[CentOS] conntrack-tools and Session syncing

Sun Aug 10 12:36:46 UTC 2008
Dirk H. Schulz <dirk.schulz at kinzesberg.de>

Hi folks,

I have 2 firewalls, set up with CentOS 5.2. They are also routers, connected 
to 2 upstream routers.

I have some cases where connections from servers to the internet leave my 
network via router2 and answers come back via router1. So I added conntrack 
tools to both routers/firewalls to synchronize the session tables (using the 
ftfw protocol).

That works as expected. If e.g. I ping from an inside server to somewhere 
outside, the ICMP request leaves via router2 and the answer comes back via 
router1. conntrack -e on router1 shows this session (as unreplied), BUT the 
firewall blocks it as a new connection - that means iptables does not 
recognize conntrackd's addition to the session table.

Seems that I have a conceptual misunderstanding here - but I cannot find 
anything that could be wrong. Could somebody please help? I am stuck.

Any hint or help is appreciated.
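For reference, an added example of the kind of conntrackd.conf a two-node FTFW setup uses; this is not the poster's configuration, and the addresses, interface name, tuning values and the assumption that the DisableExternalCache option (present in later conntrack-tools releases, not necessarily in the 2008 CentOS 5.2 package) is available are all assumptions:

```conf
# Added example, not from the original post. Two firewalls replicating
# connection-tracking state over a dedicated sync link with the FTFW
# (reliable) protocol. Site-specific values below are assumptions.
Sync {
    Mode FTFW {
        # Entries received from the peer normally go into conntrackd's
        # *external* cache, which iptables never consults; they reach the
        # kernel table only on "conntrackd -c" (commit, i.e. failover).
        # In an active-active / asymmetric-routing setup the replicated
        # entries must be injected into the kernel immediately, which is
        # what this option (assumed available in this release) does.
        DisableExternalCache On
    }
    Multicast {
        # Assumed multicast group and port shared by both nodes.
        IPv4_address 225.0.0.50
        Group 3780
        # Assumed: this node's own address and interface on the sync link.
        IPv4_interface 192.168.100.1
        Interface eth2
        SndSocketBuffer 1249280
        RcvSocketBuffer 1249280
        # Checksum the sync messages so a corrupted update is dropped
        # rather than installed as state.
        Checksum on
    }
}

General {
    HashSize 32768
    HashLimit 131072
    LogFile on
    LockFile /var/lock/conntrack.lock
    UNIX {
        Path /var/run/conntrackd.ctl
        Backlog 20
    }
    NetlinkBufferSize 2097152
    NetlinkBufferSizeMaxGrowth 8388608
    # Replicate only the protocols the firewall actually filters on, and
    # never replicate loopback state to the peer.
    Filter From Userspace {
        Protocol Accept {
            TCP
            UDP
            ICMP
        }
        Address Ignore {
            IPv4_address 127.0.0.1
        }
    }
}
```

When debugging a symptom like the one above, compare three places: `conntrackd -i` (this node's internal cache), `conntrackd -e` (the external cache holding the peer's entries) and `conntrack -L` (the kernel table, the only one iptables' state match sees). An entry that appears in the external cache but not in `conntrack -L` has been received but never committed to the kernel.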