ip_conntrack table overflow while running enhanced_ctorrent

[simonhang]

Hi all,

I got strange problem with enhanced_ctorrent dnh3.2-9.
ip_conntrack table shoot through default 2048 entries in just 24 hours.
All entries in the table is related to the enhanced_ctorrent's port. So I think I can assume these connections are from the torrent client.
While netstat -an | wc -l is only about 200.

entries looks like:

tcp 6 344298 ESTABLISHED src=xx.xx.xx.xx dst=192.168.1.1 sport=3578 dport=8030 src=192.168.1.1 dst=xx.xx.xx.xx sport=8030 dport=3578 [ASSURED] use=1 mark=0

192.168.1.1 is asus's address, 8030 is used by torrent.

Is there a way to clear ip_conntrack table? With oleg's firmware, ip_conntrack is not a module which can be unloaded, and I can find any timeout setting either.

Any solution for this?

Thanks,
Simon

[KGy]

Hi and sorry my English.

The default value is 4096 on wl500g. You can set it in asus web config page, Internet Firewall - Basic Config - Number of connections to track: (1024...16384).

Save, and restart.

Or you can set it from your post-firewall script:

Code:

echo "8192" >/proc/sys/net/ipv4/ip_conntrack_max

It's set to 8192. Don't forget save to flashfs your post-firewall script.

Bye,

George

[simonhang]

Thanks George for this info.

I'd already changed ip_conntrack_max to 8192. But I worry about why ip_conntrack table has so many entries in it.
Now there is 45xx entries in it now, and keep growing.

I've changed the router to AP mode, so NAT is already disabled. Why this can happen?

Simon

[KGy]

Hi and sorry my poor English.

The ip conntrack table is a tempoary storage of inbound ip packets.
The input strean add a ip packet to table and the firewall will remove it after process the rules.
It incoming packets number WAN depends on the velocity of line (My WAN is ADSL, 4096kb/192kb, the conntrack table capacity is 8192 and always enough.
Some I have a DDOS attack, if I use a donkey (emule on PC or amule, mlnet in router) or Seaky's CTCS with enhanced-ctorrent. I use a big conntrack table and ipt_recent.o module to protection. If your WAN connect is greater, use a bigger (16384) conntrack table.)

Bye,

George

[simonhang]

Thanks George!
That was a great idea.

Could you show me your iptables rule using ipt_recent?
I can't work out how to use ipt_recent to clean up old entries.

Simon

[KGy]

OK, but you want this:

post-firewall

Code:

#!/bin/sh
# Info
# $1 WAN_IF   $2 WAN_IP
# $3 LAN_IF   $4 LAN_IP
# $5 DMZ_IF   $6 DMZ_IP
touch /tmp/var/log/fwdebug
DATES=`date | /usr/bin/awk '{print substr($0,5,15)}'`
echo $DATES "post-firewall: starting : WAN: $1 ($2), LAN: $3 ($4), DMZ: $5 ($6)" >>/tmp/var/log/fwdebug
echo $DATES "post-firewall: starting : WAN: $1 ($2), LAN: $3 ($4), DMZ: $5 ($6)" >>/tmp/syslog.log
echo $DATES " change logdrop and logaccept to DROP and ACCEPT...starting" >>/tmp/var/log/fwdebug
echo "8192" >/proc/sys/net/ipv4/ip_conntrack_max
iptables -D logaccept 1
iptables -D logdrop 1
iptables -D INPUT -j DROP

DATES=`date | /usr/bin/awk '{print substr($0,5,15)}'`
echo $DATES " change logdrop and logaccept to DROP and ACCEPT...done" >>/tmp/var/log/fwdebug
echo $DATES " add INPUT rules to firewall...starting" >>/tmp/var/log/fwdebug
iptables -A INPUT -i $1 -p TCP --dport 21 -m recent --name FTP --rcheck --hitcount 3 --seconds 30 \
-j LOG --log-prefix "FTP_BRUTE "
iptables -A INPUT -i $1 -p TCP --dport 21 -m recent --name FTP --update --hitcount 3 --seconds 30 \
-j DROP
iptables -A INPUT -i $1 -p TCP --dport 21 -m recent --name FTP --set -j ACCEPT
iptables -A INPUT -i $1 -p TCP --dport 22 -m recent --name SSH --rcheck --hitcount 3 --seconds 120 \
-j LOG --log-prefix "SSH_BRUTE "
iptables -A INPUT -i $1 -p TCP --dport 22 -m recent --name SSH --update --hitcount 3 --seconds 120 \
-j DROP
iptables -A INPUT -i $1 -p TCP --dport 22 -m recent --name SSH --set -j ACCEPT
iptables -A INPUT -i $1 -p TCP --dport 443 -m recent --name SSH --rcheck --hitcount 3 --seconds 120 \
-j LOG --log-prefix "SSH_BRUTE "
iptables -A INPUT -i $1 -p TCP --dport 443 -m recent --name SSH --update --hitcount 3 --seconds 120 \
-j DROP
iptables -A INPUT -i $1 -p TCP --dport 443 -m recent --name SSH --set -j ACCEPT

