iptables - dropping specific established connections after X hours

Asked Oct 24 '14 at 10:38

Active Oct 24 '14 at 11:08

Viewed 944 times

Is there a way with iptables to drop specific established connections after X hours?

We have an application with limited connection support, and occasionally we see some tcp sessions that shouldn't be established for longer than a few seconds, usually hanging around indefinitely when it happens (perhaps some odd network issue). This causes the app to block future requests :(

Since the box is doing port forwarding to the remote application, I figured I could just get iptables to drop these bad sessions, but I can't seem to find a way of doing that for a specific host/port combo (rather than the global conntrack timeout which would affect other things).

edited Oct 24 '14 at 11:08

asked Oct 24 '14 at 10:38

AndyC

1

How do you define "that aren't needed"? iptables cannot make this distinction. – RedShift Oct 24 '14 at 10:42
A host/port combo that has been established for X hours. – AndyC Oct 24 '14 at 11:06
@AndyC This is something you should implement on the app side rather than trying other unsuitable ways. – Xavier Lucas Oct 24 '14 at 13:57
@XavierLucas yes I agree, if it was possible to do so, but it is not unfortunately. – AndyC Oct 24 '14 at 14:54
@AndyC Then you just can't do that at all. – Xavier Lucas Oct 24 '14 at 14:55

iptables - dropping specific established connections after X hours

0 Answers0

Linked