* conntrack not working in raw table
@ 2013-11-11 7:20 Husnu Demir
2013-11-11 7:32 ` Husnu Demir
2013-11-11 8:54 ` Pascal Hambourg
0 siblings, 2 replies; 3+ messages in thread
From: Husnu Demir @ 2013-11-11 7:20 UTC (permalink / raw)
To: netfilter
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi,
I tried to wrote a conntrack rule for raw table.
- ------------------------------------------------
..
..
DNSTOP='10.10.1.1 10.11.1.1 10.199.10.1'
$IPSET create DNSTOP hash:net,iface family inet hashsize 1024 maxelem
65536
$IPSET add DNSTOP 10.0.0.0/8,vlan1
$IPSET add DNSTOP 10.0.0.0/8,vlan2
for i in $DNSTOP
do
$IPSET add DNSTOP $i,vlan1 nomatch
$IPSET add DNSTOP $i,vlan2 nomatch
done
$IPTABLES -t raw -A PREROUTING -m set --match-set DNSTOP dst,src -p
udp -m udp --dport 53 -m conntrack --ctstate NEW -j STOPDNS
..
..
num pkts bytes target prot opt in out source
destination
1 0 0 udp -- * * 0.0.0.0/0
0.0.0.0/0 match-set DNSTOP dst,src udp dpt:53 ctstate NEW
- ----------------------------------------------------
Simply, this will stop all NEW DNS querry coming from vlan1 and vlan2
except added IPs to $DNSTOP.
But, raw table cannot see the conntrack. I think it should be
understand from the conntrack table but I could not find any reference
in MAN of iptables(-extentions) about conntrack and raw table and it
gave no error. Simply not worked. It would be better to give an error
or put a reminder on MAN pages.
Best regards,
Husnu Demir.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
iQEcBAEBAgAGBQJSgIVFAAoJEISpBAM51qlER0sIAJC/jvVVQDlnQdYOkVp8oJqd
sPA74Giq4QDy+5kt5MmfnMF95364vICgSpbG5XGTJNJlK+OWqayt3DEosIuqrZUp
i+FlnZlVQohFX9fZ6Ik2Hv2xAAYSTuarfqlFmGTj1c+IFymmbfLt87AX31mI0Emn
Jc5vfEpx6BGk2vpZg+uUTVhXCAkrJ583BogwdDg8B4pycxEeSIA+VECAfmQ4vLoQ
VJLXrlhQI+5+/onQrRtYYzdjynT6HyoctKNYXKAvZj5zBth6YoOSSI7ZIgciOZz4
8MmNKq+r2LcSAWH/zgUtDjJUZhj3TrMqB/e0TuKdDJq7zEb4+DahskGMIGUUqxY=
=zJc5
-----END PGP SIGNATURE-----
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: conntrack not working in raw table
2013-11-11 7:20 conntrack not working in raw table Husnu Demir
@ 2013-11-11 7:32 ` Husnu Demir
2013-11-11 8:54 ` Pascal Hambourg
1 sibling, 0 replies; 3+ messages in thread
From: Husnu Demir @ 2013-11-11 7:32 UTC (permalink / raw)
To: netfilter
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Sorry I forgot to add;
uname -a
Linux neml 3.8.7 #2 SMP Mon Apr 15 14:09:02 EEST 2013 x86_64 GNU/Linux
Thanks.
hdemir.
On 11-11-2013 09:20, Husnu Demir wrote:
> Hi,
>
>
> I tried to wrote a conntrack rule for raw table.
>
> ------------------------------------------------ .. ..
> DNSTOP='10.10.1.1 10.11.1.1 10.199.10.1'
>
> $IPSET create DNSTOP hash:net,iface family inet hashsize 1024
> maxelem 65536
>
> $IPSET add DNSTOP 10.0.0.0/8,vlan1 $IPSET add DNSTOP
> 10.0.0.0/8,vlan2
>
> for i in $DNSTOP do $IPSET add DNSTOP $i,vlan1 nomatch $IPSET add
> DNSTOP $i,vlan2 nomatch done
>
> $IPTABLES -t raw -A PREROUTING -m set --match-set DNSTOP dst,src
> -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j STOPDNS ..
> ..
>
> num pkts bytes target prot opt in out source
> destination 1 0 0 udp -- * *
> 0.0.0.0/0 0.0.0.0/0 match-set DNSTOP dst,src udp dpt:53
> ctstate NEW
>
> ----------------------------------------------------
>
> Simply, this will stop all NEW DNS querry coming from vlan1 and
> vlan2 except added IPs to $DNSTOP.
>
> But, raw table cannot see the conntrack. I think it should be
> understand from the conntrack table but I could not find any
> reference in MAN of iptables(-extentions) about conntrack and raw
> table and it gave no error. Simply not worked. It would be better
> to give an error or put a reminder on MAN pages.
>
>
> Best regards,
>
> Husnu Demir. -- To unsubscribe from this list: send the line
> "unsubscribe netfilter" in the body of a message to
> majordomo@vger.kernel.org More majordomo info at
> http://vger.kernel.org/majordomo-info.html
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
iQEcBAEBAgAGBQJSgIgWAAoJEISpBAM51qlEOXgIANeZAsSxkECha//cTDDxqIjX
vXy12dW110Ditcz9ibXDkhirRijk1blzYgOSfzh5fqEoJ4WP6YNv6kPrmAxW0QGO
P1ipfed4l6xx5f7RG9I8RymyQpItArdX8E3AavQgLH/ubGapRzDLwqUxEawboAXt
9D4RQEqQA6+bI8UPWpZE+6YKTKw2fpL9SdToaF+XRem6B5LZqVhlXFInaraEgvBC
DEy+ohJrsBdtICUKjlyFloqLQcRJduEqPU+00uPRxy3/y1/7yZ0LXU1oqwOSMHCP
L0Q1yu5i5frgRD/R62yKPwWATrHoEAVgNLufRrikTLv8cPtd/OsjnHK8x5++v1A=
=b8ZZ
-----END PGP SIGNATURE-----
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: conntrack not working in raw table
2013-11-11 7:20 conntrack not working in raw table Husnu Demir
2013-11-11 7:32 ` Husnu Demir
@ 2013-11-11 8:54 ` Pascal Hambourg
1 sibling, 0 replies; 3+ messages in thread
From: Pascal Hambourg @ 2013-11-11 8:54 UTC (permalink / raw)
To: hdemir; +Cc: netfilter
Husnu Demir a écrit :
>
> But, raw table cannot see the conntrack.
And vice versa. This is precisely its main purpose.
> I could not find any reference
> in MAN of iptables(-extentions) about conntrack and raw table
Really ? Maybe you missed that quote from the iptables manpage :
raw:
This table is used mainly for configuring exemptions from
connection tracking in combination with the NOTRACK target.
It registers at the netfilter hooks with higher priority and
is thus called before ip_conntrack, or any other IP tables.
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2013-11-11 8:54 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2013-11-11 7:20 conntrack not working in raw table Husnu Demir
2013-11-11 7:32 ` Husnu Demir
2013-11-11 8:54 ` Pascal Hambourg
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.