Fixing dying ssh connections through iptables based firewalls

I recently came across a setup where my ssh connections were torn down when inactive. This is a great nuisance for a sysadmin. The reasons are quite well known. Out of the box, the Linux iptables code will tear down/close inactive TCP connections after 30 minutes of inactivity. The TCP implementation in the Linux kernel, however, normally defaults to a TCP keep-alive timer of 120 minutes.

Thus the iptables code will take the ssh connection down one and a half hours before the TCP stack even starts trying to keep the connection alive. Not very handy, to say the least. To remedy the situation and keep your ssh sessions alive even while they are inactive, one solution is to lower the Linux TCP keep-alive timer to, for example, 15 minutes. You would do that with:

echo 900 > /proc/sys/net/ipv4/tcp_keepalive_time

All done. Not rocket science at all, just a little useful piece of information.
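As an added check (not part of the original post), the script below compares the kernel's keep-alive settings with a firewall idle timeout and says whether the first keep-alive probe goes out before the firewall forgets the flow. It assumes the usual Linux defaults of 75 seconds between probes and 9 probes when /proc is not readable; the 30-minute firewall timeout is the value quoted above.

```shell
#!/bin/sh
# Added example, not from the original post: does the kernel send its first
# TCP keep-alive probe before the firewall's idle timeout expires?

# Arguments (all in seconds, except the probe count):
#   keepalive_time keepalive_intvl keepalive_probes firewall_idle_timeout
# Returns 0 when the first probe is early enough, 1 when the firewall wins.
check_keepalive() {
    ka_time=$1; ka_intvl=$2; ka_probes=$3; fw_timeout=$4
    # Once probes start, an unanswered peer is declared dead after
    # ka_intvl * ka_probes more seconds; an answered probe is traffic the
    # firewall sees, so it resets the idle timer on every cycle.
    dead_after=$((ka_time + ka_intvl * ka_probes))
    if [ "$ka_time" -lt "$fw_timeout" ]; then
        echo "ok: first probe after ${ka_time}s, firewall drops idle flows after ${fw_timeout}s (dead peer noticed after ${dead_after}s)"
        return 0
    fi
    echo "warning: first probe after ${ka_time}s, but firewall drops idle flows after ${fw_timeout}s"
    # Suggest half the firewall timeout so one probe cycle has some margin.
    echo "suggested: sysctl -w net.ipv4.tcp_keepalive_time=$((fw_timeout / 2))"
    return 1
}

# Read a live value from /proc, falling back to the given default when the
# file is not readable (non-Linux host, container without /proc/sys, etc.).
read_sysctl() {
    if [ -r "/proc/sys/net/ipv4/$1" ]; then
        cat "/proc/sys/net/ipv4/$1"
    else
        echo "$2"
    fi
}

# Usage: main [firewall_idle_timeout_seconds]; default is the post's 30 minutes.
main() {
    fw=${1:-1800}
    check_keepalive "$(read_sysctl tcp_keepalive_time 7200)" \
                    "$(read_sysctl tcp_keepalive_intvl 75)" \
                    "$(read_sysctl tcp_keepalive_probes 9)" \
                    "$fw"
}
```

Note that writing to /proc/sys as in the post does not survive a reboot; the sysctl line the script prints belongs in /etc/sysctl.conf (or a file under /etc/sysctl.d/) to make it permanent.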
