RE: connection tracking without iptables?

RE: connection tracking without iptables?

[Daniel Chemko]

Jiann-Ming Su wrote:
> This is probably a dumb question, but is it possible to track
> connections without iptables/netfilter?

Yeah, use libpcap and parse it out yourself! (snicker)

Exactly what are you looking for and why? A good chunk of netfilter is
*just* connection tracking. What do you expect to get out of just
conntrack?

Re: connection tracking without iptables?

[Jiann-Ming Su]

On Wed, 29 Sep 2004 14:22:41 -0700, Daniel Chemko <dchemko@smgtec.com> wrote:
> Jiann-Ming Su wrote:
> > This is probably a dumb question, but is it possible to track
> > connections without iptables/netfilter?
> 
> Yeah, use libpcap and parse it out yourself! (snicker)
> 
> Exactly what are you looking for and why? A good chunk of netfilter is
> *just* connection tracking. What do you expect to get out of just
> conntrack?
> 

Just trying to get an idea of the type and amount of traffic passing
through a subnet.  I've done this before with tcpdump, but that
required an external parsing program to reconstitute all the
connections from the tcpdump capture.

-- 
Jiann-Ming Su
"I have to decide between two equally frightening options.  
                                            If I wanted to do that,
I'd vote." --Duckman

RE: connection tracking without iptables?

[Daniel Chemko]

> Another thing I'm interested in is the total number of current
> connections.  Does /proc/net/ip_conntrack provide this info?  I've
> taken my iptables firewall offline,  and I would expect
> /proc/net/ip_conntrack to show very few connections, but it seems to
> still have quite a bit of historical connections left in it.

/proc/net/ip_conntrack lists all the connections the firewall is
involved with and all traffic that flows through the firewall. If you've
got a lot of active sessions, you may need to filter down the number of
entries you are using. Active sessions always use the ESTABLISHED state
value, so you may just have a lot of CLOSE_WAIT's around. They may be
relevent if you have TOO many closed states. When I first applied the
tcp_window patches to netfilter, I saw thousands of close_waits.

Ex:
cat /proc/net/ip_conntrack | wc -l                   
    598
cat /proc/net/ip_conntrack | grep ESTABLISHED | wc -l
    362
cat /proc/net/ip_conntrack | grep ESTABLISHED | grep dport=25 | wc -l
      7
cat /proc/net/ip_conntrack | grep ESTABLISHED | grep dport=80 | wc -l  
    211

RE: connection tracking without iptables?

[Daniel Chemko]

> Just trying to get an idea of the type and amount of traffic passing
> through a subnet.  I've done this before with tcpdump, but that
> required an external parsing program to reconstitute all the
> connections from the tcpdump capture.

The way I track this kind of information is from netfilter/iptables.

In the PREROUTING and POSTROUTING chains, you implement 'null' targets
to add an internal netfilter counter to the packet stream.

# Detect all outgoing web traffic from that subnet
iptables -t mangle -A PREROUTING --source ${mynet}/${mymask} -p tcp
--dport 80 
# Return Traffic
iptables -t mangle -A PREROUTING --destination ${mynet}/${mymask} -p tcp
--sport 80

You may find this a little kludgy. I guess it is. The other alternative
is to use IP accounting packages which are pre-built to do this stuff.
You may find http://www.ntop.org/ntop.html or http://www.cacti.net/
useful if you don't feel like doing it yourself.

RE: connection tracking without iptables?

[Jason Opperisano]

On Thu, 2004-09-30 at 14:19, Daniel Chemko wrote:
> > Just trying to get an idea of the type and amount of traffic passing
> > through a subnet.  I've done this before with tcpdump, but that
> > required an external parsing program to reconstitute all the
> > connections from the tcpdump capture.
> 
> The way I track this kind of information is from netfilter/iptables.
> 
> In the PREROUTING and POSTROUTING chains, you implement 'null' targets
> to add an internal netfilter counter to the packet stream.
> 
> # Detect all outgoing web traffic from that subnet
> iptables -t mangle -A PREROUTING --source ${mynet}/${mymask} -p tcp
> --dport 80 
> # Return Traffic
> iptables -t mangle -A PREROUTING --destination ${mynet}/${mymask} -p tcp
> --sport 80
> 
> You may find this a little kludgy. I guess it is. The other alternative
> is to use IP accounting packages which are pre-built to do this stuff.
> You may find http://www.ntop.org/ntop.html or http://www.cacti.net/
> useful if you don't feel like doing it yourself.

iptraf is a quick & easy tool for this as well.

-j

-- 
Jason Opperisano <opie@817west.com>

Re: connection tracking without iptables?

