01-07-2008, 12:48 AM
reader@newsguy.com

ip_conntrack - is it missing

I'm working my way thru this document:
http://gentoo-wiki.com/HOWTO_Iptables_and_stateful_firewalls

Somewhere in this part: #Should_I_take_this_tutorial
(add it to the above url)

Once there scan for the word /proc and a few hits will get you to this
line: (emphasis is mine)

If you've already rebooted and are using your new netfilter-enabled
kernel, you can view a list of active network connections that your
machine is participating in by typing

"cat /proc/net/ip_conntrack".

Even with no firewall configured, Linux's
conntrack functionality is working behind the scenes, keeping track
of the connections that your machine is participating in.

I don't see that on a machine where I've tried to pick every iptables
and conntrack setting for the kernel I could find. Including the ones
on that page that are still around.

find /proc -iname '*conntrack*'
or even
find /proc -iname '*con*'

Turns up nothing even close. Does it mean I'm still missing something
in the kernel build? or is it just baloney or out of date?

It claims you should see this even if you aren't running iptables yet

--
gentoo-user@lists.gentoo.org mailing list
 
01-07-2008, 04:23 AM
Johann Schmitz

ip_conntrack - is it missing

reader@newsguy.com schrieb:
> Turns up nothing even close. Does it mean I'm still missing something
> in the kernel build? or is it just baloney or out of date?

Hi,

you can simply check your kernel config by typing:

grep -i conntrack /usr/src/linux/.config

IIRC, there should be the lines

CONFIG_NF_CONNTRACK_ENABLED=m
CONFIG_NF_CONNTRACK=m
CONFIG_NF_CONNTRACK_IPV4=m

with either 'm' or 'y'.

Sometimes the order of enabling functions in the kernel matters to see all iptables
options. The conntrack options are located under

Networking -> Networking support -> Networking options -> Network packet filtering
framework (Netfilter) -> Core Netfilter -> Configuration -> Netfilter Xtables support
(required for ip_tables) -> "conntrack" connection tracking match support.

Hope you can guess what I want to say - English isn't my native language, and it is early in
the morning

Best regards,

Johann

--
Johann Schmitz
http://www.j-schmitz.net

 
01-07-2008, 02:22 PM
reader@newsguy.com

ip_conntrack - is it missing

Johann Schmitz <johann@j-schmitz.net> writes:

> reader@newsguy.com schrieb:
>> Turns up nothing even close. Does it mean I'm still missing something
>> in the kernel build? or is it just baloney or out of date?
>
> Hi,
> you can simply check your kernel config by typing:
>
> grep -i conntrack /usr/src/linux/.config
>
> IIRC, there should be the lines

Yes but what about the comment in the HOWTO:

"cat /proc/net/ip_conntrack".
Even with no firewall configured, Linux's conntrack functionality
is working behind the scenes, keeping track of the connections that
your machine is participating in.

I see:
grep -i '^[^#].*conntrack' /usr/src/linux/.config

CONFIG_NF_CONNTRACK_ENABLED=m
CONFIG_NF_CONNTRACK=m
CONFIG_NF_CONNTRACK_MARK=y
CONFIG_NF_CONNTRACK_SECMARK=y
CONFIG_NF_CONNTRACK_EVENTS=y
CONFIG_NETFILTER_XT_MATCH_CONNTRACK=m
CONFIG_NF_CONNTRACK_IPV4=m
CONFIG_NF_CONNTRACK_PROC_COMPAT=y


But do NOT see what that HOWTO refers to (/proc/net/ip_conntrack)

[...]

> Hope you can guess what it want to say - english isn't my native
> lang, and it is early in the morning

English is my native language and you are considerably better at it
than I am. That may not be much of a compliment though because I'm an
illiterate hill-billy.

 
01-07-2008, 03:09 PM
Etaoin Shrdlu

ip_conntrack - is it missing

On Monday 7 January 2008, reader@newsguy.com wrote:

> I see:
> grep -i '^[^#].*conntrack' /usr/src/linux/.config
>
> CONFIG_NF_CONNTRACK_ENABLED=m
> CONFIG_NF_CONNTRACK=m
> CONFIG_NF_CONNTRACK_MARK=y
> CONFIG_NF_CONNTRACK_SECMARK=y
> CONFIG_NF_CONNTRACK_EVENTS=y
> CONFIG_NETFILTER_XT_MATCH_CONNTRACK=m
> CONFIG_NF_CONNTRACK_IPV4=m
> CONFIG_NF_CONNTRACK_PROC_COMPAT=y
>
>
> But do NOT see what that HOWTO refers to (/proc/net/ip_conntrack)

Sorry for the dumb question...you have compiled conntrack as a module,
but is that module (or modules) actually loaded (you can check with
lsmod)? If not, loading the module should also create the file in /proc.

The module should be called nf_conntrack (load it with modprobe
nf_conntrack). If not, look into /lib/modules/`uname -r`, look for
modules with conntrack in the name, and load them.
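The replies above amount to a three-step check: is conntrack in the kernel config, is the module actually loaded, and does the table file exist. The script below is an added example, not code from the thread or from the Gentoo HOWTO, that does those steps in one go. It runs the config check against a constructed .config sample embedded in the script and then, if it can find one, against the config of the running kernel (preferring /proc/config.gz, which needs CONFIG_IKCONFIG_PROC, over /usr/src/linux/.config, which may belong to a tree that was never booted). The live check only reports; it never runs modprobe. The option names in REQUIRED_OPTS are an assumption taken from the 2.6-era kernel in this thread: later kernels merged CONFIG_NF_CONNTRACK_IPV4 into CONFIG_NF_CONNTRACK and no longer ship the /proc/net/ip_conntrack compatibility file, so adjust the list for the kernel you actually run.

```shell
#!/bin/sh
# Added example, not code from the thread.  Checks whether connection tracking
# is configured, loaded and exposing its table: what the replies above do by
# hand.  Assumption: the option names are those of the 2.6-era kernel in the
# thread; later kernels merge CONFIG_NF_CONNTRACK_IPV4 into CONFIG_NF_CONNTRACK,
# so adjust REQUIRED_OPTS for the kernel you run.

REQUIRED_OPTS="CONFIG_NF_CONNTRACK CONFIG_NF_CONNTRACK_IPV4 CONFIG_NETFILTER_XT_MATCH_CONNTRACK"

# Constructed sample .config, modelled on the grep output in the thread, with
# the xt_conntrack match deliberately left unset so the check reports something.
SAMPLE_CONFIG=$(mktemp)
CFG_TMP=""
trap 'rm -f "$SAMPLE_CONFIG" ${CFG_TMP:+"$CFG_TMP"}' EXIT
cat >"$SAMPLE_CONFIG" <<'EOF'
CONFIG_NF_CONNTRACK=m
CONFIG_NF_CONNTRACK_MARK=y
# CONFIG_NETFILTER_XT_MATCH_CONNTRACK is not set
CONFIG_NF_CONNTRACK_IPV4=m
CONFIG_NF_CONNTRACK_PROC_COMPAT=y
EOF

# conntrack_config_missing CONFIG_FILE
# Prints each required option that is neither =y nor =m (a "# ... is not set"
# line and an absent line both count as missing); returns 1 if any is missing.
conntrack_config_missing() {
    _rc=0
    for _opt in $REQUIRED_OPTS; do
        grep -q "^${_opt}=[ym]\$" "$1" || { echo "$_opt"; _rc=1; }
    done
    return $_rc
}

# find_running_kernel_config
# Sets KCONFIG to the config of the kernel actually running, preferring
# /proc/config.gz (needs CONFIG_IKCONFIG_PROC) over /usr/src/linux/.config,
# which may belong to a tree that was never booted.  Leaves KCONFIG empty if
# none is readable.
find_running_kernel_config() {
    KCONFIG=""
    if [ -r /proc/config.gz ]; then
        CFG_TMP=$(mktemp) && gzip -dc /proc/config.gz >"$CFG_TMP" && KCONFIG=$CFG_TMP
    elif [ -r "/boot/config-$(uname -r)" ]; then
        KCONFIG="/boot/config-$(uname -r)"
    elif [ -r /usr/src/linux/.config ]; then
        KCONFIG=/usr/src/linux/.config
    fi
}

# conntrack_live_status
# The point made above: =m in .config means nothing until the module is
# loaded.  Reports module state and the table files; never runs modprobe.
conntrack_live_status() {
    if [ -d /sys/module/nf_conntrack ] || grep -qw nf_conntrack /proc/modules 2>/dev/null; then
        echo "nf_conntrack: loaded or built in"
    else
        echo "nf_conntrack: not loaded (as root: modprobe nf_conntrack)"
    fi
    for _f in /proc/net/nf_conntrack /proc/net/ip_conntrack; do
        if [ -r "$_f" ]; then
            echo "$_f: $(wc -l <"$_f" | tr -d ' ') entries"
        elif [ -e "$_f" ]; then
            echo "$_f: present but not readable by this user (root-only mode)"
        fi
    done
}

# report_config LABEL CONFIG_FILE
report_config() {
    echo "$1:"
    if _missing=$(conntrack_config_missing "$2"); then
        echo "  all required conntrack options enabled"
    else
        echo "  not enabled: $(echo $_missing)"
    fi
}

report_config "constructed sample config" "$SAMPLE_CONFIG"
find_running_kernel_config
[ -n "$KCONFIG" ] && report_config "running kernel config ($KCONFIG)" "$KCONFIG"
conntrack_live_status
```

On the sample config the check names CONFIG_NETFILTER_XT_MATCH_CONNTRACK as the option that is not enabled; on the live machine, a config that passes but a module that is not loaded is exactly the situation this thread describes, and the status line says so.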
 
01-07-2008, 05:55 PM
reader@newsguy.com

ip_conntrack - is it missing

Etaoin Shrdlu <shrdlu@unlimitedmail.org> writes:

>> I see:
>> grep -i '^[^#].*conntrack' /usr/src/linux/.config
>>
>> CONFIG_NF_CONNTRACK_ENABLED=m
>> CONFIG_NF_CONNTRACK=m
>> CONFIG_NF_CONNTRACK_MARK=y
>> CONFIG_NF_CONNTRACK_SECMARK=y
>> CONFIG_NF_CONNTRACK_EVENTS=y
>> CONFIG_NETFILTER_XT_MATCH_CONNTRACK=m
>> CONFIG_NF_CONNTRACK_IPV4=m
>> CONFIG_NF_CONNTRACK_PROC_COMPAT=y
>>
>>
>> But do NOT see what that HOWTO refers to (/proc/net/ip_conntrack)
>
> Sorry for the dumb question...you have compiled conntrack as a module,
> but is that module (or modules) actually loaded (you can check with
> lsmod)? If not, loading the module should also create the file in /proc.

The question wasn't dumb.. but the operator on this end sure is.

My only defense is that the HOWTO doesn't mention any of that.
However I do know that would be necessary. When I saw your suggestion
I knew immediately I'd been a dope...... again.

Should I have compiled them directly into the kernel?

 
01-07-2008, 06:30 PM
Etaoin Shrdlu

ip_conntrack - is it missing

On Monday 7 January 2008, reader@newsguy.com wrote:

> Should I have compiled them directly into the kernel?

Well, this is usually a matter of debates. For iptables stuff, I
generally compile everything into the kernel, but I'm sure there are
people who can find good reasons for using modules. So, it's ultimately
up to you.

If you want iptables to be active and working all the time, then I think
you can compile its stuff into the kernel. It would be nice if someone
who uses modules also showed his reasons for keeping it as modules, so
you could get a better picture and make a more informed decision.
 
01-08-2008, 08:49 AM
Mick

ip_conntrack - is it missing

On Monday 07 January 2008, Etaoin Shrdlu wrote:
> On Monday 7 January 2008, reader@newsguy.com wrote:
> > Should I have compiled them directly into the kernel?
>
> Well, this is usually a matter of debates. For iptables stuff, I
> generally compile everything into the kernel, but I'm sure there are
> people who can find good reasons for using modules. So, it's ultimately
> up to you.
>
> If you want iptables to be active and working all the time, then I think
> you can compile its stuff into the kernel. It would be nice if someone
> who uses modules also showed his reasons for keeping it as modules, so
> you could get a better picture and make a more informed decision.

# ls -la /proc/net/ip_conntrack
-r--r----- 1 root root 0 Jan 8 08:34 /proc/net/ip_conntrack
# cat /proc/net/ip_conntrack
#
# ls -la /proc/net/nf_conntrack
-r--r----- 1 root root 0 Jan 8 08:40 /proc/net/nf_conntrack
# cat /proc/net/nf_conntrack
#

I'm currently on the train with no internet connection. Both of the above
files are empty. On the other hand when online they show my current
connections. The above has been compiled into my kernel. I used to compile
iptables stuff as modules, but only a few of them these days. The reason was
that I did not know which I was going to use and therefore I could modprobe
them later on as and when required. The other reason (that I never actually
put into practice) was to patch the kernel with the latest & greatest iptables
modules updates and modprobe accordingly. If you know what you need in terms
of iptables kernel options go with the built-in-kernel choice; if not,
built-as-modules could be better - unless you prefer a fat kernel for no
reason.
--
Regards,
Mick
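Mick's listing shows the two table files but, offline, nothing in them. Online, each line is one tracked flow, and on a busy box reading the table in bulk is more useful than cat. The script below is an added example, not code from the thread: it normalises both layouts (the /proc/net/nf_conntrack lines with an ipv4/ipv6 prefix and the older /proc/net/ip_conntrack lines without it) and then counts flows per protocol and state and lists the destinations with the most one-direction ([UNREPLIED]) entries, which is what a SYN scan or flood looks like in this table. The sample table is constructed and uses private and documentation address ranges. Two caveats a practitioner should keep in mind: the file is root-readable only, as the ls -la output above shows, so run it as root against the real file; and on recent kernels the ip_conntrack file is gone and nf_conntrack exists only when CONFIG_NF_CONNTRACK_PROCFS is set, with conntrack -L from conntrack-tools as the netlink-based alternative.

```shell
#!/bin/sh
# Added example, not code from the thread: read a conntrack table in bulk
# instead of eyeballing cat output.  The sample below is constructed; it mixes
# the /proc/net/nf_conntrack layout (ipv4/ipv6 prefix) with one line in the
# older /proc/net/ip_conntrack layout (no prefix).  Addresses are private and
# documentation ranges.  Real use, as root: conntrack_summary /proc/net/nf_conntrack

SAMPLE_TABLE=$(mktemp)
trap 'rm -f "$SAMPLE_TABLE"' EXIT
cat >"$SAMPLE_TABLE" <<'EOF'
ipv4     2 tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=203.0.113.5 sport=50342 dport=443 src=203.0.113.5 dst=192.168.1.10 sport=443 dport=50342 [ASSURED] mark=0 use=2
ipv4     2 udp      17 29 src=192.168.1.10 dst=192.168.1.1 sport=40021 dport=53 src=192.168.1.1 dst=192.168.1.10 sport=53 dport=40021 mark=0 use=2
ipv4     2 tcp      6 117 SYN_SENT src=192.168.1.10 dst=10.0.0.5 sport=44444 dport=22 [UNREPLIED] src=10.0.0.5 dst=192.168.1.10 sport=22 dport=44444 mark=0 use=2
ipv4     2 tcp      6 117 SYN_SENT src=192.168.1.10 dst=10.0.0.5 sport=44445 dport=23 [UNREPLIED] src=10.0.0.5 dst=192.168.1.10 sport=23 dport=44445 mark=0 use=2
tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=203.0.113.9 sport=50400 dport=22 src=203.0.113.9 dst=192.168.1.10 sport=22 dport=50400 [ASSURED] use=1
EOF

# conntrack_flows TABLE
# Normalises both layouts to one line per flow: PROTO STATE REPLIED DST.
# In nf_conntrack lines the L4 protocol is field 3, in ip_conntrack lines
# field 1; TCP carries a state word after the timeout, UDP and ICMP go
# straight to the src= tuple.  DST is the original direction's destination.
conntrack_flows() {
    awk '
        /^[[:space:]]*$/ { next }
        {
            i = 1
            if ($1 == "ipv4" || $1 == "ipv6") i = 3
            proto = $i
            state = ($(i + 3) ~ /=/) ? "-" : $(i + 3)
            replied = ($0 ~ /\[UNREPLIED\]/) ? "unreplied" : "replied"
            dst = "-"
            for (j = i; j <= NF; j++)
                if ($j ~ /^dst=/) { dst = substr($j, 5); break }
            print proto, state, replied, dst
        }' "$1"
}

# conntrack_count TABLE PROTO [STATE]    e.g. conntrack_count FILE tcp SYN_SENT
conntrack_count() {
    conntrack_flows "$1" |
        awk -v p="$2" -v s="${3:--}" '$1 == p && (s == "-" || $2 == s) { n++ } END { print n + 0 }'
}

# conntrack_summary TABLE: flows per protocol/state, largest first
conntrack_summary() {
    conntrack_flows "$1" | awk '{ c[$1 "/" $2]++ } END { for (k in c) print c[k], k }' | sort -rn
}

# conntrack_unreplied_dsts TABLE
# Destinations with the most one-direction entries.  From a host this is what
# an outbound SYN scan looks like; on a gateway it is an inbound flood toward
# the listed addresses, and each entry holds a table slot until its timeout
# (see nf_conntrack_max and the nf_conntrack_*_timeout_* sysctls).
conntrack_unreplied_dsts() {
    conntrack_flows "$1" | awk '$3 == "unreplied" { n[$4]++ } END { for (d in n) print n[d], d }' | sort -rn
}

echo "flows per protocol/state:"
conntrack_summary "$SAMPLE_TABLE"
echo "one-direction entries by destination:"
conntrack_unreplied_dsts "$SAMPLE_TABLE"
```

Because both layouts are folded into one intermediate form, the same counting functions work whether the box exposes ip_conntrack, nf_conntrack, or a file saved from either.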
 
