* NOTRACK not working
@ 2010-01-26 18:38 Dennis J.
2010-01-26 18:49 ` Покотиленко Костик
` (2 more replies)
0 siblings, 3 replies; 8+ messages in thread
From: Dennis J. @ 2010-01-26 18:38 UTC (permalink / raw)
To: netfilter
Hi,
For a while now I excluded two IPs on my firewall from connection tracking
which works very well. Now I tried adding another IP but that doesn't seem
to work. I added the following rules:
iptables -t raw -A PREROUTING -s 192.168.10.10 -j NOTRACK
iptables -t raw -A PREROUTING -d 192.168.10.10 -j NOTRACK
Yet when I look in /proc/net/ip_conntrack I still see 192.168.10.10 using
up most of the entries.
Is there something else that needs to be done to exclude this IP completely
from the connection tracking table?
Regards,
Dennis
^ permalink raw reply [flat|nested] 8+ messages in thread* Re: NOTRACK not working
2010-01-26 18:38 NOTRACK not working Dennis J.
@ 2010-01-26 18:49 ` Покотиленко Костик
2010-01-26 20:15 ` Dennis J.
2010-01-26 18:57 ` Jozsef Kadlecsik
2010-01-26 19:01 ` Steven Kath
2 siblings, 1 reply; 8+ messages in thread
From: Покотиленко Костик @ 2010-01-26 18:49 UTC (permalink / raw)
To: Dennis J.; +Cc: netfilter
В Вто, 26/01/2010 в 19:38 +0100, Dennis J. пишет:
> Hi,
> For a while now I excluded two IPs on my firewall from connection tracking
> which works very well. Now I tried adding another IP but that doesn't seem
> to work. I added the following rules:
>
> iptables -t raw -A PREROUTING -s 192.168.10.10 -j NOTRACK
> iptables -t raw -A PREROUTING -d 192.168.10.10 -j NOTRACK
>
> Yet when I look in /proc/net/ip_conntrack I still see 192.168.10.10 using
> up most of the entries.
> Is there something else that needs to be done to exclude this IP completely
> from the connection tracking table?
Probably conntrack has seen packets from this IP before you added those
rules, they will remain until connection is "closed" and/or timeout
occurs. Quick hack is to do "conntrack -F; conntrack -F expect".
--
Покотиленко Костик <casper@meteor.dp.ua>
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: NOTRACK not working
2010-01-26 18:49 ` Покотиленко Костик
@ 2010-01-26 20:15 ` Dennis J.
2010-01-26 20:35 ` Покотиленко Костик
2010-01-26 20:43 ` Покотиленко Костик
0 siblings, 2 replies; 8+ messages in thread
From: Dennis J. @ 2010-01-26 20:15 UTC (permalink / raw)
To: Покотиленко Костик
Cc: netfilter
On 01/26/2010 07:49 PM, Покотиленко Костик wrote:
> В Вто, 26/01/2010 в 19:38 +0100, Dennis J. пишет:
>> Hi,
>> For a while now I excluded two IPs on my firewall from connection tracking
>> which works very well. Now I tried adding another IP but that doesn't seem
>> to work. I added the following rules:
>>
>> iptables -t raw -A PREROUTING -s 192.168.10.10 -j NOTRACK
>> iptables -t raw -A PREROUTING -d 192.168.10.10 -j NOTRACK
>>
>> Yet when I look in /proc/net/ip_conntrack I still see 192.168.10.10 using
>> up most of the entries.
>> Is there something else that needs to be done to exclude this IP completely
>> from the connection tracking table?
>
> Probably conntrack has seen packets from this IP before you added those
> rules, they will remain until connection is "closed" and/or timeout
> occurs. Quick hack is to do "conntrack -F; conntrack -F expect".
>
Makes sense. Where can I find the conntrack command? This is a regular
centos 5 system but I can't find any packages that contain this command.
Regards,
Dennis
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: NOTRACK not working
2010-01-26 20:15 ` Dennis J.
@ 2010-01-26 20:35 ` Покотиленко Костик
2010-01-27 15:47 ` Dennis J.
