Re: Connection states information tables
On Tue, 14 Sep 2004, Lorenzo Rossi wrote:
> I have a question concerning the tables where the information about the
> connection state is maintained.
> I configured my firewall script with the following lines, to permit the
> SSH traffic originated from the protected zone to go to Internet.
>
> iptables -A TCP_IN -i $INTERFACE -p tcp --sport 22 -m state --state
> ESTABLISHED -j ACCEPT
>
> iptables -A TCP_OUT -o $INTERFACE -p tcp --dport 22 -m state --state
> NEW,ESTABLISHED -j ACCEPT
>
> The custom chain TCP_IN is listed in the default INPUT chain.
> The custom chain TCP_OUT is listed in the default OUTPUT chain.
> The default policy for the INPUT and OUTPUT chains, as you can imagine,
> is to DROP.
>
> My question is:
> How many state tables are used? one table for each main chain?
> One for INPUT and one for OUTPUT?
A single hash and not a table contains the connections. When you load in
the ip_conntrack module or it is started by the non-modular kernel, the
maximal number of connections which can be stored in the hash is logged:
% dmesg | grep ip_conntrack
or
# grep ip_conntrack /var/log/kern.log
kernel: ip_conntrack version 2.1 (2043 buckets, 16344 max) - 320 bytes per conntrack
                                                ^^^^^^^^^
Best regards,
Jozsef
-
E-mail : kadlec@blackhole.kfki.hu, kadlec@sunserv.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
H-1525 Budapest 114, POB. 49, Hungary
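As an added example, not part of Jozsef's reply or of the netfilter project, the POSIX sh snippet below parses the ip_conntrack banner he quotes and turns its figures into the numbers an administrator watches: the memory the full table occupies, the average hash-chain length, and how close the live table is to its limit. The banner string is constructed to match the quoted line; the /proc paths are the ones the 2.4/2.6-era ip_conntrack and later nf_conntrack modules expose.

```shell
#!/bin/sh
# Constructed sample of the line ip_conntrack logs at load time (same values as the reply).
CONNTRACK_BANNER='kernel: ip_conntrack version 2.1 (2043 buckets, 16344 max) - 320 bytes per conntrack'

# conntrack_field <banner> <buckets|max|bytes>  -> prints that number from the banner.
conntrack_field() {
    case "$2" in
        buckets) printf '%s\n' "$1" | sed -n 's/.*(\([0-9]*\) buckets, .*/\1/p' ;;
        max)     printf '%s\n' "$1" | sed -n 's/.*buckets, \([0-9]*\) max).*/\1/p' ;;
        bytes)   printf '%s\n' "$1" | sed -n 's/.*- \([0-9]*\) bytes per conntrack.*/\1/p' ;;
    esac
}

# Memory the hash holds when every slot is used, in KiB (max entries * bytes per entry).
conntrack_table_kib() {
    echo $(( $(conntrack_field "$1" max) * $(conntrack_field "$1" bytes) / 1024 ))
}

# Average entries per bucket at the limit; longer chains mean slower lookups per packet.
conntrack_chain_len() {
    echo $(( $(conntrack_field "$1" max) / $(conntrack_field "$1" buckets) ))
}

# conntrack_usage_status <count> <max> [<warn_percent>] -> "OK <pct>" or "WARN <pct>".
# When the table fills, the kernel drops new connections, so warn well before 100%.
conntrack_usage_status() {
    count=$1; max=$2; warn=${3:-80}
    pct=$(( count * 100 / max ))
    if [ "$pct" -ge "$warn" ]; then echo "WARN $pct"; else echo "OK $pct"; fi
}

# Live check: nf_conntrack (newer kernels) exports count and max under /proc/sys;
# the ip_conntrack of this thread lists entries in /proc/net/ip_conntrack instead.
conntrack_live_status() {
    if [ -r /proc/sys/net/netfilter/nf_conntrack_count ]; then
        conntrack_usage_status "$(cat /proc/sys/net/netfilter/nf_conntrack_count)" \
                               "$(cat /proc/sys/net/netfilter/nf_conntrack_max)"
    elif [ -r /proc/net/ip_conntrack ]; then
        conntrack_usage_status "$(wc -l < /proc/net/ip_conntrack)" \
                               "$(cat /proc/sys/net/ipv4/ip_conntrack_max)"
    else
        echo "UNAVAILABLE"
    fi
}

echo "table size at limit: $(conntrack_table_kib "$CONNTRACK_BANNER") KiB"
echo "entries per bucket at limit: $(conntrack_chain_len "$CONNTRACK_BANNER")"
echo "live table: $(conntrack_live_status)"
```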