[Jiann-Ming Su]

On Thu, 30 Sep 2004 11:19:25 -0700, Daniel Chemko <dchemko@smgtec.com> wrote:
> 
> The way I track this kind of information is from netfilter/iptables.
> 
> In the PREROUTING and POSTROUTING chains, you implement 'null' targets
> to add an internal netfilter counter to the packet stream.
> 
> # Detect all outgoing web traffic from that subnet
> iptables -t mangle -A PREROUTING --source ${mynet}/${mymask} -p tcp
> --dport 80
> # Return Traffic
> iptables -t mangle -A PREROUTING --destination ${mynet}/${mymask} -p tcp
> --sport 80
> 

Another thing I'm interested in is the total number of current
connections.  Does /proc/net/ip_conntrack provide this info?  I've
taken my iptables firewall offline,  and I would expect
/proc/net/ip_conntrack to show very few connections, but it seems to
still have quite a bit of historical connections left in it.

Basically, what I want to be able to do is graph the number of
connections as a function of time with MRTG.  I just need to make sure
I'm grabbing the right information.  The output of "iptables -nvxL"
seems to be total packets processed.  Thanks again for any tips.

-- 
Jiann-Ming Su
"I have to decide between two equally frightening options.  
                                            If I wanted to do that,
I'd vote." --Duckman

Re: connection tracking without iptables?

[Jason Opperisano]

On Thu, 2004-09-30 at 19:04, Jiann-Ming Su wrote:
> 
> Another thing I'm interested in is the total number of current
> connections.  Does /proc/net/ip_conntrack provide this info?  I've
> taken my iptables firewall offline,  and I would expect
> /proc/net/ip_conntrack to show very few connections, but it seems to
> still have quite a bit of historical connections left in it.
> 
> Basically, what I want to be able to do is graph the number of
> connections as a function of time with MRTG.  I just need to make sure
> I'm grabbing the right information.  The output of "iptables -nvxL"
> seems to be total packets processed.  Thanks again for any tips.

  egrep 'ESTABLISHED|ASSURED' /proc/net/ip_conntrack | wc -l

should give you the number of "active" TCP & UDP connections at any
given point in time.

-j

-- 
Jason Opperisano <opie@817west.com>

Re: connection tracking without iptables?

[Jiann-Ming Su]

On Thu, 30 Sep 2004 19:34:30 -0400, Jason Opperisano <opie@817west.com> wrote:
> 
>   egrep 'ESTABLISHED|ASSURED' /proc/net/ip_conntrack | wc -l
> 

We're finding that any read operation on /proc/net/ip_conntrack really
locks the system until that operation is completed.  That is, it's
almost as if the read prevents any writes, so the firewall locks up
momentarily until the read is done.  Is there a less system intensive
way to read ip_conntrack?  Or, is my observation completely wrong?
-- 
Jiann-Ming Su
"I have to decide between two equally frightening options.  
                                            If I wanted to do that,
I'd vote." --Duckman

Re: connection tracking without iptables?

[Jason Opperisano]

On Thu, Oct 14, 2004 at 02:31:11PM -0400, Jiann-Ming Su wrote:
> On Thu, 30 Sep 2004 19:34:30 -0400, Jason Opperisano <opie@817west.com> wrote:
> > 
> >   egrep 'ESTABLISHED|ASSURED' /proc/net/ip_conntrack | wc -l
> > 
> 
> We're finding that any read operation on /proc/net/ip_conntrack really
> locks the system until that operation is completed.  That is, it's
> almost as if the read prevents any writes, so the firewall locks up
> momentarily until the read is done.  Is there a less system intensive
> way to read ip_conntrack?  Or, is my observation completely wrong?

i'm not aware of any way that reading /proc/net/ip_conntrack would
prevent the system from creating new conntrack entries, but there's lots
of things that i'm not aware of...

you could try IPTState:  http://iptstate.phildev.net/

i don't know if it'll help though, as i'm pretty sure it just reads in
/proc/net/ip_conntrack for its data, same as cat/grep/sed/awk/etc...

are you sure there isn't something else going on?

-j

-- 
Jason Opperisano <opie@817west.com>

Re: connection tracking without iptables?

[Kiran Kumar Immidi]

On Friday 15 October 2004 00:27, Jason Opperisano wrote:

> i'm not aware of any way that reading /proc/net/ip_conntrack would
> prevent the system from creating new conntrack entries, but there's lots
> of things that i'm not aware of...

  AFAIR, the proc interface for the ip conntrack contents was considered 
broken and was moved to use the seq_file interface.  The patch to this effect 
went into 2.6.9-rc1. 

  http://lists.netfilter.org/pipermail/netfilter-devel/2004-July/016149.html

  I am not sure, but may be this patch could help you.

-- 
Regards,
Kiran Kumar Immidi

Re: connection tracking without iptables?

