And the following documents for conntrack-tools all talk about:
"established TCP connections can be cut or blocked by removed entrance
in /proc/net/ip_conntrack"
http://conntrack-tools.netfilter.org/about.html
http://conntrack-tools.netfilter.org/manual.html
However, I removed the entry by timeout or manually with conntrack -D;
neither worked.
I am just wondering whether conntrack only works for tracing events, with no
functionality for filtering at all?
On 2011-11-25 11:41, lu zhongda wrote:
Hi, Gao Feng:
First thanks for your response!
I set the two timeouts to their corresponding values:
echo 60 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_established
echo 0 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_loose
The ESTABLISHED item for port 9999 was inserted after the connection was
created and removed after the 60-second timeout.
Using the conntrack tool supplied by iptables also proved this:
conntrack -E
[DESTROY] tcp 6 src=192.168.2.194 dst=192.168.2.166 sport=41570 dport=9999 packets=4 bytes=218 src=192.168.2.166 dst=192.168.2.194 sport=9999 dport=41570 packets=3 bytes=166
However, netstat indicated that the physical connection was still
there and the communication between the two endpoints was not blocked or
dropped.
netstat -an | grep 9999
tcp 0 0 192.168.2.166:9999 192.168.2.194:41570 ESTABLISHED
The state-related rule set in my configuration did not work at all:
-A INPUT -p udp -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state ESTABLISHED -j LOG --log-prefix "conn established::"
-A INPUT -p tcp -m state --state INVALID -j DROP
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j LOG --log-prefix "DROP invalid::"
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
The communication was not affected by the rules and there was no log in
/var/log/iptables.log.
As an explanation: I redirected my Linux kernel log to /var/log/iptables.log.
However, another rule in /etc/sysconfig/iptables did log, and the log was
found in /var/log/iptables.log:
-A INPUT -p tcp -m tcp --dport 9999 -j LOG --log-prefix "ACCEPT 9999::"
I attached my iptables rule set for reference.
Hope you can give me another hint and related rule set.
Thanks for your support.
On 2011-11-25 9:14, Gao feng wrote:
On 2011-11-24 17:46, lu zhongda wrote:
The timeout is defined in
/proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_established
, which defaults to 5 days; I changed it to a short value for
testing, such as 1 min.
The Linux shell command is:
echo "60" > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_established
The timeout for ESTABLISHED-type items does work, and the item
is removed after the timeout; however, the connection is not blocked or
dropped at all.
Hi zhongda.
How about echo 0 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_loose
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
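An added example, not part of the thread above and not the poster's attached rule set. Conntrack itself never drops anything: it only classifies packets, and the rule set has to act on that classification. Once an entry has expired or been deleted with conntrack -D, and ip_conntrack_tcp_loose is 0, the next mid-stream segment of that connection is classified INVALID (not NEW, so a rule that matches "--state NEW" on non-SYN packets never sees it). It is dropped only if an "--state INVALID -j DROP" rule is reached before any ACCEPT for the service port; an earlier "--dport 9999 -j ACCEPT" takes the packet first and the state rules are never evaluated. Whether that is what happened here cannot be confirmed without the attached rule set. The script below emits a rule set with the state checks first, checks the ordering with awk, and applies it; port 9999 and the log prefixes are taken from the thread, the chain policies and the two /proc paths for the tcp_loose knob are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): INPUT rule set with conntrack state
# checks BEFORE any per-port ACCEPT. Port 9999 and the log prefixes come
# from the thread; chain policies and /proc paths are assumptions.

# Emit the rule set in iptables-save format (pipe it into iptables-restore).
ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# 1. Packets conntrack refuses to classify. With tcp_loose=0 this is where a
#    mid-stream segment lands once its entry timed out or was removed with
#    "conntrack -D". Log it, then drop it.
-A INPUT -m state --state INVALID -j LOG --log-prefix "DROP invalid::"
-A INPUT -m state --state INVALID -j DROP
# 2. Packets that belong to a tracked connection.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# 3. Only now accept new connections, and only a real SYN
#    (--syn is shorthand for --tcp-flags SYN,RST,ACK,FIN SYN).
-A INPUT -p tcp --dport 9999 --syn -m state --state NEW -j LOG --log-prefix "ACCEPT 9999::"
-A INPUT -p tcp --dport 9999 --syn -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# Ordering check: the INVALID drop must precede the first ACCEPT for the
# service port, otherwise the accept matches first and the state rules are
# never evaluated. Prints "ok" or "bad" and exits 0 or 1 accordingly.
check_order() {
    ruleset | awk '
        /--state INVALID -j DROP/ && !drop { drop = NR }
        /--dport 9999/ && /-j ACCEPT/ && !acc { acc = NR }
        END {
            if (drop && acc && drop < acc) { print "ok"; exit 0 }
            print "bad"; exit 1
        }'
}

# Apply as root. Both sysctl paths are assumptions: the thread uses the
# ipv4/netfilter compatibility name, newer kernels expose the same knob
# under net/netfilter. Disabling tcp_loose makes untracked mid-stream
# segments INVALID instead of silently starting a new entry.
apply_rules() {
    for f in /proc/sys/net/netfilter/nf_conntrack_tcp_loose \
             /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_loose; do
        [ -w "$f" ] && echo 0 > "$f"
    done
    ruleset | iptables-restore
}

[ "$(check_order)" = ok ] && echo "rule order ok"
```

To reproduce the thread's test with this rule set, open a connection to port 9999, run `conntrack -D -p tcp --orig-port-dst 9999`, and send more data from the client: the next segment is logged with the "DROP invalid::" prefix and dropped. netstat still shows the socket as ESTABLISHED on both hosts until the client's retransmissions time out or an RST arrives, because deleting a conntrack entry only removes the firewall's bookkeeping; it does not signal the TCP sockets at either end.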