Friday, June 18, 2010

dropped connections from iptables

In December 2009, we upgraded the lab's connection to the outside world. We went from a crappy Netgear SOHO router to a cute little no-moving-parts machine I built from a VIA mini-ITX motherboard with two gigabit Ethernet ports and a CompactFlash drive, all housed in an M350 enclosure. It looks like this:



and lives under the floor tiles.

This machine runs Ubuntu Server 9.10 and acts as the lab's NATing firewall. All of this is done with an iptables script. It was a real upgrade, and network performance improved noticeably. Unfortunately, we would occasionally get dropped connections. This was most noticeable when logging in from outside over ssh: after a few seconds the connection would be dropped with the error message "connection reset by peer". It also happened sometimes when downloading large files over HTTP.

After putting up with this for a few months, we spent an afternoon hunting it down. The problem seems to be traceable to a Cisco router in our university that does something it's not supposed to. In short, the Linux TCP/IP iptables/conntrack implementation adheres a little too strictly to standards and was closing a connection when the Cisco router sent it something not completely kosher. Since there was no hope of changing the way the Cisco router works, we found that this little gem takes care of the problem:


echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal


Voila. Problem solved.
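The one-liner above is lost at the next reboot, and it loosens conntrack's TCP window tracking for every connection the firewall sees, so it is worth confirming the diagnosis first. The script below is an added example, not part of the original post or its iptables script: it logs the packets that conntrack flags INVALID (out-of-window segments, the usual cause of this symptom) so you can see them in the kernel log before changing anything, then makes the setting persistent through a sysctl.d drop-in. It assumes a kernel exposing either the newer net.netfilter.nf_conntrack_tcp_be_liberal key or the older net.ipv4.netfilter.ip_conntrack_tcp_be_liberal key used in the post, and root for the apply and logging steps; the drop-in file name is my choice.

```shell
#!/bin/sh
# Added example (not from the original post): confirm, apply and persist the
# conntrack "be liberal" setting. Assumes nf_conntrack/ip_conntrack sysctls
# and root privileges for apply_liberal and log_invalid.

# Pick whichever sysctl key this kernel exposes: the newer nf_conntrack name
# or the older ip_conntrack compatibility name used in the post.
conntrack_liberal_key() {
    for key in net.netfilter.nf_conntrack_tcp_be_liberal \
               net.ipv4.netfilter.ip_conntrack_tcp_be_liberal; do
        if [ -e "/proc/sys/$(echo "$key" | tr . /)" ]; then
            echo "$key"
            return 0
        fi
    done
    return 1
}

# Return success if the given sysctl value file holds "1". Takes the file
# path as an argument so it can be checked against any file, not only /proc.
is_liberal() {
    [ "$(tr -d '[:space:]' < "$1")" = "1" ]
}

# Report the current state of the live setting (0 = strict, 1 = liberal).
show_liberal() {
    key=$(conntrack_liberal_key) || { echo "no conntrack sysctl found" >&2; return 1; }
    path="/proc/sys/$(echo "$key" | tr . /)"
    if is_liberal "$path"; then
        echo "$key is liberal (1)"
    else
        echo "$key is strict (0)"
    fi
}

# Before loosening the tracker, log what conntrack is rejecting. Packets in
# state INVALID are the ones being dropped; rate-limit the log so a burst
# cannot flood syslog. Matches show up in dmesg / kern.log with the prefix.
log_invalid() {
    for chain in INPUT FORWARD; do
        iptables -I "$chain" 1 -m conntrack --ctstate INVALID \
            -m limit --limit 10/min -j LOG --log-prefix "CT_INVALID: "
    done
}

# Apply the setting now and persist it across reboots via a sysctl.d
# drop-in (file name chosen for this example).
apply_liberal() {
    key=$(conntrack_liberal_key) || { echo "no conntrack sysctl found" >&2; return 1; }
    printf '%s = 1\n' "$key" > /etc/sysctl.d/60-conntrack-liberal.conf
    sysctl -w "$key=1"
}

# Usage (as root):
#   . ./conntrack-liberal.sh
#   log_invalid        # watch kern.log for CT_INVALID: lines during an ssh drop
#   apply_liberal      # once the INVALID packets are confirmed as the cause
#   show_liberal       # verify the live value
```

Once the CT_INVALID lines stop appearing after apply_liberal, the setting can stay; if they never appeared during a dropped connection, the cause lies elsewhere and loosening conntrack would only hide the symptom.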