[Jose Maria Lopez]

El jue, 14 de 10 de 2004 a las 20:31, Jiann-Ming Su escribió:
> On Thu, 30 Sep 2004 19:34:30 -0400, Jason Opperisano <opie@817west.com> wrote:
> > 
> >   egrep 'ESTABLISHED|ASSURED' /proc/net/ip_conntrack | wc -l
> > 
> 
> We're finding that any read operation on /proc/net/ip_conntrack really
> locks the system until that operation is completed.  That is, it's
> almost as if the read prevents any writes, so the firewall locks up
> momentarily until the read is done.  Is there a less system intensive
> way to read ip_conntrack?  Or, is my observation completely wrong?

You can try to use libipq or libiptc to read the connection tracking
list, but I don't know if it's even possible. You can check the source
code of iptstate to see how they do it, maybe you can find a way of
reading the data more quickly or at least read only the data you
need.
-- 
Jose Maria Lopez Hernandez
Director Tecnico de bgSEC
jkerouac@bgsec.com
bgSEC Seguridad y Consultoria de Sistemas Informaticos
http://www.bgsec.com
ESPAÑA

The only people for me are the mad ones -- the ones who are mad to live,
mad to talk, mad to be saved, desirous of everything at the same time,
the ones who never yawn or say a commonplace thing, but burn, burn, burn
like fabulous yellow Roman candles.
                -- Jack Kerouac, "On the Road"

Re: connection tracking without iptables?

[Aleksandar Milivojevic]

Jiann-Ming Su wrote:
> On Thu, 30 Sep 2004 19:34:30 -0400, Jason Opperisano <opie@817west.com> wrote:
> 
>>  egrep 'ESTABLISHED|ASSURED' /proc/net/ip_conntrack | wc -l
>>
> 
> 
> We're finding that any read operation on /proc/net/ip_conntrack really
> locks the system until that operation is completed.  That is, it's
> almost as if the read prevents any writes, so the firewall locks up
> momentarily until the read is done.  Is there a less system intensive
> way to read ip_conntrack?  Or, is my observation completely wrong?

 From linux kernel 2.6.9 changelog:

[NETFILTER]: add sysctl to read out the number of current connections
	
Apparently a lot of scripts use a construct like
    cat /proc/net/ip_conntrack | wc -l
which has a negative impact on system performance due to all the locking
required.

-- 
Aleksandar Milivojevic <amilivojevic@pbl.ca>    Pollard Banknote Limited
Systems Administrator                           1499 Buffalo Place
Tel: (204) 474-2323 ext 276                     Winnipeg, MB  R3T 1L7

connection tracking without iptables?

[Jiann-Ming Su]

This is probably a dumb question, but is it possible to track
connections without iptables/netfilter?
-- 
Jiann-Ming Su
"I have to decide between two equally frightening options.  
                                            If I wanted to do that,
I'd vote." --Duckman

RE: connection tracking without iptables?

[Alexis]

Yes it is, is inside the code, i think this example could explain you

echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -P FORWARD DROP
iptables -A FORWARD -i $inside_interface -o $outside_interface -m state
--state NEW -j ACCEPT
iptables -A FORWARD -i $outside_interface -m state --state
RELATED,ESTABLISHED -j ACCEPT

That's it, this is what you need in order to get a statefull firewall with 2
interfaces.


> -----Mensaje original-----
> De: netfilter-bounces@lists.netfilter.org 
> [mailto:netfilter-bounces@lists.netfilter.org] En nombre de 
> Jiann-Ming Su
> Enviado el: Miércoles, 29 de Septiembre de 2004 17:51
> Para: netfilter@lists.netfilter.org
> Asunto: connection tracking without iptables?
> 
> This is probably a dumb question, but is it possible to track
> connections without iptables/netfilter?
> -- 
> Jiann-Ming Su
> "I have to decide between two equally frightening options.  
>                                             If I wanted to do that,
> I'd vote." --Duckman
> 
> 

Re: connection tracking without iptables?

[Jason Opperisano]

On Wed, 2004-09-29 at 16:50, Jiann-Ming Su wrote:
> This is probably a dumb question, but is it possible to track
> connections without iptables/netfilter?

modprobe ip_conntrack

-j

-- 
Jason Opperisano <opie@817west.com>

Re: connection tracking without iptables?

[Jose Maria Lopez]

El mié, 29 de 09 de 2004 a las 22:50, Jiann-Ming Su escribió:
> This is probably a dumb question, but is it possible to track
> connections without iptables/netfilter?

Maybe a good place to start it's the source code of
the tool iptstate, that it's a something like top
for conntrack connections.

-- 
Jose Maria Lopez Hernandez
Director Tecnico de bgSEC
jkerouac@bgsec.com
bgSEC Seguridad y Consultoria de Sistemas Informaticos
http://www.bgsec.com
ESPAÑA

The only people for me are the mad ones -- the ones who are mad to live,
mad to talk, mad to be saved, desirous of everything at the same time,
the ones who never yawn or say a commonplace thing, but burn, burn, burn
like fabulous yellow Roman candles.
                -- Jack Kerouac, "On the Road"