[Firehol-support] Disable ip_conntrack table

Costa Tsaousis costa at tsaousis.gr
Mon Dec 17 21:08:47 CET 2007


Sim wrote:
>> a. policy accept
>>
>> router wan2lan inface eth0 outface eth1
>>         policy accept
>>
>> there is no need to define the opposite router.
>>
>>     
>
> Hi Costa,
> this is the output with "policy accept" for "router"
>
>
> FireHOL: Saving your old firewall to a temporary file:     [  OK  ]
> FireHOL: Processing file /etc/firehol/firehol.conf:
> --------------------------------------------------------------------------------
> ERROR #: 1
> WHAT   : Creating chain 'out_wan2lan' under 'FORWARD' in table 'filter'
> WHY    : Primary command is 'router' but 'interface' is required.
> COMMAND: policy accept
> SOURCE : line 90 of /etc/firehol/firehol.conf
>
>
> NOTICE: No changes made to your firewall.
>                                                            [FAILED]
>   
Your firehol is too old. Use a recent release for this to work.

>> b. Use "anystateless" instead of "all"
>>
>> router wan2lan inface eth0 outface eth1
>>         server anystateless route1 accept
>>         client anystateless route2 accept
>>
>>     
>
> No error but without good results:
>
> # cat /proc/net/ip_conntrack  | wc -l
> 20312
>
>   
>> c. Just append this iptables command to your firehol.conf:
>>
>> iptables -t filter -A FORWARD -j ACCEPT
>>
>>     
>
> Another result with no error, but with the connection tracker at work
>
> # cat /proc/net/ip_conntrack  | wc -l
> 21734
>
>   

From the iptables manual:

raw:
This  table  is  used mainly for configuring exemptions from connection 
tracking in combination with the NOTRACK target.  It registers at the 
netfilter hooks with higher priority  and  is  thus  called before  
ip_conntrack, or any other IP tables.  It provides the following 
built-in chains: PREROUTING (for packets arriving via any network 
interface) OUTPUT (for packets generated by local processes).

Give it a try by appending these commands to firehol.conf:

---

# make sure we route traffic without state information
# this means that routers in firehol.conf are just disabled.
iptables -t filter -I FORWARD -j ACCEPT

# create a new chain
# we need this in order to write rules to exclude local traffic from NOTRACK
iptables -t raw -N notracking

# redirect all traffic to the new chain
iptables -t raw -A PREROUTING -j notracking

# exclude all traffic coming in from eth0 and going to the local machine
iptables -t raw -A notracking -i eth0 -d the.ip.of.this.host.on.eth0 -j RETURN
iptables -t raw -A notracking -i eth0 -d the.broadcast.ip.of.eth0 -j RETURN

# exclude all traffic coming in from eth1 and going to the local machine
iptables -t raw -A notracking -i eth1 -d the.ip.of.this.host.on.eth1 -j RETURN
iptables -t raw -A notracking -i eth1 -d the.broadcast.ip.of.eth1 -j RETURN

# exclude the generic broadcast address
iptables -t raw -A notracking -d 255.255.255.255 -j RETURN

# exclude multicast targets (224.0.0.0/4 is the whole IPv4 multicast range)
iptables -t raw -A notracking -d 224.0.0.0/4 -j RETURN

# if the traffic reaches this point, it is routed traffic - disable the
# connection tracker
iptables -t raw -A notracking -j NOTRACK

---

Of course, replace the placeholder IPs above with your real IPs.
To see the generated list, and how it matches traffic, run this:

iptables -t raw -nxvL

You should see that the RETURN rules match some traffic, and that the 
NOTRACK rule at the end matches traffic too.

When you start it, give the connection tracking list some time to shrink: 
the connections already in the list will most probably not just disappear; 
only new ones will no longer be added, so the existing connections have to 
close or time out before they are removed from the list.

Please let us know if it works.

Costa
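As an added example, not code from the original post or from FireHOL itself: the same raw-table rules as a small POSIX shell script that emits them as iptables-restore input, so the set can be reviewed and loaded in one go instead of rule by rule. It differs from the list above in one respect: it exempts both of the host's own addresses whatever interface a packet arrives on, because a packet from eth0 addressed to the eth1 IP is local traffic too and would otherwise be handed untracked to the host's stateful rules. The interface names eth0/eth1, the `apply` argument, the `iface_addr` helper (which assumes iproute2 and one IPv4 address per broadcast interface) and the `count_rules` sanity check are assumptions of this example. It also assumes the box does no NAT on forwarded traffic: packets marked NOTRACK never reach the nat table.

```shell
#!/bin/sh
# Added example, not code from the original post or from FireHOL: emit the
# raw-table NOTRACK rules as iptables-restore input so they can be reviewed
# and loaded atomically. Interface names, addresses and the "apply" argument
# are placeholders/assumptions.
set -eu

# gen_notrack_rules WAN_IF WAN_IP WAN_BCAST LAN_IF LAN_IP LAN_BCAST
# Prints a complete *raw table (iptables-restore syntax) on stdout.
gen_notrack_rules() {
    wan_if=$1 wan_ip=$2 wan_bcast=$3
    lan_if=$4 lan_ip=$5 lan_bcast=$6
    printf '%s\n' '*raw' \
        ':PREROUTING ACCEPT [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        ':notracking - [0:0]' \
        '-A PREROUTING -j notracking'
    # Anything addressed to one of this host's own IPs stays tracked no
    # matter which interface it arrives on (a packet from eth0 to the eth1
    # address is local traffic too), so the host's stateful rules keep working.
    for ip in "$wan_ip" "$lan_ip"; do
        printf '%s\n' "-A notracking -d $ip -j RETURN"
    done
    # Directed broadcasts only make sense on their own interface.
    printf '%s\n' "-A notracking -i $wan_if -d $wan_bcast -j RETURN"
    printf '%s\n' "-A notracking -i $lan_if -d $lan_bcast -j RETURN"
    # Limited broadcast, the whole IPv4 multicast range, then everything
    # left is forwarded traffic: exempt it from conntrack.
    printf '%s\n' \
        '-A notracking -d 255.255.255.255 -j RETURN' \
        '-A notracking -d 224.0.0.0/4 -j RETURN' \
        '-A notracking -j NOTRACK' \
        'COMMIT'
}

# count_rules TARGET RULESET: number of notracking rules jumping to TARGET.
# Sanity check before loading: exactly one NOTRACK, several RETURNs.
count_rules() {
    printf '%s\n' "$2" | grep -c "^-A notracking .*-j $1\$" || true
}

# iface_addr IFACE: prints "ADDRESS BROADCAST" for the first IPv4 address
# on IFACE. Assumes iproute2 and a broadcast interface (not point-to-point).
iface_addr() {
    ip -4 -o addr show dev "$1" | awk '{ print $4, $6; exit }' | sed 's#/[0-9]*##'
}

if [ "${1:-}" = apply ]; then
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
    wan=$(iface_addr eth0)   # each holds "ADDRESS BROADCAST"; split on purpose
    lan=$(iface_addr eth1)
    rules=$(gen_notrack_rules eth0 $wan eth1 $lan)
    [ "$(count_rules NOTRACK "$rules")" -eq 1 ]
    # Step 1 of the post: forward everything statelessly (FireHOL routers are
    # bypassed). -C avoids inserting the rule a second time on a re-run.
    iptables -t filter -C FORWARD -j ACCEPT 2>/dev/null \
        || iptables -t filter -I FORWARD -j ACCEPT
    # Only *raw is listed, so iptables-restore replaces just the raw table.
    printf '%s\n' "$rules" | iptables-restore
    iptables -t raw -nxvL notracking
fi
```

Run it as root with `sh notrack.sh apply` after FireHOL has loaded; without the argument it only defines the functions, so the ruleset can be generated and inspected first. Because the file lists only `*raw`, iptables-restore flushes and replaces the raw table alone and leaves filter and nat untouched, but anything else you keep in raw will be gone, so check `iptables -t raw -nxvL` before the first run.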