In older versions of Ubuntu I was using /proc/sys/net/netfilter/nf_conntrack_count to see how many connections were active. I did this because I noticed that, with lots of traffic, if there were too many connections they would get dropped. This would also interfere with traffic on the local network. In Ubuntu 22, this value is always 0. Has this moved somewhere else, or do I need to configure something so I can monitor this again?

1 Answer

For the file location to be defined you would need to have the nf_conntrack module loaded, which it isn't by default.

doug@s19:~$ lsmod | grep conn
doug@s19:~$ cat /proc/sys/net/netfilter/nf_conntrack_count
cat: /proc/sys/net/netfilter/nf_conntrack_count: No such file or directory

One can force load the module:

doug@s19:~$ sudo modprobe nf_conntrack
[sudo] password for doug:
doug@s19:~$ lsmod | grep conn
nf_conntrack          196608  0
nf_defrag_ipv6         24576  1 nf_conntrack
nf_defrag_ipv4         12288  1 nf_conntrack
libcrc32c              12288  4 nf_conntrack,btrfs,nf_tables,raid456
doug@s19:~$ cat /proc/sys/net/netfilter/nf_conntrack_count
0

But then nothing is using it, so the count is always 0, as you have discovered. But if one loads an iptables (or nftables) rule set that has some connection tracking rules, then the count is used:

doug@s19:~/iptables/misc$ lsmod | grep conn
xt_conntrack           12288  6
nf_conntrack          196608  1 xt_conntrack
nf_defrag_ipv6         24576  1 nf_conntrack
nf_defrag_ipv4         12288  1 nf_conntrack
x_tables               65536  5 xt_conntrack,nft_compat,xt_LOG,xt_tcpudp,ip_tables
libcrc32c              12288  4 nf_conntrack,btrfs,nf_tables,raid456
doug@s19:~/iptables/misc$ cat /proc/sys/net/netfilter/nf_conntrack_count
2
doug@s19:~/iptables/misc$

Here is an example of a simple iptables rule set that I used for the above non-zero count. My test server is local only, hence the low connection count. On my external-facing server I typically have hundreds of connections in various states.

doug@s19:~/iptables/misc$ cat test_firewall_min
#!/bin/sh
#
# test_firewall_min 2021.10.04 Ver:0.01
#       update interface name for s19.
#
# test_firewall 2018.08.13 Ver:0.01
#       Minimum version of most basic iptables firewall.
#
# test_firewall 2018.08.09 Ver:0.01
#       Most basic iptables firewall.
#       Currently for this question:
#       https://askubuntu.com/questions/1059781/ufw-allows-22-for-ipv4-and-ipv6-but-ssh-disconnects-when-enabling
#

#sleep 50

# The location of the iptables program
IPTABLES=/sbin/iptables

# Set some stuff
EXTIF="br0"
UNIVERSE="0.0.0.0/0"

# Clearing any previous configuration
#echo " Clearing any existing rules and setting default policies.."
$IPTABLES -P INPUT DROP
$IPTABLES -F INPUT

# loopback interfaces are valid.
$IPTABLES -A INPUT -i lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT

# Log and drop packets the connection tracker considers INVALID.
$IPTABLES -A INPUT -i $EXTIF -p tcp -m conntrack --ctstate INVALID -j LOG --log-prefix "IINVALID:" --log-level info
$IPTABLES -A INPUT -i $EXTIF -p tcp -m conntrack --ctstate INVALID -j DROP

# Log and drop NEW TCP connections that do not start with a SYN.
$IPTABLES -A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j LOG --log-prefix "NEW TCP no SYN:" --log-level info
$IPTABLES -A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP

# Accept traffic belonging to tracked connections, and new ssh connections.
$IPTABLES -A INPUT -i $EXTIF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -p tcp -m conntrack --ctstate NEW --dport 22 -j ACCEPT

echo "test_firewall_min $FWVER done..." >> /dev/kmsg

And I get this, after logging in via ssh a couple more times:

doug@s19:~/iptables/misc$ sudo conntrack -L
tcp      6 299 ESTABLISHED src=192.168.111.136 dst=192.168.111.122 sport=22 dport=56246 src=192.168.111.122 dst=192.168.111.136 sport=56246 dport=22 [ASSURED] mark=0 use=1
tcp      6 431975 ESTABLISHED src=192.168.111.122 dst=192.168.111.136 sport=50470 dport=22 src=192.168.111.136 dst=192.168.111.122 sport=22 dport=50470 [ASSURED] mark=0 use=1
tcp      6 431942 ESTABLISHED src=192.168.111.122 dst=192.168.111.136 sport=50456 dport=22 src=192.168.111.136 dst=192.168.111.122 sport=22 dport=50456 [ASSURED] mark=0 use=1
conntrack v1.4.5 (conntrack-tools): 3 flow entries have been shown.
Doug Smythies
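The question is really about spotting the table-full condition before connections get dropped. As an added example (not part of the answer above), this POSIX sh script reads nf_conntrack_count against nf_conntrack_max, reports "absent" when the module is not loaded, and tallies per-state flows from `conntrack -L` output; the sample listing inside it is constructed, modelled on the one in the answer, and the CT_*_FILE overrides are assumptions for offline use.

```shell
#!/bin/sh
# Added example, not part of the original answer: monitor conntrack table
# usage and tally `conntrack -L` output. The paths are the real sysctl files;
# the overrides exist so the functions can run where the module is not loaded.
CT_COUNT_FILE="${CT_COUNT_FILE:-/proc/sys/net/netfilter/nf_conntrack_count}"
CT_MAX_FILE="${CT_MAX_FILE:-/proc/sys/net/netfilter/nf_conntrack_max}"

# Constructed sample in the format of `conntrack -L`, modelled on the
# listing in the answer (the reply-direction tuple is omitted for brevity).
SAMPLE_CONNTRACK='tcp      6 299 ESTABLISHED src=192.168.111.136 dst=192.168.111.122 sport=22 dport=56246 [ASSURED] mark=0 use=1
tcp      6 431975 ESTABLISHED src=192.168.111.122 dst=192.168.111.136 sport=50470 dport=22 [ASSURED] mark=0 use=1
tcp      6 117 TIME_WAIT src=192.168.111.122 dst=192.168.111.136 sport=50456 dport=22 [ASSURED] mark=0 use=1'

# read_sysctl FILE: print the value, or "absent" when the file does not
# exist, which is what you see before nf_conntrack is loaded.
read_sysctl() {
    if [ -r "$1" ]; then cat "$1"; else echo absent; fi
}

# conntrack_usage_pct COUNT MAX: integer percentage of the table in use.
conntrack_usage_pct() {
    echo $(( $1 * 100 / $2 ))
}

# conntrack_status COUNT MAX THRESHOLD_PCT: "full" when count has reached
# nf_conntrack_max (the kernel then drops new flows and logs
# "nf_conntrack: table full, dropping packet"), "warn" at or above the
# threshold, otherwise "ok".
conntrack_status() {
    if [ "$1" -ge "$2" ]; then echo full
    elif [ "$(conntrack_usage_pct "$1" "$2")" -ge "$3" ]; then echo warn
    else echo ok
    fi
}

# count_flows_by_state OUTPUT: tally TCP flows per state; the state is the
# fourth column of each tcp line (udp lines carry no state and are skipped).
count_flows_by_state() {
    printf '%s\n' "$1" | awk '$1 == "tcp" { n[$4]++ } END { for (s in n) print s, n[s] }' | sort
}

main() {
    count=$(read_sysctl "$CT_COUNT_FILE"); max=$(read_sysctl "$CT_MAX_FILE")
    if [ "$count" = absent ] || [ "$max" = absent ]; then
        echo "nf_conntrack not loaded; try: sudo modprobe nf_conntrack"; return 1
    fi
    echo "conntrack $count/$max ($(conntrack_usage_pct "$count" "$max")%): $(conntrack_status "$count" "$max" 80)"
}

# Run the live check only when invoked as: sh conntrack_check.sh --check
case "${1:-}" in --check) main ;; esac
```

Run it from cron or a monitoring agent and act on "warn" by raising net.netfilter.nf_conntrack_max (or shortening timeouts) before the table fills.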