2010-01-26 20:43 ` Покотиленко Костик
1 sibling, 1 reply; 8+ messages in thread
From: Покотиленко Костик @ 2010-01-26 20:35 UTC (permalink / raw)
To: Dennis J.; +Cc: netfilter
В Вто, 26/01/2010 в 21:15 +0100, Dennis J. пишет:
> On 01/26/2010 07:49 PM, Покотиленко Костик wrote:
> > В Вто, 26/01/2010 в 19:38 +0100, Dennis J. пишет:
> >> Hi,
> >> For a while now I excluded two IPs on my firewall from connection tracking
> >> which works very well. Now I tried adding another IP but that doesn't seem
> >> to work. I added the following rules:
> >>
> >> iptables -t raw -A PREROUTING -s 192.168.10.10 -j NOTRACK
> >> iptables -t raw -A PREROUTING -d 192.168.10.10 -j NOTRACK
> >>
> >> Yet when I look in /proc/net/ip_conntrack I still see 192.168.10.10 using
> >> up most of the entries.
> >> Is there something else that needs to be done to exclude this IP completely
> >> from the connection tracking table?
> >
> > Probably conntrack has seen packets from this IP before you added those
> > rules, they will remain until connection is "closed" and/or timeout
> > occurs. Quick hack is to do "conntrack -F; conntrack -F expect".
> >
>
> Makes sense. Where can I find the conntrack command? This is a regular
> centos 5 system but I can't find any packages that contain this command.
In Debian this is in "conntrack" package. I'm not centos user, but you
will propably find a way to see which package contains a certain file on
centos website.
--
Покотиленко Костик <casper@meteor.dp.ua>
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: NOTRACK not working
2010-01-26 20:35 ` Покотиленко Костик
@ 2010-01-27 15:47 ` Dennis J.
0 siblings, 0 replies; 8+ messages in thread
From: Dennis J. @ 2010-01-27 15:47 UTC (permalink / raw)
To: Покотиленко Костик
Cc: netfilter
On 01/26/2010 09:35 PM, Покотиленко Костик wrote:
> В Вто, 26/01/2010 в 21:15 +0100, Dennis J. пишет:
>> On 01/26/2010 07:49 PM, Покотиленко Костик wrote:
>>> В Вто, 26/01/2010 в 19:38 +0100, Dennis J. пишет:
>>>> Hi,
>>>> For a while now I excluded two IPs on my firewall from connection tracking
>>>> which works very well. Now I tried adding another IP but that doesn't seem
>>>> to work. I added the following rules:
>>>>
>>>> iptables -t raw -A PREROUTING -s 192.168.10.10 -j NOTRACK
>>>> iptables -t raw -A PREROUTING -d 192.168.10.10 -j NOTRACK
>>>>
>>>> Yet when I look in /proc/net/ip_conntrack I still see 192.168.10.10 using
>>>> up most of the entries.
>>>> Is there something else that needs to be done to exclude this IP completely
>>>> from the connection tracking table?
>>>
>>> Probably conntrack has seen packets from this IP before you added those
>>> rules, they will remain until connection is "closed" and/or timeout
>>> occurs. Quick hack is to do "conntrack -F; conntrack -F expect".
>>>
>>
>> Makes sense. Where can I find the conntrack command? This is a regular
>> centos 5 system but I can't find any packages that contain this command.
>
> In Debian this is in "conntrack" package. I'm not centos user, but you
> will propably find a way to see which package contains a certain file on
> centos website.
>
I didn't find the required packages but rebuilding them from the fedora
versions was easy. After installing I was able to clear the table as
described. Thanks!
Regards,
Dennis
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: NOTRACK not working
2010-01-26 20:15 ` Dennis J.
2010-01-26 20:35 ` Покотиленко Костик
@ 2010-01-26 20:43 ` Покотиленко Костик
1 sibling, 0 replies; 8+ messages in thread
From: Покотиленко Костик @ 2010-01-26 20:43 UTC (permalink / raw)
To: Dennis J.; +Cc: netfilter
В Вто, 26/01/2010 в 21:15 +0100, Dennis J. пишет:
> On 01/26/2010 07:49 PM, Покотиленко Костик wrote:
> > В Вто, 26/01/2010 в 19:38 +0100, Dennis J. пишет:
> >> Hi,
> >> For a while now I excluded two IPs on my firewall from connection tracking
> >> which works very well. Now I tried adding another IP but that doesn't seem
> >> to work. I added the following rules:
> >>
> >> iptables -t raw -A PREROUTING -s 192.168.10.10 -j NOTRACK
> >> iptables -t raw -A PREROUTING -d 192.168.10.10 -j NOTRACK
> >>
> >> Yet when I look in /proc/net/ip_conntrack I still see 192.168.10.10 using
> >> up most of the entries.
