How long do NAT mappings live for?
I wonder, how long would that table typically last?
These seem to be controlled by the following sysctl keys. Attaching as an example what I have on a machine of mine (never adjusted them, should be the defaults).
> sysctl -a 2>/dev/null | grep ip_conntrack_.*timeout
net.ipv4.netfilter.ip_conntrack_generic_timeout = 600
net.ipv4.netfilter.ip_conntrack_icmp_timeout = 30
net.ipv4.netfilter.ip_conntrack_tcp_timeout_close = 10
net.ipv4.netfilter.ip_conntrack_tcp_timeout_close_wait = 60
net.ipv4.netfilter.ip_conntrack_tcp_timeout_established = 432000
net.ipv4.netfilter.ip_conntrack_tcp_timeout_fin_wait = 120
net.ipv4.netfilter.ip_conntrack_tcp_timeout_last_ack = 30
net.ipv4.netfilter.ip_conntrack_tcp_timeout_max_retrans = 300
net.ipv4.netfilter.ip_conntrack_tcp_timeout_syn_recv = 60
net.ipv4.netfilter.ip_conntrack_tcp_timeout_syn_sent = 120
net.ipv4.netfilter.ip_conntrack_tcp_timeout_syn_sent2 = 120
net.ipv4.netfilter.ip_conntrack_tcp_timeout_time_wait = 120
net.ipv4.netfilter.ip_conntrack_udp_timeout = 30
net.ipv4.netfilter.ip_conntrack_udp_timeout_stream = 180
So for example if I have a protocol that irregularly sends data either way, is there a risk the mapping has gone and the other side sees the connection as closed (gets no Ack)?
Seems like the timeout for established TCP connections is 5 days (432000 seconds). I guess you'll be fine, unless you are using a UDP based protocol.
In Linux, is there a way to see this table?
Yes. Either in /proc/net/nf_conntrack (third column) or using conntrack -L.
Additional resources:
- Iptables Tutorial by Oskar Andreasson (mirror)