How to use conntrack to allow SIP traffic

I have the following problem: Device (eth0) --> SWITCH (trunk) + VLAN120 --> (PC1), + VLAN200 --> (PC2). I am able to ping from PC1 to PC2, which are in different SUBNETS as above, using NAT rules in iptables as below, since they are in different SUBNETS: iptables -t nat -A POSTROUTING -o eth0.120 -j MASQUERADE iptables -t nat -A …

nf_conntrack_ftp module has disappeared

I’ve been running a Linode droplet for several years with no problems. In the last month, users have reported FTP connection errors, always related to Passive FTP. Investigation shows that the nf_conntrack_ftp module is no longer loaded. We use this module to allow iptables to properly handle passive ftp connections. Apparently this module has vanished …

conntrack events(conntrack -E) show 0.0.0.0 as source and destination addresses

These are the logs down below.

[DESTROY] udp 17 src=0.0.0.0 dst=0.0.0.0 sport=0 dport=0 packets=3 bytes=216 [UNREPLIED] src=0.0.0.0 dst=0.0.0.0 sport=0 dport=0 packets=0 bytes=0
[NEW] udp 17 30 src=0.0.0.0 dst=0.0.0.0 sport=0 dport=0 [UNREPLIED] src=0.0.0.0 dst=0.0.0.0 sport=0 dport=0
[NEW] udp 17 30 src=0.0.0.0 dst=0.0.0.0 sport=0 dport=0 [UNREPLIED] src=0.0.0.0 dst=0.0.0.0 sport=0 dport=0
[DESTROY] udp 17 src=0.0.0.0 dst=0.0.0.0 sport=0 dport=0 …

Limiting outgoing connections by port to control nf_conntrack usage

I would like to make my system more resilient against a certain failure. When the system makes rapid outbound TCP connections that fail, the nf_conntrack table fills up with TIME_WAIT entries. This causes other operations on the system to fail, as there are no more nf_conntrack entries available. I know that it is possible to modify certain …
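One way to keep a known class of short-lived outbound connections from consuming conntrack entries at all, as an added example that is not part of the question above: mark them untracked in the raw table with the CT target, and accept them explicitly by the UNTRACKED state, since untracked packets never become NEW or ESTABLISHED. The destination port (6379) and interface name are assumptions chosen for illustration; lowering net.netfilter.nf_conntrack_tcp_timeout_time_wait is the lighter alternative when the flows must stay tracked.

```sh
#!/bin/sh
# Added example (not from the question): exempt one class of short-lived outbound
# connections from connection tracking with the raw table's CT --notrack target, so
# their TIME_WAIT entries never occupy nf_conntrack_max. The port (6379) and the
# interface are assumptions chosen for illustration.

NOTRACK_PORT=${NOTRACK_PORT:-6379}
NOTRACK_IF=${NOTRACK_IF:-eth0}

# Untracked packets get no NAT and no NEW/ESTABLISHED/RELATED state, so both
# directions must be accepted explicitly by the UNTRACKED state in the filter table.
notrack_rules() {
    cat <<EOF
iptables -t raw -A OUTPUT -o $NOTRACK_IF -p tcp --dport $NOTRACK_PORT -j CT --notrack
iptables -t raw -A PREROUTING -i $NOTRACK_IF -p tcp --sport $NOTRACK_PORT -j CT --notrack
iptables -A OUTPUT -o $NOTRACK_IF -p tcp --dport $NOTRACK_PORT -m conntrack --ctstate UNTRACKED -j ACCEPT
iptables -A INPUT -i $NOTRACK_IF -p tcp --sport $NOTRACK_PORT -m conntrack --ctstate UNTRACKED -j ACCEPT
EOF
}

# Prints "count max" from /proc/sys, so it works without the conntrack tool;
# fails if the nf_conntrack module is not loaded.
conntrack_usage() {
    [ -r /proc/sys/net/netfilter/nf_conntrack_count ] || return 1
    printf '%s %s\n' "$(cat /proc/sys/net/netfilter/nf_conntrack_count)" \
                     "$(cat /proc/sys/net/netfilter/nf_conntrack_max)"
}

# Integer percentage of the table in use, from "count max" on stdin.
usage_percent() {
    read -r count max
    echo $(( count * 100 / max ))
}

# Pass "apply" (as root) to install the rules; "check" prints table occupancy in percent.
case "${1:-}" in
    apply) notrack_rules | sh -e ;;
    check) conntrack_usage | usage_percent ;;
    *)     notrack_rules ;;
esac
```

The inbound PREROUTING rule keys on the source port only, which is deliberately loose for the example; on a real host add `-s` with the peer addresses so unrelated packets from that port are not exempted. Because these flows carry no state, ESTABLISHED,RELATED accept rules no longer cover them and they cannot be NATed.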

ip_conntrack_max not found

I did reconfigure /etc/sysctl.conf:

net.ipv4.netfilter.ip_conntrack_max = 65536
net.nf_conntrack_max = 65536
net.netfilter.nf_conntrack_tcp_timeout_established = 600
net.ipv4.netfilter.ip_conntrack_tcp_timeout_established = 600
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 90
net.ipv4.netfilter.ip_conntrack_tcp_timeout_time_wait = 90

After sysctl -p, I have received:

sysctl: cannot stat /proc/sys/net/ipv4/netfilter/ip_conntrack_max: No such file or directory
net.nf_conntrack_max = 65536
sysctl: cannot stat /proc/sys/net/netfilter/nf_conntrack_tcp_timeout_established: No such file or directory
sysctl: cannot stat /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_established: No such …
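The net.ipv4.netfilter.ip_conntrack_* keys belong to the old ip_conntrack module and do not exist on kernels that use nf_conntrack; the net.netfilter.nf_conntrack_* keys only appear once the nf_conntrack module is loaded. The script below, an added example rather than anything from the question, translates the legacy names, checks that each /proc/sys entry exists before writing, and applies the values quoted above; everything else about the host is left unassumed.

```sh
#!/bin/sh
# Added example (not from the question): apply the conntrack limits from the question
# under the nf_conntrack key names, skipping keys whose /proc/sys entry is absent
# instead of aborting like "sysctl -p". net.ipv4.netfilter.ip_conntrack_* keys are
# the old ip_conntrack module's; the nf_conntrack_* keys exist only once the
# nf_conntrack module is loaded.

# Rewrite a legacy ip_conntrack key to its nf_conntrack equivalent; other keys pass through.
conntrack_key_modern() {
    case "$1" in
        net.ipv4.netfilter.ip_conntrack_*)
            echo "net.netfilter.nf_conntrack_${1#net.ipv4.netfilter.ip_conntrack_}" ;;
        *)  echo "$1" ;;
    esac
}

# Path of a sysctl key under /proc/sys (dots become slashes).
sysctl_path() {
    printf '/proc/sys/%s\n' "$(printf '%s' "$1" | tr '.' '/')"
}

# Set key=value when the entry exists. Returns 0 if applied, 1 if skipped.
apply_if_present() {
    key=$(conntrack_key_modern "$1")
    path=$(sysctl_path "$key")
    if [ -w "$path" ]; then
        printf '%s\n' "$2" > "$path"
        echo "applied $key=$2"
        return 0
    fi
    echo "skipped $key: $path missing (run 'modprobe nf_conntrack' first?)" >&2
    return 1
}

# Settings from the question, one per line; legacy names are translated above.
CONNTRACK_SETTINGS='net.ipv4.netfilter.ip_conntrack_max 65536
net.netfilter.nf_conntrack_tcp_timeout_established 600
net.netfilter.nf_conntrack_tcp_timeout_time_wait 90'

# Run as root with "apply" to write the values; without it the script only defines helpers.
if [ "${1:-}" = apply ]; then
    printf '%s\n' "$CONNTRACK_SETTINGS" | while read -r key value; do
        apply_if_present "$key" "$value" || true
    done
fi
```

Once the entries exist, the same values can go into /etc/sysctl.conf under the net.netfilter.nf_conntrack_* names; keep the module loaded at boot so they exist when sysctl -p runs.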

iptables FTP connection tracking not working

I am hoping someone can point me in the right direction here please. Running proftpd (with tls support) on a public IP. FTP client connects, but can’t do a directory listing. When I change the “INPUT” policy on iptables to ACCEPT, it does work. The following is my relevant iptables rules: $IPTABLES -A INPUT -i …

Should I do the stateful matching with iptables for nat table?

I often see that there are some stateful matching rules in an iptables chain such as INPUT. I know what they are doing, and I’m interested in whether I should do the same for the chains of the NAT table. For example, in my home router, I want it to accept ssh, and also act as …
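The nat table is only consulted for the first packet of a connection; every later packet reuses the mapping stored in the conntrack entry. A --ctstate match in a nat chain therefore adds nothing, and the policy belongs in the filter table. The ruleset below is an added example, not from the question, of a home router built that way; the WAN and LAN interface names and the LAN subnet are assumptions for illustration.

```sh
#!/bin/sh
# Added example (not from the question): a minimal home-router ruleset with all stateful
# matching in the filter table and none in the nat table, which sees only each
# connection's first packet. Interface names and the LAN subnet are assumptions.

WAN=${WAN:-eth0}
LAN=${LAN:-eth1}
LAN_NET=${LAN_NET:-192.168.1.0/24}

# Address translation only: no state matching here.
nat_rules() {
    cat <<EOF
iptables -t nat -A POSTROUTING -o $WAN -s $LAN_NET -j MASQUERADE
EOF
}

# Policy: stateful matching lives here. Inbound ssh is the one NEW connection
# accepted on the router itself; LAN hosts may open outbound connections.
filter_rules() {
    cat <<EOF
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LAN -o $WAN -s $LAN_NET -m conntrack --ctstate NEW -j ACCEPT
EOF
}

# Sanity check: true when no nat rule carries a --ctstate match.
nat_is_stateless() {
    ! nat_rules | grep -q -- '--ctstate'
}

# Pass "apply" (as root) to install the rules; otherwise print them.
if [ "${1:-}" = apply ]; then
    { nat_rules; filter_rules; } | sh -e
else
    nat_rules
    filter_rules
fi
```

The INVALID drop in INPUT is what keeps packets that belong to no tracked connection from slipping past the ESTABLISHED rule; with the filter table doing that work, a repeated --ctstate in nat would only be evaluated once per connection anyway.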

Apache keeps TCP Connection in CLOSE-WAIT state for 600 Seconds

My setup consists of two apache servers like in this diagram:

|Apache | >==Reverse Proxy Connection====> |Apache |
|Server1| <==Response through conntrack==< |Server2|

After a successful HTTP connection from Server 1 to Server 2, the latter sends a TCP [FIN,ACK] packet. This packet is properly acknowledged by Server 1 with a TCP [ACK] packet. The …

net.netfilter.nf_conntrack_helper=1 a security risk?

For a public file archive with an anonymous ftp server (vsftpd) I need to restore passive ftp, which ceased to work after upgrading Ubuntu 16 LTS to 18 LTS some time ago (with 20 to follow). Previous answers around the SE network indicate that in addition to configuring connection tracking in the kernel and firewall, …
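With net.netfilter.nf_conntrack_helper=1 the kernel attaches a loaded helper to every connection on its port, so any host the firewall handles can have pinholes opened on its behalf by whatever talks to port 21. The safer arrangement, which also answers the passive-FTP questions above ("nf_conntrack_ftp module has disappeared", "iptables FTP connection tracking not working") and generalises to the SIP helper from the first question, is to leave automatic assignment off and bind the helper to one service explicitly with the raw table's CT target, then accept only the RELATED connections that helper created. The script is an added example and not from any of the questions; the public interface name is an assumption, while the helper names ftp and sip are the kernel's.

```sh
#!/bin/sh
# Added example (not from the questions): bind a conntrack helper to one service with
# CT --helper instead of enabling net.netfilter.nf_conntrack_helper=1, and admit only
# the data connections that helper expects. The interface name is an assumption; the
# helper names (ftp, sip) are the kernel's own.

PUB_IF=${PUB_IF:-eth0}   # assumed public interface

# Rules for one service: $1=protocol $2=control port $3=helper name.
# RELATED is restricted to connections expected by this helper (-m helper).
helper_rules() {
    proto=$1; port=$2; helper=$3
    cat <<EOF
iptables -t raw -A PREROUTING -i $PUB_IF -p $proto --dport $port -j CT --helper $helper
iptables -A INPUT -i $PUB_IF -p $proto --dport $port -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -i $PUB_IF -m conntrack --ctstate RELATED -m helper --helper $helper -j ACCEPT
iptables -A INPUT -i $PUB_IF -m conntrack --ctstate ESTABLISHED -j ACCEPT
EOF
}

# Kernel side: load the helper module and, where the knob still exists (it was
# removed in Linux 6.0 along with automatic assignment), switch auto-assignment off.
helper_setup() {
    modprobe "nf_conntrack_$1"
    if [ -w /proc/sys/net/netfilter/nf_conntrack_helper ]; then
        sysctl -w net.netfilter.nf_conntrack_helper=0
    fi
}

# True when the helper module is present in the running kernel.
helper_loaded() {
    [ -d "/sys/module/nf_conntrack_$1" ]
}

# "apply" (as root) installs the FTP rules; "sip" prints the SIP variant; default prints FTP.
case "${1:-}" in
    apply) helper_setup ftp && helper_rules tcp 21 ftp | sh -e ;;
    sip)   helper_rules udp 5060 sip ;;
    *)     helper_rules tcp 21 ftp ;;
esac
```

Two caveats for the FTP questions above: if the server sits behind NAT, nf_nat_ftp must be loaded as well so the helper can rewrite the PASV reply; and when the control channel is encrypted, as with proftpd's TLS support, the helper cannot read the PASV response at all, so the server's passive port range has to be opened with an ordinary static rule instead.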

Connections disappearing from nf_conntrack

I’ve been investigating a special issue on our docker host server (17.09.0-ce) and found that every 3-5 minutes, many connections disappear from /proc/net/nf_conntrack, causing the client side of the connection to time out. I’m on CentOS 6. I didn’t see any special packets that may cause this behavior (I used tshark). I don’t see any …