NOTRACK action question

/dev/rob0 rob0 at gmx.co.uk
Wed Aug 24 23:34:00 CEST 2005


On Wednesday 2005-August-24 13:23, Gary W. Smith wrote:
> We are NAT'ing an IP range to a set of internal Apache servers. 
> Looking into the conntrack table we are seeing a bunch of entries on
> port 80, which make sense.  One of the web server clusters is getting
> about 1m hits a day which is starting to cause a significant jump in
> conntrack entries.  My question is do we really need to track those?

It would depend on your configuration. Oh you said NAT, DNAT I guess. 
IIUC DNAT does depend on connection tracking. Perhaps you should put 
your Apache reservation in a routed (not DNAT'ed) subnet.

> I would assume no.  But when I add a NOTRACK rule to the raw table
> Apache suddenly fails to serve the pages to external clients.

Then your assumption would seem to be in error.

> Am I doing something wrong?

If it's not working, and you want it to work, yes. :)
-- 
    mail to this address is discarded unless "/dev/rob0"
    or "not-spam" is in Subject: header
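A worked ruleset for the routed-subnet approach suggested in the reply, added here as an example and not taken from the thread (all addresses, the interface name and the routed subnet are constructed placeholders): the DNAT'ed public address stays tracked, only the routed Apache subnet is exempted in the raw table, and because untracked packets never match NEW/ESTABLISHED/RELATED state, port 80 to and from that subnet is accepted explicitly in the filter table.

```shell
#!/bin/sh
# Added example: emit an iptables-restore ruleset for two Apache clusters.
# All addresses below are constructed placeholders, not from the thread.
PUBLIC_VIP="203.0.113.10"      # DNAT'ed public address (must stay tracked)
DNAT_TARGET="10.0.0.10"        # internal Apache behind the DNAT
ROUTED_NET="198.51.100.0/24"   # publicly routed Apache subnet (no NAT)
WAN_IF="eth0"

ruleset() {
    cat <<EOF
# raw: exempt only the routed subnet from conntrack. Never NOTRACK the
# DNAT'ed range: DNAT is built on conntrack and stops working without it.
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -d ${ROUTED_NET} -p tcp --dport 80 -j NOTRACK
-A PREROUTING -s ${ROUTED_NET} -p tcp --sport 80 -j NOTRACK
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i ${WAN_IF} -d ${PUBLIC_VIP} -p tcp --dport 80 -j DNAT --to-destination ${DNAT_TARGET}
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Untracked packets only ever match --state UNTRACKED, never NEW or
# ESTABLISHED, so the routed web traffic is accepted explicitly both ways
# (replies must not be bare SYNs; SYN-ACK does not match --syn).
-A FORWARD -d ${ROUTED_NET} -p tcp --dport 80 -j ACCEPT
-A FORWARD -s ${ROUTED_NET} -p tcp --sport 80 ! --syn -j ACCEPT
# Tracked (DNAT'ed) traffic keeps using conntrack state as usual.
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -d ${DNAT_TARGET} -p tcp --dport 80 -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# Sanity check: succeeds (exit 0) only if some NOTRACK rule wrongly covers
# the DNAT'ed public address or its internal target.
notrack_covers_dnat() {
    ruleset | grep NOTRACK | grep -q -e "${PUBLIC_VIP}" -e "${DNAT_TARGET}"
}
```

Load it with `ruleset | iptables-restore` on a test box first and confirm the conntrack table no longer fills with entries for the routed subnet while the DNAT'ed cluster keeps serving.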


