RE: How to run iptables insert command on linux box as non root user?

The best I could come up with is either use a new port instead of port 80 (like www.webmin.com) or write to a MySQL database of what commands are required and then allow a script to make the changes for you.

/etc/crontab
* * * * * root    php /scripts/updateiptables.php

Once the webserver page authenticates a user, it allows changes to be made and writes them to a secured MySQL database. Every minute, the root user script reads them and executes them as required... it's not immediate but works. You could always make the PHP script always active monitoring changes, I guess...
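The reply above has the web front end write requested changes to a database and a root cron job apply them. The following is an added example, not the poster's PHP script: it shows how the root-side job can treat each queued request as structured fields (op, chain, proto, port, src, action, all field names assumed here) and validate them against an allowlist before building an iptables argument vector, instead of executing stored command text. The queue is a constructed list of JSON lines standing in for the MySQL table.

```python
"""Root-side worker for the queue design described in the reply above.

Added example, not the poster's script. The worker treats each queued
request as structured fields, validates every field against a fixed
allowlist, and only then builds an iptables argument vector. It never
executes a raw command string taken from the queue, so a compromised web
front end cannot turn the root cron job into an arbitrary command runner.
"""
import ipaddress
import json
import subprocess

ALLOWED_OPS = {"-I", "-D"}             # insert or delete a rule, nothing else
ALLOWED_CHAINS = {"INPUT", "FORWARD"}
ALLOWED_PROTOS = {"tcp", "udp"}
ALLOWED_ACTIONS = {"ACCEPT", "DROP"}


class InvalidRequest(ValueError):
    """Raised for any field outside the allowlist or of the wrong shape."""


def build_iptables_argv(req):
    """Turn one queued request (a dict) into an iptables argv list.

    Every value is checked by set membership or parsed into a typed object
    before it is stringified, so nothing from the queue reaches argv as
    free-form text.
    """
    if req.get("op") not in ALLOWED_OPS:
        raise InvalidRequest("op must be one of %s" % sorted(ALLOWED_OPS))
    if req.get("chain") not in ALLOWED_CHAINS:
        raise InvalidRequest("chain not allowed")
    if req.get("proto") not in ALLOWED_PROTOS:
        raise InvalidRequest("proto not allowed")
    if req.get("action") not in ALLOWED_ACTIONS:
        raise InvalidRequest("action not allowed")
    port = req.get("port")
    if not isinstance(port, int) or isinstance(port, bool) or not 1 <= port <= 65535:
        raise InvalidRequest("port must be an integer 1-65535")
    # Source is optional; parsing it (rather than pattern-matching the
    # string) rejects anything that is not a plain IPv4 address or network.
    src = ipaddress.ip_network(req.get("src", "0.0.0.0/0"), strict=False)
    if src.version != 4:
        raise InvalidRequest("only IPv4 sources are handled here")
    return ["iptables", req["op"], req["chain"], "-p", req["proto"],
            "--dport", str(port), "-s", str(src), "-j", req["action"]]


def process_queue(lines, run=subprocess.run):
    """Apply each JSON request line. Returns (applied_argvs, rejections).

    `run` is injectable so the worker can be exercised without root; the
    cron job would keep the default subprocess.run, which takes an argv
    list and involves no shell.
    """
    applied, rejected = [], []
    for line in lines:
        try:
            argv = build_iptables_argv(json.loads(line))
        except (ValueError, TypeError, AttributeError) as exc:
            rejected.append((line, str(exc)))   # InvalidRequest is a ValueError
            continue
        run(argv, check=True)
        applied.append(argv)
    return applied, rejected


# Constructed sample queue: what the cron job would read from the database.
SAMPLE_QUEUE = [
    '{"op": "-I", "chain": "INPUT", "proto": "tcp", "port": 80, "src": "192.0.2.0/24", "action": "ACCEPT"}',
    '{"op": "-F", "chain": "INPUT", "proto": "tcp", "port": 80, "action": "ACCEPT"}',
    '{"op": "-I", "chain": "INPUT", "proto": "tcp", "port": "http", "action": "ACCEPT"}',
    '{"op": "-D", "chain": "FORWARD", "proto": "udp", "port": 53, "src": "10.0.0.1", "action": "DROP"}',
]

if __name__ == "__main__":
    def dry_run(argv, check=True):
        print("would run:", " ".join(argv))
    applied, rejected = process_queue(SAMPLE_QUEUE, run=dry_run)
    for line, reason in rejected:
        print("rejected:", reason, "<-", line)
```

Run as root with the default `run`, the worker applies the two well-formed requests and records why the flush and the non-numeric port were refused.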


-----Original Message-----
From: Israel Zavalza Bahena [mailto:izavalza@xxxxxxxxxxx]
Sent: Saturday, May 31, 2003 7:19 AM
To: netfilter@xxxxxxxxxxxxxxxxxxx
Subject: How to run iptables insert command on linux box as non root user?




Hello


I need to run IPTABLES on a linux box from a CGI on an apache web server, but I
need to run it as the apache user, not as the root user, to avoid a security
vulnerability over the apache web server.

Do I need to recompile iptables or the kernel?

Has someone done it before?

Thanks for your comments.


Ing. Israel Zavalza Bahena
Technology Strategic Manager of
INTERTIENDAS Network Center








>From: netfilter-request@xxxxxxxxxxxxxxxxxxx
>Reply-To: netfilter@xxxxxxxxxxxxxxxxxxx
>To: netfilter@xxxxxxxxxxxxxxxxxxx
>Subject: netfilter digest, Vol 1 #872 - 10 msgs
>Date: Fri, 30 May 2003 22:40:16 +0200
>
>Today's Topics:
>
>    1. Need some clarity (Michael Carroll)
>    2. Skipping connection tracking for certain traffic types? (Ville Mattila)
>    3. Usage of netfilter (Aditya Bhasin)
>    4. A problem - connections dies (Peter Pohlmann)
>    5. vpn between networks with private ip network segment conflicts (dtrott@xxxxxxxxxxxxx)
>    6. RE: upgrade to iptabels from ipchains (John Friel III)
>    7. Re: SOLVED : Re: where is libipt_match.so? (David T-G)
>    8. RE: upgrade to iptables from ipchains (John Friel III)
>    9. iptables/conntrack in enterprise environment. (Preston A. Elder)
>   10. Re: [netfilter-core] iptables/conntrack in enterprise environment. (Preston A. Elder)
>
>--__--__--
>
>Message: 1
>Date: Tue, 27 May 2003 14:45:54 -0400
>From: Michael Carroll <ingenious@xxxxxxxx>
>To:  netfilter@xxxxxxxxxxxxxxxxxxx
>Subject: Need some clarity
>
>Hello netfilter development crew,
>
>I have a couple of probably straightforward questions that I don't know
>the answers to and would like to clear up a little bit.
>
># Generated by iptables-save v1.2.7a on Tue Apr 15 14:25:35 2003
>*nat
>:PREROUTING ACCEPT [7595:344053]
>:POSTROUTING ACCEPT [80:4556]
>:OUTPUT ACCEPT [63:3755]
>COMMIT
>
>That is what is generated when I first do an 'iptables-save > /dir'. Now
>I was wondering what all the numbers inside those brackets stand for,
>because when I start to add rules to them those numbers start to change.
>They also add the user defined rules just before the COMMIT.  Does it
>matter how you type out your iptables rules, like you should DROP
>everything first, then start to 'open' ports up, correct?  Also one other
>thing: what does the COMMIT mean?
>
>Thank you in advance.
>
>Michael Carroll
>
>
>
>
>--__--__--
>
>Message: 2
>Date: Tue, 27 May 2003 22:49:56 +0300 (EET DST)
>From: Ville Mattila <vm@xxxxxx>
>To: netfilter@xxxxxxxxxxxxxxxxxxx
>cc: Ville Mattila <vm@xxxxxx>
>Subject: Skipping connection tracking for certain traffic types?
>
>
>Hello all,
>
>
>Correct me on this if I'm wrong: It is a feature of
>Netfilter that whenever conntrack is registered in
>kernel, then for example any UDP packet passing through
>the firewall causes the state table to be consulted
>resulting in either update of an old state entry if
>found or creation of a new state.
>
>Now if the description above holds we have a slight problem.
>
>At our site, connection tracking would be the nice way to
>handle the classic case of allowing responses to UDP
>requests initiating from our internal network. The problem
>is that in the internal network there are several standalone
>(a.k.a. non-forwarding) caching nameservers sending about 100
>dns queries per second through the firewall in the worst case.
>For us the default ip_conntrack_proto_udp.c timeout setting
>of 30 seconds for unreplied UDP requests and 180 seconds
>for assured streams could mean from 3 000 up to 18 000 state
>entries for these dns requests alone.
>
>This problem would be solved if it was possible with
>Netfilter/iptables to skip connection tracking for some
>rules (servers sending dns queries and replies to them in
>our case), or better yet, not to track every connection by
>default but only when requested per rule. Is this kind
>of selective connection tracking possible already or will
>it possibly become supported in future conntrack versions?
>
>
>Best regards,
>Ville
>
>-- 
>Mr. Ville Mattila, vm@xxxxxx, http://iki.fi/vm/
>
>
>
>--__--__--
>
>Message: 3
>From: "Aditya Bhasin" <aditya.bhasin@xxxxxxxxxxxx>
>To: <netfilter@xxxxxxxxxxxxxxxxxxx>
>Subject: Usage of netfilter
>Date: Tue, 27 May 2003 15:17:15 -0700
>
>Hi,
>
>Is it possible using netfilter and libipq to extract a packet from the
>IPv4 stream, buffer it in user space and then put the packet back on
>the outgoing stream at a later point in time?
>
>All the docs and examples I have looked at seem to read in a packet, do
>an operation on it and then announce a verdict on the packet.
>
>Are there APIs to insert packets into the queue which have not been read
>from it? If that was allowed I could copy and reject initially and then
>insert again at a later point in time.
>
>
>thanks,
>
>aditya
>
>
>
>
>--__--__--
>
>Message: 4
>From: "Peter Pohlmann" <peter@xxxxxxxxxxxxx>
>To: <netfilter@xxxxxxxxxxxxxxxxxxx>
>Subject: A problem - connections dies
>Date: Tue, 27 May 2003 16:37:33 -0400
>
>Hello list,
>
>I have a problem with my masquerading.
>Can someone supply me a basic configuration. I want to have the private
>network open for everything.
>
>The current rules are below. Works for pop, http etc. But ftp is not
>proper and connecting to an outside smtp server is a problem too. I can
>send very small emails but if some larger email or attachment it stops
>after transferring some kbs.  What am I missing here?  The server is
>redhat 9 pppoe to the dsl modem.
>
>#!/bin/sh
>
>modprobe ip_conntrack_ftp
>modprobe iptable_nat
>iptables -P INPUT ACCEPT
>iptables -P OUTPUT ACCEPT
>iptables -P FORWARD ACCEPT
>
>echo 1 >/proc/sys/net/ipv4/ip_forward
>echo 1 >/proc/sys/net/ipv4/ip_dynaddr
>
>iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
>iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
>
>Thank you in advance,
>Peter
>
>
>
>
>
>
>--__--__--
>
>Message: 5
>Date: Wed, 28 May 2003 01:32:20 -0700
>From: <dtrott@xxxxxxxxxxxxx>
>To: drew.einhorn@xxxxxxxxxxxx
>Cc: netfilter@xxxxxxxxxxxxxxxxxxx
>Subject: vpn between networks with private ip network segment conflicts
>
>If:
>- You Don't need to access the whole remote network
>   (just a limited number of servers)
>- Those servers don't clash with anything on your local network
>   or it's not too painful to move one or two hosts
>   so they don't clash.
>
>You may be able to kludge it with some proxy arping.
>
>You will need to have:
>- Both routers on non clashing addresses.
>- Both routers proxy arp for the other one.
>- Your local router will have to proxy arp for all the
>   servers you wish to access.
>- You will need to SNAT all outgoing VPN traffic to your
>   local router's IP (to avoid conflicts on the remote lan).
>
>Reverse local and remote for access in the opposite direction.
>
>Note: I have not tested all this together, the closest I
>have tried is:
>
>My home network uses:
>
>10.1.100.0/24
>
>My work network uses:
>
>10.1.0.0/16
>
>I proxy arp the subnet on the router at work, but my home router doesn't
>need to proxy arp or SNAT because the netmask is smaller and there are no
>conflicts on the work LAN.
>
>
>This will save you having to mess with the DNS, but to be honest I think
>the least painful route (in the long run) is just to re-number one of
>the networks.
>
>This is especially true if you are planning to do anything with
>MS networking, because MS networking really doesn't like NAT.
>
>
>David
>
>
>PS If bi-directional access is not required you may be able to
>SNAT to a virtual IP (per some of the other posts), this will save
>the remote router from needing to proxy arp.
>
>
>Drew Einhorn Wrote:
> > My LAN uses network segments 192.168.0.0/24, 192.168.1.0/24, etc.
> > So does the remote network I need to vpn to (probably using some flavor
> > of pptp).
> >
> > Is there an odd nat variant that will solve this problem.
> > Probably need to do some kind of dns transformation on each side.
>
> > Is there any easy solution.  Perhaps it would be easier (but not easy)
> > to get the network segments renumbered on one end or the other.
> >
> > --
> > Drew Einhorn <drew.einhorn@xxxxxxxxxxxx>
>
>
>
>--__--__--
>
>Message: 6
>From: John Friel III <john@xxxxxxxxxxxx>
>To: "'netfilter@xxxxxxxxxxxxxxx'" <netfilter@xxxxxxxxxxxxxxx>
>Cc: =?iso-8859-1?Q?=27Leonardo_Rodrigues_Magalh=E3es=27?= 
><leolistas@xxxxxxxxxxxxxx>
>Subject: RE: upgrade to iptabels from ipchains
>Date: Wed, 28 May 2003 13:31:43 -0500
>
> >     would become this in iptables
> >
> > iptables -N soporte
> > iptables -A soporte -s 10.0.1.1 -j ACCEPT
> > iptables -A soporte -j DROP
> > iptables -A FORWARD -s 10.0.0.0/25 -j soporte
> > iptables -t nat -A POSTROUTING -s 10.0.1.1 -j MASQUERADE
>
>And it should be noted that with these rules in place, all packets that get
>forwarded to the soporte chain will get DROPPED because the forward rule
>only forwards IPs in the range of 10.0.0.0-10.0.0.127 and the accept range
>is restricted to -only- IP 10.0.1.1.
>
>The 4th rule should be:
>
>iptables -A FORWARD -s 10.0.0.0/16 -j soporte
>
>
>
>
>Cheers!
>John Friel III
>Frieltek Consulting, Inc.
>
>
>--__--__--
>
>Message: 7
>Date: Thu, 29 May 2003 01:08:22 -0400
>From: David T-G <davidtg@xxxxxxxxxxxxxxx>
>To: NetFilter Users' List <netfilter@xxxxxxxxxxxxxxxxxxx>
>Cc: George Vieira <georgev@xxxxxxxxxxxxxxxxxxxxxx>
>Subject: Re: SOLVED : Re: where is libipt_match.so?
>
>
>
>George --
>
>...and then George Vieira said...
>%
>% no no no.. you've forgotten also the --state before mentioning the
>% states you're checking..
>
>Ahhh...
>
>
>%
>%
>% *george searches his scripts*
>%
>% See.... as below..
>% $IPTABLES -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
>
>Well, this seems to work and not cause any errors, so it's good enough
>for me :-)
>
>
>%
>% Thanks,
>
>
>Thank *you*!
>
>:-D
>-- 
>David T-G                      * There is too much animal courage in
>(play) davidtg@xxxxxxxxxxxxxxx * society and not sufficient moral courage.
>(work) davidtgwork@xxxxxxxxxxxxxxx  -- Mary Baker Eddy, "Science and Health"
>http://justpickone.org/davidtg/      Shpx gur Pbzzhavpngvbaf Qrprapl Npg!
>
>
>
>
>--__--__--
>
>
>Message: 9
>From: "Preston A. Elder" <prez@xxxxxxxxxxxxx>
>Organization: Shadow Realm
>To: netfilter@xxxxxxxxxxxxxxxxxxx,
>	netfilter-devel@xxxxxxxxxxxxxxxxxxx, coreteam@xxxxxxxxxxxxx
>Subject: iptables/conntrack in enterprise environment.
>Date: Thu, 29 May 2003 01:13:47 -0400
>
>
>Hi,
>
>I am in an enterprise environment and I'm having some problems with
>conntrack specifically.
>
>We have a system that acts as a router, however any new inbound connection
>for any machine behind this router is re-directed to a specific port on the
>local machine, where an application responds as if it were the system behind
>the router.  These systems experience some very high volumes of traffic
>(sustaining over 30mbit of traffic).  Here's a breakdown of TCP socket
>connections by status at one particular point in time:
>ESTABLISHED : 1363
>LAST_ACK    : 27
>TIME_WAIT   : 616
>FIN_WAIT2   : 8
>FIN_WAIT1   : 140
>SYN_RECV    : 6188
>CLOSE_WAIT  : 365
>LISTEN      : 3
>CLOSING     : 5
>
>We have multiple systems performing this task (essentially for load
>balancing and to remove a single point of failure).  The systems are dual
>1ghz pentium 3's, with 1-2gb of ram, so they're not shy systems.  They're
>running 2.4.20 kernels (mostly vanilla) with iptables 1.2.7a.
>
>Here are some system limits I am tweaking (ie. the commands to do the
>tweaking):
>echo 1 >/proc/sys/net/ip_forward
>echo 524280 >/proc/sys/fs/file-max
>echo 524280 >/proc/sys/net/ipv4/ip_conntrack_max
>echo 65535 >/proc/sys/net/ipv4/ip_queue_maxlen
>echo 65535 >/proc/sys/net/ipv4/tcp_max_syn_backlog
>#     NONE    EST     SYN_S   SYN_R   FIN_W   TIME_W  CLOSE   CLOSE_W LAST_A  LISTEN
>echo "1800    21600   120     60      30      30      10      30      30      120     " > /proc/sys/net/ipv4/ip_conntrack_tcp_timeouts
>ulimit -H -n 524280
>ulimit -S -n 524280
>iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
>
>
>Because every new connection to one of the systems 'behind' these systems
>needs to be re-directed to a local port, which is achieved with the command:
>/sbin/iptables -t nat -A PREROUTING -j DNAT -i eth0 -p tcp -d <ip-range> --destination-port 1024:65535 --to-destination <local_ip>:<local_port>
>
>Every inbound connection incurs an entry in the connection tracking table.
>It seems, however, that we may be overloading the conntrack system.  I can
>telnet to a different port listening on a secondary (internal) interface
>(but the same application), that bypasses the above rule, and get an
>immediate connection, however establishing a connection 'to' a server behind
>this router can take a number of seconds, and sometimes may never establish.
>What's more, connecting directly to the port everything else is being
>re-directed to via the 'public' interface itself can take some time (though
>not as long as connecting 'to' a system behind this box).
>
>The conntrack table itself very quickly grows - but it does not clean itself
>up when the connection itself disappears, instead it waits for some
>pre-determined timeout value, which means even though, as shown above, the
>number of connections in-progress (one way or another) is about 8000
>connections, the conntrack table is absolutely huge (hundreds of thousands
>of entries), and as time goes on, the larger it gets.  To try to combat
>this, I've reduced the biggest timer (how long an established connection
>stays in conntrack) from 5 days to 6 hours (all the connections we have are,
>and should be, short lived, so that is plenty of time).  This helps a bit,
>however I'm still at a loss to try to understand why conntrack does not
>clean itself up when the connection gets closed.
>
>Of course, seeing how big the conntrack table is, itself, impacts the system
>dramatically.  The 'wc -l /proc/net/ip_conntrack' command takes a long time
>to run, and brings the 'active' processing to its knees while doing this.
>From all appearances, it appears conntrack is hamstringing us.  It appears
>it is not able to properly handle large-traffic systems, especially where
>essentially every connection going through the system is nat'd.
>
>I'd appreciate ANY help or thoughts on how to remedy this issue, as I have
>said, this is in use in an enterprise environment (which of course, means I
>cannot divulge the purpose of the application I mentioned earlier (however
>all you really need to know is the application does not really know (or
>care) whether the connection to it is nat'd, and just uses it as a standard
>socket connection), however I can give details on the system/kernel/netfilter
>configuration as necessary, just let me know what further information you
>require).
>
>I thank you in advance, and apologise for mailing all 3 lists, however I
>figured someone on ONE of these lists would have an idea or a suggestion.
>
>-- 
>PreZ
>Systems Administrator
>Shadow Realm
>
>PGP FingerPrint: B3 0C F3 32 DE 5A 7D 90  26 F6 FA 38 CC 0A 2D D8
>Finger prez@xxxxxxxxxxxxx for full PGP public key.
>
>Shadow Realm, a hobbyist ISP supplying real internet services.
>http://www.srealm.net.au
>
>
>
>--__--__--
>
>Message: 10
>From: "Preston A. Elder" <prez@xxxxxxxxxxxxx>
>Organization: Shadow Realm
>To: Harald Welte <laforge@xxxxxxxxxxxxx>
>Subject: Re: [netfilter-core] iptables/conntrack in enterprise environment.
>Date: Thu, 29 May 2003 08:09:52 -0400
>Cc: netfilter@xxxxxxxxxxxxxxxxxxx,
>	netfilter-devel@xxxxxxxxxxxxxxxxxxx, coreteam@xxxxxxxxxxxxx
>
>
>On Thursday 29 May 2003 04:39 am, Harald Welte wrote:
> > On Thu, May 29, 2003 at 01:13:47AM -0400, Preston A. Elder wrote:
> > > Hi,
> > >
> > > I am in an enterprise environment and I'm having some problems with
> > > conntrack specifically.
> > >
> > > They're running 2.4.20 kernels (mostly vanilla) with iptables 1.2.7a.
> >
> > Do not use 2.4.20 if you want to use connection tracking.  2.4.20
> > connection tracking is totally broken due to a change introduced in the
> > core kernel.
> >
> > Please do always use patch-o-matic from CVS.  The patch you want to
> > apply for fixing this bug is 10_confirm_fix.patch
>This patch was applied already.  In fact, I'm using Gentoo (but using the
>'vanilla' kernel from gentoo, so it's not got every patch under the sun), and
>I specifically picked out and applied the following patches:
>018_gcc31-compile-optimizations
>021_ecc-20020904
>701_iptables-20_iptables-proc
>702_iptables-24_conntrack-nosysctl
>722_iptables-tcplimit
>724_iptables-u32
>741_iptables-ip_conntrack_find
>742_iptables-ip_ct_refresh_optimization
>744_iptables-03_ip_conntrack_proto_tcp-lockfix
>747_iptables-06_ftp-conntrack-msg-fix
>748_iptables-07_ECN-tcpchecksum-littleendian-fix
>752_iptables-10_confirm_fix
>753_iptables-10_local-nat-expectfn
>759_iptables-24_conntrack-modify-after-free-fix
>760_iptables-25_ip_tables-comment-fix
>766_iptables-33_ipqueue_memoryleak
>764_iptables-31_nat_parse_fix
>770_iptables-ip_conntrack-timeouts
>900_quick-fixes
>902_minor_fixes
>
>Please let me know if you think one is missing I should try.
>
> > Also, considering
> >
> > > echo 524280 >/proc/sys/net/ipv4/ip_conntrack_max
> >
> > without using a larger hash size (modprobe ip_conntrack hashsize=foo,
> > where foo should be a prime number and in the range of 524280/2)
>I'll try this and report back.
>
> > > to be re-directed to a local port, which is achieved with the command:
> > > /sbin/iptables -t nat -A PREROUTING -j DNAT -i eth0 -p tcp -d 
><ip-range>
> > > - --destination-port 1024:65535 --to-destination 
><local_ip>:<local_port>
> > >
> > > Every inbound connection incurs an entry in the connection tracking
> > > table.  It seems, however, that we may be overloading the conntrack
> > > system.
> >
> > I've seen systems with way more conntrack entries and higher bandwith.
> > Using NAT however, might have a big performance impact.
>Well, this system itself isn't doing 'nat', however, by implication, the
>above rule makes every connection nat'd.
>
> > > The conntrack table itself very quickly grows - but it does not clean
> > > itself up when the connection itself dissapears, instead it waits for
> > > some pre-determined timeout value,
> >
> > With a non-broken kernel it is 2 minutes, that is TIME_WAIT of a TCP
> > socket.
>That was not my point.  My point was, for up to 5 days later, the system
>still has entries in the conntrack table (listed as 'ESTABLISHED'), which
>have been dead and gone for a long time, conntrack does not realise that
>connection is utterly closed, and it should drop its conntrack entry.  I'm
>not as worried about the lower-value timeouts, but as I said, I saw A LOT
>of established connections hanging around in the conntrack table (making
>the conntrack table about 200,000 entries long, give or take), most of
>which were entries for connections already closed.
>
>-- 
>PreZ
>Systems Administrator
>Shadow Realm
>
>PGP FingerPrint: B3 0C F3 32 DE 5A 7D 90  26 F6 FA 38 CC 0A 2D D8
>Finger prez@xxxxxxxxxxxxx for full PGP public key.
>
>Shadow Realm, a hobbyist ISP supplying real internet services.
>http://www.srealm.net.au
>
>
>
>
>--__--__--
>
>End of netfilter Digest
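Message 6 of the quoted digest above explains why the converted ruleset with `-s 10.0.0.0/25 -j soporte` can never accept 10.0.1.1. The following is an added example, not from the list, that walks a source address through the FORWARD chain and the user-defined soporte chain the way iptables does, for both the original /25 match and the /16 correction; the FORWARD chain's policy is assumed to be ACCEPT, which the digest does not state.

```python
"""Chain walk for the ipchains-to-iptables conversion in message 6 of the
quoted digest. Added example, not from the list. The FORWARD policy of
ACCEPT is an assumption.
"""
import ipaddress

TERMINAL = {"ACCEPT", "DROP"}


def soporte_ruleset(forward_src):
    """The rules from the digest, parameterised on the FORWARD match.

    Each rule is (source network, target); a target that is not a terminal
    verdict names a user-defined chain to jump to.
    """
    return {
        "FORWARD": [(forward_src, "soporte")],
        "soporte": [("10.0.1.1/32", "ACCEPT"), ("0.0.0.0/0", "DROP")],
    }


def walk(chains, chain, src, policy="ACCEPT", trace=None):
    """Evaluate a source address against a chain the way iptables does.

    The first matching rule decides. A jump enters the user chain; if that
    chain falls through without a verdict, evaluation resumes at the next
    rule of the caller. A built-in chain that falls through applies its
    policy; a user chain that falls through returns None to its caller.
    Returns (verdict, trace) where trace lists the rules consulted.
    """
    trace = [] if trace is None else trace
    addr = ipaddress.ip_address(src)
    for net, target in chains[chain]:
        if addr not in ipaddress.ip_network(net):
            continue
        trace.append("%s: -s %s -j %s" % (chain, net, target))
        if target in TERMINAL:
            return target, trace
        verdict, _ = walk(chains, target, src, policy=None, trace=trace)
        if verdict is not None:
            return verdict, trace
    trace.append("%s: end of chain" % chain)
    return policy, trace


def verdict_for(forward_src, src):
    """Verdict for `src` with the given FORWARD source match."""
    return walk(soporte_ruleset(forward_src), "FORWARD", src)[0]


if __name__ == "__main__":
    # With /25, 10.0.1.1 never enters soporte and only reaches the policy;
    # everything that does enter soporte is dropped. With /16 the intended
    # ACCEPT for 10.0.1.1 is reached.
    for forward_src in ("10.0.0.0/25", "10.0.0.0/16"):
        for src in ("10.0.1.1", "10.0.0.5", "10.0.200.7"):
            verdict, trace = walk(soporte_ruleset(forward_src), "FORWARD", src)
            print(forward_src, src, "->", verdict, "|", "; ".join(trace))
```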
