Mailing List Archive: iptables: User

delete conntrack entry - how

Index | Next | Previous | View Threaded

fd4 at itsec4u

Jul 30, 2007, 4:32 AM

Post #1 of 6 (1879 views)
Permalink

delete conntrack entry - how

hi,

I want to delete this stale conntrack entry:
conntrack -L
tcp 6 259996 ESTABLISHED src=85.214.110.62
dst=217.199.190.234 sport=44895 dport=80 packets=1 bytes=40 [UNREPLIED]
src=217.199.190.234 dst=85.214.110.62 sport=80 dport=44895 packets=0
bytes=0 mark=0 use=1

iptstate shows:
Source Destination Proto State TTL
85.214.110.62:44895 217.199.190.234:80 tcp ESTABLISHED 72:10:59

so I dont want to wait 72 hours more;
I've already reduced some values,
e.g.
echo 216000
> /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_established

but the connection was already EST

an example for deleteing such an entry within the man page would be fine

Regards

martina2 at yak

Jul 29, 2007, 11:08 PM

Post #2 of 6 (1813 views)
Permalink

delete conntrack entry - how [In reply to]

martina2 at yak

Jul 29, 2007, 11:22 PM

Post #3 of 6 (1817 views)
Permalink

delete conntrack entry - how [In reply to]

fd4 at itsec4u

Jul 30, 2007, 7:12 AM

Post #4 of 6 (1818 views)
Permalink

Re: delete conntrack entry - how [In reply to]

> an example for deleteing such an entry within the man page would be fine

maybe this one (thanks to a readers help :-)
conntrack -D [conntrack] -s 172.16.31.31 -d 172.16.31.255 -p udp --orig-port-src 138 --orig-port-dst 138

fd4 at itsec4u

Aug 11, 2007, 12:38 AM

Post #5 of 6 (1767 views)
Permalink

Re: ip_conntrack growing indefinitely [In reply to]

> For now it has been patched setting ip_conntrack_max to 65536 but
> connections still grow indefinitely (seems NAT never drops old
> connections). Any idea of the reasons? Could be related with the kernel
> version (2 years old) we're running?

I've a similar phenomen using kernel 2.6.18-4-vserver-686 :
conntrack -L|wc -l
3340
nearly all started at a similar time from two ports to random

example iptstate:
Source Destination Proto State TTL
1.2.3.4:42573 1.2.3.4:842 tcp ESTABLISHED 10:44:43
1.2.3.4:42574 1.2.3.4:1501 tcp ESTABLISHED 10:43:51
1.2.3.4:42573 1.2.3.4:1392 tcp ESTABLISHED 10:43:20

well :- on my wish list now something like that:
conntrack -D -s 1.2.3.4 -d 1.2.3.4 -p tcp --orig-port-src 42573 --orig-port-dst *

eric at inl

Aug 11, 2007, 1:04 AM

Post #6 of 6 (1766 views)
Permalink

Re: ip_conntrack growing indefinitely [In reply to]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

Le Sat, 11 Aug 2007 09:38:08 +0200,
fd4 <fd4 [at] itsec4u> a écrit :

> > For now it has been patched setting ip_conntrack_max to 65536 but
>
> well :- on my wish list now something like that:
> conntrack -D -s 1.2.3.4 -d 1.2.3.4 -p tcp --orig-port-src 42573
> --orig-port-dst *

You should try this:
http://software.inl.fr/trac/trac.cgi/wiki/pynetfilter_conntrack

It does exactly what you want.

BR,
- --
Eric Leblond <eric [at] regit>
NuFW, Now User Filtering Works : http://www.nufw.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGvW2PnxA7CdMWjzIRAn4xAJsFD/7db/FCNw6iwTByznnY5PDpdACfdegE
pslZiNpAY6TtqT0F0Iw4HTw=
=6G59
-----END PGP SIGNATURE-----

Index | Next | Previous | View Threaded

Interested in having your list archived? Contact Gossamer Threads