conntrack

conntrack

[Mohamed Eldesoky]

How does conntrack work ??
Does it care if the source/destination IPs change as well, due to load
balancers ??
I mean, if an outsider talks to x.y.z.1 and the load balancer forwards
that packet to x.y.z.2, so the outsider will get a reply from x.y.z.2
and continue the communications with it.
Does conntrack recognize that ?

-- 
Mohamed Eldesoky
www.eldesoky.net
RHCE

Re: conntrack

[Mohamed Eldesoky]

???

On 7/31/05, Mohamed Eldesoky <eldesoky.lists@gmail.com> wrote:
> How does conntrack work ??
> Does it care if the source/destination IPs change as well, due to load
> balancers ??
> I mean, if an outsider talks to x.y.z.1 and the load balancer forwards
> that packet to x.y.z.2, so the outsider will get a reply from x.y.z.2
> and continue the communications with it.
> Does conntrack recognize that ?
> 
> -- 
> Mohamed Eldesoky
> www.eldesoky.net
> RHCE
> 


-- 
Mohamed Eldesoky
www.eldesoky.net
RHCE

Re: conntrack

[Jan Engelhardt]

>???

Doubting your own post?


>On 7/31/05, Mohamed Eldesoky <eldesoky.lists@gmail.com> wrote:
>> How does conntrack work ??
>> Does it care if the source/destination IPs change as well, due to load
>> balancers ??
>> I mean, if an outsider talks to x.y.z.1 and the load balancer forwards
>> that packet to x.y.z.2, so the outsider will get a reply from x.y.z.2
>> and continue the communications with it.
>> Does conntrack recognize that ?
>> 
>> -- 
>> Mohamed Eldesoky
>> www.eldesoky.net
>> RHCE
>> 
>
>
>-- 
>Mohamed Eldesoky
>www.eldesoky.net
>RHCE
>
>

Jan Engelhardt
-- 
| Alphagate Systems, http://alphagate.hopto.org/

conntrack

[Pawel Oleksik]

Hello,

I'd like to check the 'conntrack' tool. However, I can not compile it.
(Actually, I cannot compile libnetfilter_conntrack-0.0.20)
There is neither "linux_list.h" nor
"libnetfilter_conntrack/libnetfilter_conntrack_extensions.h" header files.
I know, where to find the first of them, but what about the second?

Could you give me some hints?

P.O.

Re: conntrack

[Ralf Spenneberg]

You need Linux Kernel 2.6.14 and need to specifiy the kernel directory
while compiling.

Ralf

Am Samstag, den 05.11.2005, 21:20 +0100 schrieb Pawel Oleksik:
> Hello,
> 
> I'd like to check the 'conntrack' tool. However, I can not compile it.
> (Actually, I cannot compile libnetfilter_conntrack-0.0.20)
> There is neither "linux_list.h" nor
> "libnetfilter_conntrack/libnetfilter_conntrack_extensions.h" header files.
> I know, where to find the first of them, but what about the second?
> 
> Could you give me some hints?
> 
> P.O.
> 
-- 
Ralf Spenneberg
OpenSource Training                     http://www.opensource-training.de
Webereistr. 1                           48565 Steinfurt           Germany

Re: conntrack

[Pawel Oleksik]

On Sat, Nov 05, 2005 at 09:54:57PM +0100, Ralf Spenneberg wrote:
> You need Linux Kernel 2.6.14 and need to specifiy the kernel directory
> while compiling.
> 
> Ralf
> 

Of course, I did it.
Actually, I've compiled 2.6.14 but still running 2.6.13.
So, for configuration of I run:
./configure --with-kernel=/usr/src/linux-2.6.14

But it didn't help.

P.O.

ps. The mentioned file
(libnetfilter_conntrack/libnetfilter_conntrack_extensions.h) is not present in
any of sources of: libnetfilter_conntrack-0.0.20, libnfnetlink-0.0.11,
conntrack-0.90, iptables-1.3.[34].

Moreover, linux_list.h is in sources of iptables-1.3.4, but installation will
not copy it in any include/ directiory. So, one has to do it himself.

Re: conntrack

[Ralf Spenneberg]

Hmh,

well I did not use the released versions but the subversion versions.
They worked for me.

Ralf
Am Sonntag, den 06.11.2005, 09:02 +0100 schrieb Pawel Oleksik:
> On Sat, Nov 05, 2005 at 09:54:57PM +0100, Ralf Spenneberg wrote:
> > You need Linux Kernel 2.6.14 and need to specifiy the kernel directory
> > while compiling.
> > 
> > Ralf
> > 
> 
> Of course, I did it.
> Actually, I've compiled 2.6.14 but still running 2.6.13.
> So, for configuration of I run:
> ./configure --with-kernel=/usr/src/linux-2.6.14
> 
> But it didn't help.
> 
> P.O.
> 
> ps. The mentioned file
> (libnetfilter_conntrack/libnetfilter_conntrack_extensions.h) is not present in
> any of sources of: libnetfilter_conntrack-0.0.20, libnfnetlink-0.0.11,
> conntrack-0.90, iptables-1.3.[34].
> 
> Moreover, linux_list.h is in sources of iptables-1.3.4, but installation will
> not copy it in any include/ directiory. So, one has to do it himself.
-- 
Ralf Spenneberg
OpenSource Training                     http://www.opensource-training.de
Webereistr. 1                           48565 Steinfurt           Germany

Re: conntrack

[Pawel Oleksik]

On Sun, Nov 06, 2005 at 09:44:26AM +0100, Ralf Spenneberg wrote:
> Hmh,
> 
> well I did not use the released versions but the subversion versions.
> They worked for me.
> 
> Ralf

Positive! The SVN version works. (I hope they will change default download to
a right version soon.)

Thanks for the suggestion.

So, I will be back with questions how to use it :)

P.O.

conntrack

[Corin Langosch]

Hi all,

i used to use iptables conntrack module. as our servers are really
busy and get a lot of connections, we got a lot of errors like
conntrack: table full, dropping packet. due to resource limits
we dont want to increase the conntrack_max limit, its currently
set to something about 32000.

how can we configure iptables so that some ports are excluded
from being tracked? as most connections are incomming on only
around 5 different ports all problems should be solved with
such an option :)

is there anything like iptables --notrack -dport 80 ..?
would be great!!

thanks for any help,
corin