Highest Voted 'ip-conntrack' Questions - Unix and Linux Stack Exchange

7

votes

0 answers

Multicast ICMPv6 comes back with conntrack state invalid

I was playing arround with the Multicast feature of IPv6. $ ping ff02::2%wlp3s0 This should normally result in an echo-reply from all the routers on your local network segment (Wikipedia - IPv6). So in my case my home router. However, I found out…

asked Jan 10 '19 at 22:29

Hermilton

171
2

6

votes

1 answer

Is there a way to have NPTv6 with connection tracking on Linux?

Apparently, the implementation of NPTv6 (Network Prefix Translation for IPv6) which is currently in Linux kernel is incompatible with connection tracking. This is quite disappointing, since I feel that NPTv6 is much more sane solution that NAT66,…

ipv6 ip-conntrack

asked Dec 18 '16 at 14:08

haimg

230
2
8

6

votes

2 answers

MySQL has over 95,000 connections but processlist is empty?

I have a server that is running mysql and it's using a lot of memory. I run: mysql > show status like '%onn%'; +--------------------------+-------+ | Variable_name | Value | +--------------------------+-------+ | Aborted_connects …

mysql mysql-connection ip-conntrack

asked Nov 03 '14 at 18:12

Cody

245
1
9

5

votes

1 answer

How long does conntrack remember a connection?

From this link it seems that conntrack remembers a connection for X seconds after it is closed. Does anybody know how long that X is and if it is configurable?

linux-kernel ip-conntrack

asked Jun 11 '19 at 20:35

Fabrizio Barcaroli

53
1
1
4

5

votes

1 answer

connlimit counters start over after iptables restored

I have a connlimit rule in iptables that allow only 5 connection to port 80. iptables -A FORWARD -p tcp -m tcp --syn --dport 80 -m connlimit --connlimit-above 5 --connlimit-saddr -j DROP This rule works fine till I restore iptables. After…

iptables firewall ip-conntrack

asked Dec 23 '15 at 08:45

ibrahim

1,067
8
17

2

votes

0 answers

Docker overlay network connection between containers lags simetimesin multiples of 1s

Two containers talking to each other on overlay network with high traffic (connection frequency) occasionally got connection lag almost exact multiple of 1s. It doesn't matter whether it is same host both containers are running or it goes between…

docker network-namespaces ip-conntrack

asked Apr 09 '22 at 05:18

DevilaN

1,918
10
17

2

votes

0 answers

Tagging outgoing packets with iptables

Is there any possibility to mark outgoing packets with iptables and recognize them by the response? I have a very simple outgoing rule: iptables -A OUTPUT -m conntrack --ctstate NEW,ESTABLISHED,RELATED --m owner --uid-owner XXX -j ACCEPT One way to…

iptables ownership tagging ip-conntrack

asked Aug 02 '19 at 13:35

BufferOverflow

323
1
3
14

2

votes

1 answer

nf_conntrack_sip does not work SOMETIMES, restarting iptables USUALLY fixes it

I'm trying to use nf_conntrack_sip on box that is running Asterisk, that is, not routing traffic for another VoIP box. Setup works until I reboot. After reboot nf_conntrack_sip ALMOST always stops working and media traffic is dropped. conntrack…

iptables sip ip-conntrack

asked Aug 08 '18 at 16:34

AnyDev

719
8
19

2

votes

1 answer

conntrack entries details

I amreading the documentation of Iptables about the connection tracking here and I have troubles figuring the following part, highlited by me: tcp 6 117 SYN_SENT src=192.168.1.6 dst=192.168.1.9 sport=32775 \ dport=22 [UNREPLIED] src=192.168.1.9…

iptables ip-conntrack

asked Oct 25 '17 at 15:26

Tu.Ma.

123
1
6

2

votes

0 answers

Does Linux still enforce a connection tracking limit?

We've recently upgraded to Ubuntu 16.04 (kernel 4.4) and I've noticed some new behavior regarding net.netfilter.nf_conntrack_max. In the past (with 12.04 running 3.2) if you hit nf_conntrack_max you wouldn't be able to establish any new connections.…

linux iptables firewall ip-conntrack

asked Apr 21 '17 at 13:23

marcantonio

141
2

1

vote

0 answers

How to install Netfilter / enable conntrack events?

I have come across this repo and struggle to understand these steps. I believe this is to enable the Netfilter conntrack events, but I'm not sure. What do I have to run to get these…

debian netfilter ip-conntrack

asked Sep 21 '22 at 09:35

Houman

187
1
9

1

vote

1 answer

Porting Iptables to Nftables firewall with conntrack marks

Hi dear esteemed community, I'm having a hard time porting my very functional iptables firewall to nftables. No issues with input/output/forward stuffs, it's mainly the conntrack marking. What I currently do is the following: 1/ I create three…

iptables routing nftables ip-conntrack

asked Aug 14 '21 at 13:57

Kameo

13
4

1

vote

1 answer

Conntrack and dynamic ipset/iptables rules

I don't understand some basic concepts of conntrack module. First of all, I'm sure it's enabled in my system (Ubuntu 18.04), modinfo shows info about nf_conntrack and /proc/modules file tells nf_conntrack is "live". Second, I have the following test…

networking iptables ipset ip-conntrack

asked Jun 03 '19 at 10:13

Groosha

285
1
2
9

1

vote

1 answer

Is there any way to view nfmark like ctmark?

I understand that iptables --set-mark does not add mark "on" the packets. The MARK target is for associating a mark with the packet in the kernel data structures. The packet itself is not modified. But is there any way to view the packet with its…

iptables netfilter ip-conntrack

asked Feb 10 '19 at 16:05

Sourav Ghosh

113
1
8

1

vote

0 answers

iptables connlimit-above allowing more connections than desired

I'm trying to set a per-ip connection limit on a kubernetes node using iptables connlimit. Since each container on the VM has a different source IP (overlay net), using connlimit should work. I added the rule iptables -I FORWARD 1 -p tcp --syn -m…

iptables netfilter ip-conntrack

asked Jul 24 '18 at 02:46

George Braxton

11
1

Questions tagged [ip-conntrack]