
I am using ufw on a high traffic webserver (lot of http/https traffic) on ubuntu (12.04 or 14.04).

I tried tuning kernel parameters related to connection tracking with some success.

However, thinking about it, I don't do NAT, therefore I don't think I need connection tracking at least for the connections on port 80 or 443.

I tried following the directions from this question with adaptations, that is:

sudo iptables -t raw -A PREROUTING -p tcp --dport 80 -j NOTRACK

and my raw table looks like:

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
NOTRACK    tcp  --  anywhere             anywhere             tcp dpt:http

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

To test that it all works, I request an nginx instance on the machine using wrk with 3 threads and 1000 connections.

wrk -t 3 -c 1000 "http://<server_ip>/"

As those are not supposed to be tracked, I should not see them on the conntrack count

However, I do...

sudo sysctl -A | grep net.netfilter.nf_conntrack_count
net.netfilter.nf_conntrack_count = 1035

I can clearly see this value going up and down as I run the test.

What am I doing wrong?

  • 1
    http://serverfault.com/questions/72366/how-do-i-disable-the-nf-conntrack-kernel-module-in-centos-5-3-without-recompilin ? – Martynas Saint Oct 16 '15 at 10:28
  • This is not quite what I am looking for, as I want to disable them only on 80 and 443. This will disable connection tracking entirely. I will give it a shot if I can't find anything else though. Thanks for the tip! – Arnaud Potier Oct 16 '15 at 11:01

1 Answer


You need an OUTPUT rule, too.

sudo iptables -t raw -A PREROUTING -p tcp --dport 80 -j NOTRACK
sudo iptables -t raw -A OUTPUT -p tcp --sport 80 -j NOTRACK
womble
Mike Crews
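The answer's point is that the server's own reply packets (source port 80 or 443) leave through the raw table's OUTPUT chain, so a PREROUTING-only rule still lets the replies create conntrack entries. The script below is an added example, not code from the question or the answer: it generates the paired PREROUTING/OUTPUT rules for any list of ports, and it checks an `iptables -t raw -S` listing for ports that have the inbound rule but not the outbound one. The function names and the sample listing are this example's own constructions.

```shell
#!/bin/sh
# Added example (not from the original question or answer).
# Prints, but does not apply, the NOTRACK rules for each port in both directions:
# PREROUTING matches incoming requests by destination port, OUTPUT matches the
# server's replies by source port. Run the output with root privileges to apply.
notrack_rules() {
  for port in "$@"; do
    printf 'iptables -t raw -A PREROUTING -p tcp --dport %s -j NOTRACK\n' "$port"
    printf 'iptables -t raw -A OUTPUT -p tcp --sport %s -j NOTRACK\n' "$port"
  done
}

# Takes the text of `iptables -t raw -S` as its argument and prints, one per
# line, every port that has a PREROUTING NOTRACK rule but no matching OUTPUT
# rule, i.e. the asymmetric setup from the question. Prints nothing when the
# rules are paired correctly.
missing_output_rules() {
  printf '%s\n' "$1" | awk '
    /^-A PREROUTING .*--dport [0-9]+ .*-j NOTRACK/ {
      for (i = 1; i <= NF; i++) if ($i == "--dport") inb[$(i+1)] = 1
    }
    /^-A OUTPUT .*--sport [0-9]+ .*-j NOTRACK/ {
      for (i = 1; i <= NF; i++) if ($i == "--sport") outb[$(i+1)] = 1
    }
    END { for (p in inb) if (!(p in outb)) print p }
  ' | sort -n
}

# Reads the live conntrack entry count; pass a file path to read a saved copy.
conntrack_count() {
  cat "${1:-/proc/sys/net/netfilter/nf_conntrack_count}"
}

# Stand-alone usage: show the rules needed for a plain HTTP/HTTPS server.
notrack_rules 80 443
```

To verify after applying the rules, compare `conntrack_count` before and during a load test such as the wrk run in the question; with both chains covered the count should no longer rise with the test traffic. One caveat worth checking in the filter table: packets that bypass conntrack never match `ESTABLISHED` or `RELATED`, so any filter rule that accepts traffic on those ports only by connection state will not see these flows and must be replaced by an explicit port-based accept rule.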