Iptables: "notrack" target not working

I'm playing around with iptables and want to use the "notrack" target. But it doesn't work.

    iptables -t raw -A PREROUTING -i br-lan -s 192.168.1.0/24 -p tcp --dport 32777:32780 -j notrack
    iptables v1.4.21: Couldn't load target `notrack':No such file or directory

I think I have the necessary modules loaded.

    /etc/privoxy# lsmod | grep conntrack
    nf_conntrack           54600 12 xt_helper,xt_connmark,xt_connlimit,xt_connbytes,nf_nat_ipv4,nf_conntrack_ipv6,nf_conntrack_ipv4,xt_state,xt_conntrack,nf_nat_masquerade_ipv4,nf_nat,nf_conntrack_rtcache
    nf_conntrack_ipv4       5507 13
    nf_conntrack_ipv6       5884  0
    nf_conntrack_rtcache    2834  0
    nf_defrag_ipv4          1020  1 nf_conntrack_ipv4
    nf_defrag_ipv6         13533  1 nf_conntrack_ipv6
    x_tables               11003 28 iptable_raw,xt_recent,xt_helper,xt_connmark,xt_connlimit,xt_connbytes,ipt_REJECT,ipt_MASQUERADE,xt_time,xt_tcpudp,xt_state,xt_nat,xt_multiport,xt_mark,xt_mac,xt_limit,xt_conntrack,xt_comment,xt_TCPMSS,xt_REDIRECT,xt_LOG,iptable_mangle,iptable_filter,ip_tables,ip6t_REJECT,ip6table_mangle,ip6table_filter,ip6_tables
    xt_conntrack            2648 12

Any ideas?

They removed xt_NOTRACK from the build quite a long time ago.
They claim notrack does not give any significant CPU time saving.
Also, fw3 does not generate notrack rules anymore.

Thanks, that probably explains it. But I'm wondering if the description for the package kmod-ipt-conntrack is still correct then. Here it says:

    kmod-ipt-conntrack - 4.4.50-1 - Netfilter (IPv4) kernel modules for connection tracking Includes: - conntrack - defrag - iptables_raw - NOTRACK

I have firewall rules with target NOTRACK. They stick and traffic runs through them.

They are added in /etc/config/firewall as a rule and they end up in the raw table. I'm guessing you need to add it there or modify your custom rule to -j to NOTRACK instead of notrack.

Strange. I tried "NOTRACK" as well, but no difference. Are you using a recent enough LEDE version with the standard LEDE kernel? Can I see your output of "lsmod | grep -i conntrack"? And of "iptables -t raw -L -n"?

I am running trunk (custom config) and I have had this setup since kernel 3.18. Currently running 4.9.

grep:

    nf_conntrack           63411 36 nf_nat_pptp,nf_conntrack_pptp,nf_conntrack_ipv6,xt_state,xt_helper,xt_conntrack,xt_connmark,xt_connlimit,xt_connbytes,xt_CT,nf_nat_tftp,nf_nat_snmp_basic,nf_nat_sip,nf_nat_masquerade_ipv4,nf_nat_irc,nf_conntrack_ipv4,nf_nat_ipv4,nf_nat_h323,nf_nat_ftp,nf_nat_amanda,nf_nat,nf_dup_ipv6,nf_dup_ipv4,nf_conntrack_tftp,nf_conntrack_snmp,nf_conntrack_sip,nf_conntrack_rtcache,nf_conntrack_proto_gre,nf_conntrack_netlink,nf_conntrack_irc,nf_conntrack_h323,nf_conntrack_ftp,nf_conntrack_broadcast,nf_conntrack_amanda,sch_cake,act_connmark
    nf_conntrack_amanda     1868  1 nf_nat_amanda
    nf_conntrack_broadcast   893  1 nf_conntrack_snmp
    nf_conntrack_ftp        5505  1 nf_nat_ftp
    nf_conntrack_h323      34531  1 nf_nat_h323
    nf_conntrack_ipv4       6437 25
    nf_conntrack_ipv6       6948  6
    nf_conntrack_irc        2873  1 nf_nat_irc
    nf_conntrack_netlink   21631  0
    nf_conntrack_pptp       3444  1 nf_nat_pptp
    nf_conntrack_proto_gre  3031  1 nf_conntrack_pptp
    nf_conntrack_rtcache    2770  0
    nf_conntrack_sip       18119  1 nf_nat_sip
    nf_conntrack_snmp        856  1 nf_nat_snmp_basic
    nf_conntrack_tftp       2846  1 nf_nat_tftp
    nf_defrag_ipv4           956  1 nf_conntrack_ipv4
    nf_defrag_ipv6         13140  1 nf_conntrack_ipv6
    nfnetlink               4191  5 nfnetlink_queue,nfnetlink_log,nf_conntrack_netlink,ip_set
    x_tables               11372 66 ipt_REJECT,ipt_MASQUERADE,xt_u32,xt_time,xt_tcpudp,xt_tcpmss,xt_string,xt_statistic,xt_state,xt_recent,xt_quota,xt_psd,xt_policy,xt_pkttype,xt_physdev,xt_owner,xt_nat,xt_multiport,xt_mark,xt_mac,xt_limit,xt_length,xt_hl,xt_helper,xt_esp,xt_ecn,xt_dscp,xt_conntrack,xt_connmark,xt_connlimit,xt_connbytes,xt_comment,xt_addrtype,xt_TEE,xt_TCPMSS,xt_TARPIT,xt_REDIRECT,xt_NFQUEUE,xt_NFLOG,xt_NETMAP,xt_LOG,xt_LED,xt_HL,xt_DSCP,xt_CT,xt_CLASSIFY,iptable_raw,iptable_mangle,iptable_filter,ipt_ah,ipt_ECN,ip6table_raw,ip_tables,act_ipt,xt_set,ip6t_rt,ip6t_frag,ip6t_hbh,ip6t_eui64,ip6t_mh,ip6t_ah,ip6t_ipv6header,ip6t_REJECT,ip6table_mangle,ip6table_filter,ip6_tables
    xt_conntrack            2456 30

iptables:

    Chain zone_lan_notrack (1 references)
    target     prot opt source               destination
    CT         tcp  --  0.0.0.0/0            0.0.0.0/0            tcp spts:137:139 /* !fw3: Don't track NETBIOS Service */ CT notrack
    CT         udp  --  0.0.0.0/0            0.0.0.0/0            udp spts:137:139 /* !fw3: Don't track NETBIOS Service */ CT notrack
    CT         tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpts:137:139 /* !fw3: Don't track NETBIOS Service */ CT notrack
    CT         udp  --  0.0.0.0/0            0.0.0.0/0            udp dpts:137:139 /* !fw3: Don't track NETBIOS Service */ CT notrack
    CT         tcp  --  0.0.0.0/0            0.0.0.0/0            tcp spt:445 /* !fw3: Don't track Windows Filesharing */ CT notrack
    CT         udp  --  0.0.0.0/0            0.0.0.0/0            udp spt:445 /* !fw3: Don't track Windows Filesharing */ CT notrack
    CT         tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:445 /* !fw3: Don't track Windows Filesharing */ CT notrack
    CT         udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:445 /* !fw3: Don't track Windows Filesharing */ CT notrack

On OpenWRT this is done with -j CT --notrack (rather than -j NOTRACK); however, I'm not sure if it is the same for LEDE.

1 Like
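The thread's conclusion is that the old NOTRACK target module (xt_NOTRACK) is gone and the same effect now comes from the CT target (xt_CT) with `--notrack` in the raw table, which is what fw3 emits in the listing above. The following shell snippet is an added example, not code from the thread or from fw3/OpenWrt: it rewrites a legacy `-j NOTRACK` rule into the `-j CT --notrack` form, and checks a piece of `lsmod` output for xt_CT, the module the CT target needs (in the original poster's output xt_CT is absent from the x_tables "used by" list; in the second poster's it is present). The function names, and the two short lsmod excerpts, are constructed for the example.

```sh
#!/bin/sh
# Added example, not code from the thread: rewrite a legacy "-j NOTRACK" rule
# into the "-j CT --notrack" form that fw3 emits in the raw table, and check
# lsmod output for the xt_CT module that backs the CT target.

# notrack_rule: print the rule with "-j NOTRACK" / "-j notrack" replaced by
# "-j CT --notrack". Rules with any other target pass through unchanged.
notrack_rule() {
    printf '%s\n' "$*" |
        sed -E 's/-j[[:space:]]+[Nn][Oo][Tt][Rr][Aa][Cc][Kk]([[:space:]]|$)/-j CT --notrack\1/'
}

# has_xt_ct: exit 0 when the given lsmod text shows xt_CT, either as a module
# line of its own or inside the comma-separated "used by" column of another
# module (nf_conntrack and x_tables list their users there); exit 1 otherwise.
has_xt_ct() {
    printf '%s\n' "$1" | awk '
        $1 == "xt_CT" { found = 1 }
        { n = split($4, deps, ",")
          for (i = 1; i <= n; i++) if (deps[i] == "xt_CT") found = 1 }
        END { exit !found }'
}

# Constructed lsmod excerpts (not the thread's real output): one kernel that
# has xt_CT loaded and one that does not.
LSMOD_WITH_CT='nf_conntrack 63411 3 xt_state,xt_conntrack,xt_CT
x_tables 11372 4 iptable_raw,xt_conntrack,xt_CT,ip_tables
xt_conntrack 2456 2'
LSMOD_WITHOUT_CT='nf_conntrack 54600 2 xt_state,xt_conntrack
x_tables 11003 3 iptable_raw,xt_conntrack,ip_tables
xt_conntrack 2648 2'

# Stand-alone run: show the rewritten rule from the first post, then report
# whether each lsmod sample would let "-j CT" load.
notrack_rule iptables -t raw -A PREROUTING -i br-lan -s 192.168.1.0/24 \
    -p tcp --dport 32777:32780 -j notrack
if has_xt_ct "$LSMOD_WITH_CT"; then echo "sample 1: xt_CT present"; fi
if ! has_xt_ct "$LSMOD_WITHOUT_CT"; then echo "sample 2: xt_CT missing, -j CT will not load"; fi
```

The rewritten rule is only half the check. On the router itself, `iptables -t raw -L -n -v` shows per-rule packet counters, so a rule that is matching traffic climbs; flows that hit a `CT --notrack` rule get no conntrack entry, so they should not appear in `conntrack -L` (from conntrack-tools) while tracked flows on the same host do.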