Not able to see connection entries in ip_conntrack file!!
Hi to all,
I'm trying to see the connections established on a firewall by looking at the contents of the file ip_conntrack by using this command:
Code:
cat /proc/net/ip_conntrack
The rules used on the firewall are:
Code:
iptables -P FORWARD DROP
iptables -A FORWARD -s 192.168.10.0/24 -d 192.168.10.0/24 -p icmp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
I have chosen all the modules related to connection tracking in my 2.6.20.4 kernel on the firewall machine. I'm using iptables 1.3.7 and Fedora Core 5.
Okay, can you confirm whether or not connection tracking (and packet filtering in general) is actually working on the box?? Because if it is not, then that's the core issue we would need to address, not the fact that nothing is showing up in ip_conntrack... If it *is* working, please explain the test you performed...
Did you recompile iptables after the kernel compile?? It sounds like you manually changed your kernel config's netfilter section, which would make recompiling iptables (while running the new kernel) a pretty sane idea... Anyhow, it's just a thought, I'm not saying this is your cause or anything...
BTW, here's what my known-good (Ubuntu 7.04 default) netfilter kernel config looks like, in case you want to compare (I'm on kernel 2.6.20.x also):
Code:
win32sux@candystore:~# cat /boot/config-2.6.20-15-generic | grep "CONFIG_NETFILTER"
CONFIG_NETFILTER=y
# CONFIG_NETFILTER_DEBUG is not set
CONFIG_NETFILTER_NETLINK=m
CONFIG_NETFILTER_NETLINK_QUEUE=m
CONFIG_NETFILTER_NETLINK_LOG=m
CONFIG_NETFILTER_XTABLES=m
CONFIG_NETFILTER_XT_TARGET_CLASSIFY=m
# CONFIG_NETFILTER_XT_TARGET_CONNMARK is not set
CONFIG_NETFILTER_XT_TARGET_DSCP=m
CONFIG_NETFILTER_XT_TARGET_MARK=m
CONFIG_NETFILTER_XT_TARGET_NFQUEUE=m
CONFIG_NETFILTER_XT_TARGET_NFLOG=m
# CONFIG_NETFILTER_XT_TARGET_NOTRACK is not set
CONFIG_NETFILTER_XT_TARGET_SECMARK=m
CONFIG_NETFILTER_XT_TARGET_CONNSECMARK=m
CONFIG_NETFILTER_XT_MATCH_COMMENT=m
CONFIG_NETFILTER_XT_MATCH_CONNBYTES=m
CONFIG_NETFILTER_XT_MATCH_CONNMARK=m
CONFIG_NETFILTER_XT_MATCH_CONNTRACK=m
CONFIG_NETFILTER_XT_MATCH_DCCP=m
CONFIG_NETFILTER_XT_MATCH_DSCP=m
CONFIG_NETFILTER_XT_MATCH_ESP=m
CONFIG_NETFILTER_XT_MATCH_HELPER=m
CONFIG_NETFILTER_XT_MATCH_LENGTH=m
CONFIG_NETFILTER_XT_MATCH_LIMIT=m
CONFIG_NETFILTER_XT_MATCH_MAC=m
CONFIG_NETFILTER_XT_MATCH_MARK=m
CONFIG_NETFILTER_XT_MATCH_POLICY=m
CONFIG_NETFILTER_XT_MATCH_MULTIPORT=m
CONFIG_NETFILTER_XT_MATCH_PHYSDEV=m
CONFIG_NETFILTER_XT_MATCH_PKTTYPE=m
CONFIG_NETFILTER_XT_MATCH_QUOTA=m
CONFIG_NETFILTER_XT_MATCH_REALM=m
CONFIG_NETFILTER_XT_MATCH_SCTP=m
CONFIG_NETFILTER_XT_MATCH_STATE=m
CONFIG_NETFILTER_XT_MATCH_STATISTIC=m
CONFIG_NETFILTER_XT_MATCH_STRING=m
CONFIG_NETFILTER_XT_MATCH_TCPMSS=m
CONFIG_NETFILTER_XT_MATCH_HASHLIMIT=m
win32sux@candystore:~#
on a side note, your FORWARD rule is using the same network in its -d and -s matches... a host on the same network as the destination hosts wouldn't use a router/gateway/firewall for the connection...
Last edited by win32sux; 05-11-2007 at 08:31 PM.
Reason: added grep for IPTABLES...
I tried to check if connection tracking was working. I did lsmod and found that none of the ip_conntrack modules were loaded. I guess that's why connection tracking isn't working. But I noticed one thing: when I boot the default kernel of Fedora Core 5 (2.6.15...), the modules are there when I do lsmod, but when I boot the 2.6.20.4 kernel, they are not present, although I checked all the options relating to netfilter and connection tracking.
I don't know if this has to do with SELinux modules... I've had many problems while installing new software. I tried to change SELinux to "permissive mode" and even disabled the firewall settings in the system-config-security dialog box, but connection tracking still won't work.
What do I do from here?
Warm regards,
Visham
Last edited by vishamr2000; 05-09-2007 at 01:53 PM.
Quote:
I tried to check if connection tracking was working. I did lsmod and found that none of the ip_conntrack modules were loaded. I guess that's why connection tracking isn't working. But I noticed one thing: when I boot the default kernel of Fedora Core 5 (2.6.15...), the modules are there when I do lsmod, but when I boot the 2.6.20.4 kernel, they are not present, although I checked all the options relating to netfilter and connection tracking.
You did the "make modules" and "make modules_install", right??
Quote:
You did the "make modules" and "make modules_install", right??
Yes I did. Normally I do this:
Code:
make && make modules_install && make install
otherwise I wouldn't be able to boot with the new kernel. Do you think it's SELinux that is causing these problems? Do I have to change some kind of context?
Last edited by vishamr2000; 05-10-2007 at 01:39 AM.
I have built the iptables modules in my 2.6.20.4 kernel itself. Is that what might be causing the fact that I am unable to see the contents of the ip_conntrack file? Should I select the options as modules?
Quote:
I have built the iptables modules in my 2.6.20.4 kernel itself. Is that what might be causing the fact that I am unable to see the contents of the ip_conntrack file?
If you get the option of choosing module or built-in then it *should* work either way... but yeah, sometimes stuff won't work right as a module or vice versa... You need to test...
Quote:
Should I select the options as modules?
It wouldn't hurt to try and see if that fixes your issue... Most distro kernels I've seen come with all of this as modules, much like the config I posted above... BTW: to be on the safe side, I'd suggest recompiling iptables after you've booted your new kernel...
It works when I compile the things required for connection tracking as modules, and not as part of the kernel image.
Many, many thanks to you win32sux... I really appreciated your effort and patience in helping me out.
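The thread turns on two checks that nobody spelled out: is connection tracking actually compiled into the kernel (and as built-in or as a module), and what does a tracked connection look like once it lands in the table. The script below is an added example written for this page; it is not code from the thread or from the netfilter project. It assumes the 2.6.20-era Kconfig layout, where the older CONFIG_IP_NF_CONNTRACK exposes /proc/net/ip_conntrack and the newer layer-3-independent CONFIG_NF_CONNTRACK_IPV4 exposes /proc/net/nf_conntrack instead, so a kernel built with only the latter never produces the file the OP was reading. The config fragments and conntrack lines it parses are constructed samples embedded in the script so it runs offline; pass --live on a real box to compare its config with what /proc and lsmod actually show.

```shell
#!/bin/sh
# Added example (not from the thread): diagnose how connection tracking was built
# and read the resulting table. Assumes 2.6.20-style config symbols:
#   CONFIG_IP_NF_CONNTRACK   -> /proc/net/ip_conntrack  (old, layer-3 dependent)
#   CONFIG_NF_CONNTRACK_IPV4 -> /proc/net/nf_conntrack  (new, layer-3 independent)

# config_state CONFIG_FILE SYMBOL -> prints y (built-in), m (module) or n (unset/absent).
# The trailing [= ] keeps CONFIG_NF_CONNTRACK from matching CONFIG_NF_CONNTRACK_IPV4.
config_state() {
    line=$(grep -E "^(# )?$2[= ]" "$1" | head -n 1)
    case "$line" in
        "$2=y") echo y ;;
        "$2=m") echo m ;;
        *)      echo n ;;
    esac
}

# conntrack_procfile CONFIG_FILE -> the /proc file the enabled implementation provides.
conntrack_procfile() {
    if [ "$(config_state "$1" CONFIG_IP_NF_CONNTRACK)" != n ]; then
        echo /proc/net/ip_conntrack
    elif [ "$(config_state "$1" CONFIG_NF_CONNTRACK_IPV4)" != n ]; then
        echo /proc/net/nf_conntrack
    else
        echo none
    fi
}

# conntrack_summary TABLE_FILE -> "proto count" per protocol, sorted.
conntrack_summary() {
    awk '{ n[$1]++ } END { for (p in n) print p, n[p] }' "$1" | sort
}

# conntrack_unreplied TABLE_FILE -> number of entries that never saw a reply packet.
# A ping whose echo reply is dropped by the firewall stays [UNREPLIED]; a successful
# flow loses that tag (TCP entries become [ASSURED] once both directions are seen).
conntrack_unreplied() {
    awk '/\[UNREPLIED\]/ { c++ } END { print c + 0 }' "$1"
}

# conntrack_by_orig_src TABLE_FILE IP -> entries whose original direction came from IP.
# Each line carries two tuples: the first src= is the original direction, the second
# src= is the expected reply, so only the first src= field is compared.
conntrack_by_orig_src() {
    awk -v ip="$2" '{
        for (i = 1; i <= NF; i++)
            if (index($i, "src=") == 1) { if ($i == ("src=" ip)) print; break }
    }' "$1"
}

# --- constructed sample data (hypothetical, for offline use) ----------------------
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

# A config built the way the OP first did (conntrack built into the image)...
cat > "$SAMPLE_DIR/config-builtin" <<'EOF'
CONFIG_NETFILTER=y
CONFIG_IP_NF_CONNTRACK=y
CONFIG_IP_NF_FTP=y
# CONFIG_NF_CONNTRACK_IPV4 is not set
EOF

# ...and one that picked the newer implementation as modules.
cat > "$SAMPLE_DIR/config-modules" <<'EOF'
CONFIG_NETFILTER=y
# CONFIG_IP_NF_CONNTRACK is not set
CONFIG_NF_CONNTRACK_IPV4=m
EOF

# Three table entries in the ip_conntrack text format: an ssh session, a ping whose
# reply never came back, and a DNS lookup (hosts and counters are made up).
cat > "$SAMPLE_DIR/ip_conntrack" <<'EOF'
tcp      6 431999 ESTABLISHED src=192.168.10.5 dst=192.168.10.1 sport=45678 dport=22 packets=12 bytes=1580 src=192.168.10.1 dst=192.168.10.5 sport=22 dport=45678 packets=9 bytes=2244 [ASSURED] mark=0 use=1
icmp     1 29 src=192.168.10.5 dst=192.168.10.20 type=8 code=0 id=4321 packets=1 bytes=84 [UNREPLIED] src=192.168.10.20 dst=192.168.10.5 type=0 code=0 id=4321 packets=0 bytes=0 mark=0 use=1
udp      17 27 src=192.168.10.1 dst=192.168.10.254 sport=53401 dport=53 packets=1 bytes=62 src=192.168.10.254 dst=192.168.10.1 sport=53 dport=53401 packets=1 bytes=118 mark=0 use=1
EOF

# --- live mode: run on the firewall itself ----------------------------------------
if [ "${1:-}" = "--live" ]; then
    cfg=/boot/config-$(uname -r)
    echo "config says: $(conntrack_procfile "$cfg")" \
         "(IP_NF_CONNTRACK=$(config_state "$cfg" CONFIG_IP_NF_CONNTRACK)," \
         "NF_CONNTRACK_IPV4=$(config_state "$cfg" CONFIG_NF_CONNTRACK_IPV4))"
    for f in /proc/net/ip_conntrack /proc/net/nf_conntrack; do
        if [ -r "$f" ]; then echo "$f:"; conntrack_summary "$f"; fi
    done
    lsmod | grep -E 'conntrack' || echo "no conntrack modules loaded (built-in, or not compiled at all)"
fi
```

Run it without arguments and it only sets up the samples; call the functions on them (or on a real /boot/config-* and /proc/net/ip_conntrack) to get the state of each symbol, the expected /proc file, and a per-protocol count. To reproduce the test win32sux asked for, ping through the firewall from a host on another subnet and check that conntrack_by_orig_src for that host's address returns an icmp entry; if it shows [UNREPLIED], the forward path for the reply is being dropped.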