[Firehol-support] Disable ip_conntrack table
Costa Tsaousis
costa at tsaousis.gr
Mon Dec 17 20:12:59 GMT 2007
Costa Tsaousis wrote:
> From the iptables manual:
>
> raw:
> This table is used mainly for configuring exemptions from connection
> tracking in combination with the NOTRACK target. It registers at the
> netfilter hooks with higher priority and is thus called before
> ip_conntrack, or any other IP tables. It provides the following
> built-in chains: PREROUTING (for packets arriving via any network
> interface) OUTPUT (for packets generated by local processes).
>
> Give it a try by appending these commands to firehol.conf:
>
> ---
>
> # make sure we route traffic without state information
> # this means that routers in firehol.conf are just disabled.
> iptables -t filter -I FORWARD -j ACCEPT
>
> # create a new chain
> # we need this in order to write rules to exclude local traffic from NOTRACK
> iptables -t raw -N notracking
>
> # redirect all traffic to the new chain
> iptables -t raw -A PREROUTING -j notracking
>
> # exclude all traffic coming in from eth0 and going to the local machine
> iptables -t raw -A notracking -i eth0 -d the.ip.of.this.host.on.eth0 -j RETURN
> iptables -t raw -A notracking -i eth0 -d the.broadcast.ip.of.eth0 -j RETURN
>
> # exclude all traffic coming in from eth1 and going to the local machine
> iptables -t raw -A notracking -i eth1 -d the.ip.of.this.host.on.eth1 -j RETURN
> iptables -t raw -A notracking -i eth1 -d the.broadcast.ip.of.eth1 -j RETURN
>
> # exclude the generic broadcast address
> iptables -t raw -A notracking -d 255.255.255.255 -j RETURN
>
> # exclude multicast targets
> iptables -t raw -A notracking -d 224.0.0.0/8 -j RETURN
> iptables -t raw -A notracking -d 239.0.0.0/8 -j RETURN
>
> # if the traffic reaches this point, it is routed traffic - disable the connection tracker
> iptables -t raw -A notracking -j NOTRACK
>
> ---
>
> Of course replace the names of the IPs above, with your real IPs.
> To see the generated list, and how it matches traffic, run this:
>
> iptables -t raw -nxvL
>
> You should see that the RETURN rules match some traffic, and that the
> NOTRACK rule at the end matches traffic too.
>
> When you start it, give it some time for the connection tracking list to
> shrink (the connections already in the connection tracker list will,
> most probably, not just disappear - only the new ones will not be
> written to the list - so the existing connections will have to
> close/timeout to be removed from the list).
>
> Please let us know if it works.
>
> Costa
>
Hm! You may need to set this in your kernel config:
CONFIG_NETFILTER_XT_TARGET_NOTRACK
Costa
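A small script to verify that the raw-table recipe quoted above is doing what it should, added here as an example and not part of the original post or of FireHOL. It parses the output of `iptables -t raw -nxvL` (the `-x` matters: without it, large counters are abbreviated with K/M suffixes and cannot be summed), adds up the packet counters of the RETURN rules and of the NOTRACK rule in the `notracking` chain, and reports the current size of the connection tracking table via the kernel's `nf_conntrack_count` (or the older `ip_conntrack_count`) sysctl so you can watch it shrink as old entries time out. The listing embedded below is constructed sample data; the chain name `notracking` and the interface names are the ones used in the quoted recipe. Two caveats a practitioner should keep in mind: packets that hit NOTRACK never get a conntrack entry, so `-m state --state ESTABLISHED,RELATED` rules in FORWARD will not match them and NAT will not work for them, which is why the recipe short-circuits FORWARD with an unconditional ACCEPT (any policy you still want on routed traffic must be written statelessly); and the full IPv4 multicast range is 224.0.0.0/4, so a single RETURN for that prefix covers 224.0.0.0/8, 239.0.0.0/8 and everything in between.

```shell
#!/bin/sh
# Added example (not from the original post): check that the NOTRACK rule in
# the raw table is actually matching forwarded traffic, and show the conntrack
# table size.  Run with --live on a box where the recipe is loaded; with no
# argument it runs against the constructed sample listing below.

# Constructed sample of `iptables -t raw -nxvL` output (not real counters).
SAMPLE_LISTING=$(cat <<'EOF'
Chain PREROUTING (policy ACCEPT 12345 packets, 6789012 bytes)
    pkts      bytes target     prot opt in     out     source               destination
   12345  6789012 notracking  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 100 packets, 10000 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain notracking (1 references)
    pkts      bytes target     prot opt in     out     source               destination
     200    20000 RETURN     all  --  eth0   *       0.0.0.0/0            192.0.2.1
       5      500 RETURN     all  --  eth0   *       0.0.0.0/0            192.0.2.255
     150    15000 RETURN     all  --  eth1   *       0.0.0.0/0            198.51.100.1
       3      300 RETURN     all  --  eth1   *       0.0.0.0/0            198.51.100.255
       0        0 RETURN     all  --  *      *       0.0.0.0/0            255.255.255.255
       0        0 RETURN     all  --  *      *       0.0.0.0/0            224.0.0.0/8
       0        0 RETURN     all  --  *      *       0.0.0.0/0            239.0.0.0/8
   11987  6755212 NOTRACK    all  --  *      *       0.0.0.0/0            0.0.0.0/0
EOF
)

# chain_target_pkts TARGET CHAIN: sum the packet counters of every rule in
# CHAIN whose target is TARGET, reading an `iptables -t raw -nxvL` listing on
# stdin.  Header lines are skipped because their first field is not numeric.
chain_target_pkts() {
    awk -v t="$1" -v c="$2" '
        /^Chain / { inchain = ($2 == c); next }
        inchain && $1 ~ /^[0-9]+$/ && $3 == t { sum += $1 }
        END { print sum + 0 }
    '
}

# verify_notrack: read a listing on stdin, print how many packets were
# excluded (RETURN) and how many were untracked (NOTRACK); succeed only if
# the NOTRACK rule has seen traffic, i.e. routed packets really bypass
# ip_conntrack.
verify_notrack() {
    listing=$(cat)
    excluded=$(printf '%s\n' "$listing" | chain_target_pkts RETURN notracking)
    untracked=$(printf '%s\n' "$listing" | chain_target_pkts NOTRACK notracking)
    echo "packets excluded from NOTRACK (RETURN): $excluded"
    echo "packets bypassing conntrack (NOTRACK):  $untracked"
    [ "$untracked" -gt 0 ]
}

# conntrack_count: current number of entries in the connection tracking
# table.  Newer kernels expose it under net/netfilter, 2.6-era kernels
# (the ip_conntrack module) under net/ipv4/netfilter.
conntrack_count() {
    for f in /proc/sys/net/netfilter/nf_conntrack_count \
             /proc/sys/net/ipv4/netfilter/ip_conntrack_count; do
        if [ -r "$f" ]; then
            echo "conntrack entries: $(cat "$f")"
            return 0
        fi
    done
    echo "conntrack table size not readable (module not loaded?)" >&2
    return 1
}

case "${1:-}" in
    --live) iptables -t raw -nxvL | verify_notrack && conntrack_count ;;
    *)      printf '%s\n' "$SAMPLE_LISTING" | verify_notrack ;;
esac
```

Run it a few times with `--live` some minutes apart: the NOTRACK counter should keep rising while the conntrack entry count falls towards the number of connections terminated on the host itself. If NOTRACK stays at zero, the RETURN rules are catching everything, which usually means a wrong address in one of the `-d` arguments.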