
I have a router with NAT port forwarding configured. I launched an HTTP copy of a big file via the NAT. The HTTP server is hosted on the LAN PC which contains the big file to download. I launched the file download from the WAN PC. I disabled the NAT rule while the file copy was running, but the file copy kept going. I want to stop the file copy when I disable the NAT forward rule, using conntrack-tools.


My conntrack list contains the following conntrack session:

# conntrack -L | grep "33.13"
tcp      6 431988 ESTABLISHED src=192.168.33.13 dst=192.168.33.215 sport=52722 dport=80 src=192.168.3.17 dst=192.168.33.13 sport=80 dport=52722 [ASSURED] use=1

I tried to remove it with the following command:

# conntrack -D --orig-src 192.168.33.13
tcp      6 431982 ESTABLISHED src=192.168.33.13 dst=192.168.33.215 sport=52722 dport=80 src=192.168.3.17 dst=192.168.33.13 sport=80 dport=52722 [ASSURED] use=1
conntrack v1.4.3 (conntrack-tools): 1 flow entries have been deleted.

The conntrack session is removed, as I can see with the following command. But another conntrack session was created, with a src IP address that is the LAN address of the removed conntrack entry:

# conntrack -L | grep "33.13"
tcp      6 431993 ESTABLISHED src=192.168.3.17 dst=192.168.33.13 sport=80 dport=52722 src=192.168.33.13 dst=192.168.33.215 sport=52722 dport=80 [ASSURED] use=1
conntrack v1.4.3 (conntrack-tools): 57 flow entries have been shown.

I tried to remove the new conntrack entry, but it keeps remaining:

# conntrack -D --orig-src 192.168.3.17

# conntrack -L | grep "33.13"
conntrack v1.4.3 (conntrack-tools): 11 flow entries have been shown.
tcp      6 431981 ESTABLISHED src=192.168.3.17 dst=192.168.33.13 sport=80 dport=52722 src=192.168.33.13 dst=192.168.33.215 sport=52722 dport=80 [ASSURED] use=1

What am I missing?

1 Answer


https://www.kernel.org/doc/Documentation/networking/nf_conntrack-sysctl.txt

nf_conntrack_tcp_loose - BOOLEAN
    0 - disabled
    not 0 - enabled (default)

    If it is set to zero, we disable picking up already established connections.

So the already-established connection is detected on the fly (without SYN/SYN+ACK/ACK involved) and added back as a new conntrack entry. Since it is a new conntrack entry, the nat table will be traversed again and the DNAT rule applied again. Even if one way doesn't work immediately (if there's no SNAT/MASQUERADE defined in addition to the DNAT rule, the HTTP server's outgoing packets might appear on the WAN as 192.168.3.17 for a short while and be rejected/ignored by 192.168.33.13), as soon as the other way tries again (ACK retry from 192.168.33.13...) this will match.

Type this:

echo 0 > /proc/sys/net/netfilter/nf_conntrack_tcp_loose

Then try again to delete the conntrack entry with conntrack -D ...

This should hopefully prevent a new conntrack entry from being created and cut the download.

  • Thank you man, great answer! I have a question. What's the risk of setting /proc/sys/net/netfilter/nf_conntrack_tcp_loose to 0? Is there a risk to other connections and traffic of the router, especially VoIP traffic (SIP)? Commented Oct 15, 2017 at 18:56
  • I think when a firewall/nat box is restarted, depending on its rules, the default setting might allow the current tcp connections to resume. If disabled, the connections are guaranteed to not recover. If you really want to disable a connection without changing this you can still add a DROP rule in the filter table before the usual --state ESTABLISHED -j ACCEPT. Look at the suggestion with ipset at the end of my answer to a related question there: unix.stackexchange.com/questions/397894/…
    – A.B
    Commented Oct 15, 2017 at 19:54
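The procedure from the answer and its comment, put together as a script. This is an added example, not code from the original question or answer: it parses `conntrack -L` output (the two entries shown in the question are used as a constructed sample, plus a made-up UDP line for a different LAN host), finds every entry that belongs to the forwarded LAN service in either the original or the reply tuple (the re-learned entry comes back with the directions swapped, which is why matching only `--orig-src` on one address missed it), and prints exact `conntrack -D` tuples for them. Only with `KILL_FLOW_APPLY=1` does it actually set `nf_conntrack_tcp_loose=0`, delete the entries, and insert the `FORWARD` DROP rules suggested in the comment. The LAN server 192.168.3.17:80 and the DNAT target are assumptions taken from the question.

```shell
#!/bin/sh
# Added example (not from the original post): tear down a DNATed flow for
# good.  Assumed from the question: LAN server 192.168.3.17:80 reached via
# the router's WAN address 192.168.33.215:80.

# conntrack_delete_args LAN_IP LAN_PORT
#   Reads `conntrack -L` output on stdin and prints, one line per matching
#   flow, the arguments for a `conntrack -D` that selects that flow by its
#   exact original tuple.  The LAN endpoint is searched in BOTH the original
#   and the reply tuple: a flow picked up again mid-stream
#   (nf_conntrack_tcp_loose=1) can reappear with the directions swapped.
conntrack_delete_args() {
  awk -v ip="$1" -v port="$2" '
    $1 == "tcp" || $1 == "udp" {
      n = 0
      for (i = 1; i <= NF; i++)
        if ($i ~ /^(src|dst|sport|dport)=/) { n++; split($i, kv, "="); v[n] = kv[2] }
      if (n < 8) next      # not a full orig+reply tuple, skip
      # v[1..4] = original src dst sport dport, v[5..8] = reply src dst sport dport
      hit = (v[1] == ip && v[3] == port) || (v[2] == ip && v[4] == port) ||
            (v[5] == ip && v[7] == port) || (v[6] == ip && v[8] == port)
      if (hit)
        printf "-p %s --orig-src %s --orig-dst %s --orig-port-src %s --orig-port-dst %s\n", $1, v[1], v[2], v[3], v[4]
    }'
}

# kill_forwarded_flow LAN_IP LAN_PORT
#   1. stop conntrack from re-creating entries from mid-stream packets,
#   2. delete every existing entry for the service, whichever way round.
kill_forwarded_flow() {
  sysctl -w net.netfilter.nf_conntrack_tcp_loose=0
  conntrack -L -p tcp 2>/dev/null | conntrack_delete_args "$1" "$2" |
  while read -r args; do
    # word-splitting of $args into separate options is intended
    conntrack -D $args || true
  done
}

# block_forwarded_service LAN_IP LAN_PORT
#   Belt and braces from the answer's comment: drop the forwarded packets at
#   the head of FORWARD, ahead of the usual ESTABLISHED,RELATED ACCEPT, so the
#   client's retransmissions cannot re-establish the flow even if tcp_loose
#   is left at its default.
block_forwarded_service() {
  iptables -I FORWARD 1 -p tcp -d "$1" --dport "$2" -j DROP
  iptables -I FORWARD 1 -p tcp -s "$1" --sport "$2" -j DROP
}

# Constructed sample of `conntrack -L` output: the two entries from the
# question plus an unrelated SIP flow to a different LAN host (made up).
SAMPLE='tcp      6 431988 ESTABLISHED src=192.168.33.13 dst=192.168.33.215 sport=52722 dport=80 src=192.168.3.17 dst=192.168.33.13 sport=80 dport=52722 [ASSURED] use=1
tcp      6 431993 ESTABLISHED src=192.168.3.17 dst=192.168.33.13 sport=80 dport=52722 src=192.168.33.13 dst=192.168.33.215 sport=52722 dport=80 [ASSURED] use=1
udp     17 29 src=192.168.33.13 dst=192.168.33.215 sport=5060 dport=5060 src=192.168.3.20 dst=192.168.33.13 sport=5060 dport=5060 [ASSURED] use=1'

if [ "${KILL_FLOW_APPLY:-0}" = 1 ]; then
  kill_forwarded_flow 192.168.3.17 80
  block_forwarded_service 192.168.3.17 80
else
  # Dry run: show what would be deleted for the sample above.
  printf '%s\n' "$SAMPLE" | conntrack_delete_args 192.168.3.17 80 | sed 's/^/would run: conntrack -D /'
fi
```

Run it as root with `KILL_FLOW_APPLY=1 sh killflow.sh` on the router; without the variable it only prints the two `conntrack -D` commands it would issue for the sample, and nothing for the SIP flow, since 192.168.3.20:5060 is a different service. Deleting by the full original tuple (address and port on both ends) rather than by `--orig-src` alone is what makes the delete hit the swapped entry and nothing else.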
