[Firehol-support] Disable ip_conntrack table

Costa Tsaousis costa at tsaousis.gr
Fri Dec 14 20:47:18 GMT 2007


Sim wrote:
> Hi!
> I have this simple config with 2 ethernet.
> There isn't NAT from eth0 to eth1 and from eth1 to eth0, or rules from
> two ethernet, but my ip_conntrack show this:
>
> # cat /proc/net/ip_conntrack | wc -l
> 18222
>
>
> I'm afraid for future! Can I disable policy from two ethernet and use
> my linux box as router without limits and with security only for
> service over it?
>
> Thanks!
> Sim
>
> ################################################################
> interface eth0 wan
>
>         # The default policy is DROP. You can be more polite with REJECT.
>         policy drop
>
>         protection strong
>
>         # Here are the services listening on bond0.
>         server ping accept
>         server "http" accept src "x.x.x.x."
>
>         # The following means that this machine can REQUEST anything via bond0.
>         client all accept
>
>
> interface eth1 lan
>
>         # The default policy is DROP. You can be more polite with REJECT.
>         policy drop
>
>         # > protection strong
>
>         # Here are the services listening on bond1.
>         server ping accept
>         server http accept
>         server "ssh" accept src "x.y.x.y"
>
>         # The following means that this machine can REQUEST anything via bond1.
>         client all accept
>
> ############################################################################################
>
> router wan2lan inface eth0 outface eth1
>
>         route all accept
>
>
> router lan2wan inface eth1 outface eth0
>
>         route all accept
>   
Sim,

/proc/net/ip_conntrack shows all the connections registered in the 
iptables connection tracker. Depending on the services you offer, the 
number of 18.000 entries in that list may be too small or too big.

You can increase the upper limit by running:

sysctl -w net.nf_conntrack_max=1048576

I don't know if you can disable the connection tracker completely for 
some of the traffic (routed traffic in your example).
You can try these:

a. policy accept

router wan2lan inface eth0 outface eth1
	policy accept

there is no need to define the opposite router.


b. Use "anystateless" instead of "all"

router wan2lan inface eth0 outface eth1
	server anystateless route1 accept
	client anystateless route2 accept


c. Just append this iptables command to your firehol.conf:

iptables -t filter -A FORWARD -j ACCEPT


I don't believe however that the connection tracker will stop functioning. Possibly the only way to disable the connection tracker is not to load the kernel module at all (which is not possible with firehol).

Please share with us your findings...

Costa
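An added example, not code from this thread, from Sim's configuration or from FireHOL itself: a POSIX shell script that answers the question Sim and Costa circle around, namely whether the tracker's table is close to its limit, and what is sitting in it. It compares the entry count with the maximum (the `nf_conntrack_max` value Costa suggests raising), counts `[UNREPLIED]` entries (half-open conversations, the usual sign that the table is being filled by traffic nobody answers), and summarises entries by protocol and state. The table lines in `SAMPLE` are constructed, the 80% warning threshold is an assumption, and the `/proc` paths are the standard ones for the old `ip_conntrack` and the newer `nf_conntrack` listings. The script only measures; it does not change which traffic is tracked.

```shell
#!/bin/sh
# Added example (not from the thread): how full is the conntrack table, and
# what is in it? Once the table is full the kernel drops new connections, so
# watching the count against the limit is the first line of defence.

# Constructed sample in /proc/net/ip_conntrack format (the file Sim counted).
SAMPLE='tcp      6 431999 ESTABLISHED src=192.0.2.10 dst=198.51.100.5 sport=40312 dport=80 packets=12 bytes=1800 src=198.51.100.5 dst=192.0.2.10 sport=80 dport=40312 packets=10 bytes=9000 [ASSURED] mark=0 use=1
tcp      6 119 SYN_SENT src=192.0.2.11 dst=198.51.100.5 sport=51000 dport=80 packets=1 bytes=60 [UNREPLIED] src=198.51.100.5 dst=192.0.2.11 sport=80 dport=51000 packets=0 bytes=0 mark=0 use=1
tcp      6 118 SYN_SENT src=192.0.2.12 dst=198.51.100.5 sport=51001 dport=80 packets=1 bytes=60 [UNREPLIED] src=198.51.100.5 dst=192.0.2.12 sport=80 dport=51001 packets=0 bytes=0 mark=0 use=1
udp      17 29 src=192.0.2.20 dst=198.51.100.53 sport=5353 dport=53 packets=1 bytes=70 src=198.51.100.53 dst=192.0.2.20 sport=53 dport=5353 packets=1 bytes=150 mark=0 use=1
icmp     1 29 src=192.0.2.21 dst=198.51.100.5 type=8 code=0 id=3 packets=1 bytes=84 src=198.51.100.5 dst=192.0.2.21 type=0 code=0 id=3 packets=1 bytes=84 mark=0 use=1'

# Integer percentage of the table in use. Usage: conntrack_usage_pct COUNT MAX
conntrack_usage_pct() {
    count=$1
    max=$2
    [ -n "$max" ] && [ "$max" -gt 0 ] 2>/dev/null || { echo 0; return 1; }
    echo $(( count * 100 / max ))
}

# The newer /proc/net/nf_conntrack listing prefixes each line with an address
# family ("ipv4 2 tcp 6 ..."); strip those two fields so both formats parse
# the same way downstream.
conntrack_normalize() {
    awk '$1 == "ipv4" || $1 == "ipv6" { $1 = ""; $2 = "" } { print }'
}

# Count entries per "proto state" pair from ip_conntrack-format input on stdin.
# Only TCP carries a state word in field 4; UDP and ICMP get "-".
conntrack_summary() {
    awk '{
        proto = $1
        state = ($4 ~ /^[A-Z_]+$/) ? $4 : "-"
        n[proto " " state]++
    } END { for (k in n) print k, n[k] }' | sort
}

# Half-open entries: the other side never answered. A large share of these
# relative to the total is the pattern to alert on.
conntrack_unreplied() {
    grep -c '\[UNREPLIED\]' || true
}

# Report on one table file. $1 = path to the listing, $2 = configured maximum.
conntrack_report() {
    table=$1
    max=$2
    count=$(grep -c . "$table" || true)
    pct=$(conntrack_usage_pct "$count" "$max" || true)
    printf 'entries: %s / %s (%s%% in use)\n' "$count" "$max" "$pct"
    if [ "$pct" -ge 80 ]; then   # 80% threshold is an assumption, tune to taste
        echo "WARNING: table nearly full; new connections are dropped at $max"
    fi
    printf 'unreplied (half-open) entries: %s\n' "$(conntrack_unreplied < "$table")"
    conntrack_normalize < "$table" | conntrack_summary
}

# Use the live table when one is readable, otherwise the constructed sample.
if [ -r /proc/net/ip_conntrack ]; then
    conntrack_report /proc/net/ip_conntrack \
        "$(cat /proc/sys/net/ipv4/netfilter/ip_conntrack_max 2>/dev/null)"
elif [ -r /proc/net/nf_conntrack ]; then
    conntrack_report /proc/net/nf_conntrack \
        "$(cat /proc/sys/net/netfilter/nf_conntrack_max 2>/dev/null)"
else
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE" > "$tmp"
    conntrack_report "$tmp" 65536
    rm -f "$tmp"
fi
```

With Sim's figure of 18222 entries and a 65536-entry table the script reports 27% in use; after Costa's `sysctl -w net.nf_conntrack_max=1048576` the same count is 1%. Raising the limit costs kernel memory per entry, so the summary lines matter as much as the percentage: a table dominated by `SYN_SENT` or `[UNREPLIED]` entries is not growing because of legitimate load. None of Costa's three suggestions, nor this script, stops entries from being created; that would need the traffic exempted from tracking in the kernel rather than merely accepted by the FORWARD chain.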