[Firehol-support] Disable ip_conntrack table
costa at tsaousis.gr
Mon Dec 17 20:12:59 GMT 2007
Costa Tsaousis wrote:
> From the iptables manual:
> This table is used mainly for configuring exemptions from connection
> tracking in combination with the NOTRACK target. It registers at the
> netfilter hooks with higher priority and is thus called before
> ip_conntrack, or any other IP tables. It provides the following
> built-in chains: PREROUTING (for packets arriving via any network
> interface) OUTPUT (for packets generated by local processes).
> Give it a try by appending these commands to firehol.conf:
> # make sure we route traffic without state information
> # this means that routers in firehol.conf are just disabled.
> iptables -t filter -I FORWARD -j ACCEPT
> # create a new chain
> # we need this in order to write rules to exclude local traffic from NOTRACK
> iptables -t raw -N notracking
> # redirect all traffic to the new chain
> iptables -t raw -A PREROUTING -j notracking
> # exclude all traffic coming in from eth0 and going to the local machine
> iptables -t raw -A notracking -i eth0 -d the.ip.of.this.host.on.eth0 -j RETURN
> iptables -t raw -A notracking -i eth0 -d the.broadcast.ip.of.eth0 -j RETURN
> # exclude all traffic coming in from eth1 and going to the local machine
> iptables -t raw -A notracking -i eth1 -d the.ip.of.this.host.on.eth1 -j RETURN
> iptables -t raw -A notracking -i eth1 -d the.broadcast.ip.of.eth1 -j RETURN
> # exclude the generic broadcast address
> iptables -t raw -A notracking -d 255.255.255.255 -j RETURN
> # exclude multicast targets
> iptables -t raw -A notracking -d 224.0.0.0/4 -j RETURN
> # if the traffic reaches this point, it is routed traffic - disable the connection tracker
> iptables -t raw -A notracking -j NOTRACK
> Of course replace the names of the IPs above, with your real IPs.
> To see the generated list, and how it matches traffic, run this:
> iptables -t raw -nxvL
> You should see that the RETURN rules match some traffic, and that the
> NOTRACK rule at the end matches traffic too.
> When you start it, give it some time for the connection tracking list to
> shrink (the connections already in the connection tracker list will,
> most probably, not just disappear - only the new ones will not be
> written to the list - so the existing connections will have to
> close/timeout to be removed from the list).
> Please let us know if it works.
Hm! You may need to set this in your kernel config:
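The kernel option that reply refers to is not preserved in the archive. Independently of it, as an added example that is not code from this thread or from the FireHOL project, here is a POSIX shell script that generates the raw-table rule set from the quoted recipe for any number of interfaces, and checks the output of "iptables -t raw -nxvL" for what the message says you should see: nonzero packet counters on the RETURN rules and on the final NOTRACK rule. The interface names and the 192.0.2.x / 198.51.100.x addresses are assumed placeholders (RFC 5737 documentation ranges), and the listing it checks is a constructed sample embedded in the script; on a real host you would pipe the live listing into the same check.

```shell
#!/bin/sh
# Added example, not code from the FireHOL thread: build the raw-table
# NOTRACK rule set from the quoted recipe and check its counters.
# Interface names and 192.0.2.x / 198.51.100.x addresses are assumed
# (RFC 5737 documentation ranges), chosen only to make the script runnable.

# notrack_rules IFACE HOST_IP BROADCAST_IP [IFACE HOST_IP BROADCAST_IP ...]
# Prints the iptables commands in the order the recipe gives them.
# Pipe the output to "sh" (as root) to apply it.
notrack_rules() {
    # Routed traffic carries no state once NOTRACK applies, so
    # ESTABLISHED/RELATED rules cannot match it: the recipe therefore
    # accepts all forwarded traffic unconditionally (FORWARD state checks
    # are bypassed, which is the trade-off of this approach).
    echo "iptables -t filter -I FORWARD -j ACCEPT"
    echo "iptables -t raw -N notracking"
    echo "iptables -t raw -A PREROUTING -j notracking"
    # One RETURN pair per interface: traffic to this host (or its broadcast)
    # stays tracked; everything else falls through to NOTRACK.
    while [ $# -ge 3 ]; do
        echo "iptables -t raw -A notracking -i $1 -d $2 -j RETURN"
        echo "iptables -t raw -A notracking -i $1 -d $3 -j RETURN"
        shift 3
    done
    echo "iptables -t raw -A notracking -d 255.255.255.255 -j RETURN"
    echo "iptables -t raw -A notracking -d 224.0.0.0/4 -j RETURN"   # all IPv4 multicast
    echo "iptables -t raw -A notracking -j NOTRACK"
}

# notrack_counters_ok < listing
# Reads "iptables -t raw -nxvL" output and succeeds only when, inside the
# notracking chain, at least one RETURN rule and the NOTRACK rule have
# matched packets (column 1 is the exact packet counter with -x).
notrack_counters_ok() {
    awk '
        /^Chain notracking/ { inchain = 1; next }
        /^Chain /           { inchain = 0 }
        inchain && $3 == "RETURN"  && $1 > 0 { ret++ }
        inchain && $3 == "NOTRACK" && $1 > 0 { nt++ }
        END { exit !(ret > 0 && nt > 0) }
    '
}

# Constructed sample of "iptables -t raw -nxvL" output for one interface.
# $1 is the packet count shown on the NOTRACK rule, so the same sample can
# model both a working setup (nonzero) and one where nothing is routed (0).
sample_listing() {
    cat <<EOF
Chain PREROUTING (policy ACCEPT 1048 packets, 131072 bytes)
    pkts      bytes target     prot opt in     out     source               destination
    1048    131072 notracking  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 12 packets, 960 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain notracking (1 references)
    pkts      bytes target     prot opt in     out     source               destination
     120     14400 RETURN     all  --  eth0   *       0.0.0.0/0            192.0.2.1
       4       336 RETURN     all  --  eth0   *       0.0.0.0/0            192.0.2.255
      $1    110000 NOTRACK    all  --  *      *       0.0.0.0/0            0.0.0.0/0
EOF
}

# Usage: sh notrack.sh eth0 192.0.2.1 192.0.2.255 eth1 198.51.100.1 198.51.100.255 | sh
if [ $# -gt 0 ]; then
    notrack_rules "$@"
fi
```

After applying the rules on a real host, "iptables -t raw -nxvL | notrack_counters_ok" gives a zero exit status once both the RETURN and NOTRACK counters move; a nonzero status while traffic is flowing usually means the host and broadcast addresses in the RETURN rules do not match the interfaces, so either everything is still tracked or local traffic is being exempted by mistake.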