Problems getting NOTRACK to do anything at all

Problems getting NOTRACK to do anything at all

[Marcel Laverdet]

For some reason I can't seem to get the NOTRACK iptables rule to do

anything at all. Can anyone make sense of the following session which I

think describes the problem better than words could. The session below was

carried out on a reasonably busy server, and I didn't waste much time in

between each command.





fantasma marcel # iptables-save

# Generated by iptables-save v1.4.2 on Fri Oct  2 07:28:30 2009

*filter

:INPUT ACCEPT [3195003:612499850]

:FORWARD ACCEPT [0:0]

:OUTPUT ACCEPT [2555099:4249706524]

COMMIT

# Completed on Fri Oct  2 07:28:30 2009

# Generated by iptables-save v1.4.2 on Fri Oct  2 07:28:30 2009

*raw

:PREROUTING ACCEPT [3604504:692724983]

:OUTPUT ACCEPT [2885938:4764142471]

COMMIT

# Completed on Fri Oct  2 07:28:30 2009



fantasma marcel # grep '127.0.0.1' /proc/net/ip_conntrack | wc

grep: /proc/net/ip_conntrack: No such file or directory

      0       0       0



fantasma marcel # iptables -t raw -A PREROUTING -i lo -j NOTRACK



fantasma marcel # grep '127.0.0.1' /proc/net/ip_conntrack | wc

grep: /proc/net/ip_conntrack: No such file or directory

      0       0       0



fantasma marcel # modprobe nf_conntrack_ipv4



fantasma marcel # grep '127.0.0.1' /proc/net/ip_conntrack | wc

     74    1405   14295



fantasma marcel # grep '127.0.0.1' /proc/net/ip_conntrack | wc

    178    3381   34425



fantasma marcel # grep '127.0.0.1' /proc/net/ip_conntrack | tail

tcp      6 114 TIME_WAIT src=127.0.0.1 dst=127.0.0.1 sport=44537

dport=11211 packets=9 bytes=1164 src=127.0.0.1 dst=127.0.0.1 sport=11211

dport=44537 packets=8 bytes=948 [ASSURED] mark=0 use=1

tcp      6 113 TIME_WAIT src=127.0.0.1 dst=127.0.0.1 sport=44462

dport=11211 packets=11 bytes=2003 src=127.0.0.1 dst=127.0.0.1 sport=11211

dport=44462 packets=10 bytes=1936 [ASSURED] mark=0 use=1

tcp      6 117 TIME_WAIT src=127.0.0.1 dst=127.0.0.1 sport=44742

dport=11211 packets=8 bytes=477 src=127.0.0.1 dst=127.0.0.1 sport=11211

dport=44742 packets=7 bytes=1535 [ASSURED] mark=0 use=1

tcp      6 115 TIME_WAIT src=127.0.0.1 dst=127.0.0.1 sport=44621

dport=11211 packets=9 bytes=837 src=127.0.0.1 dst=127.0.0.1 sport=11211

dport=44621 packets=8 bytes=621 [ASSURED] mark=0 use=1

tcp      6 119 TIME_WAIT src=127.0.0.1 dst=127.0.0.1 sport=44851

dport=11211 packets=8 bytes=477 src=127.0.0.1 dst=127.0.0.1 sport=11211

dport=44851 packets=7 bytes=1535 [ASSURED] mark=0 use=1

tcp      6 115 TIME_WAIT src=127.0.0.1 dst=127.0.0.1 sport=44599

dport=11211 packets=9 bytes=837 src=127.0.0.1 dst=127.0.0.1 sport=11211

dport=44599 packets=8 bytes=621 [ASSURED] mark=0 use=1

tcp      6 117 TIME_WAIT src=127.0.0.1 dst=127.0.0.1 sport=44714

dport=11211 packets=13 bytes=849 src=127.0.0.1 dst=127.0.0.1 sport=11211

dport=44714 packets=12 bytes=5310 [ASSURED] mark=0 use=1

tcp      6 113 TIME_WAIT src=127.0.0.1 dst=127.0.0.1 sport=44501

dport=11211 packets=12 bytes=5103 src=127.0.0.1 dst=127.0.0.1 sport=11211

dport=44501 packets=12 bytes=39594 [ASSURED] mark=0 use=1

tcp      6 119 TIME_WAIT src=127.0.0.1 dst=127.0.0.1 sport=44865

dport=11211 packets=8 bytes=477 src=127.0.0.1 dst=127.0.0.1 sport=11211

dport=44865 packets=7 bytes=1535 [ASSURED] mark=0 use=1

tcp      6 113 TIME_WAIT src=127.0.0.1 dst=127.0.0.1 sport=44479

dport=11211 packets=9 bytes=1193 src=127.0.0.1 dst=127.0.0.1 sport=11211

dport=44479 packets=8 bytes=977 [ASSURED] mark=0 use=1



fantasma marcel # iptables -t raw -A PREROUTING -s 127.0.0.1 -j NOTRACK



fantasma marcel # grep '127.0.0.1' /proc/net/ip_conntrack | wc

   1698   32261  327594



fantasma marcel # grep '127.0.0.1' /proc/net/ip_conntrack | wc

   1733   32926  334299



fantasma marcel # grep '127.0.0.1' /proc/net/ip_conntrack | wc

   1782   33852  343672





As you can see I've tried NOTRACK'ing both lo and 127.0.0.1 and the rules

just seem to be NOOP's.



Any help would be appreciated. Thanks.

Re: Problems getting NOTRACK to do anything at all

[Pascal Hambourg]

Hello,

Marcel Laverdet a écrit :
> 
> For some reason I can't seem to get the NOTRACK iptables rule to do
> anything at all. Can anyone make sense of the following session which I
> think describes the problem better than words could. The session below was
> carried out on a reasonably busy server, and I didn't waste much time in
> between each command.
[...]
> fantasma marcel # iptables -t raw -A PREROUTING -i lo -j NOTRACK

I guess the raw/PREROUTING chain is too late for local traffic. Locally
generated packets are processed by conntrack in the NF_IP_LOCAL_OUT hook
unless the NOTRACK target was used in the raw/OUTPUT chain.

Try this instead :
iptables -t raw -A OUTPUT -o lo -j NOTRACK

Re: Problems getting NOTRACK to do anything at all

[Marcel Laverdet]

Yes, that was it! This was also the hint I needed to get some more complex
rules setup and now everything is working just the way I want.

Merci!

On Fri, 02 Oct 2009 15:49:43 +0200, Pascal Hambourg
<pascal.mail@plouf.fr.eu.org> wrote:
> Hello,
> 
> Marcel Laverdet a écrit :
>> 
>> For some reason I can't seem to get the NOTRACK iptables rule to do
>> anything at all. Can anyone make sense of the following session which I
>> think describes the problem better than words could. The session below
>> was
>> carried out on a reasonably busy server, and I didn't waste much time
in
>> between each command.
> [...]
>> fantasma marcel # iptables -t raw -A PREROUTING -i lo -j NOTRACK
> 
> I guess the raw/PREROUTING chain is too late for local traffic. Locally
> generated packets are processed by conntrack in the NF_IP_LOCAL_OUT hook
> unless the NOTRACK target was used in the raw/OUTPUT chain.
> 
> Try this instead :
> iptables -t raw -A OUTPUT -o lo -j NOTRACK