Ben's notes

Linux, Unix, network, radio...

User Tools

Site Tools

Trace: centos7_firewall_high_traffic_ntp
centos7_firewall_high_traffic_ntp

Table of Contents

, , , ,

CentOS 7 - high traffic NTP and netfilter

The default firewalld ntp service uses connection tracking. Something you don't want when managing high traffic. This page describes how to disable connection tracking.

nf_contrack count percentage
NF connection tracking list in percentage, before and after.

  • Default firewalld NTP service rule: 
    -A IN_public_allow -p udp -m udp --dport 123 -m conntrack --ctstate NEW -j ACCEPT
  • Show conntrack count:
    # sysctl -a | egrep "conntrack_max|conntrack_count"
net.netfilter.nf_conntrack_count = 13362
net.netfilter.nf_conntrack_max = 65536

Configure legacy iptables scripts

In the following steps I will disable firewalld and use the legacy iptables scripts.

  • Install iptables-services:
    yum install iptables-services
  • Configure iptables, edit /etc/sysconfig/iptables, check if sshd is allowed… 
    # Generated by iptables-save v1.4.21 on Tue Aug 25 15:27:32 2015
*mangle
:PREROUTING ACCEPT [19:1444]
:INPUT ACCEPT [19:1444]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [19:1444]
:POSTROUTING ACCEPT [19:1444]
COMMIT
# Completed on Tue Aug 25 15:27:32 2015
# Generated by iptables-save v1.4.21 on Tue Aug 25 15:27:32 2015
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1:76]
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp -m udp --dport 123 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Tue Aug 25 15:27:32 2015
# Generated by iptables-save v1.4.21 on Tue Aug 25 15:27:32 2015
*raw
:PREROUTING ACCEPT [12:912]
:OUTPUT ACCEPT [11:836]
-A PREROUTING -p udp -m udp --dport 123 -j CT --notrack
-A OUTPUT -p udp -m udp --sport 123 -j CT --notrack
COMMIT
# Completed on Tue Aug 25 15:27:32 2015
# Generated by iptables-save v1.4.21 on Tue Aug 25 15:27:32 2015
*nat
:PREROUTING ACCEPT [5:380]
:INPUT ACCEPT [5:380]
:OUTPUT ACCEPT [1:76]
:POSTROUTING ACCEPT [1:76]
COMMIT
# Completed on Tue Aug 25 15:27:32 2015
  • Stop and disable firewalld:
    systemctl disable firewalld
systemctl stop firewalld
systemctl status firewalld
  • Start iptables service:
    systemctl enable iptables 
systemctl start iptables
  • Check conntrack count:
    # sysctl -a | egrep "conntrack_max|conntrack_count"
net.netfilter.nf_conntrack_count = 2
net.netfilter.nf_conntrack_max = 65536

Disable connection tracking in RouterOS (Mikrotik)

centos7_firewall_high_traffic_ntp.txt · Last modified: 2021/10/09 15:14 by 127.0.0.1