* NOTRACK not working
From: Dennis J. @ 2010-01-26 18:38 UTC (permalink / raw)
  To: netfilter

Hi,
For a while now I excluded two IPs on my firewall from connection tracking 
which works very well. Now I tried adding another IP but that doesn't seem 
to work. I added the following rules:

iptables -t raw -A PREROUTING -s 192.168.10.10 -j NOTRACK
iptables -t raw -A PREROUTING -d 192.168.10.10 -j NOTRACK

Yet when I look in /proc/net/ip_conntrack I still see 192.168.10.10 using 
up most of the entries.
Is there something else that needs to be done to exclude this IP completely 
from the connection tracking table?

Regards,
   Dennis


* Re: NOTRACK not working
From: Покотиленко Костик @ 2010-01-26 18:49 UTC (permalink / raw)
  To: Dennis J.; +Cc: netfilter

On Tue, 26/01/2010 at 19:38 +0100, Dennis J. wrote:
> Hi,
> For a while now I excluded two IPs on my firewall from connection tracking 
> which works very well. Now I tried adding another IP but that doesn't seem 
> to work. I added the following rules:
> 
> iptables -t raw -A PREROUTING -s 192.168.10.10 -j NOTRACK
> iptables -t raw -A PREROUTING -d 192.168.10.10 -j NOTRACK
> 
> Yet when I look in /proc/net/ip_conntrack I still see 192.168.10.10 using 
> up most of the entries.
> Is there something else that needs to be done to exclude this IP completely 
> from the connection tracking table?

Probably conntrack has seen packets from this IP before you added those
rules, they will remain until connection is "closed" and/or timeout
occurs. Quick hack is to do "conntrack -F; conntrack -F expect".

-- 
Покотиленко Костик <casper@meteor.dp.ua>



* Re: NOTRACK not working
From: Jozsef Kadlecsik @ 2010-01-26 18:57 UTC (permalink / raw)
  To: Dennis J.; +Cc: netfilter

On Tue, 26 Jan 2010, Dennis J. wrote:

> For a while now I excluded two IPs on my firewall from connection tracking
> which works very well. Now I tried adding another IP but that doesn't seem to
> work. I added the following rules:
> 
> iptables -t raw -A PREROUTING -s 192.168.10.10 -j NOTRACK
> iptables -t raw -A PREROUTING -d 192.168.10.10 -j NOTRACK
> 
> Yet when I look in /proc/net/ip_conntrack I still see 192.168.10.10 using up
> most of the entries.

Did you add those rules to a running system? Then you see the already 
existing connections in /proc/net/ip_conntrack.

The NOTRACK target does not terminate existing connections.

Best regards,
Jozsef
-
E-mail  : kadlec@blackhole.kfki.hu, kadlec@mail.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary


* RE: NOTRACK not working
From: Steven Kath @ 2010-01-26 19:01 UTC (permalink / raw)
  To: 'Dennis J.', netfilter



> For a while now I excluded two IPs on my firewall from connection tracking
> which works very well. Now I tried adding another IP but that doesn't seem
> to work. I added the following rules:
> 
> iptables -t raw -A PREROUTING -s 192.168.10.10 -j NOTRACK
> iptables -t raw -A PREROUTING -d 192.168.10.10 -j NOTRACK
> 
> Yet when I look in /proc/net/ip_conntrack I still see 192.168.10.10 using
> up most of the entries.

Are the counters for your new rules incrementing?  Are you sure you're not
looking at entries remaining in the conntrack table from before you
applied the new rules?  

Perhaps new conntrack entries are no longer being created, but the old
ones remain.  I believe that the entries present before you added your
rule will not time out if the traffic persists.  

If so, and you have the conntrack-tools package available, you can use the
conntrack command to manually purge the undesired entries.  You could also
flush the table by removing and re-inserting any conntrack-related
modules, which would be a bit more disruptive. 

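A shell helper, added here and not part of the thread, that applies the diagnosis given by Jozsef and Steven above: it counts the conntrack entries naming a host and checks whether the raw-table NOTRACK rules for that host have counted any packets, then says whether the remaining entries are leftovers from before the rule or whether the rule is not being hit at all. The `RAW_RULES` and `CONNTRACK` strings are constructed sample text standing in for `iptables -t raw -L PREROUTING -v -n -x` and `/proc/net/ip_conntrack`; the three function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread: tell "NOTRACK rule is not being hit"
# apart from "the rule works, these entries predate it".
# Constructed sample text stands in for the live output of
#   iptables -t raw -L PREROUTING -v -n -x   and   cat /proc/net/ip_conntrack

# Constructed: two NOTRACK rules with non-zero packet counters (rule is hit).
RAW_RULES='    pkts      bytes target     prot opt in     out     source               destination
    1500   120000 NOTRACK    all  --  *      *       192.168.10.10        0.0.0.0/0
    1490   118000 NOTRACK    all  --  *      *       0.0.0.0/0            192.168.10.10'

# Constructed: two entries still involve 192.168.10.10, one does not.
CONNTRACK='tcp      6 431999 ESTABLISHED src=192.168.10.10 dst=10.0.0.5 sport=51234 dport=80 packets=12 bytes=3000 src=10.0.0.5 dst=192.168.10.10 sport=80 dport=51234 packets=10 bytes=5000 [ASSURED] mark=0 use=2
udp      17 29 src=192.168.10.10 dst=10.0.0.53 sport=40000 dport=53 packets=1 bytes=60 src=10.0.0.53 dst=192.168.10.10 sport=53 dport=40000 packets=1 bytes=120 mark=0 use=2
tcp      6 120 TIME_WAIT src=10.0.0.9 dst=10.0.0.5 sport=1234 dport=22 packets=5 bytes=400 src=10.0.0.5 dst=10.0.0.9 sport=22 dport=1234 packets=4 bytes=300 [ASSURED] mark=0 use=2'

# count_entries IP CONNTRACK_TEXT: conntrack lines naming IP as src= or dst=.
count_entries() {
    printf '%s\n' "$2" | awk -v ip="$1" 'index($0, "=" ip " ") { n++ } END { print n + 0 }'
}

# notrack_pkts IP RAW_RULES_TEXT: packets counted by NOTRACK rules whose source
# or destination column is IP (columns: pkts bytes target prot opt in out src dst).
notrack_pkts() {
    printf '%s\n' "$2" | awk -v ip="$1" \
        '$3 == "NOTRACK" && ($8 == ip || $9 == ip) { s += $1 } END { print s + 0 }'
}

# verdict IP CONNTRACK_TEXT RAW_RULES_TEXT
#   clean         no entries for IP, nothing to do
#   stale         NOTRACK is hit but entries remain: they predate the rule and
#                 only go away on timeout or an explicit flush (conntrack -F)
#   rule-not-hit  entries exist and the rule has never matched: check the raw
#                 table and rule order before flushing anything
verdict() {
    n=$(count_entries "$1" "$2")
    p=$(notrack_pkts "$1" "$3")
    if [ "$n" -eq 0 ]; then
        echo clean
    elif [ "$p" -gt 0 ]; then
        echo stale
    else
        echo rule-not-hit
    fi
}

verdict 192.168.10.10 "$CONNTRACK" "$RAW_RULES"
```

On a live box, replace the two sample strings with `$(iptables -t raw -L PREROUTING -v -n -x)` and `$(cat /proc/net/ip_conntrack)` (or `conntrack -L` output) and run the verdict before deciding on a flush.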

* Re: NOTRACK not working
From: Dennis J. @ 2010-01-26 20:15 UTC (permalink / raw)
  To: Покотиленко Костик
  Cc: netfilter

On 01/26/2010 07:49 PM, Покотиленко Костик wrote:
> On Tue, 26/01/2010 at 19:38 +0100, Dennis J. wrote:
>> Hi,
>> For a while now I excluded two IPs on my firewall from connection tracking
>> which works very well. Now I tried adding another IP but that doesn't seem
>> to work. I added the following rules:
>>
>> iptables -t raw -A PREROUTING -s 192.168.10.10 -j NOTRACK
>> iptables -t raw -A PREROUTING -d 192.168.10.10 -j NOTRACK
>>
>> Yet when I look in /proc/net/ip_conntrack I still see 192.168.10.10 using
>> up most of the entries.
>> Is there something else that needs to be done to exclude this IP completely
>> from the connection tracking table?
>
> Probably conntrack has seen packets from this IP before you added those
> rules, they will remain until connection is "closed" and/or timeout
> occurs. Quick hack is to do "conntrack -F; conntrack -F expect".
>

Makes sense. Where can I find the conntrack command? This is a regular 
centos 5 system but I can't find any packages that contain this command.

Regards,
   Dennis


* Re: NOTRACK not working
From: Покотиленко Костик @ 2010-01-26 20:35 UTC (permalink / raw)
  To: Dennis J.; +Cc: netfilter

On Tue, 26/01/2010 at 21:15 +0100, Dennis J. wrote:
> On 01/26/2010 07:49 PM, Покотиленко Костик wrote:
> > On Tue, 26/01/2010 at 19:38 +0100, Dennis J. wrote:
> >> Hi,
> >> For a while now I excluded two IPs on my firewall from connection tracking
> >> which works very well. Now I tried adding another IP but that doesn't seem
> >> to work. I added the following rules:
> >>
> >> iptables -t raw -A PREROUTING -s 192.168.10.10 -j NOTRACK
> >> iptables -t raw -A PREROUTING -d 192.168.10.10 -j NOTRACK
> >>
> >> Yet when I look in /proc/net/ip_conntrack I still see 192.168.10.10 using
> >> up most of the entries.
> >> Is there something else that needs to be done to exclude this IP completely
> >> from the connection tracking table?
> >
> > Probably conntrack has seen packets from this IP before you added those
> > rules, they will remain until connection is "closed" and/or timeout
> > occurs. Quick hack is to do "conntrack -F; conntrack -F expect".
> >
> 
> Makes sense. Where can I find the conntrack command? This is a regular 
> centos 5 system but I can't find any packages that contain this command.

In Debian this is in "conntrack" package. I'm not centos user, but you
will probably find a way to see which package contains a certain file on
centos website.

-- 
Покотиленко Костик <casper@meteor.dp.ua>



* Re: NOTRACK not working
From: Покотиленко Костик @ 2010-01-26 20:43 UTC (permalink / raw)
  To: Dennis J.; +Cc: netfilter

On Tue, 26/01/2010 at 21:15 +0100, Dennis J. wrote:
> On 01/26/2010 07:49 PM, Покотиленко Костик wrote:
> > On Tue, 26/01/2010 at 19:38 +0100, Dennis J. wrote:
> >> Hi,
> >> For a while now I excluded two IPs on my firewall from connection tracking
> >> which works very well. Now I tried adding another IP but that doesn't seem
> >> to work. I added the following rules:
> >>
> >> iptables -t raw -A PREROUTING -s 192.168.10.10 -j NOTRACK
> >> iptables -t raw -A PREROUTING -d 192.168.10.10 -j NOTRACK
> >>
> >> Yet when I look in /proc/net/ip_conntrack I still see 192.168.10.10 using
> >> up most of the entries.
> >> Is there something else that needs to be done to exclude this IP completely
> >> from the connection tracking table?
> >
> > Probably conntrack has seen packets from this IP before you added those
> > rules, they will remain until connection is "closed" and/or timeout
> > occurs. Quick hack is to do "conntrack -F; conntrack -F expect".
> >
> 
> Makes sense. Where can I find the conntrack command? This is a regular 
> centos 5 system but I can't find any packages that contain this command.

In Debian it is in "conntrack" package. I'm not centos user, but you'll
probably find a way to see what package contains given file on centos
website.

-- 
Покотиленко Костик <casper@meteor.dp.ua>



* Re: NOTRACK not working
From: Dennis J. @ 2010-01-27 15:47 UTC (permalink / raw)
  To: Покотиленко Костик
  Cc: netfilter

On 01/26/2010 09:35 PM, Покотиленко Костик wrote:
> On Tue, 26/01/2010 at 21:15 +0100, Dennis J. wrote:
>> On 01/26/2010 07:49 PM, Покотиленко Костик wrote:
>>> On Tue, 26/01/2010 at 19:38 +0100, Dennis J. wrote:
>>>> Hi,
>>>> For a while now I excluded two IPs on my firewall from connection tracking
>>>> which works very well. Now I tried adding another IP but that doesn't seem
>>>> to work. I added the following rules:
>>>>
>>>> iptables -t raw -A PREROUTING -s 192.168.10.10 -j NOTRACK
>>>> iptables -t raw -A PREROUTING -d 192.168.10.10 -j NOTRACK
>>>>
>>>> Yet when I look in /proc/net/ip_conntrack I still see 192.168.10.10 using
>>>> up most of the entries.
>>>> Is there something else that needs to be done to exclude this IP completely
>>>> from the connection tracking table?
>>>
>>> Probably conntrack has seen packets from this IP before you added those
>>> rules, they will remain until connection is "closed" and/or timeout
>>> occurs. Quick hack is to do "conntrack -F; conntrack -F expect".
>>>
>>
>> Makes sense. Where can I find the conntrack command? This is a regular
>> centos 5 system but I can't find any packages that contain this command.
>
> In Debian this is in "conntrack" package. I'm not centos user, but you
> will probably find a way to see which package contains a certain file on
> centos website.
>

I didn't find the required packages but rebuilding them from the fedora 
versions was easy. After installing I was able to clear the table as 
described. Thanks!

Regards,
   Dennis

