
I tried the command conntrack -L and it returns nothing when I have a ping www.google.com running.

I also tried to load the module by modprobe nf_conntrack. But it still always returns conntrack v1.0.0 (conntrack-tools): 0 flow entries have been shown.

Anyone know what the solution would be?

manxing
  • I have the same result on Ubuntu 18.04. Although I loaded the nf_conntrack_ipv4, nf_conntrack and nf_conntrack_netlink modules, `conntrack -L` returns `0 flow entries have been shown`. Did you resolve this issue? – tnrgus Jun 05 '18 at 06:41

3 Answers

3

Try adding iptables rules with conntrack states, for example:

iptables -A INPUT -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT

It worked for me.

Michael Hampton
  • As written, this rule would allow all traffic. It is probably not desirable to include NEW in here. – Michael Hampton Aug 10 '19 at 17:48
  • worked for me too. But why? – tinyhare Jun 30 '20 at 08:08
  • @tinyhare that's because `conntrack` module is not loaded by default. To have a `conntrack` table, you should have `conntrack` module loaded and also have relevant `iptables` rules. It's a lazy behavior I think. Conntrack won't be active unless required. – therealak12 Feb 10 '22 at 03:48
  • For nftables users, add a ct state rule to a ‘type filter hook input’ base chain: nft add rule inet filter_example input_example ct state established,related accept – tinyhare Jun 20 '22 at 02:58
2

The conntrack tool won't return a flow because, by the time your ping command has ended, the flow has been terminated.

Create a persistent TCP connection to something on the Internet and do a conntrack -L and you'll see a flow. You could also send some ping requests to an Internet host that doesn't respond; you'll see a flow created (waiting for the ICMP echo replies that will never come) that way, too.

Evan Anderson
  • Hi Evan, I tried to use nmap to generate some TCP connects as well, and I am sure there are flows since I have wireshark on at the same time. I just don't know why I couldn't see anything in conntrack. – manxing Nov 10 '14 at 14:37
  • `nmap` isn't really a good tool to use on the `iptables` machine itself to generate test flows because, depending on the arguments, it may be using raw sockets to increase performance (or to do "evil" things that the kernel IP stack won't do). – Evan Anderson Nov 10 '14 at 14:39
  • @manxing rather than using nmap, use good ol' telnet instead. E.g.: `telnet www.google.com 80` – pepoluan Nov 11 '14 at 03:45
0

Adding iptables rules worked, and nftables replaces the legacy {ip,ip6,arp,eb}_tables (xtables) infrastructure.

For nftables you can do it like this:

Add a ct state rule to a type filter hook input chain:

nft add table inet filter_example
nft add chain inet filter_example input_example {type filter hook input priority filter\; policy accept\;}
nft add rule inet filter_example input_example ct state established,related accept


tinyhare
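Pulling the answers together: the table stays empty until some rule references ct state (first and third answers), and even then a ping's ICMP entry lives only for a short timeout (second answer). The script below is an added diagnostic written for this thread, not code from any of the posters. It assumes plain-text dumps from `iptables-save` or `nft list ruleset` and from `conntrack -L`; the rule dumps and flow lines embedded in it are constructed samples, and the timeout values are the stock kernel sysctl defaults (check your own `net.netfilter.nf_conntrack_*` settings).

```python
"""Explain an empty `conntrack -L`: does any rule engage conntrack, and how
long would the entries you expect actually survive?

Added example for this thread; assumes text dumps from iptables-save /
`nft list ruleset` and from `conntrack -L`. Sample data below is constructed."""
import re
from dataclasses import dataclass

# A rule that pulls connection tracking in: iptables `-m conntrack` (or the
# older `-m state`), or nftables `ct state ...`.
CT_RULE_RE = re.compile(r"(-m\s+(conntrack|state)\b|\bct\s+state\b)")

# Stock kernel defaults (seconds) for net.netfilter.nf_conntrack_*_timeout;
# assumed here, verify with `sysctl -a | grep nf_conntrack`.
DEFAULT_TIMEOUTS = {"icmp": 30, "udp": 30, "tcp_established": 432000}

# One `conntrack -L` line: proto, proto number, remaining timeout, optional
# TCP state, then the original-direction src/dst tuple.
FLOW_RE = re.compile(
    r"^(?P<proto>\w+)\s+\d+\s+(?P<timeout>\d+)\s+(?:(?P<state>[A-Z_]+)\s+)?"
    r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)"
)


@dataclass
class Flow:
    proto: str
    timeout: int      # seconds until the kernel evicts the entry
    state: str        # TCP state, "" for stateless protocols
    src: str
    dst: str
    assured: bool     # [ASSURED]: both directions seen


def ruleset_engages_conntrack(dump: str) -> bool:
    """True if any non-comment line of an iptables-save or nft dump references
    conntrack state, which is what makes the kernel populate the table."""
    return any(CT_RULE_RE.search(line) for line in dump.splitlines()
               if not line.lstrip().startswith("#"))


def parse_conntrack(output: str) -> list:
    """Parse `conntrack -L` output into Flow records; unparseable lines skipped."""
    flows = []
    for line in output.splitlines():
        m = FLOW_RE.match(line.strip())
        if m:
            flows.append(Flow(m["proto"], int(m["timeout"]), m["state"] or "",
                              m["src"], m["dst"], "[ASSURED]" in line))
    return flows


def diagnose(ruleset: str, conntrack_out: str) -> list:
    """Return human-readable findings explaining an empty or surprising table."""
    findings = []
    if not ruleset_engages_conntrack(ruleset):
        findings.append("no rule references ct state: the table stays empty until "
                        "one does (an ESTABLISHED,RELATED accept rule is enough)")
    flows = parse_conntrack(conntrack_out)
    if not flows:
        findings.append("0 flows listed: open a long-lived TCP session, then list again")
    for f in flows:
        if f.proto == "icmp" and f.timeout <= DEFAULT_TIMEOUTS["icmp"]:
            findings.append(f"icmp {f.src}->{f.dst} expires in {f.timeout}s: "
                            "ping entries vanish shortly after the last reply")
    return findings


# Constructed samples, shaped like real iptables-save / nft / conntrack output.
SAMPLE_RULES_NO_CT = """# Generated by iptables-save (constructed)
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
"""
SAMPLE_NFT_CT = """table inet filter_example {
\tchain input_example {
\t\ttype filter hook input priority filter; policy accept;
\t\tct state established,related accept
\t}
}
"""
SAMPLE_CONNTRACK = (
    "tcp      6 431990 ESTABLISHED src=192.0.2.10 dst=198.51.100.5 sport=52344 "
    "dport=80 src=198.51.100.5 dst=192.0.2.10 sport=80 dport=52344 [ASSURED] mark=0 use=1\n"
    "icmp     1 29 src=192.0.2.10 dst=198.51.100.9 type=8 code=0 id=4242 "
    "src=198.51.100.9 dst=192.0.2.10 type=0 code=0 id=4242 mark=0 use=1\n"
)

if __name__ == "__main__":
    for label, rules, table in (("no ct rule, empty table", SAMPLE_RULES_NO_CT, ""),
                                ("nft ct rule, live table", SAMPLE_NFT_CT, SAMPLE_CONNTRACK)):
        print(label)
        for finding in diagnose(rules, table):
            print("  -", finding)
```

On a real box you would feed it `iptables-save` (or `nft list ruleset`) and `conntrack -L` captured to files; the point of the check is Michael Hampton's caveat above: you only need ESTABLISHED,RELATED to wake conntrack up, so there is no reason to accept NEW just to get the table populated.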