05-05-2011 05:24 PM
iptable question
Thanks
Joe.
05-06-2011 06:07 AM
Re: iptable question
/etc/init.d/iptables status
Firewall is stopped.
Thanks
Joe.
05-06-2011 10:16 AM
Re: iptable question
The conntrack module may have been loaded automatically when required by some iptables rule that has been removed since then: it won't auto-unload when it's no longer needed.
What is the output of following commands:
lsmod | grep conntrack
iptables -L -vn
iptables -L -vnt nat
iptables -L -vnt mangle
If the "Used by" value of the conntrack module is 0 in the lsmod listing, the module is currently unused and can safely be rmmod'd.
MK
05-06-2011 01:11 PM
Re: iptable question
/etc/init.d/iptables status
Firewall is stopped.
lsmod|grep conn
ip_conntrack 54297 1 iptable_nat
(so there is one connection)
When I did /etc/init.d/iptables stop and then did a lsmod|grep ip_conn, the conntrack was gone. Does it mean there was some old connection sitting there? Also, when I did cat /proc/net/ip_conntrack there was TIME_WAIT in those connections, so is it safe to assume that those may be some old connections or leftovers from some rules? Since there was one connection from the lsmod output, how do we find out what that is?
Thanks
Joe.
05-06-2011 01:18 PM
Re: iptable question
#iptables -L -vn
Chain INPUT (policy ACCEPT 508 packets, 44674 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 432 packets, 38412 bytes)
pkts bytes target prot opt in out source destination
# iptables -L -vnt nat
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
# iptables -L -vnt mangle
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Thanks
Joe
05-06-2011 11:45 PM
Re: iptable question
> ip_conntrack 54297 1 iptable_nat
> (so there is one connection)
Not necessarily one connection, but one other module (specifically iptable_nat) using the services of the ip_conntrack module.
/proc/net/ip_conntrack is *exactly* the right place to look: it lists the connections currently handled by the ip_conntrack module.
Perhaps there was one or more existing NATted connections, or old NATted connections waiting for their TIME_WAIT timers to expire when you originally disabled iptables, so the module could not be removed at that time.
Later, when you ran "/etc/init.d/iptables stop" again, those connections apparently had all reached a closed state, and both the iptable_nat and ip_conntrack modules could allow themselves to be removed without any risk of network traffic disruption.
MK
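As an added illustration of the two checks MK describes in this thread (the "Used by" column of lsmod deciding whether a module can be rmmod'd, and /proc/net/ip_conntrack listing the flows that keep the module busy), here is a small POSIX shell script that is not part of the original thread. It runs offline against constructed lsmod and ip_conntrack excerpts in the same 2.6-era format the thread shows; on current kernels the module is nf_conntrack and the file is /proc/net/nf_conntrack, so the sample text and the module name passed to the helpers would change, but the parsing logic is the same. The helper names and the sample addresses are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the thread: decide whether a conntrack module is idle
# by reading lsmod's reference count and summarising /proc/net/ip_conntrack.
# Both inputs are passed as text so the helpers can be exercised on the
# constructed samples below without touching the running kernel.

# Constructed lsmod excerpt in the thread's shape: name, size, refcount, users.
SAMPLE_LSMOD='Module                  Size  Used by
iptable_nat            12345  0
ip_conntrack           54297  1 iptable_nat
ipt_REJECT              4321  0'

# Constructed /proc/net/ip_conntrack excerpt (2.6-era format). TCP lines carry
# a state in field 4; UDP lines have no state field.
SAMPLE_CONNTRACK='tcp      6 119 TIME_WAIT src=10.0.0.5 dst=10.0.0.9 sport=45112 dport=80 src=10.0.0.9 dst=10.0.0.5 sport=80 dport=45112 [ASSURED] use=1
tcp      6 431999 ESTABLISHED src=10.0.0.5 dst=10.0.0.9 sport=45113 dport=22 src=10.0.0.9 dst=10.0.0.5 sport=22 dport=45113 [ASSURED] use=1
udp      17 29 src=10.0.0.5 dst=10.0.0.1 sport=5353 dport=53 src=10.0.0.1 dst=10.0.0.5 sport=53 dport=5353 use=1
tcp      6 118 TIME_WAIT src=10.0.0.7 dst=10.0.0.9 sport=50000 dport=80 src=10.0.0.9 dst=10.0.0.7 sport=80 dport=50000 [ASSURED] use=1'

# module_refcount LSMOD_TEXT MODULE
# Prints the "Used by" count (field 3) for MODULE, or "absent" if not loaded.
module_refcount() {
    printf '%s\n' "$1" | awk -v m="$2" \
        '$1 == m { print $3; found = 1 } END { if (!found) print "absent" }'
}

# module_users LSMOD_TEXT MODULE
# Prints the modules holding references to MODULE (field 4; empty if none).
# In the thread this is how "1 iptable_nat" is read: one module, not one flow.
module_users() {
    printf '%s\n' "$1" | awk -v m="$2" '$1 == m { print $4 }'
}

# can_unload LSMOD_TEXT MODULE
# Succeeds only when MODULE is loaded and its refcount is 0, the condition
# the thread gives for a safe rmmod.
can_unload() {
    rc=$(module_refcount "$1" "$2")
    [ "$rc" = "0" ]
}

# conntrack_state_count CONNTRACK_TEXT STATE
# Counts TCP entries in the given state (e.g. TIME_WAIT or ESTABLISHED).
conntrack_state_count() {
    printf '%s\n' "$1" | awk -v s="$2" \
        '$1 == "tcp" && $4 == s { n++ } END { print n + 0 }'
}

# conntrack_total CONNTRACK_TEXT
# Number of tracked flows of any protocol (non-empty lines).
conntrack_total() {
    printf '%s\n' "$1" | grep -c .
}

# Human-readable summary for the constructed samples.
printf 'ip_conntrack refcount: %s (held by: %s)\n' \
    "$(module_refcount "$SAMPLE_LSMOD" ip_conntrack)" \
    "$(module_users "$SAMPLE_LSMOD" ip_conntrack)"
printf 'tracked flows: %s, TIME_WAIT: %s, ESTABLISHED: %s\n' \
    "$(conntrack_total "$SAMPLE_CONNTRACK")" \
    "$(conntrack_state_count "$SAMPLE_CONNTRACK" TIME_WAIT)" \
    "$(conntrack_state_count "$SAMPLE_CONNTRACK" ESTABLISHED)"
if can_unload "$SAMPLE_LSMOD" ip_conntrack; then
    echo 'ip_conntrack: refcount 0, safe to rmmod'
else
    echo 'ip_conntrack: still referenced, do not rmmod yet'
fi
```

To use this against a live 2.6-era box, pass "$(lsmod)" and "$(cat /proc/net/ip_conntrack)" in place of the samples; the refcount check mirrors MK's rule, while the state counts show whether the remaining entries are live sessions or just TIME_WAIT leftovers waiting for their timers to expire.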