[ale] Iptables packet mangling
Transam@cavu.com
Sat Jun 30 00:41:38 EDT 2001
Keep in mind a few things about IP Tables. First, under the 2.4.2 kernel
some modules needed for some mangling will not compile. The solution
is to get 2.4.4.
Second, I was asked to set the IP Masquerading under IP Tables (Linux
2.4.4 kernel) to specified values by a client. The way it was done
under IP Chains is not implemented.
After finding no help in the doc, web, or even ALE, I had a look at the
2.4.4 kernel source for the answer. The question is: Under IP Tables,
how does one change the IP Masquerading connection timeouts for the various
protocols? This was trivial under IP Chains and well documented.
The answer is screw off. They're hardwired into the kernel. These values
are:
ICMP     30 seconds
TCP      5 days (once a connection is established and before being torn down)
UDP      3 minutes (once a reply packet is seen)
Generic  10 minutes (this might apply to AppleTalk & IPX)
If you want to change them, cd to /usr/src/linux/net/ipv4/netfilter.
Edit ip_conntrack_proto_*.c and search for *_TIMEOUT. A value of
(600*HZ) is 600 seconds. For ip_conntrack_proto_tcp.c, search for
tcp_timeouts and edit as desired.
Bob Toxen
transam at cavu.com [Bob's ALE Bulk email]
bob at cavu.com
http://www.cavu.com
http://www.realworldlinuxsecurity.com/ [My book: "Real World Linux Security"]
Fly-By-Day Consulting, Inc. "Don't go with a fly-by-night outfit!"
Quality Linux & UNIX security and software consulting since 1990.
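Before patching the sources it helps to know exactly which timeouts a given tree has compiled in. The script below is an added example, not part of Bob's post or of the kernel: it pulls the `*_TIMEOUT (N*HZ)` defines and the `tcp_timeouts[]` entries out of the ip_conntrack_proto_*.c files and reports them in seconds. The embedded sample text is constructed to mimic the shape of the 2.4.x files (the `SECS`/`MINS`/`HOURS`/`DAYS` macros and the `/* TCP_CONNTRACK_xxx */` comments are assumed), so point `load_sources()` at a real netfilter directory to audit an actual tree.

```python
import glob
import os
import re

# Constructed sample in the shape of the 2.4.x ip_conntrack_proto_*.c files
# (not copied from any kernel tree); HZ is 100 on 2.4 x86, so (N*HZ) jiffies
# is N seconds, which is why the numbers below are reported as seconds.
SAMPLE_SOURCES = {
    "ip_conntrack_proto_icmp.c": "#define ICMP_TIMEOUT (30*HZ)\n",
    "ip_conntrack_proto_udp.c": "#define UDP_TIMEOUT (30*HZ)\n"
                                "#define UDP_STREAM_TIMEOUT (180*HZ)\n",
    "ip_conntrack_proto_generic.c": "#define GENERIC_TIMEOUT (600*HZ)\n",
    "ip_conntrack_proto_tcp.c": (
        "#define SECS *HZ\n#define MINS * 60 SECS\n"
        "#define HOURS * 60 MINS\n#define DAYS * 24 HOURS\n"
        "static unsigned long tcp_timeouts[]\n"
        "= { 30 MINS,\t/* TCP_CONNTRACK_NONE,\t*/\n"
        "     5 DAYS,\t/* TCP_CONNTRACK_ESTABLISHED,\t*/\n"
        "     2 MINS,\t/* TCP_CONNTRACK_SYN_SENT,\t*/\n};\n"
    ),
}

UNIT_SECONDS = {"SECS": 1, "MINS": 60, "HOURS": 3600, "DAYS": 86400}

# "#define FOO_TIMEOUT (600*HZ)"  ->  ("FOO_TIMEOUT", "600")
DEFINE_RE = re.compile(r"#define\s+(\w*_TIMEOUT)\s+\(\s*(\d+)\s*\*\s*HZ\s*\)")
# "5 DAYS, /* TCP_CONNTRACK_ESTABLISHED, */" -> ("5", "DAYS", "TCP_CONNTRACK_ESTABLISHED")
TCP_ENTRY_RE = re.compile(
    r"(\d+)\s+(SECS|MINS|HOURS|DAYS)\s*,?\s*/\*\s*(TCP_CONNTRACK_\w+)")


def load_sources(netfilter_dir="/usr/src/linux/net/ipv4/netfilter"):
    """Read every ip_conntrack_proto_*.c under the given directory."""
    files = glob.glob(os.path.join(netfilter_dir, "ip_conntrack_proto_*.c"))
    return {os.path.basename(f): open(f).read() for f in files}


def conntrack_timeouts(sources):
    """Return {timeout_name: seconds} for every hardwired timeout found."""
    result = {}
    for text in sources.values():
        for name, n in DEFINE_RE.findall(text):
            result[name] = int(n)
        if "tcp_timeouts" in text:  # per-state table, one entry per TCP state
            for n, unit, state in TCP_ENTRY_RE.findall(text):
                result[state] = int(n) * UNIT_SECONDS[unit]
    return result


if __name__ == "__main__":
    for name, secs in sorted(conntrack_timeouts(SAMPLE_SOURCES).items()):
        print(f"{name:32s} {secs:>8d} s")
```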