From: sean darcy <seandarcy2@gmail.com>
To: netfilter@vger.kernel.org
Subject: Re: where are my udp packets going?
Date: Mon, 17 Nov 2008 11:49:39 -0500
Message-ID: <gfs7b4$947$1@ger.gmane.org>
In-Reply-To: <49214760.1010006@plouf.fr.eu.org>

Pascal Hambourg wrote:
> sean darcy a écrit :
>>
>> I was able to shut down the 76. machine, reboot the server, and it 
>> worked.
> 
> Hmm, shut down or reboot was a bit overkill.
> 
>> My server does NOT generate 4569 packets, and iptables INPUT drops all 
>> from eth0, except for ssh and ESTABLISHED. So how could there be a 
>> conntrack entry?
> 
> The DROP target prevents a packet from creating a new conntrack entry. 
> However I suppose there was a sort of race condition with incoming 
> packets, conntrack activation, default policy definition and rule creation.
> 
> If the conntrack module is loaded before a DROP rule is created in the 
> filter/INPUT chain or its policy is set to DROP, then an incoming packet 
> could create the bogus conntrack entry. The conntrack module can be 
> autoloaded by many ways including:
> - loading a conntrack or NAT helper module,
> - creating a rule using a match or target that requires conntrack 
> (state, conntrack, connmark, CONNMARK...)
> - loading the nat table, which may be caused by creating a rule in one 
> of its chains, defining the default policy of one of its chains or just 
> flushing one of its chains.
> So conntrack may be enabled sooner than you think.
> 
> Check the order in which the following operations happen at startup:
> - load conntrack/NAT modules {ip,nf}_{conntrack,nat}*
> - define iptables default policies in the nat and filter tables
> - create or flush iptables rules in the nat and filter tables
> - enable network interfaces
> 
>> Is there a way to DNAT traffic before it reaches the conntrack entry? 
> 
> No, because NAT requires conntrack.
> 
>> Can I change the destination in raw/PREROUTING?
> 
> No. All you can do in raw/PREROUTING is DROP or mark packets in the 
> UNTRACKED state with the NOTRACK target so the conntrack won't see them. 
> By the way I guess that adding a temporary rule matching the IAX traffic 
> from 76.x.x.x in this chain until the related conntrack entry expires 
> would have done the trick too, without having to put machines offline.
> 
>> Is there a way to flush the conntrack entry?
> 
> Yes, with the conntrack utility from the conntrack-tools package. If your 
> distro does not ship it, you can get it from the netfilter site.
> <http://www.netfilter.org/projects/conntrack-tools/index.html>
>

Great. I've installed conntrack-tools from fedora.

Now I'm trying to figure out the correct command that flushes the 
conntrack entry but allows it to start again. I started a new thread 
since it's getting OT for this one.

Thanks for all your help. I never would've figured this out.

sean
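Added example (Python, not from the thread and not part of conntrack-tools): an audit over constructed /proc/net/nf_conntrack lines that finds flows which were tracked before the DNAT rule existed, the way the stale entry discussed above keeps bypassing nat/PREROUTING, and prints the matching conntrack -D command for each. It assumes a scenario where UDP 4569 is DNATed to an internal host 10.0.0.20 behind a firewall at 192.0.2.1; both addresses and all table lines are constructed.

```python
"""Audit the conntrack table for flows tracked before a DNAT rule existed, so
nat/PREROUTING never rewrote them (the situation in this thread). Input is
/proc/net/nf_conntrack text; conntrack -L prints the same tuples."""
import re

# Constructed sample, not from the thread: 76.0.0.10 was tracked before the
# DNAT rule existed (reply tuple still points at the firewall, 192.0.2.1);
# 76.0.0.11 was correctly DNATed to the internal host 10.0.0.20.
SAMPLE_TABLE = """\
ipv4 2 udp 17 28 src=76.0.0.10 dst=192.0.2.1 sport=4569 dport=4569 [UNREPLIED] src=192.0.2.1 dst=76.0.0.10 sport=4569 dport=4569 mark=0 use=2
ipv4 2 udp 17 170 src=76.0.0.11 dst=192.0.2.1 sport=4569 dport=4569 src=10.0.0.20 dst=76.0.0.11 sport=4569 dport=4569 [ASSURED] mark=0 use=1
ipv4 2 tcp 6 431999 ESTABLISHED src=198.51.100.7 dst=192.0.2.1 sport=51234 dport=22 src=192.0.2.1 dst=198.51.100.7 sport=22 dport=51234 [ASSURED] mark=0 use=1
"""

TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")

def parse_entries(text):
    """Yield one dict per entry with its original and reply tuples."""
    for line in text.splitlines():
        fields = line.split()
        tuples = TUPLE_RE.findall(line)
        if len(fields) < 5 or len(tuples) != 2:
            continue  # skip blank lines and entries without two tuples
        (osrc, odst, osp, odp), (rsrc, rdst, rsp, rdp) = tuples
        yield {
            "proto": fields[2],
            "orig": {"src": osrc, "dst": odst, "sport": int(osp), "dport": int(odp)},
            "reply": {"src": rsrc, "dst": rdst, "sport": int(rsp), "dport": int(rdp)},
            "unreplied": "[UNREPLIED]" in line,
        }

def find_skipped_dnat(text, proto, dport, nat_target):
    """Entries for proto/dport whose reply tuple does not come from nat_target:
    the flow was tracked without the DNAT ever being applied."""
    return [e for e in parse_entries(text)
            if e["proto"] == proto and e["orig"]["dport"] == dport
            and e["reply"]["src"] != nat_target]

def delete_command(entry):
    """conntrack-tools command that removes just this stale entry; the next
    packet then creates a fresh entry and passes nat/PREROUTING again."""
    o = entry["orig"]
    return (f"conntrack -D -p {entry['proto']} --orig-src {o['src']} "
            f"--orig-dst {o['dst']} --orig-port-dst {o['dport']}")

if __name__ == "__main__":
    for e in find_skipped_dnat(SAMPLE_TABLE, "udp", 4569, "10.0.0.20"):
        print(delete_command(e))
```

Deleting only the stale entry, rather than flushing the whole table, keeps the ssh session and other legitimate flows tracked.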

