Questions tagged [nf-conntrack]

30 questions
1 vote, 1 answer

ufw without connection tracking

I am using ufw on a high traffic webserver (a lot of http/https traffic) on ubuntu (12.04 or 14.04). I tried tuning kernel parameters related to connection tracking with some success. However, thinking about it, I don't do NAT, therefore I don't think…
1 vote, 1 answer

Configuring IPTables without connection tracking module

Usually connection tracking is required for outbound connections to allow established connections back in, for instance: iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT I don't have connection tracking enabled on my server so I was…
HTF
1 vote, 1 answer

Debugging HAProxy

I have tested / been testing a server cluster locally for quite a while with no problem. I have recently set my server cluster up for a live test, and I have noticed problems, and believe that the HAProxy in my cluster may be running into some…
Eumcoz
1 vote, 0 answers

net.netfilter.nf_conntrack_helper=1 a security risk?

For a public file archive with an anonymous ftp server (vsftpd) I need to restore passive ftp, which ceased to work after upgrading Ubuntu 16 LTS to 18 LTS some time ago (with 20 to follow). Previous answers around the SE network indicate that in…
AliasX1
1 vote, 0 answers

Apache keeps TCP Connection in CLOSE-WAIT state for 600 Seconds

My setup consists of two apache servers like in this diagram: |Apache | >==Reverse Proxy Connection====> |Apache | |Server1| <==Response through conntrack==< |Server2| After a successful HTTP connection from Server 1 to Server 2, the latter sends a…
bit151
1 vote, 1 answer

Do we need conntrack for Load Balancer server?

I have 3 private dedicated servers as Load balancer. And then there is IP Addr Public sign to this private dedicated server. Suddenly, one of these 3 LB servers got nf_conntrack: table full, dropping packet My dedicated server spec is 32 Core; 256…
Nicky Puff
0 votes, 1 answer

ip_conntrack_max not found

I did reconfigure /etc/sysctl.conf net.ipv4.netfilter.ip_conntrack_max = 65536 net.nf_conntrack_max = 65536 net.netfilter.nf_conntrack_tcp_timeout_established = 600 net.ipv4.netfilter.ip_conntrack_tcp_timeout_established =…
auc
0 votes, 0 answers

nf_conntrack_ftp module has disappeared

I've been running a Linode droplet for several years with no problems. In the last month, users have reported FTP connection errors, always related to Passive FTP. Investigation shows that the nf_conntrack_ftp module is no longer loaded. We use…
Ryan Griggs
0 votes, 1 answer

How to use conntrack to allow SIP traffic

I have the following problem: Device (eth0)----> SWITCH(trunk)+VLAN120 ---> (PC1) +VLAN200 ---> (PC2) I am able to ping from PC1 to PC2 which are in different SUBNETS as above: Using NAT rules in iptables as below…
RootPhoenix
0 votes, 1 answer

Limiting outgoing connections by port to control nf_conntrack usage

I would like to make my system more resilient against certain failure. When the system makes rapid outbound TCP connections fail, the nf_conntrack table fills up with TIME_WAIT entries. This causes other operations on the system to fail as…
nhed
0 votes, 0 answers

How to avoid port duplication when using iptable for DNAT

I configure the iptable output chain DNAT conversion by the following command. iptables -t nat -A OUTPUT -p tcp --dport 5000 -j DNAT --to 10.100.1.10:2048 When I link 10.100.20.4:5000 on the client 10.100.30.5, the traffic is successfully forwarded…
HK S
0 votes, 0 answers

Disable connection tracking

I'm on Ubuntu 22.04 and I would like to disable connection tracking for UDP port 123, so I tried: firewall-cmd --direct --add-rule ipv4 raw PREROUTING 1 -p udp --dport 123 -j NOTRACK firewall-cmd --direct --add-rule ipv4 raw OUTPUT 1 -p udp --sport…
Maestro
0 votes, 0 answers

conntrack events(conntrack -E) show 0.0.0.0 as source and destination addresses

These are the logs down below. [DESTROY] udp 17 src=0.0.0.0 dst=0.0.0.0 sport=0 dport=0 packets=3 bytes=216 [UNREPLIED] src=0.0.0.0 dst=0.0.0.0 sport=0 dport=0 packets=0 bytes=0 [NEW] udp 17 30 src=0.0.0.0 dst=0.0.0.0 sport=0 dport=0…
0 votes, 1 answer

Should I do the stateful matching with iptables for nat table?

I often see that there are some stateful matching rules in an iptables chain such as INPUT. I know what they are doing, and I'm interested in whether I should do the same for the chains of the table NAT? For example, in my home router, I want it…
Leon
0 votes, 1 answer

iptables FTP connection tracking not working

I am hoping someone can point me in the right direction here please. Running proftpd (with tls support) on a public IP. FTP client connects, but can't do a directory listing. When I change the "INPUT" policy on iptables to ACCEPT, it does work. The…