for i in 4746 4747 4757 4848 4949 ; do
  iptables -A INPUT -i $ -p TCP --dport $i -m recent --name ED2K --rcheck --hitcount 50 \
  --seconds 5 -j LOG --log-prefix "ED2K_BRUTE "
  iptables -A INPUT -i $1 -p TCP --dport $i -m recent --name ED2K --update --hitcount 50 \
  --seconds 5 -j DROP
  iptables -A INPUT -i $1 -p TCP --dport $i -m recent --name ED2K --set -j ACCEPT
done

for i in 4747 4750 4751 4757 4848 4949 ; do
  iptables -A INPUT -i $1 -p UDP --dport $i -m recent --name ED2K --rcheck --hitcount 50 \
  --seconds 5 -j LOG --log-prefix "ED2K_BRUTE "
  iptables -A INPUT -i $1 -p UDP --dport $i -m recent --name ED2K --update --hitcount 50 \
  --seconds 5 -j DROP
  iptables -A INPUT -i $1 -p UDP --dport $i -m recent --name ED2K --set -j ACCEPT
done

i=2697
while [ $i -le 2706 ] ; do
  iptables -A INPUT -i $1 -p TCP --dport $i -m recent --name ENHCT --rcheck --hitcount 50 \
  --seconds 5 -j LOG --log-prefix "ENHCT__BRUTE "
  iptables -A INPUT -i $1 -p TCP --dport $i -m recent --name ENHCT --update --hitcount 50 \
  --seconds 5 -j DROP
  iptables -A INPUT -i $1 -p TCP --dport $i -m recent --name ENHCT --set -j ACCEPT
  i=`expr $i + 1`
done

iptables -A INPUT -i $1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -j DROP
DATES=`date | /usr/bin/awk '{print substr($0,5,15)}'`
echo $DATES " add INPUT rules to firewall...done" >>/tmp/var/log/fwdebug

echo `date` " add PREROUTING and FORWARD rules to firewall...starting" >>/tmp/var/log/fwdebug
for i in 21 22 443 4746 4747 4757 ; do
  iptables -t nat -A PREROUTING -i $1 -p tcp --dport $i -j DNAT \
  --to-destination $4:$i
  iptabled -A FORWARD -i $1 -o $3 -p tcp --dport $i -d $4 -j ACCEPT
done
for i in 4747 4750 4751 4757 ; do
  iptables -t nat -A PREROUTING -i $1 -p udp --dport $i -j DNAT \
  --to-destination $4:$i
  iptables -A FORWARD -i $1 -o $3 -p udp --dport $i -d $4 -j ACCEPT
done

DATES=`date | /usr/bin/awk '{print substr($0,5,15)}'`
echo $DATES " add PREROUTING and FORWARD rules to firewall...done" >>/tmp/var/log/fwdebug
echo $DTAES "post-firewall: done" >>/tmp/var/log/fwdebug
echo $DATES "post-firewall: done" >>/tmp/syslog.log

The script use ipt_recent module in next 3 line:

iptables -A INPUT -i <interface> -p TCP --dport <port> -m recent --name <RULE_NAME> --rcheck --hitcount <packet_number> \
--seconds <time_in_sec> -j LOG --log-prefix <COMMENT_TO_LOG>
iptables -A INPUT -i <interface> -p TCP --dport <port> -m recent --name <RULE_NAME>--update --hitcount <packet_number> \
--seconds <time_in_sec> -j DROP
iptables -A INPUT -i <interface> -p TCP --dport <packet_number> -m recent --name <RULE_NAME> --set -j ACCEPT

line1: define rule to set and log packets, if more <packet_number> in <time_in_sec>
line2: drop packet, if more <packet_number> in <time_in_sec>
line3: accept, if less.

I don't know, the parameters is correct. I have a crash when I try remove/change 'logdrop' and 'logaccept' rules in my post-firewall script, and a correct value is lost . But this parameter (50 in 5sec) is working, always working my router. Old time, when I use a donkey (emule, etc), I had a DDOS attack (no net and a router is very slow). Now, all work (in DDOS attack).

Bye, (and sorry my poor English)

George

(I use emule client in 2 PC (4848, 4949), uTorrent (17771) in PC, and amule or mlnet (mldonkey) in router (4747..4757), sctcs on router (2697..2706, for enhanced-ctorrent), SSH (22 and 443 (https) port. The SSH working with 443 port and over M$ ISA server (in my workplace).

[simonhang]

Thanks George.

It's still now working for me. I found the problem actually is tcp_established_timeout value is too big on oleg's firmware. And I can't find a way to change it.

I tried openwrt, and change tcp_established_timeout to 1 hour, all problem solved......

But openwrt is not stable for wl-500gp, especially the usb part.