For some reason I can't seem to get the NOTRACK iptables rule to do anything at all. Can anyone make sense of the following session, which I think describes the problem better than words could? The session below was carried out on a reasonably busy server, and I didn't waste much time in between each command.

fantasma marcel # iptables-save
# Generated by iptables-save v1.4.2 on Fri Oct 2 07:28:30 2009
*filter
:INPUT ACCEPT [3195003:612499850]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2555099:4249706524]
COMMIT
# Completed on Fri Oct 2 07:28:30 2009
# Generated by iptables-save v1.4.2 on Fri Oct 2 07:28:30 2009
*raw
:PREROUTING ACCEPT [3604504:692724983]
:OUTPUT ACCEPT [2885938:4764142471]
COMMIT
# Completed on Fri Oct 2 07:28:30 2009
fantasma marcel # grep '127.0.0.1' /proc/net/ip_conntrack | wc
grep: /proc/net/ip_conntrack: No such file or directory
      0       0       0
fantasma marcel # iptables -t raw -A PREROUTING -i lo -j NOTRACK
fantasma marcel # grep '127.0.0.1' /proc/net/ip_conntrack | wc
grep: /proc/net/ip_conntrack: No such file or directory
      0       0       0
fantasma marcel # modprobe nf_conntrack_ipv4
fantasma marcel # grep '127.0.0.1' /proc/net/ip_conntrack | wc
     74    1405   14295
fantasma marcel # grep '127.0.0.1' /proc/net/ip_conntrack | wc
    178    3381   34425
fantasma marcel # grep '127.0.0.1' /proc/net/ip_conntrack | tail
tcp 6 114 TIME_WAIT src=127.0.0.1 dst=127.0.0.1 sport=44537 dport=11211 packets=9 bytes=1164 src=127.0.0.1 dst=127.0.0.1 sport=11211 dport=44537 packets=8 bytes=948 [ASSURED] mark=0 use=1
tcp 6 113 TIME_WAIT src=127.0.0.1 dst=127.0.0.1 sport=44462 dport=11211 packets=11 bytes=2003 src=127.0.0.1 dst=127.0.0.1 sport=11211 dport=44462 packets=10 bytes=1936 [ASSURED] mark=0 use=1
tcp 6 117 TIME_WAIT src=127.0.0.1 dst=127.0.0.1 sport=44742 dport=11211 packets=8 bytes=477 src=127.0.0.1 dst=127.0.0.1 sport=11211 dport=44742 packets=7 bytes=1535 [ASSURED] mark=0 use=1
tcp 6 115 TIME_WAIT src=127.0.0.1 dst=127.0.0.1 sport=44621 dport=11211 packets=9 bytes=837 src=127.0.0.1 dst=127.0.0.1 sport=11211 dport=44621 packets=8 bytes=621 [ASSURED] mark=0 use=1
tcp 6 119 TIME_WAIT src=127.0.0.1 dst=127.0.0.1 sport=44851 dport=11211 packets=8 bytes=477 src=127.0.0.1 dst=127.0.0.1 sport=11211 dport=44851 packets=7 bytes=1535 [ASSURED] mark=0 use=1
tcp 6 115 TIME_WAIT src=127.0.0.1 dst=127.0.0.1 sport=44599 dport=11211 packets=9 bytes=837 src=127.0.0.1 dst=127.0.0.1 sport=11211 dport=44599 packets=8 bytes=621 [ASSURED] mark=0 use=1
tcp 6 117 TIME_WAIT src=127.0.0.1 dst=127.0.0.1 sport=44714 dport=11211 packets=13 bytes=849 src=127.0.0.1 dst=127.0.0.1 sport=11211 dport=44714 packets=12 bytes=5310 [ASSURED] mark=0 use=1
tcp 6 113 TIME_WAIT src=127.0.0.1 dst=127.0.0.1 sport=44501 dport=11211 packets=12 bytes=5103 src=127.0.0.1 dst=127.0.0.1 sport=11211 dport=44501 packets=12 bytes=39594 [ASSURED] mark=0 use=1
tcp 6 119 TIME_WAIT src=127.0.0.1 dst=127.0.0.1 sport=44865 dport=11211 packets=8 bytes=477 src=127.0.0.1 dst=127.0.0.1 sport=11211 dport=44865 packets=7 bytes=1535 [ASSURED] mark=0 use=1
tcp 6 113 TIME_WAIT src=127.0.0.1 dst=127.0.0.1 sport=44479 dport=11211 packets=9 bytes=1193 src=127.0.0.1 dst=127.0.0.1 sport=11211 dport=44479 packets=8 bytes=977 [ASSURED] mark=0 use=1
fantasma marcel # iptables -t raw -A PREROUTING -s 127.0.0.1 -j NOTRACK
fantasma marcel # grep '127.0.0.1' /proc/net/ip_conntrack | wc
   1698   32261  327594
fantasma marcel # grep '127.0.0.1' /proc/net/ip_conntrack | wc
   1733   32926  334299
fantasma marcel # grep '127.0.0.1' /proc/net/ip_conntrack | wc
   1782   33852  343672

As you can see, I've tried NOTRACKing both lo and 127.0.0.1, and the rules just seem to be NOOPs. Any help would be appreciated.

Thanks.

-- 
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html