There is a firewall between the client and the DB server. Sometimes, when there is no traffic from the client, the connection between client and server becomes idle and the firewall silently drops the connection. After this, the client hangs if it tries to communicate using the same socket. A new connection would work.
Is there any way to send RST packets to the client when a connection is timed out, instead of silently dropping the connection?
To configure iptables to send TCP RST packets on timed-out connections, you need to follow these steps:
Install iptables: Ensure that iptables is installed on your system. Most Linux distributions come with it pre-installed.
Set Up iptables Rules: Use the following iptables rules to drop timed-out connections and send a TCP RST packet in response. The key idea is to use the REJECT target with the --reject-with tcp-reset option.
Here are the detailed steps:
Step 1: Drop Existing Timed-Out Connections
First, identify and drop existing connections that have timed out. This is done using the conntrack module to track the state of connections.
```sh
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
```
Step 2: Send TCP RST Packets for New Timed-Out Connections
To handle new connections that time out and send TCP RST packets, add the following rule:
```sh
iptables -A INPUT -p tcp --tcp-flags RST RST -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m state --state NEW,INVALID -j REJECT --reject-with tcp-reset
```
Step 3: Ensure Proper Order of Rules
Make sure that these rules are inserted in the correct order in your iptables ruleset to avoid conflicts with other rules. For example, ensure that these rules are not superseded by a broader ACCEPT rule.
Step 4: Save iptables Configuration
Save the iptables rules to ensure they persist across reboots. This can be done using the following command (the method may vary based on your Linux distribution):
For Debian/Ubuntu:
```sh
sudo sh -c "iptables-save > /etc/iptables/rules.v4"
```
For CentOS/RHEL:
```sh
sudo service iptables save
```
Step 5: Apply and Test the Configuration
Reload the iptables rules to apply the changes. You can do this by restarting the iptables service or manually applying the rules using iptables-restore.
```sh
sudo iptables-restore < /etc/iptables/rules.v4
```
Example Full iptables Script
Here’s a complete example script that you can run to configure iptables as described:
```sh
#!/bin/bash
# Flush all current rules
iptables -F
# Drop invalid packets
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
# Send TCP RST for new timed-out connections
iptables -A INPUT -p tcp --tcp-flags RST RST -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m state --state NEW,INVALID -j REJECT --reject-with tcp-reset
# Save the rules
iptables-save > /etc/iptables/rules.v4
```
Run this script as root or with sudo privileges to apply the changes.
References:
iptables man page
Netfilter/iptables project
This configuration helps to manage and clear out timed-out connections effectively, ensuring your server responds appropriately with TCP RST packets when needed.
Chyld Monitor is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
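An added diagnostic, not part of the question or the answer above: a small Python check that tells an idle connection being reset (what the REJECT rule with tcp-reset is meant to produce) from one being silently dropped (the hang the question describes). Two local listeners on 127.0.0.1 stand in for the DB server behind the firewall; the loopback address, the ephemeral port and the 0.5 s timeout are choices made here, not values from the page, and Linux socket semantics are assumed.

```python
import socket
import struct
import threading


def _serve(listener: socket.socket, mode: str, done: threading.Event) -> None:
    """Stand-in for the DB server: either reset the client or go silent."""
    conn, _ = listener.accept()
    if mode == "reset":
        # SO_LINGER with a zero timeout makes close() emit RST instead of FIN,
        # the fail-fast signal a tcp-reset REJECT rule gives the client
        conn.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack("ii", 1, 0))
        conn.close()
        return
    # "blackhole": keep the socket open but never answer, like a flow the
    # firewall has quietly forgotten; the client only learns by timing out
    done.wait()
    conn.close()


def probe(port: int, timeout: float = 0.5) -> str:
    """Send one byte on a fresh connection and classify how the peer behaves."""
    with socket.create_connection(("127.0.0.1", port), timeout=timeout) as s:
        try:
            s.sendall(b"x")
            return "alive" if s.recv(1) else "closed"
        except socket.timeout:
            return "silent-drop"  # the hang described in the question
        except ConnectionError:
            return "reset"        # peer answered with RST; client fails fast


def run_scenario(mode: str) -> str:
    """Run probe() against a constructed local listener behaving as `mode`."""
    done = threading.Event()
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))  # ephemeral loopback port (assumption)
    listener.listen(1)
    port = listener.getsockname()[1]
    t = threading.Thread(target=_serve, args=(listener, mode, done), daemon=True)
    t.start()
    try:
        return probe(port)
    finally:
        done.set()
        t.join()
        listener.close()


if __name__ == "__main__":
    for mode in ("reset", "blackhole"):
        print(mode, "->", run_scenario(mode))
```

Run it against the real DB host (replace the local listener with a real `probe()` target and a longer idle wait before the send) to confirm whether the client sees a RST or a timeout after the firewall's idle limit.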