* [gentoo-user] ip_conntrack - is it missing
From: reader @ 2008-01-07 1:48 UTC
To: gentoo-user
I'm working my way through this document:
http://gentoo-wiki.com/HOWTO_Iptables_and_stateful_firewalls
Somewhere in this part: #Should_I_take_this_tutorial
(add it to the above url)
Once there, scan for the word /proc and a few hits will get you to this
line: (emphasis is mine)
If you've already rebooted and are using your new netfilter-enabled
kernel, you can view a list of active network connections that your
machine is participating in by typing
"cat /proc/net/ip_conntrack".
Even with no firewall configured, Linux's
conntrack functionality is working behind the scenes, keeping track
of the connections that your machine is participating in.
I don't see that on a machine where I've tried to pick every iptables
and conntrack setting for the kernel I could find, including the ones
on that page that are still around.
find /proc -iname '*conntrack*'
or even
find /proc -iname '*con*'
Turns up nothing even close. Does it mean I'm still missing something
in the kernel build? Or is it just baloney or out of date?
It claims you should see this even if you aren't running iptables yet.
--
gentoo-user@lists.gentoo.org mailing list
* Re: [gentoo-user] ip_conntrack - is it missing
From: Johann Schmitz @ 2008-01-07 5:23 UTC
To: gentoo-user
reader@newsguy.com wrote:
> Turns up nothing even close. Does it mean I'm still missing something
> in the kernel build? or is it just baloney or out of date?
Hi,
you can simply check your kernel config by typing:
grep -i conntrack /usr/src/linux/.config
IIRC, there should be the lines
CONFIG_NF_CONNTRACK_ENABLED=m
CONFIG_NF_CONNTRACK=m
CONFIG_NF_CONNTRACK_IPV4=m
with either 'm' or 'y'.
Sometimes the order of enabling functions in the kernel matters to see all iptables
options. The conntrack options are located under
Networking -> Networking support -> Networking options -> Network packet filtering
framework (Netfilter) -> Core Netfilter -> Configuration -> Netfilter Xtables support
(required for ip_tables) -> "conntrack" connection tracking match support.
Hope you can guess what I want to say - English isn't my native lang, and it is early in
the morning ;)
Best regards,
Johann
--
Johann Schmitz
http://www.j-schmitz.net
* [gentoo-user] Re: ip_conntrack - is it missing
From: reader @ 2008-01-07 15:22 UTC
To: gentoo-user
Johann Schmitz <johann@j-schmitz.net> writes:
> reader@newsguy.com wrote:
>> Turns up nothing even close. Does it mean I'm still missing something
>> in the kernel build? or is it just baloney or out of date?
>
> Hi,
> you can simply check our kernel config by typing:
>
> cat /usr/src/linux/.config | grep -i conntrack
>
> IIRC, there should be the lines
Yes, but what about the comment in the HOWTO:
"cat /proc/net/ip_conntrack".
Even with no firewall configured, Linux's conntrack functionality
is working behind the scenes, keeping track of the connections that
your machine is participating in.
I see:
grep -i ^[^#].*conntrack /usr/src/linux/.config
CONFIG_NF_CONNTRACK_ENABLED=m
CONFIG_NF_CONNTRACK=m
CONFIG_NF_CONNTRACK_MARK=y
CONFIG_NF_CONNTRACK_SECMARK=y
CONFIG_NF_CONNTRACK_EVENTS=y
CONFIG_NETFILTER_XT_MATCH_CONNTRACK=m
CONFIG_NF_CONNTRACK_IPV4=m
CONFIG_NF_CONNTRACK_PROC_COMPAT=y
But do NOT see what that HOWTO refers to (/proc/net/ip_conntrack)
[...]
> Hope you can guess what it want to say - english isn't my native
> lang, and it is early in the morning ;)
English is my native language and you are considerably better at it
than I am. That may not be much of a compliment though because I'm an
illiterate hill-billy.
* Re: [gentoo-user] Re: ip_conntrack - is it missing
From: Etaoin Shrdlu @ 2008-01-07 16:09 UTC
To: gentoo-user
On Monday 7 January 2008, reader@newsguy.com wrote:
> I see:
> grep -i ^[^#].*conntrack /usr/src/linux/.config
>
> CONFIG_NF_CONNTRACK_ENABLED=m
> CONFIG_NF_CONNTRACK=m
> CONFIG_NF_CONNTRACK_MARK=y
> CONFIG_NF_CONNTRACK_SECMARK=y
> CONFIG_NF_CONNTRACK_EVENTS=y
> CONFIG_NETFILTER_XT_MATCH_CONNTRACK=m
> CONFIG_NF_CONNTRACK_IPV4=m
> CONFIG_NF_CONNTRACK_PROC_COMPAT=y
>
>
> But do NOT see what that HOWTO refers to (/proc/net/ip_conntrack)
Sorry for the dumb question... you have compiled conntrack as a module,
but is that module (or modules) actually loaded (you can check with
lsmod)? If not, loading the module should also create the file in /proc.
The module should be called nf_conntrack (load it with modprobe
nf_conntrack). If not, look into /lib/modules/`uname -r`, look for
modules with conntrack in the name, and load them.
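The three checks raised so far in this thread (Johann's grep of the kernel .config, and the lsmod and /proc/net checks in the reply above) put together as one small diagnostic. This is an added example, not code from the thread or from the Gentoo wiki page. It takes the three paths as arguments so the same functions can be exercised on constructed files; on a real host the paths it expects are /usr/src/linux/.config, /proc/modules (the file lsmod reads) and /proc/net.

```shell
#!/bin/sh
# Added example, not from the thread: diagnose why /proc/net/ip_conntrack
# or /proc/net/nf_conntrack is missing. All paths are passed in so the
# functions can also be run against constructed files.

# Report how connection tracking is configured in a kernel .config:
#   builtin -> CONFIG_NF_CONNTRACK=y
#   module  -> CONFIG_NF_CONNTRACK=m
#   absent  -> "is not set" or no such line
#   unknown -> config file not readable
conntrack_config_state() {
    config="$1"
    if [ ! -r "$config" ]; then
        echo "unknown"
        return 0
    fi
    # Anchored on the line start so "# CONFIG_NF_CONNTRACK is not set"
    # and the other CONFIG_NF_CONNTRACK_* options do not match.
    val=$(grep -E '^CONFIG_NF_CONNTRACK=' "$config" | cut -d= -f2)
    case "$val" in
        y) echo "builtin" ;;
        m) echo "module" ;;
        *) echo "absent" ;;
    esac
}

# Succeed if nf_conntrack is listed in lsmod-style output. $1 is a file
# holding that output; on a live system pass /proc/modules.
conntrack_module_loaded() {
    grep -q '^nf_conntrack[[:space:]]' "$1"
}

# Print whichever conntrack table file exists under the given proc/net
# directory (newer kernels expose nf_conntrack, older ones ip_conntrack).
conntrack_proc_file() {
    dir="$1"
    for f in nf_conntrack ip_conntrack; do
        if [ -e "$dir/$f" ]; then
            echo "$dir/$f"
            return 0
        fi
    done
    echo "none"
    return 1
}

# Combine the three checks into a short report.
conntrack_report() {
    config="$1"; modules="$2"; procnet="$3"
    state=$(conntrack_config_state "$config")
    echo "config: $state"
    if [ "$state" = "module" ]; then
        if conntrack_module_loaded "$modules"; then
            echo "module: loaded"
        else
            echo "module: not loaded (try: modprobe nf_conntrack)"
        fi
    fi
    echo "proc: $(conntrack_proc_file "$procnet")"
}

# Live usage on a real host (the kernel .config may need root to read):
#   sh this_script.sh /usr/src/linux/.config /proc/modules /proc/net
if [ "$#" -eq 3 ]; then
    conntrack_report "$1" "$2" "$3"
fi
```

A config built with =m that reports "module: not loaded" is exactly the situation described in this thread: the kernel has the code, but nothing has loaded it, so the /proc file never appears.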
* [gentoo-user] Re: ip_conntrack - is it missing
From: reader @ 2008-01-07 18:55 UTC
To: gentoo-user
Etaoin Shrdlu <shrdlu@unlimitedmail.org> writes:
>> I see:
>> grep -i ^[^#].*conntrack /usr/src/linux/.config
>>
>> CONFIG_NF_CONNTRACK_ENABLED=m
>> CONFIG_NF_CONNTRACK=m
>> CONFIG_NF_CONNTRACK_MARK=y
>> CONFIG_NF_CONNTRACK_SECMARK=y
>> CONFIG_NF_CONNTRACK_EVENTS=y
>> CONFIG_NETFILTER_XT_MATCH_CONNTRACK=m
>> CONFIG_NF_CONNTRACK_IPV4=m
>> CONFIG_NF_CONNTRACK_PROC_COMPAT=y
>>
>>
>> But do NOT see what that HOWTO refers to (/proc/net/ip_conntrack)
>
> Sorry for the dumb question...you have compiled conntrack as a module,
> but is that module (or modules) actually loaded (you can check with
> lsmod)? If not, loading the module should also create the file in /proc.
The question wasn't dumb.. but the operator on this end sure is.
My only defense is that the HOWTO doesn't mention any of that.
However I do know that would be necessary. When I saw your suggestion
I knew immediately I'd been a dope...... again.
Should I have compiled them directly into the kernel?
* Re: [gentoo-user] Re: ip_conntrack - is it missing
From: Etaoin Shrdlu @ 2008-01-07 19:30 UTC
To: gentoo-user
On Monday 7 January 2008, reader@newsguy.com wrote:
> Should I have compiled them directly into the kernel?
Well, this is usually a matter of debate. For iptables stuff, I
generally compile everything into the kernel, but I'm sure there are
people who can find good reasons for using modules. So, it's ultimately
up to you.
If you want iptables to be active and working all the time, then I think
you can compile its stuff into the kernel. It would be nice if someone
who uses modules also showed his reasons for keeping it as modules, so
you could get a better picture and make a more informed decision.
* Re: [gentoo-user] Re: ip_conntrack - is it missing
From: Mick @ 2008-01-08 9:49 UTC
On Monday 07 January 2008, Etaoin Shrdlu wrote:
> On Monday 7 January 2008, reader@newsguy.com wrote:
> > Should I have compiled them directly into the kernel?
>
> Well, this is usually a matter of debates. For iptables stuff, I
> generally compile everything into the kernel, but I'm sure there are
> people who can find good reasons for using modules. So, it's ultimately
> up to you.
>
> If you want iptables to be active and working all the time, then I think
> you can compile its stuff into the kernel. It would be nice if someone
> who uses modules also showed his reasons for keeping it as modules, so
> you could get a better picture and make a more informed decision.
# ls -la /proc/net/ip_conntrack
-r--r----- 1 root root 0 Jan 8 08:34 /proc/net/ip_conntrack
# cat /proc/net/ip_conntrack
#
# ls -la /proc/net/nf_conntrack
-r--r----- 1 root root 0 Jan 8 08:40 /proc/net/nf_conntrack
# cat /proc/net/nf_conntrack
#
I'm currently on the train with no internet connection. Both of the above
files are empty. On the other hand when online they show my current
connections. The above has been compiled into my kernel. I used to compile
iptables stuff as modules, but only a few of them these days. The reason was
that I did not know which I was going to use and therefore I could modprobe
them later on as and when required. The other reason (that I never actually
put into practice) was to patch the kernel with the latest & greatest iptable
modules updates and modprobe accordingly. If you know what you need in terms
of iptables kernel options go with the built-in-kernel choice; if not,
built-as-modules could be better - unless you prefer a fat kernel for no
reason.
--
Regards,
Mick
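Mick's listing above shows the table files empty while offline; once connections exist, each line of /proc/net/nf_conntrack (or the legacy /proc/net/ip_conntrack) describes one tracked flow. The following summariser, an added example that is not code from the thread, counts entries per protocol and per TCP state and flags flows the peer never answered, which is the quick view a defender wants from that file. It handles both layouts (nf_conntrack lines carry a leading address family such as "ipv4 2", ip_conntrack lines start at the protocol) and the empty-table case. The sample lines it runs on are constructed, not captured from a real host, and as the ls -la output shows, reading the real files requires root.

```shell
#!/bin/sh
# Added example, not from the thread: summarise a conntrack table dump.

# Print counts per protocol, per TCP state and of [UNREPLIED] entries.
# Usage: conntrack_summary [FILE]   (reads stdin when FILE is omitted)
conntrack_summary() {
    awk '
        NF == 0 { next }
        {
            # nf_conntrack lines start with the address family and its
            # number ("ipv4 2"); ip_conntrack lines start at the protocol.
            off = ($1 == "ipv4" || $1 == "ipv6") ? 2 : 0
            proto = $(off + 1)
            n++
            protos[proto]++
            # TCP entries carry a state word after the timeout field
            if (proto == "tcp") states[$(off + 4)]++
            # [UNREPLIED] marks flows for which no reply was ever seen
            if ($0 ~ /\[UNREPLIED\]/) unreplied++
        }
        END {
            if (n == 0) { print "entries: 0 (table empty)"; exit }
            print "entries: " n
            for (p in protos) print "proto " p ": " protos[p]
            for (s in states) print "tcp " s ": " states[s]
            print "unreplied: " (unreplied + 0)
        }
    ' "${1:--}"
}

# Constructed sample in the nf_conntrack layout (not captured from a real
# host): one established HTTPS flow, one unanswered SSH SYN, one DNS query.
conntrack_sample() {
    cat <<'EOF'
ipv4     2 tcp      6 431999 ESTABLISHED src=10.0.0.5 dst=203.0.113.10 sport=51234 dport=443 src=203.0.113.10 dst=10.0.0.5 sport=443 dport=51234 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 119 SYN_SENT src=10.0.0.5 dst=203.0.113.20 sport=51235 dport=22 [UNREPLIED] src=203.0.113.20 dst=10.0.0.5 sport=22 dport=51235 mark=0 zone=0 use=2
ipv4     2 udp      17 29 src=10.0.0.5 dst=10.0.0.1 sport=40000 dport=53 src=10.0.0.1 dst=10.0.0.5 sport=53 dport=40000 mark=0 zone=0 use=2
EOF
}

# Stand-alone run over the constructed sample.
# On a live host (as root): conntrack_summary /proc/net/nf_conntrack
conntrack_sample | conntrack_summary
```

A rising "unreplied" count relative to "entries" is worth watching on a host that should only be making outbound connections; it is also the counter that grows when the conntrack table is being filled faster than flows complete.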