor design prevents tuning the
timeouts.)

> But thanks for getting a definitive answer out of this; I've been
> wondering how to change these timeouts too...

>  - Pizza
> -- 
> Solomon Peachy                                    pizzaATfucktheusers.org
> I ain't broke, but I'm badly bent.                           ICQ# 1318344
> Patience comes to those who wait.
>     ...It's not "Beanbag Love", it's a "Transanimate Relationship"...

Bob