Questions tagged [conntrack]
71 questions
0 votes, 1 answer
iptables dos limit for all ports
I know how to use limit conntrack option to allow for DoS protection. However, I want to add a protection to limit no more than say 50 connections for each port. How can I do this?
Basically, I want to make sure that each port can have no more than…
user101130
0 votes, 3 answers
conntrack -L does not show any connection
I am writing a utility which will use Conntrack commands to show the connection states. I am a beginner and I wanted to play with the Conntrack before I could start my work. So, when I tried conntrack -L conntrack, I get the output which says there…
SeattleOrBayArea
0 votes, 1 answer
How can I allow all established incoming connections without conntrack?
I want to make my iptables accept all established incoming connections,
but I don't have conntrack in my system so I can't run:
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
Is it possible to make it happen with something…
Yosef
0 votes, 0 answers
Why does allowing established incoming connections not work?
I am trying to allow all established incoming connections in my iptables using this command:
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
but I get this error message:
"iptables-restore v1.8.4 (legacy): Couldn't load match…
Yosef
0 votes, 0 answers
Disable connection tracking
I'm on Ubuntu 22.04 and I would like to disable connection tracking for UDP port 123, so I tried:
firewall-cmd --direct --add-rule ipv4 raw PREROUTING 1 -p udp --dport 123 -j NOTRACK
firewall-cmd --direct --add-rule ipv4 raw OUTPUT 1 -p udp --sport…
Maestro
0 votes, 0 answers
conntrack events (conntrack -E) show 0.0.0.0 as source and destination addresses
These are the logs down below.
[DESTROY] udp 17 src=0.0.0.0 dst=0.0.0.0 sport=0 dport=0 packets=3 bytes=216 [UNREPLIED] src=0.0.0.0 dst=0.0.0.0 sport=0 dport=0 packets=0 bytes=0
[NEW] udp 17 30 src=0.0.0.0 dst=0.0.0.0 sport=0 dport=0…
0 votes, 0 answers
What is the need for task(pid)-specific conntrack statistics in /proc?
When I tried to find ip_conntrack or nf_conntrack files in /proc on my server I found a bunch of files, which are for some reason specific per-pid,…
narotello
0 votes, 1 answer
iptables FTP connection tracking not working
I am hoping someone can point me in the right direction here please.
Running proftpd (with tls support) on a public IP.
FTP client connects, but can't do a directory listing. When I change the "INPUT" policy on iptables to ACCEPT, it does work.
The…
0 votes, 1 answer
How do conntrack and network namespaces work together?
Does nf_conntrack respect network namespaces? Does it create a separate table for each network namespace based on its sysctl limits, or does it share memory (and limits) between different network namespaces?
I've searched a lot, but wasn't able to…
George Shuklin
0 votes, 3 answers
How to prevent netfilter from automatically changing the source ports
I observed that netfilter changes the source port when a connection is established in the conntrack module. I need to prevent this behavior.
Here is what I have done to reproduce my problem:
I create a netfilter rule that will perform DNAT from…
0 votes, 1 answer
Route IPv4 to IPv6 as a mechanism to overcome not owning an IPv4 block, for load balancing purposes on on-premise k8s (not AWS/GCP)
This is not a question about tunnelling, although that may be part of a solution.
With public cloud providers it's trivial to request a load balancer due to providers owning large class A/B/C public IPv4 blocks. However, whilst it's trivial to own…
user885983