Differences

This shows you the differences between two versions of the page.

docs:guide-user:firewall:netfilter_iptables:netfilter_management [2018/09/16 12:49] – ↷ Links adapted because of a move operation bobafetthotmaildocs:guide-user:firewall:netfilter_iptables:netfilter_management [2018/09/18 21:07] dturvene
Line 68: Line 68:
  
 To fix this, append your LOG rule to the ''forwarding_rule'' chain. To fix this, append your LOG rule to the ''forwarding_rule'' chain.
 +
 +===== Conntrack Diagnostics =====
 +Many netfilter features, especially NAT, depend on the ''nf_conntrack'' modules to track
 +IP connections between the WAN-side and the LAN-side.  Access to the conntrack tables can be
 +invaluable when debugging traffic rules.  The kernel presents the table
 +through the [[https://en.wikipedia.org/wiki/Procfs|procfs filesystem]]
 +at ''/proc/net/nf_conntrack''.
 +
 +Here is a typical conntrack entry:
 +<file>
 +ipv4     2 tcp      6 4088 ESTABLISHED src=192.168.3.171 dst=192.168.10.175 sport=33284 dport=22 packets=24 bytes=1248 src=192.168.10.175 dst=192.168.3.171 sport=22 dport=33284 packets=24 bytes=1248 [ASSURED] mark=0 use=2
 +</file>
 +This is a ipv4 tcp session on port=22 (SSH).  It shows a connection from STA1 to STA2 and then the reverse mapping.
 +
 +:!: The nf_conntrack parameters can be tuned using parameters in the sysfs
 +filesystem under ''/proc/sys/net/netfilter'' This is almost never desirable. 
 +
  
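Review bot: the :!: note at the end of the hunk describes ''/proc/sys/net/netfilter'' as being in the "sysfs filesystem", which contradicts the earlier sentence in the same hunk that (correctly) calls ''/proc'' the procfs filesystem; these tunables are sysctl knobs under procfs (sysfs is the separate ''/sys'' mount), so reword to something like "can be tuned through sysctl under ''/proc/sys/net/netfilter''" and add the missing full stop before "This is almost never desirable." Two smaller points in the same hunk: "This is a ipv4 tcp session" should read "an IPv4 TCP session", and STA1/STA2 are not defined anywhere in the added text, so either tie them to the addresses shown in the sample entry (src=192.168.3.171 and dst=192.168.10.175) or name the two hosts directly so the reader can follow the "reverse mapping" remark.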
  • Last modified: 2022/09/09 21:49
  • by zorun