[CentOS] conntrack-tools and Session syncing

Sun Aug 10 15:03:50 UTC 2008
Dirk H. Schulz <dirk.schulz at kinzesberg.de>

Hi Robert,

--On 10. August 2008 10:04:37 -0400 Robert Spangler 
<mlists at zoominternet.net> wrote:

> On Sunday 10 August 2008 08:36, Dirk H. Schulz wrote:
>
>> That works as expected. If e.g. I ping from an inside server to
>> somewhere outside, ICMP request leaves via router2, the answer comes
>> back via router1. conntrack -e on router1 shows this session (as
>> unreplied), BUT the firewall blocks it as new connection - that means
>> iptables does not recognize conntrackd's addition to the session table.
>
> First off, if you have traffic leaving one router and coming back on
> another router, that is Asynchronous routing and is not a good thing, as
> you are seeing.
>
> Firewall 1 doesn't know what firewall 2 is doing, so firewall 1 is going
> to block this traffic as it was set up to do. Firewall 1 is thinking
> this is a new connection.

That is why I used conntrack-tools to synchronize the session tables of
both firewalls. According to "conntrackd -e" it works - it shows (e.g. on
router 1) the sessions that have been synchronized over (e.g. from router
2).

But the sync'd sessions seem not to bother netfilter.

>
> Since I don't know your setup, my question is:
>
> 1. How many Internet connections do you have?

This is still in setup phase, but they will be very many.

> 2. Does router 2 have a valid public IP on the interface connecting to
> the Internet?

Yes. Both routers have public IPs as they both are connected to upstream
routers.

Dirk