Dear Roman,

how can I set conntrack liberal globally (via proc)?

Best Regards,
==========================
Khaled J. Hussein
Senior System Engineer
Bisan Systems Ltd.
Tel: +970-22985941
Fax: +970-22985942
Web: www.bisan.com
Email: khaled@xxxxxxxxx
==========================

On Thu, 2010-04-01 at 16:20 +0200, Roman Fiedler wrote:
> Khaled Hussein wrote:
> > Dear All,
> >
> > I am running a machine with diskless boot; it is running CentOS. I have a problem with iptables: when I restart iptables I lose the connection to the NFS server, so I lose my hard disks and the machine becomes unreachable. This happens when I use DROP as the default policy on the INPUT, OUTPUT and FORWARD chains. I tried to use the mangle table with default ACCEPT on these chains, but it is the same unless I change the default policy to ACCEPT on the above chains. So, is there any way to avoid this problem?
>
> I had the same problem with an autosetup thingy recently. I think that the following fixed the problem for me (and not something else that I overlooked while tuning the configs):
>
> * Set conntrack liberal globally (via proc)
>
> * Load a minimal iptables set with ACCEPT on all chains (which is as secure as having no rules, like before, so nothing lost)
>
> * Make sure to have traffic on all connections you want to keep alive; netfilter seems to create conntracks for them (you might use the conntrack tools for the same work also). In your case you might open a file you haven't read yet to force NFS traffic.
>
> * Switch to your final ruleset, which has a --state ESTABLISHED -j ACCEPT at the beginning of each chain (I loaded with iptables-restore to avoid glitches that might kill a connection)
>
> * Disable conntrack liberal
>
> The final rules were strict, with output filtering and stateful connection tracking.
>
> Hope this is helpful,
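Roman's five-step cutover as a script, added here as an example and not code from either poster. It assumes the nf_conntrack sysctl names (`/proc/sys/net/netfilter/nf_conntrack_tcp_be_liberal` and `/proc/net/nf_conntrack`; older kernels expose them under `/proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal` and `/proc/net/ip_conntrack`), and `NFS_SERVER` / `NFS_MOUNT` are constructed placeholders. The script refuses to load the strict ruleset until conntrack actually holds a flow to the NFS server, so a missed step 3 cannot cut off the root disk.

```shell
#!/bin/sh
# Added example: Roman's cutover sequence, with a conntrack check before the
# strict ruleset goes live. Paths and addresses are placeholders / assumptions.
NFS_SERVER="${NFS_SERVER:-192.0.2.10}"   # constructed placeholder
NFS_MOUNT="${NFS_MOUNT:-/usr}"           # an NFS-backed tree to read from
LIBERAL=/proc/sys/net/netfilter/nf_conntrack_tcp_be_liberal
CT_TABLE=/proc/net/nf_conntrack

# Step 2: everything ACCEPT; no worse than running without rules at all.
open_ruleset() {
  printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' ':FORWARD ACCEPT [0:0]' \
    ':OUTPUT ACCEPT [0:0]' 'COMMIT'
}

# Step 4: strict policy. The stateful ACCEPT is the first rule of every chain
# so the tracked NFS session survives; one NEW rule lets the client reconnect
# to NFS over TCP (port 2049) if the tracked session ever drops.
final_ruleset() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -d $NFS_SERVER -p tcp --dport 2049 -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# Step 3 check: does conntrack hold a tracked flow to the NFS server?
nfs_tracked() { grep -qF "dst=$NFS_SERVER " "$CT_TABLE" 2>/dev/null; }

apply_cutover() {
  echo 1 > "$LIBERAL"                  # 1. liberal: pick up mid-stream TCP
  open_ruleset | iptables-restore      # 2. accept-all, loaded atomically
  ls -lR "$NFS_MOUNT" >/dev/null 2>&1  # 3. force traffic on the NFS session
  nfs_tracked || { echo "no conntrack entry for $NFS_SERVER, keeping open rules" >&2; return 1; }
  final_ruleset | iptables-restore     # 4. strict ruleset, loaded atomically
  echo 0 > "$LIBERAL"                  # 5. back to strict TCP tracking
}

# Only touch the live firewall when explicitly asked (must run as root).
case "${1:-}" in --apply) apply_cutover ;; esac
```

Run it as `sh cutover.sh --apply` from a console that does not depend on the NFS root, and keep the open ruleset loaded if the check fails.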