[CentOS] conntrack-tools and Session syncing
Dirk H. Schulz
dirk.schulz at kinzesberg.de
Sun Aug 10 18:28:31 UTC 2008
Hi Robert,
--On 10. August 2008 13:56:22 -0400 Robert Spangler
<mlists at zoominternet.net> wrote:
- snip -
> OK, I don't know this tool you are using to sync the conntracking of all
> the firewalls. Could you post a link to it?
Yes, of course:
<http://www.netfilter.org/projects/conntrack-tools/index.html>
>
> Now for the fun stuff. Why would you have many Internet connections that
> do not return the same path they go out on? Sounds like you really only
> have one true connection with one true IP to the Internet. That would
> explain why traffic leaving on interface 2 comes back on interface 1.
It is two routers that are connected to 2 upstream routers; all four use
OSPFv2 for routing between them.
I have not fine-tuned OSPF so far to avoid asynchronous routing - I want to
do the connection table synchronization stuff before, because I have to
do it anyway (in case of a router crash) and now I have an ideal testbed
(because of the asynchronous routing).
>
> Without knowing your setup I'm not going to guess at this.
The setup is as follows: every router has
- an external interface with a public IP address, each in a small
separate subnet that connects to the upstream router
- an interface for inter-router connections (private IP addresses)
- 2 additional interfaces to server LANs - both routers have an interface
to both of the 2 server LANs
Both server LAN interfaces additionally use shared virtual IPs.
If you need more detailed information I could offer the OSPF configuration
(XORP).
Here is the configuration for conntrackd (I have omitted buffer sizes
etc.):
> Sync {
>     Mode FTFW {
>         ResendBufferSize 262144
>         CommitTimeout 180
>         ACKWindowSize 20
>     }
>     Multicast {
>         IPv4_address 225.0.0.50
>         IPv4_interface 192.168.11.1
>         Interface eth1
>         Group 3780
>     }
>     Checksum on
>     CacheWriteThrough On
> }
> General {
>     HashSize 8192
>     HashLimit 65535
- snip -
>     IgnoreTrafficFor {
>         IPv4_address INTER_ROUTER_INTERFACE
>         IPv4_address EXTERNAL_INTERFACE
>         IPv4_address INTERNAL_INTERFACE1
>         IPv4_address INTERNAL_VIRTUAL_IP
>         IPv4_address INTERNAL_INTERFACE2
>     }
>
>     IgnoreProtocol {
>         IGMP
>         VRRP
>     }
The setup works - using "conntrackd -e" I can see the connection table
entries the other router's conntrackd has synchronized. What I cannot check
is if the receiving conntrackd writes the received entries into the kernel's
connection tracking table.
Example:
> udp 17 30 src=124.165.230.206 dst=93.94.81.82 sport=2040 dport=1434 [UNREPLIED] [active since 6s]
> tcp 6 120 SYN_SENT src=93.185.115.91 dst=93.94.80.133 sport=4290 dport=135 [UNREPLIED] [active since 46s]
So I hope to find someone on the list who has done this kind of setup before.
Thanks for your interest so far.
Dirk
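One way to do the check the mail says cannot be done, added here as an example and not part of the original thread or of conntrack-tools: the script parses the original-direction 5-tuple from "conntrackd -e" output (external cache) and from "conntrack -L" output (kernel table, from the conntrack CLI in the same package) and reports cache entries the kernel does not have. The sample outputs are constructed (the two entries from the mail plus one extra flow); the function names are assumptions of this example.

```python
import re
from typing import Dict, Tuple

# Both "conntrackd -e" and "conntrack -L" lines start with
# "proto protonum timeout [STATE] src= dst= sport= dport="; only that
# original-direction tuple is used as the key, so the trailing fields
# ("[active since Ns]" vs. reply tuple, mark=, use=) do not matter.
LINE_RE = re.compile(
    r"^(?P<proto>\w+)\s+(?P<pnum>\d+)\s+(?P<ttl>\d+)\s+(?:(?P<state>[A-Z_]+)\s+)?"
    r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+sport=(?P<sport>\d+)\s+dport=(?P<dport>\d+)"
)

FlowKey = Tuple[str, str, str, int, int]  # (proto, src, dst, sport, dport)


def parse_table(text: str) -> Dict[FlowKey, str]:
    """Map each original-direction 5-tuple to its state ('-' for stateless protos).
    Lines that do not carry a port tuple (ICMP, summary lines) are skipped."""
    flows: Dict[FlowKey, str] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        key = (m["proto"], m["src"], m["dst"], int(m["sport"]), int(m["dport"]))
        flows[key] = m["state"] or "-"
    return flows


def missing_in_kernel(external: str, kernel: str) -> Dict[FlowKey, str]:
    """Entries present in the external cache but absent from the kernel table."""
    ext, kern = parse_table(external), parse_table(kernel)
    return {k: s for k, s in ext.items() if k not in kern}


# Constructed sample of "conntrackd -e": the two entries from the mail plus one more.
EXTERNAL_CACHE = """\
udp 17 30 src=124.165.230.206 dst=93.94.81.82 sport=2040 dport=1434 [UNREPLIED] [active since 6s]
tcp 6 120 SYN_SENT src=93.185.115.91 dst=93.94.80.133 sport=4290 dport=135 [UNREPLIED] [active since 46s]
tcp 6 431999 ESTABLISHED src=10.0.1.20 dst=93.94.80.133 sport=51234 dport=22 [ASSURED] [active since 300s]
"""

# Constructed sample of "conntrack -L" on the same host: the udp flow was never committed.
KERNEL_TABLE = """\
tcp 6 119 SYN_SENT src=93.185.115.91 dst=93.94.80.133 sport=4290 dport=135 [UNREPLIED] src=93.94.80.133 dst=93.185.115.91 sport=135 dport=4290 mark=0 use=1
tcp 6 431995 ESTABLISHED src=10.0.1.20 dst=93.94.80.133 sport=51234 dport=22 src=93.94.80.133 dst=10.0.1.20 sport=22 dport=51234 [ASSURED] mark=0 use=1
"""

if __name__ == "__main__":
    for key, state in missing_in_kernel(EXTERNAL_CACHE, KERNEL_TABLE).items():
        print("not in kernel:", key, state)
```

On a live router, feed the script the captured output of both commands taken at the same moment; entries that show up here but never reach the kernel are the ones a failover would lose.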