Getting rid of the masses of ip_conntrack messages

Getting rid of the masses of ip_conntrack messages

[Othmar Pasteka]

Hello,

I get quite many "ip_conntrack: max number of expected connections 1
of ftp reached for 1.2.3.4->4.3.2.1, reusing" messages. How can I
configure netfilter that he doesn'T show such messages at all?
I am not interested in it and actually don't need/care about
them.
So far i googled a bit but just found that someone else had that
as well, but didn't find an answer :(. Answers are greatly
appreciated.

iptables: 1.2.6a
kernel: 2.4.20

anything else what's needed?

TIA
Othmar

Getting rid of the masses of ip_conntrack messages

[hard__ware]

Please try to give a more detailed info on your setup

like Rules ect . Because i use DNAT / SNAT / with FTP
and  ip_conntrack_ftp & ip_nat_ftp  allot with IPTables
and have never found / seen those messages ? 

maybee thats cuz i dont log much anymore ..

i just drop / reject a Shitload  .. .lol 

let me know how ya go ... 

cyas,
 
Hard__warE

Re: Getting rid of the masses of ip_conntrack messages

[Othmar Pasteka]

hi,

[Btw. what about getting a proper E-Mail client, who does things
like adding a Re: to the subject line and replying to the email
and keep the thread instead of posting a completely new message.]

On Mon, Dec 02, 2002 at 05:07:27AM +1000, hard__ware wrote:
> Please try to give a more detailed info on your setup
> like Rules ect . Because i use DNAT / SNAT / with FTP
> and  ip_conntrack_ftp & ip_nat_ftp  allot with IPTables
> and have never found / seen those messages ? 

ftp server which permits ftp connections from the outside. that's
basically it.
I don't have a log target or sucha thing. it originates from the kernel
but couldn'T find a way yet, like through syslog, to disable it or
log it seperately.
my rule sets look as follows:

:INPUT DROP [1732:89835]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
[0:0] -A INPUT -i eth0 -p udp -m udp --dport 22 -j ACCEPT 
[0:0] -A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT 
[3016:4082458] -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT 
[138:12024] -A INPUT -i lo -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT 
[136:12210] -A INPUT -p icmp -j ACCEPT 
[810:43752] -A INPUT -p tcp -m tcp --dport 20:21 -j ACCEPT 
[12:720] -A INPUT -p tcp -m tcp --dport 873 -j ACCEPT 
[0:0] -A INPUT -p udp -m udp --dport 873 -j ACCEPT 
[0:0] -A INPUT -s 62.116.33.11 -p tcp -m tcp --dport 111 -j ACCEPT 
[0:0] -A INPUT -s 62.116.33.11 -p udp -m udp --dport 111 -j ACCEPT 
[2753:169858] -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT 
[0:0] -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT 


so long
Othmar

RE: Getting rid of the masses of ip_conntrack messages

[Rob Sterenborg]

> So far i googled a bit but just found that someone else had that
> as well, but didn't find an answer :(. Answers are greatly
> appreciated.

Found with google, from :
http://lists.netfilter.org/pipermail/netfilter-devel/2002-March/007320
.html

----
Such message may appear when the FTP client requests a new data
channel without opening the previously requested one.

There is one case, when it happens quite naturally: client sends an
active FTP request, but the server refuses it. Then the client reverts
to passive FTP and repeats the data channel request.

A tcpdump of the FTP command session could help to find out where's
the problem.
----

Did you also find the above explanation ?
It might be the reason you're seeing those messages in your log.


Rob

Re: Getting rid of the masses of ip_conntrack messages

[Othmar Pasteka]

Hi,

On Sun, Dec 01, 2002 at 09:33:46PM +0100, Rob Sterenborg wrote:
> > So far i googled a bit but just found that someone else had that
> > as well, but didn't find an answer :(. Answers are greatly
> > appreciated.
> Found with google, from :
> http://lists.netfilter.org/pipermail/netfilter-devel/2002-March/007320
> .html

Yes, maybe I didn't make myself clear, but here again, how can I
suppress such messages?

so long
Othmar

Getting rid of the masses of ip_conntrack messages

[hard__ware]

I will get a new email / domain when i can afford it ..

anyway...

Ok now you have me sort of confused i thought you had
a Nefilter Gateway ? or maybee you do ? .


So all you really want is a Linux / GNU box setup as a FTP Server for the
Inetrnet /w DoS protection ect , ect.

If this is the case how is this box connected ?

you did say a Default Route existed this could be a gateway on your lan or
the ISP's gateway assigned to
you via DHCP on a WAN Device directly connected to
the Linux FTP box ..

RE: Getting rid of the masses of ip_conntrack messages

[Rob Sterenborg]

> Yes, maybe I didn't make myself clear, but here again, how can I
> suppress such messages?

Sorry, I don't think I can really help you here.

In the kernel source (2.4.20), ip_conntrack_core.c on line 969 says
that this is a KERN_WARNING message.
I guess you could suppress those messages using your syslog.conf, but
I don't think you want that as I think that you will also be *not*
logging these messages from other software.

(I have *not* said the following, and this is *not* the solution :
A really dirty thing what *might* work is to comment out the
printk(...) line and recompile your kernel.
Again you might miss other messages that you do want in your logfile
since the section is talking about "helper" things : there is more
than 1 helper and you may use multiple of 'm.
I can't see what effect it would have if you did this !)


Rob

Getting rid of the masses of ip_conntrack messages

[hard__ware]

have you made sure that the ip_conntrack_ftp module is loaded as well , #>
lsmod

If so the only thing i can suggest is disableing DROP on
your output for a while and remove the output rules.
(set its CHAIN to default of ACCEPT)

did this stop the messages ? other than that im not sure .
ive tried to follow the entire Kernel Source .c kode,
and to me it looks like you may have a problem in your output and maybe
contrack_ftp problems ...

cya...