5

In a multi-ISP configuration, I'm routing and NATing specific traffic, e.g. VoIP, through a specific interface - to a distinct provider. When one of the interfaces (or routes) becomes unavailable, all connections that were using it have to be dropped, and subsequent traffic has to be routed through the still working connection. Upon a change in the status, I'm resetting and loading appropriate iptables and routing entries (it is "shorewall restart" - I'm using shorewall).

The problem is - the still present conntrack entries cause the old (and now wrong) external address to still be used for NAT for those connections! After 'conntrack -D', the NAT works as expected again.

I'd like to delete only the conntrack entries belonging to the old external address or to solve the problem in a way that wouldn't affect connections through other interfaces.

E.g. - I'd like to delete all conntrack entries having reverse connection destination dst=old.ext.ip.adr, like

udp 17 164 src=192.168.158.3 dst=213.208.5.40 sport=5060 dport=5060 packets=178 bytes=104509 src=213.208.5.40 dst=old.ext.ip.adr sport=5060 dport=5060 packets=234 bytes=127268 [ASSURED] mark=256 secmark=0 use=2

What I've already tried:

# conntrack -D -r 212.108.43.143
^C (nothing happens, it just hangs)
# conntrack -D -r 213.208.5.40 -d 212.108.43.143
Operation failed: such conntrack doesn't exist

Thank you in advance! Best regards, Zrin

Zrin

3 Answers

5

The solution is given here.

I've got a similar task — to delete specific conntrack entries related to UDP connections going to a specific Internet host and being SNAT'ed, so I created the following script:

#!/bin/sh

set -e -u

HUB=AAA.BBB.CCC.DDD # target host's IP address

# Strip everything up to and including the first '=' from a key=value word.
value()
{
    echo "${1#*=}"
}

# List UDP flows whose original destination is $HUB. After the protocol name,
# protocol number and timeout, the next four words are the original-direction
# tuple (src= dst= sport= dport=); the rest of the line is discarded.
/usr/sbin/conntrack -L conntrack -p udp -d "$HUB" |
    while read -r proto _ _ src dst sport dport _; do
        /usr/sbin/conntrack -D conntrack \
            --proto "$(value "$proto")" \
            --orig-src "$(value "$src")" \
            --orig-dst "$(value "$dst")" \
            --sport "$(value "$sport")" \
            --dport "$(value "$dport")"
    done
Vargas
kostix
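The script above keys on the original destination host. What the question actually asks for is selection by the reply-direction destination (the old external address), which the same parsing approach can do: the first src/dst/sport/dport group in a `conntrack -L` line is the original direction and the second group is the reply direction. The following is an added example, not code from any answer on this page; the function names are mine, the sample flows are constructed with documentation addresses (203.0.113.x, 198.51.100.x, 192.0.2.x), and the `/usr/sbin/conntrack` path is taken from the answers.

```shell
#!/bin/sh
# Added example: select conntrack entries whose reply-direction destination is
# a given address (the old external IP) and build the matching 'conntrack -D'
# argument lists from 'conntrack -L' text. All addresses are placeholders.

# Constructed sample of 'conntrack -L' output: two flows NATed via
# 198.51.100.7 and one via 192.0.2.9.
SAMPLE='udp      17 164 src=192.168.158.3 dst=203.0.113.40 sport=5060 dport=5060 packets=178 bytes=104509 src=203.0.113.40 dst=198.51.100.7 sport=5060 dport=5060 packets=234 bytes=127268 [ASSURED] mark=256 secmark=0 use=2
tcp      6 431999 ESTABLISHED src=192.168.158.10 dst=203.0.113.80 sport=44321 dport=443 packets=12 bytes=1800 src=203.0.113.80 dst=198.51.100.7 sport=443 dport=44321 packets=10 bytes=5000 [ASSURED] mark=0 secmark=0 use=1
udp      17 30 src=192.168.158.3 dst=203.0.113.53 sport=40000 dport=53 packets=1 bytes=60 src=203.0.113.53 dst=192.0.2.9 sport=53 dport=40000 packets=1 bytes=120 mark=0 secmark=0 use=1'

# select_by_reply_dst ADDR: read 'conntrack -L' lines on stdin and print, for
# each flow whose reply dst equals ADDR, its original-direction tuple as
# 'conntrack -D' options. Words without '=' (TCP state, [ASSURED]) and the
# counters are skipped; the first src= starts group 1, the second group 2.
select_by_reply_dst() {
    awk -v want="$1" '
    {
        n = 0
        for (i = 2; i <= NF; i++) {
            if (split($i, kv, "=") != 2) continue
            if (kv[1] == "src")   { n++; src[n] = kv[2] }
            if (kv[1] == "dst")   dst[n] = kv[2]
            if (kv[1] == "sport") sport[n] = kv[2]
            if (kv[1] == "dport") dport[n] = kv[2]
        }
        if (n == 2 && dst[2] == want)
            printf "--proto %s --orig-src %s --orig-dst %s --sport %s --dport %s\n",
                   $1, src[1], dst[1], sport[1], dport[1]
    }'
}

# flush_by_reply_dst ADDR: delete the matching live entries. With DRY_RUN=1
# it only prints the commands that would run, which is the safe first pass.
flush_by_reply_dst() {
    /usr/sbin/conntrack -L 2>/dev/null | select_by_reply_dst "$1" |
    while read -r args; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "/usr/sbin/conntrack -D $args"
        else
            # $args is intentionally unquoted so it splits into separate options.
            /usr/sbin/conntrack -D $args
        fi
    done
}

# count_by_reply_dst ADDR: number of flows in the constructed sample that
# would be deleted for ADDR (used to check the parser offline).
count_by_reply_dst() {
    printf '%s\n' "$SAMPLE" | select_by_reply_dst "$1" | grep -c .
}

# Stand-alone demonstration on the sample: prints the two option lists for the
# flows that were NATed through 198.51.100.7.
printf '%s\n' "$SAMPLE" | select_by_reply_dst 198.51.100.7
```

Run `DRY_RUN=1 flush_by_reply_dst old.ext.ip.adr` after the failover first and compare the printed list with the VoIP flows you expect to lose; entries through the other provider have a different reply dst and are left untouched.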
0

Try,

conntrack -D --src-nat --reply-dst old.ext.ip.adr
user9517
    It seems that conntrack does not accept --src-nat with -D (?) Do I understand correctly, that --src-nat would need the internal ip address as parameter? `# conntrack -D --src-nat ... conntrack v0.9.6: Illegal option '--src-nat' with this command Try 'conntrack -h' or 'conntrack --help' for more information.` – Zrin May 15 '12 at 08:54
0

Create a file called clrcontrack, paste the code below inside, give the user proper access, make it executable, then run it like "clrcontrack ip port", e.g. clrcontrack 192.168.56.123 80. It should clear all established-state conntrack records for port 80 on the ip. If you don't want to target state, remove the grep ESTAB part, or replace it accordingly to target whatever state.

#!/bin/sh
# Usage: clrcontrack <ip> <port>
# Deletes ESTABLISHED TCP conntrack entries that involve <ip> and <port>.
# In 'conntrack -L' output for TCP, $6 is "dst=..." and $7 is "sport=..."
# of the original direction; substr() strips the "dst=" and "sport=" prefixes.
/usr/sbin/conntrack -L | grep "$1" | grep ESTAB | grep "dport=$2" |
    awk -v src="$1" -v dport="$2" '{
        system("/usr/sbin/conntrack -D --orig-src " src " --orig-dst " substr($6,5) \
               " -p tcp --orig-port-src " substr($7,7) " --orig-port-dst " dport)
    }'
Dudus