NOTRACK action question

Gary W. Smith gary at
Wed Aug 24 20:23:02 CEST 2005


We are NAT'ing an IP range to a set of internal Apache servers.  Looking
into the conntrack table we are seeing a bunch of entries on port 80,
which make sense.  One of the web server clusters is getting about 1m
hits a day which is starting to cause a significant jump in conntrack
entries.  My question is do we really need to track those?

I would assume no.  But when I add a NOTRACK rule to the raw table
Apache suddenly fails to serve the pages to external clients.

Here are the rules in question 

(on the raw table)
-A PREROUTING -i eth0 -p tcp -m multiport --dports 80 -j NOTRACK

(on the filter table)
-A FORWARD -d IP's -j filter_web
-A filter_web -p tcp -m multiport -j ACCEPT --dports http,https

Am I doing something wrong?

Gary Wayne Smith
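Added example, not part of the original post: a small Python check that parses iptables-save output and flags raw-table NOTRACK rules whose traffic a nat-table rule would otherwise translate. That interaction is what breaks the setup above: NAT is applied only to connections conntrack is tracking, so packets sent through NOTRACK are never DNAT'd. The ruleset, DNAT rule, addresses and service-name table in the block are constructed placeholders.

```python
"""Flag raw-table NOTRACK rules that also match traffic the nat table rewrites.
NOTRACKed packets never enter conntrack, and NAT is applied only to tracked
connections, so a DNAT'd service that is also NOTRACKed stops being translated.
The ruleset below is constructed; the DNAT rule and addresses are placeholders."""
import shlex

SAMPLE_RULES = """\
*raw
-A PREROUTING -i eth0 -p tcp -m multiport --dports 80 -j NOTRACK
COMMIT
*nat
-A PREROUTING -d 203.0.113.10 -p tcp --dport 80 -j DNAT --to-destination 10.0.0.10
-A PREROUTING -d 203.0.113.10 -p tcp --dport 443 -j DNAT --to-destination 10.0.0.10
COMMIT
"""
NAT_TARGETS = {"DNAT", "SNAT", "MASQUERADE", "REDIRECT", "NETMAP"}
PORT_NAMES = {"http": 80, "https": 443}  # minimal service-name table for this example

def expand_ports(spec):
    """'80,https' -> {80, 443}; '8000:8002' -> {8000, 8001, 8002}."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition(":")
        lo = int(PORT_NAMES.get(lo, lo))
        hi = int(PORT_NAMES.get(hi, hi)) if hi else lo
        ports.update(range(lo, hi + 1))
    return ports

def parse_rules(text):
    """Yield (table, proto, dports, target, line) for each -A rule in iptables-save output."""
    table = None
    for line in text.splitlines():
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith("-A "):
            toks = shlex.split(line)
            opts = {t: toks[i + 1] for i, t in enumerate(toks[:-1]) if t.startswith("-")}
            spec = opts.get("--dport") or opts.get("--dports")
            yield (table, opts.get("-p", "any"),
                   frozenset(expand_ports(spec) if spec else ()), opts.get("-j"), line)

def overlaps(a, b):
    """True when two parsed rules can match the same packet (empty port set = any port)."""
    return ("any" in (a[1], b[1]) or a[1] == b[1]) and (not a[2] or not b[2] or bool(a[2] & b[2]))

def find_conflicts(text):
    """Return nat rules whose traffic a raw-table NOTRACK rule would divert past NAT."""
    rules = list(parse_rules(text))
    notrack = [r for r in rules if r[0] == "raw" and r[3] == "NOTRACK"]
    return [r[4] for r in rules
            if r[0] == "nat" and r[3] in NAT_TARGETS and any(overlaps(r, n) for n in notrack)]
```

Running `find_conflicts(SAMPLE_RULES)` reports only the port-80 DNAT rule, since the port-443 translation is untouched by the NOTRACK rule.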
