Quotes DB: #iptables
<0> trappist: mate
<0> how are ya, lad?
<0> b8zs: listen to what trappist has to say ... he knows his stuff =)
<1> heya hard__ware
<0> although SNAT + DNAT can still be very handy for doing transparency between clients and server on a LAN (if required)
<0> trappist: I've finally started my own chan ...
<0> #hardwall
<1> cool :)
<0> dedicating some serious time to making a version of hardwall for embedded devices =)
<0> designed to work with busybox ... etc
<2> Hi, is there a way to clean up a full conntrack table, something like: if connection_table > 1000000 entries, then clean; ?
<0> lol
<0> I s'pose
<0> could use ip_conntrack_cutter, whatever its name is
<0> it can delete entries
<1> bryndza: with a pre-2.6.14 kernel, flush all your rules and modprobe -r ip_conntrack. with 2.6.14 comes a partially-supported userspace interface to manipulate the conntrack table.
<0> trappist: legend =)
<2> no ip_conntrack_cutter :(
<2> trappist how about 2.6.15 ?
<0> you will have to find the src on the net =)
<1> there's an app called cutter, but it doesn't mess with the conntrack table directly
<2> hard__ware I can't find anything about ip_conntrack_cutter
<0> bryndza: anyways, you more gotta look at why you have so many in the first place
<3> 2.6.15 is not a pre-2.6.14 kernel last I checked :)
<0> so you need to consider dropping some of your ip_conntrack timeouts ?
<1> bryndza: they wrote a massive netlink interface for the conntrack table, and associated userspace tools, in 2.6.14 and did away with it in 2.6.15
<2> hard__ware big metropolitan network, with many stupid kids and viruses and spyware
<1> (kidding)
<3> whew :)
<0> bryndza: but still
<0> is it because ... you have too many dead connections being tracked?
<0> default timeout for TCP is 5 days
<0> make it 2hours =)
<1> I don't recall what the default conntrack timeout is, but I'm pretty sure it's a lot more than most people need
<3> conntrack(8) will only be supported in even-numbered releases ... 2.6.14, 2.6.16 ;)
<1> hard__ware: I don't think it's 5 days
<0> it is mate
<2> no, in a few seconds the conntrack table grows from ~ 50 000 entries to over 1 000 000
<0> look ... brb
<1> bryndza: so it's not a timeout issue
<2> and dual opteron router goes into ****
<1> bryndza: up your ip_conntrack_max ?
<0> cat /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_established
<2> there is no problem with the max value, but with so many conntracks, the soft interrupts are too high
<1> hard__ware: wow, you win
<0> yup yup
<0> tighten the lot of em bryndza
<1> bryndza: you might want to consider preventing some of those connections from getting established in the first place. namely, p2p bullshit.
<0> echo "7200" > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_established
<2> it looks like some type of attack, portscan, or just a botnet of viruses
<0> trappist: was about to say that too ... ipp2p .. modules work well here
<2> the p2p is shaped
<2> we don't want to block p2p
<1> bryndza: the appropriate solution is probably to identify the source and stop it
<0> screw shaped ... how about >/dev/null =P
<2> we are a free ISP :)
<2> i like p2p :)
<0> bryndza: damn
<1> bryndza: well, if the connections are due to p2p connections and you don't want those to go away and you have too many connections, we're starting to get to where you throw hardware at the issue. more routers.
<0> bryndza: go through the entire path cat /proc/sys/net/ipv4/netfilter/ ... tune them to your need
<1> bryndza: then again, why are you doing connection tracking?
<0> trappist: yeah ...
<0> was thinking just that ....
<2> trappist NAT
<0> oh ... dang ,,,
<0> bryndza: all connections NATd ?
<1> bryndza: don't need conntrack for most nat stuff. ftp and irc dcc mostly.
<1> unless by nat you mean masquerade
<2> we have 256 external addresses for over 12 000 clients
<2> so ...
<0> yup thought so
<0> ive had to deal with that before ...
<0> we did it on a Dual Athlon MP 1800+ system w/ 4 GB of RAM
<0> also was a 3-way bridge ....