> >> Is there something else that needs to be done to exclude this IP completely
> >> from the connection tracking table?
> >
> > Probably conntrack has seen packets from this IP before you added those
> > rules, they will remain until connection is "closed" and/or timeout
> > occurs. Quick hack is to do "conntrack -F; conntrack -F expect".
> >
>
> Makes sense. Where can I find the conntrack command? This is a regular
> centos 5 system but I can't find any packages that contain this command.
In Debian it is in "contrack" package. I'm not centos user, but you'll
probably find a way to see what package contains given file on centos
website.
--
Покотиленко Костик <casper@meteor.dp.ua>
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: NOTRACK not working
2010-01-26 18:38 NOTRACK not working Dennis J.
2010-01-26 18:49 ` Покотиленко Костик
@ 2010-01-26 18:57 ` Jozsef Kadlecsik
2010-01-26 19:01 ` Steven Kath
2 siblings, 0 replies; 8+ messages in thread
From: Jozsef Kadlecsik @ 2010-01-26 18:57 UTC (permalink / raw)
To: Dennis J.; +Cc: netfilter
On Tue, 26 Jan 2010, Dennis J. wrote:
> For a while now I excluded two IPs on my firewall from connection tracking
> which works very well. Now I tried adding another IP but that doesn't seem to
> work. I added the following rules:
>
> iptables -t raw -A PREROUTING -s 192.168.10.10 -j NOTRACK
> iptables -t raw -A PREROUTING -d 192.168.10.10 -j NOTRACK
>
> Yet when I look in /proc/net/ip_conntrack I still see 192.168.10.10 using up
> most of the entries.
Did you add those rules to a running system? Then you see the already
existing connections in /proc/net/ip_conntrack.
The NOTRACK target does not terminate existing connections.
Best regards,
Jozsef
-
E-mail : kadlec@blackhole.kfki.hu, kadlec@mail.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
H-1525 Budapest 114, POB. 49, Hungary
^ permalink raw reply [flat|nested] 8+ messages in thread* RE: NOTRACK not working
2010-01-26 18:38 NOTRACK not working Dennis J.
2010-01-26 18:49 ` Покотиленко Костик
2010-01-26 18:57 ` Jozsef Kadlecsik
@ 2010-01-26 19:01 ` Steven Kath
2 siblings, 0 replies; 8+ messages in thread
From: Steven Kath @ 2010-01-26 19:01 UTC (permalink / raw)
To: 'Dennis J.', netfilter
> For a while now I excluded two IPs on my firewall from connection
tracking
> which works very well. Now I tried adding another IP but that doesn't
seem
> to work. I added the following rules:
>
> iptables -t raw -A PREROUTING -s 192.168.10.10 -j NOTRACK
> iptables -t raw -A PREROUTING -d 192.168.10.10 -j NOTRACK
>
> Yet when I look in /proc/net/ip_conntrack I still see 192.168.10.10
using
> up most of the entries.
Are the counters for your new rules incrementing? Are you sure you're not
looking at entries remaining in the conntrack table from before you
applied the new rules?
Perhaps new conntrack entries are no longer being created, but the old
ones remain. I believe that the entries present before you added your
rule will not time out if the traffic persists.
If so, and you have the conntrack-tools package available, you can use the
conntrack command to manually purge the undesired entries. You could also
flush the table by removing and re-inserting any conntrack-related
modules, which would be a bit more disruptive.
^ permalink raw reply [flat|nested] 8+ messages in thread
end of thread, other threads:[~2010-01-27 15:47 UTC | newest]
Thread overview: 8+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2010-01-26 18:38 NOTRACK not working Dennis J.
2010-01-26 18:49 ` Покотиленко Костик
2010-01-26 20:15 ` Dennis J.
2010-01-26 20:35 ` Покотиленко Костик
2010-01-27 15:47 ` Dennis J.
2010-01-26 20:43 ` Покотиленко Костик
2010-01-26 18:57 ` Jozsef Kadlecsik
2010-01-26 19:01 ` Steven Kath
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.