Well, I meant ipt_state must be loaded as well....

I enabled (iptables 1.2.5, however)

    <M> Connection state match support -> CONFIG_IP_NF_CONNTRACK

so as to get it working. To get this enabled, CONFIG_IP_NF_CONNTRACK
must be enabled as well.

On Thu, 11 Apr 2002, Lukas Ruf wrote:

> Can you send us an
>     lsmod
> from the router?
>
> I also noticed that the module
>     ip_conntrack
> requires an additional module to be built.
>
>     CONFIG_IP_NF_MATCH_STATE
>
> must be enabled as well.
>
> wr,
>
> --lpr
>
> On Thu, 11 Apr 2002, Axel Christiansen wrote:
>
> > hi all,
> >
> > 6 weeks ago i installed an internet-gateway based on
> > kernel 2.4.18 and iptables.
> >
> > using some addons from patch-o-matic
> > and the 1.2.7 iptables binaries
> >
> > it is a pretty common environment:
> >
> >
> >          private-net
> >        192.168.65.0/24
> >               |
> >             eth0
> >        192.168.65.1/32
> >            Gateway
> >          dynamic-ip
> >             ppp0
> >               |
> >           internet
> >
> > for all private-net generated sessions i use
> > the "--state NEW -j ACCEPT"
> >
> > and for the returning packets
> > the "--state ESTABLISHED,RELATED -j ACCEPT"
> >
> > and of course the MASQ thing in the nat table
> >
> > for logging i use, before the clean-up rule in
> > each chain, the "-j LOG"
> >
> > 4 days ago the user began to complain about
> > unreachable websites and pop servers.
> > so for the first 5 weeks things seemed to work just
> > fine.
> >
> > for me, it looks like established connections do
> > not get back as usual.
> >
> > i checked the rule-set twice.
> >
> > i include a few syslog messages here:
> >
> > Apr 10 13:51:50 egal kernel: inet-gateIN=ppp0 OUT= MAC=
> > SRC=213.165.64.20 DST=213.191.94.93 LEN=40 TOS=0x00 PREC=0x00 TTL=57
> > ID=61420 PROTO=TCP SPT=110 DPT=1074 WINDOW=0 RES=0x00 ACK RST URGP=0
> > Apr 10 13:58:38 egal kernel: inet-gateIN=ppp0 OUT= MAC=
> > SRC=213.165.64.20 DST=213.191.94.93 LEN=40 TOS=0x00 PREC=0x00 TTL=57
> > ID=16273 PROTO=TCP SPT=110 DPT=1078 WINDOW=0 RES=0x00 ACK RST URGP=0
> > Apr 10 20:39:03 egal kernel: inet-gateIN=ppp0 OUT= MAC=
> > SRC=213.165.64.20 DST=213.191.87.1 LEN=40 TOS=0x00 PREC=0x00 TTL=57
> > ID=65337 PROTO=TCP SPT=110 DPT=3615 WINDOW=0 RES=0x00
> > ACK RST URGP=0
> > Apr 10 23:34:35 egal kernel: inet-gateIN=ppp0 OUT= MAC= SRC=62.181.130.2
> > DST=213.191.92.208 LEN=40 TOS=0x00 PREC=0x00 TTL=102 ID=53576 PROTO=TCP
> > SPT=110 DPT=1051 WINDOW=0 RES=0x00 ACK RST URGP=0
> >
> > Apr 10 14:03:55 egal kernel: inet-gateIN=ppp0 OUT= MAC=
> > SRC=213.191.74.53 DST=213.191.94.93 LEN=40 TOS=0x00 PREC=0x00 TTL=62
> > ID=54758 DF PROTO=TCP SPT=80 DPT=1191 WINDOW=31944 RES=0x00 ACK FIN
> > URGP=0
> > Apr 10 14:04:00 egal kernel: inet-gateIN=ppp0 OUT= MAC=
> > SRC=213.191.74.53 DST=213.191.94.93 LEN=40 TOS=0x00 PREC=0x00 TTL=62
> > ID=55237 DF PROTO=TCP SPT=80 DPT=1190 WINDOW=31944 RES=0x00 ACK FIN
> > URGP=0
> > Apr 10 14:04:10 egal kernel: inet-gateIN=ppp0 OUT= MAC=
> > SRC=213.191.74.53 DST=213.191.94.93 LEN=40 TOS=0x00 PREC=0x00 TTL=62
> > ID=56653 DF PROTO=TCP SPT=80 DPT=1198 WINDOW=31944 RES=0x00 ACK FIN
> > URGP=0
> > Apr 10 14:04:36 egal kernel: inet-gateIN=ppp0 OUT= MAC=
> > SRC=213.191.74.53 DST=213.191.94.93 LEN=40 TOS=0x00 PREC=0x00 TTL=62
> > ID=61393 DF PROTO=TCP SPT=80 DPT=1196 WINDOW=31944 RES=0x00 ACK FIN
> > URGP=0
> >
> >
> > i noticed the threads about increasing some timeouts.
> > but why did this behavior start 4 days ago and not over the
> > whole operation period.
> >
> > for example: the users can not connect to www.hamburg.de
> > from hosts, not connected to this private-net, they can.
> >
> > the whole network-config looks fine for me.
> >
> > any ideas?
> >
> > thx, axel
> >
> > PS: which information, included here, would you never give
> > to a public mailing list? i am just interested. the dst ip-addresses
> > are dynamic.
>
> --
> Lukas Ruf                   Swiss Federal Institute of Technology
> Office: ETZ-G61.2           Computer Engineering and
> Phone: +41/1/632 7312       Networks Laboratory (TIK)
> Fax:   +41/1/632 1035       ETH Zentrum
> PGP 2.6: ID D20BA2ED;       Gloriastr. 35
> Fingerprint 6323 B9BC 9C8E 6563 B477 BADD FEA6 E6B7   CH-8092 Zurich

--
Lukas Ruf                   Swiss Federal Institute of Technology
Office: ETZ-G61.2           Computer Engineering and
Phone: +41/1/632 7312       Networks Laboratory (TIK)
Fax:   +41/1/632 1035       ETH Zentrum
PGP 2.6: ID D20BA2ED;       Gloriastr. 35
Fingerprint 6323 B9BC 9C8E 6563 B477 BADD FEA6 E6B7   CH-8092 Zurich
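
The LOG entries quoted in the thread can be tallied by source port and TCP flags to see what kind of traffic the rule set is logging before the clean-up rule. The following is an added example, not part of the original messages: the function names and the setup/teardown/mid-stream labels are this example's own assumptions, and the sample is constructed from two of the quoted entries, left wrapped and quoted as the mail shows them.

```python
import re
from collections import Counter

# Constructed sample: two entries copied from the quoted message,
# still wrapped and "> > "-quoted the way the mail shows them.
SAMPLE = """\
> > Apr 10 13:51:50 egal kernel: inet-gateIN=ppp0 OUT= MAC=
> > SRC=213.165.64.20 DST=213.191.94.93 LEN=40 TOS=0x00 PREC=0x00 TTL=57
> > ID=61420 PROTO=TCP SPT=110 DPT=1074 WINDOW=0 RES=0x00 ACK RST URGP=0
> > Apr 10 14:03:55 egal kernel: inet-gateIN=ppp0 OUT= MAC=
> > SRC=213.191.74.53 DST=213.191.94.93 LEN=40 TOS=0x00 PREC=0x00 TTL=62
> > ID=54758 DF PROTO=TCP SPT=80 DPT=1191 WINDOW=31944 RES=0x00 ACK FIN
> > URGP=0
"""

STAMP = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")  # syslog timestamp
FIELD = re.compile(r"(?<!\S)([A-Z]+)=(\S*)")                   # KEY=value, value may be empty
TCP_FLAGS = {"CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN"}

def unwrap(text):
    """Strip mail quote markers and rejoin entries wrapped across lines."""
    entries = []
    for raw in text.splitlines():
        line = re.sub(r"^(?:>\s?)+", "", raw).strip()
        if STAMP.match(line):
            entries.append(line)
        elif line and entries:
            entries[-1] += " " + line
    return entries

def parse(entry):
    """Split one LOG entry into KEY=value fields, TCP flags and a class."""
    start = re.search(r"IN=\S* OUT=", entry)  # the log prefix is fused to IN=
    if not start:
        return None
    body = entry[start.start():]
    flags = [t for t in body.split() if t in TCP_FLAGS]
    kind = ("setup" if "SYN" in flags
            else "teardown" if {"RST", "FIN"} & set(flags) else "mid-stream")
    return dict(FIELD.findall(body), flags=flags, kind=kind)

def summarize(text):
    """Count logged TCP packets by (source port, flags, class)."""
    counts = Counter()
    for rec in filter(None, map(parse, unwrap(text))):
        if rec.get("PROTO") == "TCP":
            counts[(int(rec["SPT"]), "+".join(rec["flags"]), rec["kind"])] += 1
    return counts
```

Run over the full quoted excerpt, every entry falls into the teardown class: ACK RST replies from port 110 and ACK FIN replies from port 80.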
