iptables Connection Timeout

Author: Dennis Leeuw dleeuw at made-it dot com

The problem

I ran into a little problem when migrating from an old Microsoft based firewall to a new iptables based Linux firewall. The login to our intranet was disconnected somewhere between 20 and 45 minutes; I didn't do exact tests. After that period users needed to log in again. As you can imagine, that was not acceptable to the users.

The reason

After some searching and reading I discovered that iptables removes entries from the MASQ (SNAT, DNAT?) tables after 30 minutes of inactivity.

The solution

With the old ipchains tool one could set the timers, but with iptables that is NOT possible. So I was left with two options:

  1. Rebuild the module with adjusted timer settings
  2. Find a workaround within the TCP stack

The solution I used is to adjust the TCP keepalive settings. By default they are set to 7200 seconds (2 hours); by decreasing this to within the 30-minute range the connection is kept alive. To be safe I set the value to 900 (15 minutes).

echo 900 > /proc/sys/net/ipv4/tcp_keepalive_time

Now the connection does not time out and the users are happy.
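As an added example (not code from the article), the same keepalive tuning done per socket from an application, which on Linux overrides the global /proc/sys/net/ipv4/tcp_keepalive_* values; the 75 s probe interval and 9 probes are the usual Linux defaults and are assumed here, and the 1800 s firewall timeout is the article's 30 minutes:

```python
import socket

# Values from the article: Linux default idle time 7200 s, the chosen 900 s,
# and the roughly 30-minute (1800 s) idle timeout observed on the firewall.
DEFAULT_KEEPALIVE_TIME = 7200
CHOSEN_KEEPALIVE_TIME = 900
FIREWALL_IDLE_TIMEOUT = 1800
# Usual Linux defaults for the other two knobs (assumed, not from the article):
# /proc/sys/net/ipv4/tcp_keepalive_intvl = 75, tcp_keepalive_probes = 9
KEEPALIVE_INTERVAL = 75
KEEPALIVE_PROBES = 9


def keepalive_socket(idle=CHOSEN_KEEPALIVE_TIME, interval=KEEPALIVE_INTERVAL,
                     probes=KEEPALIVE_PROBES):
    """TCP socket with keepalive on and, on Linux, per-socket timers that
    override the global /proc/sys/net/ipv4/tcp_keepalive_* settings."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    if hasattr(socket, "TCP_KEEPIDLE"):  # Linux-specific option names
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPIDLE, idle)
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPINTVL, interval)
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPCNT, probes)
    return sock


def keepalive_settings(sock):
    """Read back what the kernel will actually use for this socket."""
    cfg = {"enabled": sock.getsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE)}
    if hasattr(socket, "TCP_KEEPIDLE"):
        cfg["idle"] = sock.getsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPIDLE)
        cfg["interval"] = sock.getsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPINTVL)
        cfg["probes"] = sock.getsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPCNT)
    return cfg


def survives_firewall(idle, firewall_timeout=FIREWALL_IDLE_TIMEOUT):
    """True if the first keepalive probe goes out before the firewall forgets
    the idle flow, so the probe refreshes the connection-tracking entry."""
    return idle < firewall_timeout


def dead_peer_detection_time(idle, interval=KEEPALIVE_INTERVAL, probes=KEEPALIVE_PROBES):
    """Seconds of silence before the kernel gives up on an unreachable peer."""
    return idle + interval * probes


if __name__ == "__main__":
    s = keepalive_socket()
    print(keepalive_settings(s), survives_firewall(DEFAULT_KEEPALIVE_TIME),
          survives_firewall(CHOSEN_KEEPALIVE_TIME))
    s.close()
```

The echo into /proc/sys is lost at reboot; the persistent form is a net.ipv4.tcp_keepalive_time = 900 line in /etc/sysctl.conf. The global value only affects sockets that have SO_KEEPALIVE enabled, so an application that never sets it sends no probes at all.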