I have a nat configuration with thousands of devices connected to it. The gateway has its own Internet provided by eth0, and devices on the LAN side connect to eth1 on the gateway.
I have the following setup with iptables:
/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE /sbin/iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT /sbin/iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
eth1 is configured as follows:
ip: 192.168.0.1 subnet: 255.255.0.0
Clients are assigned ips 192.168.0.2 - 192.168.255.254.
In / etc / sysctl.conf I have the following setting for ip_conntrack_tcp_timeout_established
net.ipv4.netfilter.ip_conntrack_tcp_timeout_established=1200
Due to the number of client devices connecting to this gateway, I cannot use the default 5-day timeout.
This seems to work well and has tested with over 10,000 client devices.
However, the problem that I see is that the tcp 1200 timeout set applies only to devices in the range from 192.168.0.2 to 192.168.0.255. All devices with ips in the range 192.168.1.x through 192.168.255.x still use the default timeout of 5 days.
This leads to too many "ESTABLISHED" connections in the / proc / net / ip _conntrack table, and they eventually populate, although they should be timings within 20 minutes, they show that they will timeout after 5 days.
Obviously, I do not have a parameter somewhere or something is incorrectly configured.
Any suggestions?
thanks