{{tag>[centos7 linux ntp high traffic]}}
=====CentOS 7 - high traffic NTP and netfilter=====
The default firewalld ntp service rule uses connection tracking, which you do not want on a high-traffic NTP server: every client query creates an entry in the conntrack table, and once that table is full new packets are dropped. This page describes how to disable connection tracking for NTP.
{{::nf_conntrack.png?nolink|nf_conntrack count percentage}}\\
//Netfilter connection tracking table usage in percent, before and after the change.//
* Default firewalld NTP service rule: <code>-A IN_public_allow -p udp -m udp --dport 123 -m conntrack --ctstate NEW -j ACCEPT</code>
* Show conntrack count: <code>
# sysctl -a | egrep "conntrack_max|conntrack_count"
net.netfilter.nf_conntrack_count = 13362
net.netfilter.nf_conntrack_max = 65536
</code>
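The two sysctl values give the table utilisation that the graph above plots (13362 of 65536 entries is about 20 %). The following script is an added example, not part of the original page: it parses sysctl-style output, computes that percentage, and turns it into a threshold check that can be run from cron or a monitoring agent. The sample values are constructed from the numbers quoted on this page.

```sh
#!/bin/sh
# Added example (not from the original wiki page): compute conntrack table
# utilisation (count / max, in percent) from "sysctl -a"-style output and flag
# it when it crosses a threshold. POSIX sh and awk only.

# conntrack_pct: read "net.netfilter.nf_conntrack_count = N" and
# "net.netfilter.nf_conntrack_max = M" lines on stdin, print the integer percentage.
conntrack_pct() {
    awk '
        $1 == "net.netfilter.nf_conntrack_count" { count = $3 }
        $1 == "net.netfilter.nf_conntrack_max"   { max = $3 }
        END {
            # a missing or zero max means the input was not conntrack sysctl output
            if (max == 0 || max == "") { print "ERR"; exit 1 }
            printf "%d\n", (count * 100) / max
        }'
}

# conntrack_check THRESHOLD: return 0 while utilisation is below THRESHOLD percent,
# 1 when it is at or above it, 2 when the input could not be parsed.
conntrack_check() {
    pct=$(conntrack_pct) || return 2
    [ "$pct" -lt "$1" ]
}

# Constructed sample matching the "before" numbers on this page (firewalld, tracked NTP).
SAMPLE_BEFORE='net.netfilter.nf_conntrack_count = 13362
net.netfilter.nf_conntrack_max = 65536'

# Constructed sample matching the "after" numbers on this page (NTP untracked).
SAMPLE_AFTER='net.netfilter.nf_conntrack_count = 2
net.netfilter.nf_conntrack_max = 65536'

# Live use on a CentOS 7 host, alerting at 80 % utilisation:
#   sysctl -a 2>/dev/null | egrep "conntrack_max|conntrack_count" | conntrack_check 80 || echo "conntrack table nearly full"
```

The check reads stdin rather than calling sysctl itself so that the same function works on a saved snapshot, on another host's output, or in a test.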
====Configure legacy iptables scripts====
In the following steps I will disable firewalld and use the legacy iptables scripts.
* Install iptables-services: <code>yum install iptables-services</code>
* Configure iptables: edit /etc/sysconfig/iptables and check that sshd is still allowed if you manage the host over SSH (the ruleset below contains no rule for tcp/22). <code>
# Generated by iptables-save v1.4.21 on Tue Aug 25 15:27:32 2015
*mangle
:PREROUTING ACCEPT [19:1444]
:INPUT ACCEPT [19:1444]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [19:1444]
:POSTROUTING ACCEPT [19:1444]
COMMIT
# Completed on Tue Aug 25 15:27:32 2015
# Generated by iptables-save v1.4.21 on Tue Aug 25 15:27:32 2015
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1:76]
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp -m udp --dport 123 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Tue Aug 25 15:27:32 2015
# Generated by iptables-save v1.4.21 on Tue Aug 25 15:27:32 2015
*raw
:PREROUTING ACCEPT [12:912]
:OUTPUT ACCEPT [11:836]
-A PREROUTING -p udp -m udp --dport 123 -j CT --notrack
-A OUTPUT -p udp -m udp --sport 123 -j CT --notrack
COMMIT
# Completed on Tue Aug 25 15:27:32 2015
# Generated by iptables-save v1.4.21 on Tue Aug 25 15:27:32 2015
*nat
:PREROUTING ACCEPT [5:380]
:INPUT ACCEPT [5:380]
:OUTPUT ACCEPT [1:76]
:POSTROUTING ACCEPT [1:76]
COMMIT
# Completed on Tue Aug 25 15:27:32 2015
</code>
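Two details in the ruleset above belong together. The //raw// table marks incoming queries (dport 123) and outgoing replies (sport 123) with CT --notrack, and the //filter// INPUT rule for udp/123 is stateless. That is not optional: untracked packets carry the conntrack state UNTRACKED, so they match neither the firewalld-style "--ctstate NEW" rule quoted at the top of this page nor the RELATED,ESTABLISHED rule, and would fall through to the final REJECT. The script below is an added example, not part of the original page: it reads an iptables-save dump and reports any notrack port that lacks a stateless INPUT accept or the matching OUTPUT notrack rule. Both dumps it ships with are constructed from the rules on this page.

```sh
#!/bin/sh
# Added example (not from the original wiki page): audit an iptables-save dump for
# the pitfall that comes with "-j CT --notrack". Untracked packets carry conntrack
# state UNTRACKED, so they never match "--ctstate NEW" or "RELATED,ESTABLISHED".
# Every UDP port marked notrack in *raw PREROUTING therefore needs a stateless
# ACCEPT in *filter INPUT, and a *raw OUTPUT --sport notrack rule so the replies
# do not create conntrack entries either. POSIX sh + awk only; handles single
# --dport/--sport values (no multiport).

# audit_notrack: read an iptables-save dump on stdin, print one line per finding,
# return 0 when the dump is consistent and 1 otherwise.
audit_notrack() {
    awk '
        /^\*/ { table = substr($0, 2); next }              # "*raw" -> "raw"
        table == "raw" && /-A PREROUTING / && /-j CT --notrack/ {
            for (i = 1; i <= NF; i++) if ($i == "--dport") notrack_in[$(i+1)] = 1
        }
        table == "raw" && /-A OUTPUT / && /-j CT --notrack/ {
            for (i = 1; i <= NF; i++) if ($i == "--sport") notrack_out[$(i+1)] = 1
        }
        table == "filter" && /-A INPUT / && /-j ACCEPT/ {
            for (i = 1; i <= NF; i++) if ($i == "--dport") {
                if ($0 ~ /-m conntrack/) stateful_accept[$(i+1)] = 1
                else                     stateless_accept[$(i+1)] = 1
            }
        }
        END {
            bad = 0
            for (p in notrack_in) {
                if (!(p in stateless_accept)) {
                    bad = 1
                    if (p in stateful_accept)
                        printf "port %s: notrack in raw, but the INPUT accept uses -m conntrack; untracked packets fall through to REJECT\n", p
                    else
                        printf "port %s: notrack in raw, but no stateless INPUT accept\n", p
                }
                if (!(p in notrack_out)) {
                    bad = 1
                    printf "port %s: no raw OUTPUT --sport notrack rule; replies still create conntrack entries\n", p
                }
            }
            exit bad
        }'
}

# Constructed dump 1: the filter and raw tables from this page (mangle and nat omitted).
RULESET_PAGE='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp -m udp --dport 123 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p udp -m udp --dport 123 -j CT --notrack
-A OUTPUT -p udp -m udp --sport 123 -j CT --notrack
COMMIT'

# Constructed dump 2: same raw table, but the INPUT accept is the stateful
# firewalld-style rule quoted at the top of this page. NTP would stop working.
RULESET_STATEFUL_ACCEPT='*filter
:INPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --dport 123 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
*raw
-A PREROUTING -p udp -m udp --dport 123 -j CT --notrack
-A OUTPUT -p udp -m udp --sport 123 -j CT --notrack
COMMIT'

# On a live CentOS 7 host:  iptables-save | audit_notrack
```

Run it against the saved /etc/sysconfig/iptables before restarting the service; a clean exit means every untracked port can actually be reached.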
* Stop and disable firewalld: <code>
systemctl disable firewalld
systemctl stop firewalld
systemctl status firewalld
</code>
* Enable and start the iptables service: <code>
systemctl enable iptables
systemctl start iptables
</code>
* Check the conntrack count again: <code>
# sysctl -a | egrep "conntrack_max|conntrack_count"
net.netfilter.nf_conntrack_count = 2
net.netfilter.nf_conntrack_max = 65536
</code>
====Disable connection tracking in RouterOS (Mikrotik)====
* Add a [[http://wiki.mikrotik.com/wiki/Manual:Fast_Path|fasttrack action]] rule before the rule that accepts the connection.