
Thread: ip_conntrack table overflow while running enhanced_ctorrent

  1. #1

    ip_conntrack table overflow while running enhanced_ctorrent

    Hi all,

    I have a strange problem with enhanced_ctorrent dnh3.2-9.
    The ip_conntrack table shot through the default 2048 entries in just 24 hours.
    All entries in the table are related to enhanced_ctorrent's port, so I think I can assume these connections are from the torrent client.
    Meanwhile `netstat -an | wc -l` is only about 200.

    The entries look like:

    tcp 6 344298 ESTABLISHED src=xx.xx.xx.xx dst=192.168.1.1 sport=3578 dport=8030 src=192.168.1.1 dst=xx.xx.xx.xx sport=8030 dport=3578 [ASSURED] use=1 mark=0

    192.168.1.1 is the Asus's address; 8030 is used by torrent.

    Is there a way to clear the ip_conntrack table? With Oleg's firmware, ip_conntrack is not a module which can be unloaded, and I can't find any timeout setting either.

    Any solution for this?

    Thanks,
    Simon

  2. #2
    Join Date
    Mar 2007
    Location
    Budapest / Hungary
    Posts
    79
    Hi, and sorry for my English.

    The default value is 4096 on the wl500g. You can set it in the ASUS web config page: Internet Firewall - Basic Config - Number of connections to track: (1024...16384).

    Save, and restart.

    Or you can set it from your post-firewall script:
    Code:
    echo "8192" >/proc/sys/net/ipv4/ip_conntrack_max
    This sets it to 8192. Don't forget to save your post-firewall script to flashfs.

    Bye,

    George

  3. #3
    Thanks George for this info.

    I'd already changed ip_conntrack_max to 8192. But I worry about why the ip_conntrack table has so many entries in it.
    Now there are 45xx entries in it, and it keeps growing.

    I've changed the router to AP mode, so NAT is already disabled. Why can this happen?

    Simon

  4. #4
    Hi, and sorry for my poor English.

    The ip conntrack table is a temporary storage of inbound ip packets.
    The input stream adds an ip packet to the table and the firewall removes it after processing the rules.
    The number of incoming packets on WAN depends on the speed of the line (my WAN is ADSL, 4096kb/192kb; the conntrack table capacity is 8192 and is always enough.
    Sometimes I have a DDOS attack, if I use a donkey (emule on PC, or amule / mlnet in the router) or Seaky's CTCS with enhanced-ctorrent. I use a big conntrack table and the ipt_recent.o module for protection. If your WAN connection is faster, use a bigger (16384) conntrack table.)

    Bye,

    George

  5. #5
    Thanks George!
    That was a great idea.

    Could you show me your iptables rule using ipt_recent?
    I can't work out how to use ipt_recent to clean up old entries.

    Simon

  6. #6
    OK, but you want this:

    post-firewall
    Code:
    #!/bin/sh
    # Info
    # $1 WAN_IF   $2 WAN_IP
    # $3 LAN_IF   $4 LAN_IP
    # $5 DMZ_IF   $6 DMZ_IP
    touch /tmp/var/log/fwdebug
    DATES=`date | /usr/bin/awk '{print substr($0,5,15)}'`
    echo $DATES "post-firewall: starting : WAN: $1 ($2), LAN: $3 ($4), DMZ: $5 ($6)" >>/tmp/var/log/fwdebug
    echo $DATES "post-firewall: starting : WAN: $1 ($2), LAN: $3 ($4), DMZ: $5 ($6)" >>/tmp/syslog.log
    echo $DATES " change logdrop and logaccept to DROP and ACCEPT...starting" >>/tmp/var/log/fwdebug
    echo "8192" >/proc/sys/net/ipv4/ip_conntrack_max
    iptables -D logaccept 1
    iptables -D logdrop 1
    iptables -D INPUT -j DROP
    
    DATES=`date | /usr/bin/awk '{print substr($0,5,15)}'`
    echo $DATES " change logdrop and logaccept to DROP and ACCEPT...done" >>/tmp/var/log/fwdebug
    echo $DATES " add INPUT rules to firewall...starting" >>/tmp/var/log/fwdebug
    # Per-source rate limit with ipt_recent: log when the threshold is reached,
    # then drop (refreshing the entry), otherwise record the packet and accept.
    iptables -A INPUT -i $1 -p TCP --dport 21 -m recent --name FTP --rcheck --hitcount 3 --seconds 30 \
    -j LOG --log-prefix "FTP_BRUTE "
    iptables -A INPUT -i $1 -p TCP --dport 21 -m recent --name FTP --update --hitcount 3 --seconds 30 \
    -j DROP
    iptables -A INPUT -i $1 -p TCP --dport 21 -m recent --name FTP --set -j ACCEPT
    iptables -A INPUT -i $1 -p TCP --dport 22 -m recent --name SSH --rcheck --hitcount 3 --seconds 120 \
    -j LOG --log-prefix "SSH_BRUTE "
    iptables -A INPUT -i $1 -p TCP --dport 22 -m recent --name SSH --update --hitcount 3 --seconds 120 \
    -j DROP
    iptables -A INPUT -i $1 -p TCP --dport 22 -m recent --name SSH --set -j ACCEPT
    iptables -A INPUT -i $1 -p TCP --dport 443 -m recent --name SSH --rcheck --hitcount 3 --seconds 120 \
    -j LOG --log-prefix "SSH_BRUTE "
    iptables -A INPUT -i $1 -p TCP --dport 443 -m recent --name SSH --update --hitcount 3 --seconds 120 \
    -j DROP
    iptables -A INPUT -i $1 -p TCP --dport 443 -m recent --name SSH --set -j ACCEPT
    
    for i in 4746 4747 4757 4848 4949 ; do
      # fixed: the interface variable is $1 (WAN_IF), not a bare "$"
      iptables -A INPUT -i $1 -p TCP --dport $i -m recent --name ED2K --rcheck --hitcount 50 \
      --seconds 5 -j LOG --log-prefix "ED2K_BRUTE "
      iptables -A INPUT -i $1 -p TCP --dport $i -m recent --name ED2K --update --hitcount 50 \
      --seconds 5 -j DROP
      iptables -A INPUT -i $1 -p TCP --dport $i -m recent --name ED2K --set -j ACCEPT
    done
    
    for i in 4747 4750 4751 4757 4848 4949 ; do
      iptables -A INPUT -i $1 -p UDP --dport $i -m recent --name ED2K --rcheck --hitcount 50 \
      --seconds 5 -j LOG --log-prefix "ED2K_BRUTE "
      iptables -A INPUT -i $1 -p UDP --dport $i -m recent --name ED2K --update --hitcount 50 \
      --seconds 5 -j DROP
      iptables -A INPUT -i $1 -p UDP --dport $i -m recent --name ED2K --set -j ACCEPT
    done
    
    i=2697
    while [ $i -le 2706 ] ; do
      iptables -A INPUT -i $1 -p TCP --dport $i -m recent --name ENHCT --rcheck --hitcount 50 \
      --seconds 5 -j LOG --log-prefix "ENHCT__BRUTE "
      iptables -A INPUT -i $1 -p TCP --dport $i -m recent --name ENHCT --update --hitcount 50 \
      --seconds 5 -j DROP
      iptables -A INPUT -i $1 -p TCP --dport $i -m recent --name ENHCT --set -j ACCEPT
      i=`expr $i + 1`
    done
    
    iptables -A INPUT -i $1 -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -j DROP
    DATES=`date | /usr/bin/awk '{print substr($0,5,15)}'`
    echo $DATES " add INPUT rules to firewall...done" >>/tmp/var/log/fwdebug
    
    echo `date` " add PREROUTING and FORWARD rules to firewall...starting" >>/tmp/var/log/fwdebug
    for i in 21 22 443 4746 4747 4757 ; do
      iptables -t nat -A PREROUTING -i $1 -p tcp --dport $i -j DNAT \
      --to-destination $4:$i
      iptables -A FORWARD -i $1 -o $3 -p tcp --dport $i -d $4 -j ACCEPT
    done
    for i in 4747 4750 4751 4757 ; do
      iptables -t nat -A PREROUTING -i $1 -p udp --dport $i -j DNAT \
      --to-destination $4:$i
      iptables -A FORWARD -i $1 -o $3 -p udp --dport $i -d $4 -j ACCEPT
    done
    
    DATES=`date | /usr/bin/awk '{print substr($0,5,15)}'`
    echo $DATES " add PREROUTING and FORWARD rules to firewall...done" >>/tmp/var/log/fwdebug
    echo $DATES "post-firewall: done" >>/tmp/var/log/fwdebug
    echo $DATES "post-firewall: done" >>/tmp/syslog.log

    The script uses the ipt_recent module in the next 3 lines:

    iptables -A INPUT -i <interface> -p TCP --dport <port> -m recent --name <RULE_NAME> --rcheck --hitcount <packet_number> \
    --seconds <time_in_sec> -j LOG --log-prefix <COMMENT_TO_LOG>
    iptables -A INPUT -i <interface> -p TCP --dport <port> -m recent --name <RULE_NAME> --update --hitcount <packet_number> \
    --seconds <time_in_sec> -j DROP
    iptables -A INPUT -i <interface> -p TCP --dport <port> -m recent --name <RULE_NAME> --set -j ACCEPT

    line 1: defines a rule to set and log packets, if there are more than <packet_number> in <time_in_sec>
    line 2: drops the packet, if there are more than <packet_number> in <time_in_sec>
    line 3: accepts, if fewer.

    I don't know if the parameters are correct. I got a crash when I tried to remove/change the 'logdrop' and 'logaccept' rules in my post-firewall script, and the correct value was lost. But this parameter (50 in 5 sec) is working; my router always works. In the old days, when I used a donkey (emule, etc.), I had a DDOS attack (no net, and the router was very slow). Now everything works (even under a DDOS attack).

    Bye (and sorry for my poor English),

    George

    (I use the emule client on 2 PCs (4848, 4949), uTorrent (17771) on a PC, amule or mlnet (mldonkey) on the router (4747..4757), sctcs on the router (2697..2706, for enhanced-ctorrent), and SSH on ports 22 and 443 (https). The SSH works on port 443 and over the M$ ISA server (at my workplace).)
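    The three-rule pattern George describes (rcheck to LOG, update to DROP, set to ACCEPT) is easier to reason about when you can see the per-source history it keeps. The following is an added example, not George's script and not part of the original thread: a small Python model of the iptables `recent` match as used in that pattern, run over a constructed burst of new connections from one source. The names `RecentTable`, `filter_new_connections` and the sample traffic are constructed for illustration; the per-address history limit follows the `ip_pkt_list_tot` module parameter of the real module, which matters because a `--hitcount` larger than that limit can never be reached (and later kernels refuse to load such a rule).

```python
from collections import deque

# xt_recent remembers at most ip_pkt_list_tot timestamps per address (module
# parameter, default 20). --hitcount above this can never match; later kernels
# reject the rule outright. A hitcount of 50, as in the script above, therefore
# needs ip_pkt_list_tot raised when the module is loaded.
IP_PKT_LIST_TOT = 20


class RecentTable:
    """Model of one --name table of the iptables 'recent' match (constructed)."""

    def __init__(self, size=IP_PKT_LIST_TOT):
        self.size = size
        self.stamps = {}  # src -> deque of packet timestamps (seconds)

    def _stamp(self, src, now):
        self.stamps.setdefault(src, deque(maxlen=self.size)).append(now)

    def _over_threshold(self, src, now, seconds, hitcount):
        # match when at least `hitcount` remembered packets fall in the last `seconds`
        stamps = self.stamps.get(src, ())
        return sum(1 for t in stamps if now - t <= seconds) >= hitcount

    def rcheck(self, src, now, seconds, hitcount):
        """--rcheck: test the threshold, never touch the table."""
        return self._over_threshold(src, now, seconds, hitcount)

    def update(self, src, now, seconds, hitcount):
        """--update: test the threshold and, on a match, record this packet too,
        so a source that keeps hammering keeps its own ban alive."""
        if self._over_threshold(src, now, seconds, hitcount):
            self._stamp(src, now)
            return True
        return False

    def set(self, src, now):
        """--set: record the packet and always match."""
        self._stamp(src, now)
        return True


def filter_new_connections(packets, hitcount, seconds, size=IP_PKT_LIST_TOT):
    """Run (time, src) packets through the three-rule pattern:
    rcheck -> LOG (non-terminating), update -> DROP, set -> ACCEPT.
    Returns the per-packet verdicts and the LOG lines that would be emitted."""
    table = RecentTable(size)
    verdicts, logs = [], []
    for now, src in packets:
        if table.rcheck(src, now, seconds, hitcount):
            logs.append(f"BRUTE src={src} t={now}")  # LOG target: fall through to next rule
        if table.update(src, now, seconds, hitcount):
            verdicts.append("DROP")
            continue
        table.set(src, now)
        verdicts.append("ACCEPT")
    return verdicts, logs


# Constructed traffic: host A opens 5 connections in 5 s, B opens one, then A
# comes back after the window has expired.
SAMPLE_PACKETS = [(0, "A"), (1, "A"), (2, "A"), (3, "A"), (4, "A"), (5, "B"), (100, "A")]

if __name__ == "__main__":
    verdicts, logs = filter_new_connections(SAMPLE_PACKETS, hitcount=3, seconds=30)
    for (t, src), verdict in zip(SAMPLE_PACKETS, verdicts):
        print(f"t={t:<4} {src} {verdict}")
    print("\n".join(logs))
```

With hitcount 3 in 30 s, A's first three connections are accepted, the fourth and fifth are logged and dropped, B is unaffected, and A is accepted again once its remembered packets have aged out of the window. Passing `size=2` shows the `ip_pkt_list_tot` caveat: the table can never hold three timestamps, so nothing is ever dropped.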

  7. #7
    Thanks George.

    It's still not working for me. I found that the problem is actually that the tcp_established_timeout value is too big on Oleg's firmware, and I can't find a way to change it.

    I tried OpenWrt and changed tcp_established_timeout to 1 hour, and all problems were solved......

    But OpenWrt is not stable on the wl-500gp, especially the USB part.
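    Post #1 shows a raw ip_conntrack line and post #7 traces the growth to a long established-flow timeout. The check a practitioner wants before tuning ip_conntrack_max is to group the table by service and look at the remaining lifetime of each entry (the third field, in seconds). The following is an added example, not code from the thread: a Python parser for the `/proc/net/ip_conntrack` format quoted above, run over constructed sample lines with placeholder addresses. The function names `parse_conntrack`, `summarize`, `stale_entries` and `report` are my own; the 432000 s (5 days) figure is the Linux default for the established TCP conntrack timeout.

```python
import re
from collections import Counter

# Default remaining lifetime Linux conntrack assigns to an ESTABLISHED TCP flow
# (ip_ct_tcp_timeout_established / nf_conntrack_tcp_timeout_established):
# 432000 s = 5 days. A flow whose peer silently vanished holds its slot that long.
DEFAULT_TCP_ESTABLISHED_TIMEOUT = 432000

# Constructed sample in the /proc/net/ip_conntrack format quoted in post #1.
# Addresses are documentation/private placeholders, not real hosts.
SAMPLE = """\
tcp 6 344298 ESTABLISHED src=203.0.113.10 dst=192.168.1.1 sport=3578 dport=8030 src=192.168.1.1 dst=203.0.113.10 sport=8030 dport=3578 [ASSURED] use=1 mark=0
tcp 6 431990 ESTABLISHED src=203.0.113.11 dst=192.168.1.1 sport=40001 dport=8030 src=192.168.1.1 dst=203.0.113.11 sport=8030 dport=40001 [ASSURED] use=1 mark=0
tcp 6 117 TIME_WAIT src=203.0.113.12 dst=192.168.1.1 sport=40002 dport=8030 src=192.168.1.1 dst=203.0.113.12 sport=8030 dport=40002 [ASSURED] use=1 mark=0
tcp 6 431999 ESTABLISHED src=192.168.1.5 dst=192.168.1.1 sport=51234 dport=22 src=192.168.1.1 dst=192.168.1.5 sport=22 dport=51234 [ASSURED] use=1 mark=0
udp 17 29 src=192.168.1.5 dst=192.168.1.1 sport=5353 dport=53 src=192.168.1.1 dst=192.168.1.5 sport=53 dport=5353 use=1 mark=0
"""

TCP_STATES = {"ESTABLISHED", "SYN_SENT", "SYN_RECV", "FIN_WAIT", "CLOSE_WAIT",
              "LAST_ACK", "TIME_WAIT", "CLOSE", "LISTEN"}


def parse_conntrack(text):
    """Parse /proc/net/ip_conntrack lines into dicts.

    Field layout: proto proto_num timeout [tcp_state] key=value...; the first
    src/dst/sport/dport group is the original direction, the second the reply."""
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 4:
            continue
        proto, timeout = tok[0], int(tok[2])
        state = tok[3] if tok[3] in TCP_STATES else "-"
        orig = {}
        for key, val in re.findall(r"(\w+)=(\S+)", line):
            orig.setdefault(key, val)  # keep the original-direction value
        entries.append({
            "proto": proto, "state": state, "timeout": timeout,
            "src": orig["src"], "dst": orig["dst"],
            "sport": int(orig["sport"]), "dport": int(orig["dport"]),
            "assured": "[ASSURED]" in tok,
        })
    return entries


def summarize(entries):
    """Count entries per (proto, state, original dport): which service fills the table."""
    return Counter((e["proto"], e["state"], e["dport"]) for e in entries)


def stale_entries(entries, max_acceptable_timeout):
    """Entries whose remaining lifetime exceeds what you consider sane for the link.
    Many ESTABLISHED entries close to the 5-day default point at the timeout,
    not at the peer count, as the cause of an overflowing table."""
    return [e for e in entries if e["timeout"] > max_acceptable_timeout]


def report(text, max_acceptable_timeout=3600):
    """Print the per-service breakdown and the long-lived entries; returns the parsed list."""
    entries = parse_conntrack(text)
    print(f"{len(entries)} entries")
    for (proto, state, dport), n in sorted(summarize(entries).items(), key=lambda kv: -kv[1]):
        print(f"  {proto:<4} {state:<12} dport={dport:<6} {n}")
    for e in stale_entries(entries, max_acceptable_timeout):
        days = e["timeout"] / 86400
        print(f"  long-lived: {e['src']}:{e['sport']} -> dport {e['dport']} expires in {days:.1f} days")
    return entries


if __name__ == "__main__":
    report(SAMPLE)
```

On a real router, feed it `open("/proc/net/ip_conntrack").read()` instead of `SAMPLE`. If most of the long-lived entries sit on the torrent port with lifetimes measured in days, raising ip_conntrack_max only postpones the overflow; the timeout is what needs shortening, which is the conclusion post #7 reaches.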
