[CentOS] conntrack-tools and Session syncing
mlists at zoominternet.net
Sun Aug 10 17:56:22 UTC 2008
On Sunday 10 August 2008 11:03, Dirk H. Schulz wrote:
> >> That works as expected. If e.g. I ping from an inside server to
> >> somewhere outside, ICMP request leaves via router2, the answer comes
> >> back via router1. conntrack -e on router1 shows this session (as
> >> unreplied), BUT the firewall blocks it as new connection - that means
> >> iptables does not recognize conntrackd's addition to the session table.
> > First off if you have traffic leaving one router and coming back on
> > another router that is Asynchronous routing and is not a good thing, as
> > you are seeing.
> > Firewall 1 doesn't know what firewall 2 is doing so firewall 1 is going
> > to block this traffic as it was setup to do. Firewall 1 is thinking
> > this is a new connection.
> That is why I used conntrack-tools to synchronize the session tables of
> both firewalls. According to "conntrackd -e" it works - it shows (e. g. on
> router 1) the sessions that have been synchronized over (e.g. from router
> But the sync'd sessions seem not to bother netfilter.
> > Since I don't know your setup my question is;
> > 1. how many Internet connections do you have?
> This is still in setup phase, but they will be very many.
> > 2. does router 2 have a valid public ip on the interface connecting to
> > the Internet?
> Yes. Both routers have public ips as they both are connected to upstream
OK, I don't know this tool you are using to sync the conntracking of all the
firewalls. Could you post a link to it?
Now for the fun stuff. Why would you have many Internet connections that do
not return on the same path they go out on? Sounds like you really only have
one true connection with one true IP to the Internet. That would explain why
traffic leaving on interface 2 comes back on interface 1.
Without knowing your setup I'm not going to guess at this.
Smile... it increases your face value!
Linux User #296285