20

I'm running a Linux server that - from time to time - faces heavy load and the conntrack table overflows. Since its iptables firewall ruleset is very simple, I'd like to turn it to stateless mode. I know that iptables can operate in stateful connection tracking mode and in a stateless mode.

My firewall rules are all in place. I'm pretty sure that they are stateless, but my question is: how can I verify that the firewall is really operating in stateless mode?

tex

3 Answers

22

You need to specify some iptables rules to prevent packets from being conntracked:

iptables -t raw -I PREROUTING -j NOTRACK
iptables -t raw -I OUTPUT -j NOTRACK
Juliano
profy
  • actually it is "-t raw" and not "-t RAW" but that was the missing piece. Thank you! – tex Feb 11 '11 at 23:11
  • 2
    Sorry, but this doesn't answer your question since it was "how can I *verify* that the firewall is really operating in stateless mode" actually. – poige Feb 12 '11 at 04:07
  • Please excuse my wording. My English is not perfect, but that was exactly the solution for my problem. – tex Aug 17 '12 at 17:21
6

cat /proc/net/ip_conntrack shows all connection tracking.

So, if it's stateless, the output of the above command should be empty.

(Alternatively, use cat /proc/net/nf_conntrack)

pepoluan
5

Install conntrack, and look at the output. I am pretty sure if you are stateless no connections will be displayed.

Zoredache
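The verification the last two answers describe (look at the conntrack table and expect it to be empty), combined with a check that the NOTRACK rules from the accepted answer are actually loaded, as an added example that is not part of any post here. It runs on constructed sample text so it works offline; the live commands that produce that text are named in the comments, and the iptables-save and /proc/net/nf_conntrack formats shown are assumptions about the host.

```shell
#!/bin/sh
# Added example, not code from the answers above. Two checks together indicate
# a stateless setup: NOTRACK rules present in the raw table for PREROUTING and
# OUTPUT, and a conntrack table with no entries in it.

# Count NOTRACK rules for PREROUTING/OUTPUT in the raw table of an
# iptables-save dump read from stdin. Newer iptables prints "-j CT --notrack"
# for the same rule, so both spellings are accepted.
# Live use: iptables-save -t raw | count_notrack_rules
count_notrack_rules() {
    awk '/^\*raw/ { inraw = 1 } /^COMMIT/ { inraw = 0 }
         inraw && /^-A (PREROUTING|OUTPUT) .*-j (NOTRACK|CT --notrack)/ { n++ }
         END { print n + 0 }'
}

# Count non-empty lines of a conntrack table dump read from stdin.
# Live use: count_conntrack_entries < /proc/net/nf_conntrack
#       or: conntrack -L 2>/dev/null | count_conntrack_entries
count_conntrack_entries() {
    grep -c . || true   # grep exits 1 on zero matches; 0 is still a valid count
}

# Print "stateless" only when both chains carry NOTRACK and nothing is tracked.
# Rules present but entries still listed means old entries have not timed out
# yet, or some traffic is still reaching conntrack before the NOTRACK rules.
verdict() {
    if [ "$1" -ge 2 ] && [ "$2" -eq 0 ]; then echo stateless; else echo stateful; fi
}

# Constructed sample data: a raw table with both NOTRACK rules ...
SAMPLE_SAVE='*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -j NOTRACK
-A OUTPUT -j CT --notrack
COMMIT'
# ... and a conntrack dump with one leftover entry (constructed).
SAMPLE_CT='ipv4 2 tcp 6 431999 ESTABLISHED src=10.0.0.2 dst=10.0.0.1 sport=41234 dport=22 src=10.0.0.1 dst=10.0.0.2 sport=22 dport=41234 [ASSURED] mark=0 use=1'

rules=$(printf '%s\n' "$SAMPLE_SAVE" | count_notrack_rules)
echo "raw-table NOTRACK rules: $rules"
echo "with one tracked entry:  $(verdict "$rules" "$(printf '%s\n' "$SAMPLE_CT" | count_conntrack_entries)")"
echo "with an empty table:     $(verdict "$rules" "$(printf '' | count_conntrack_entries)")"
```

On a live host an empty table right after loading the rules is not proof by itself; existing entries only disappear as they time out, so re-check after a few minutes.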