<1> I don't know a silver-bullet solution for that. I think you either need more routers to deal with the connections, or more ip addresses so you can forget about the connections.
<2> ok, we don't have a problem that there are 2 or 5 million conntracks
<0> it was just about the only way we could firewall / fix network design flaws + stop insane connections
<2> but we have the problem that the router freezes
<0> im sure you do ...
<2> stop working and hard restart is needed
<4> hi there
<0> seriously though ... i think you're overloading it ...
<0> kernel conntrack hashes would be getting smashed by the p2p
<2> so what you say is that we make some IDS to track insane connections?
<0> i think so ...
<0> maybe something like Snort + Guardian
<2> right now there are 22K conntrack entries, and everything is OK, but sometimes, randomly, once a day, 10 times a day, insane conntracks are made
<2> we tried snort on some minor router in the network
<0> like 150 K ?
<2> but the results were too general
<2> hard__ware like 1M
<2> 150K is OK
<0> holy shit dude
<0> 1M is not normal
<2> yeah, is brutal
<0> 150K flows will destroy a lot of misconfigured routers
<2> 150K for so big a network is normal, I think
<0> ya ... 150K w/ conntrack that is ...
<2> however, when there are 500K everything works good
<0> no conntrack should pull off 1 million
<2> but conntracks over 1M are deadly; maybe if the router hadn't died, it would be a greater number
<0> well, seriously
<0> i think it's getting so high over a period because of dead connections being tracked
<0> get iptstate ....
<2> sometimes the conntrack grows over time
<2> but 95% of the time the conntracks grow in one minute or so
<2> it looks like DDoS
<0> do iptstate -ts ... then have a look at all your established connections, any below 119:00:00
<1> bryndza: ooh! enable syncookies
<2> first we were thinking about viruses or spyware
<0> yup ... that too .. i always use SYN cookies
<2> but even after firewalling them on the lower router it did nothing
<0> if you have 10,000 connections, let's say below 80:00:00, pretty same to say they are dead
<0> lol safe ...
<0> bryndza: try enable Syn Cookies ... echo 1 > /proc/sys/net/ipv4/tcp_syncookies
<0> prolly is a DDoS ... and maybe not even targeted at you ... the router just happens to be in its path =P
<0> HiHo HiHo , its off to work i go ...
<0> Cyas =)
<2> yeah, the router before the main gw goes down too :(
<2> it's impossible to track or log all connections
<2> what about the syn cookies, do you think that's the type of DDoS?
<1> syncookies should help stop bogus syn packets, such as from port scans, from creating established connections
<2> ok, on Monday we'll try some games with the firewall and syncookies
<2> Max / Average / Current
<2> conntrack: 3615.1 kips / 569.7 kips / 154.5 kips
<2> :(
<5> can anybody recommend a good iptables script
<5> I need a script that supports NAT and port forwarding
<3> dampjam: I used to use MonMotha's. But if you want to learn iptables, it's not really that hard. The HOWTO in /topic and the ones at netfilter.org might help.
<6> with every chain ACCEPT
<6> and DNAT all -- anywhere 192.168.1.1 to:172.16.10.10
<7> The answer is 11
<6> shouldn't I be receiving packets from 192.168.1.1?
<6> I am 172.16.10.10
<7> Kupal[]_: nope
<6> what am i missing?
<7> DNAT rewrites DEST address
<6> I have masquerade as well.
<7> that's for outgoing packets
<6> so what should i have for a dmz?
<6> ie. wan is 192.168.1.1
<6> how do I get all the packets from my WAN interface to 172.16.10.10
<6> I take it "iptables -t nat -A PREROUTING -d 192.168.1.45 -j DNAT --to-destination 172.16.10.10" ain't gonna cut it.
<8> I currently have a forwarding rule which drops packets (I discriminate on port number). Can I somehow make an exception for this for a certain IP?
<7> Do an ASCII diagram of your network setup and explain what you're trying to do - pastebin it
<7> @ Kupal[]_
<7> SWAT: add an ACCEPT rule for that IP before the DROP rule
<8> can I somehow switch the numbers of the rules?
<6> pastebin.com?
<7> yea