Author: Dennis Leeuw dleeuw at made-it dot com
I ran into a little problem when migrating from an old Microsoft based firewall to a new iptables based Linux firewall. Logins to our intranet were disconnected somewhere between 20 and 45 minutes; I didn't do exact tests. After that period users needed to log in again. As you can imagine that was not acceptable for the users.
After some searching and reading I discovered that iptables removes entries from the MASQ (SNAT,DNAT?) tables after 30 minutes of inactivity.
With the old ipchains tool one could set the timers, but with iptables that is NOT possible. So I was left with two options:
The solution I used is to adjust the TCP keepalive settings. By default they are set to 7200 seconds (2 hours); by decreasing this to within the 30 minute range the connection is kept alive. To be safe I set the value to 900 (15 minutes).
echo 900 > /proc/sys/net/ipv4/tcp_keepalive_time
Now the connection does not time out and the users are happy.
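Keepalive probes are only sent on sockets that have SO_KEEPALIVE enabled, and the echo above does not survive a reboot, so it is worth checking both the timing and the per-socket side. The Python below is an added example, not part of the original note: it works out when the first probe fires relative to the 30 minute NAT idle timeout and shows how an application enables keepalive on its own socket (the Linux TCP_KEEPIDLE/TCP_KEEPINTVL/TCP_KEEPCNT options override the sysctl per socket; the 1800 s NAT timeout and 75 s / 9 probe kernel defaults are assumed values for the calculation).

```python
import socket

# Assumed for the calculation: 30 minute NAT idle timeout as described in the note,
# and the kernel defaults for tcp_keepalive_intvl (75 s) and tcp_keepalive_probes (9).
NAT_IDLE_TIMEOUT = 1800
DEFAULT_KEEPALIVE_TIME = 7200   # kernel default for tcp_keepalive_time
CHOSEN_KEEPALIVE_TIME = 900     # the value set in the note


def keepalive_plan(keepalive_time, keepalive_intvl=75, keepalive_probes=9,
                   nat_idle_timeout=NAT_IDLE_TIMEOUT):
    """Return (first_probe_at, dead_peer_detected_at, keeps_nat_entry).

    first_probe_at: seconds of idleness before the first probe (tcp_keepalive_time).
    dead_peer_detected_at: when an unanswered peer is finally declared dead.
    keeps_nat_entry: True when a probe goes out before the NAT entry would expire,
    which is what refreshes the MASQ/SNAT state the note talks about.
    """
    first_probe = keepalive_time
    dead_after = keepalive_time + keepalive_intvl * keepalive_probes
    return first_probe, dead_after, first_probe < nat_idle_timeout


def enable_keepalive(sock, idle=CHOSEN_KEEPALIVE_TIME, intvl=75, probes=9):
    """Turn keepalive on for one socket; the sysctl alone does nothing for a
    socket that never sets SO_KEEPALIVE. Returns True when keepalive is on."""
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    # Per-socket overrides; these constants exist on Linux but not everywhere,
    # hence the getattr guard.
    for name, value in (("TCP_KEEPIDLE", idle), ("TCP_KEEPINTVL", intvl),
                        ("TCP_KEEPCNT", probes)):
        opt = getattr(socket, name, None)
        if opt is not None:
            sock.setsockopt(socket.IPPROTO_TCP, opt, value)
    return sock.getsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE) != 0


def configured_socket_settings(idle=CHOSEN_KEEPALIVE_TIME):
    """Create a TCP socket, enable keepalive on it and read the settings back.
    Returns (keepalive_on, keepidle) where keepidle is None if TCP_KEEPIDLE
    is not available on this platform."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        on = enable_keepalive(sock, idle=idle)
        opt = getattr(socket, "TCP_KEEPIDLE", None)
        keepidle = sock.getsockopt(socket.IPPROTO_TCP, opt) if opt is not None else None
        return on, keepidle
    finally:
        sock.close()


if __name__ == "__main__":
    for t in (DEFAULT_KEEPALIVE_TIME, CHOSEN_KEEPALIVE_TIME):
        print("tcp_keepalive_time=%d -> first probe %ds, dead peer at %ds, keeps NAT entry: %s"
              % ((t,) + keepalive_plan(t)))
    print("socket keepalive on, idle:", configured_socket_settings())
```

To make the sysctl permanent, put `net.ipv4.tcp_keepalive_time = 900` in /etc/sysctl.conf instead of relying on the echo alone.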