Linux Netfilter discussions
* "selective" connection tracking?
@ 2003-10-28 17:29 Michael Renzmann
From: Michael Renzmann @ 2003-10-28 17:29 UTC (permalink / raw)
  To: netfilter

Hi all.

I dug through the mailing list archive as well as the documentation for an 
answer and found some hints, but no clear statement.

Is it possible to use connection tracking only for specified 
connections, but not for all? Or would it be possible to "disable" 
connection tracking for connections that go through the forward chain, 
and using it only for connections that from/to the machine itself?

As far as I could find out: when starting to use stateful inspection 
features connection tracking is loaded (as module), which then is 
applied to ALL the connections that are coming into / going out of the 
machine and are passed through it (where the machine acts as router). Is 
that correct?

Any help appreciated.

Bye, Mike




* Re: "selective" connection tracking?
From: Cedric Blancher @ 2003-10-31  9:10 UTC (permalink / raw)
  To: Michael Renzmann; +Cc: netfilter

On Tue 28/10/2003 at 18:29, Michael Renzmann wrote:
> Is it possible to use connection tracking only for specified 
> connections, but not for all? Or would it be possible to "disable" 
> connection tracking for connections that go through the forward chain, 
> and using it only for connections that from/to the machine itself?

With stock Netfilter/iptables, it is not possible. Once ip_conntrack is
loaded, every packet is evaluated against connection tracking and is
given a state.

However, you can use the raw table that is available in patch-o-matic. This
will imply iptables and kernel compilation. The raw table comes before the
conntrack subsystem and allows you to choose whether a packet has to go
through conntrack or not, using the NOTRACK target:

	iptables -t raw -A PREROUTING -d 1.2.3.4 -p tcp --dport 80 \
		-j NOTRACK

Then, you can match them afterwards using the UNTRACKED state:

	iptables -A FORWARD -m state --state UNTRACKED -j ACCEPT

Note that if you do not conntrack a connection, you lose all conntrack
capabilities such as ICMP errors handling, helpers and NAT (as
Netfilter's NAT relies on conntrack).

See http://www.netfilter.org/documentation/pomlist/pom-base.html#raw for
more details (examples are excerpts from this page).

I also like raw table TRACE target that allows full debugging as traced
packets will get logged for any rule they meet.

> As far as I could find out: when starting to use stateful inspection 
> features connection tracking is loaded (as module), which then is 
> applied to ALL the connections that are coming into / going out of the 
> machine and are passed through it (where the machine acts as router). Is 
> that correct?

Correct, unless using raw table.

-- 
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread! 



* Re: "selective" connection tracking?
From: Michael Renzmann @ 2003-10-31 10:47 UTC (permalink / raw)
  To: Cedric Blancher; +Cc: netfilter

Hi Cedric.

First of all thanks for your answer.

Cedric Blancher wrote:
> However, you can use the raw table that is available in patch-o-matic. This
> will imply iptables and kernel compilation. The raw table comes before the
> conntrack subsystem and allows you to choose whether a packet has to go
> through conntrack or not, using the NOTRACK target:
> 
> 	iptables -t raw -A PREROUTING -d 1.2.3.4 -p tcp --dport 80 \
> 		-j NOTRACK
[...]

Thanks for the tip, I think this will do. We already use a bunch of the 
pom-patches, and if I remember correctly the RAW-patch has already been 
applied.

> Note that if you do not conntrack a connection, you lose all conntrack
> capabilities such as ICMP errors handling, helpers and NAT (as
> Netfilter's NAT relies on conntrack).

Just to be sure: it will still be possible to use conntrack for traffic 
that is targeted to the router itself, while pushing forwarded traffic 
through the router without connection tracking. Correct?

Bye, Mike




* Re: "selective" connection tracking?
From: Cedric Blancher @ 2003-10-31 11:02 UTC (permalink / raw)
  To: Michael Renzmann; +Cc: netfilter

On Fri 31/10/2003 at 11:47, Michael Renzmann wrote:
> First of all thanks for your answer.

You're welcome ;)

> > Note that if you do not conntrack a connection, you lose all conntrack
> > capabilities such as ICMP errors handling, helpers and NAT (as
> > Netfilter's NAT relies on conntrack).
> Just to be sure: it will still be possible to use conntrack for traffic 
> that is targeted to the router itself, while pushing forwarded traffic 
> through the router without connection tracking. Correct?

You're able to do anything you want, as you have to explicitly implement
which traffic you do not want to track. Suppose your local IP is
A.B.C.D, then doing something like this should do the trick:

	iptables -t raw -A PREROUTING -d ! A.B.C.D -j NOTRACK

Do this to exclude all traffic destined to local box.




* Re: "selective" connection tracking?
From: Michael Renzmann @ 2003-10-31 12:17 UTC (permalink / raw)
  To: Cedric Blancher; +Cc: netfilter

Hi.

Cedric Blancher wrote:
>>Just to be sure: it will still be possible to use conntrack for traffic 
>>that is targeted to the router itself, while pushing forwarded traffic 
>>through the router without connection tracking. Correct?
> You're able to do anything you want, as you have to explicitly implement
> which traffic you do not want to track. Suppose your local IP is
> A.B.C.D, then doing something like this should do the trick:
> 
> 	iptables -t raw -A PREROUTING -d ! A.B.C.D -j NOTRACK
> 
> Do this to exclude all traffic destined to local box.

You mean "not destined to the local box", right? :)

Bye, Mike





* Re: "selective" connection tracking?
From: Cedric Blancher @ 2003-10-31 13:18 UTC (permalink / raw)
  To: Michael Renzmann; +Cc: netfilter

On Fri 31/10/2003 at 13:17, Michael Renzmann wrote:
> > You're able to do anything you want, as you have to explicitly implement
> > which traffic you do not want to track. Suppose your local IP is
> > A.B.C.D, then doing something like this should do the trick:
> > 	iptables -t raw -A PREROUTING -d ! A.B.C.D -j NOTRACK
> > Do this to exclude all traffic destined to local box.
> You mean "not destined to the local box", right? :)

I do mean "destined to the local box". You exclude from the NOTRACK target
all traffic destined to the local box, meaning you include it in
conntrack ;)))

We do agree, for sure.



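An added example, not from this thread or from the netfilter project: a small Python model of what the negated raw-table rule (`-d ! A.B.C.D -j NOTRACK`) and the later `-m state` matches decide for a packet. It assumes a constructed local address 192.0.2.1 in place of A.B.C.D, a simplified conntrack table keyed on the 4-tuple, and a constructed INPUT policy; the chain names and states are the ones the thread uses.

```python
# Added example: models raw PREROUTING -> conntrack -> INPUT/FORWARD for one
# packet, to show which traffic stays tracked under the thread's NOTRACK rule.
from dataclasses import dataclass
from typing import Optional, Set, Tuple

LOCAL_IP = "192.0.2.1"  # stands in for A.B.C.D (constructed address)

@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "tcp"
    dport: int = 80
    state: Optional[str] = None  # what '-m state' will see, set by conntrack()

def raw_prerouting_notrack(pkt: Packet, local_ip: str = LOCAL_IP) -> bool:
    """Model of 'iptables -t raw -A PREROUTING -d ! A.B.C.D -j NOTRACK'.
    The destination match is negated, so only packets NOT destined to the
    box hit NOTRACK; traffic to the box itself falls through to conntrack."""
    return pkt.dst != local_ip

def conntrack(pkt: Packet, table: Set[Tuple[str, str, str, int]],
              local_ip: str = LOCAL_IP) -> str:
    """Assign the conntrack state. NOTRACK'd packets never enter the table
    (so no NAT, helpers or ICMP error association for them)."""
    if raw_prerouting_notrack(pkt, local_ip):
        pkt.state = "UNTRACKED"
        return pkt.state
    key = (pkt.src, pkt.dst, pkt.proto, pkt.dport)
    pkt.state = "ESTABLISHED" if key in table else "NEW"
    table.add(key)
    return pkt.state

def forward_chain(pkt: Packet) -> str:
    """'iptables -A FORWARD -m state --state UNTRACKED -j ACCEPT', default DROP."""
    return "ACCEPT" if pkt.state == "UNTRACKED" else "DROP"

def input_chain(pkt: Packet) -> str:
    """Constructed stateful INPUT policy: ESTABLISHED always, NEW only to tcp/80."""
    if pkt.state == "ESTABLISHED":
        return "ACCEPT"
    if pkt.state == "NEW" and pkt.proto == "tcp" and pkt.dport == 80:
        return "ACCEPT"
    return "DROP"

def process(pkt: Packet, table: Set[Tuple[str, str, str, int]],
            local_ip: str = LOCAL_IP) -> Tuple[str, str, str]:
    """Run one packet through the model; returns (chain, state, verdict)."""
    state = conntrack(pkt, table, local_ip)
    chain = "INPUT" if pkt.dst == local_ip else "FORWARD"  # routing decision
    verdict = input_chain(pkt) if chain == "INPUT" else forward_chain(pkt)
    return chain, state, verdict
```

Run a packet to the router twice and one through it to see that only the local-bound flow ever acquires NEW/ESTABLISHED state while forwarded traffic is UNTRACKED and never lands in the table.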
