10 Replies Latest reply on Dec 9, 2016 12:14 PM by PabloM_Intel

    nf_conntrack on edison?

    joe-iot

      Hello All - Has anyone had luck getting nf_conntrack to work in Poky? I am trying to set limits in iptables (gotta stop the Mirai botnet).


      Here is some troubleshooting:

      root@ed-wr1:~# uname -a
      Linux ed-wr1 3.10.98-poky-edison+ #1 SMP PREEMPT Mon Jun 6 14:32:08 PDT 2016 i686 GNU/Linux
      
      root@ed-wr1:~# opkg install conntrack-tools
      Installing conntrack-tools (1.4.0-r0) on root.
      
      root@ed-wr1:~# iptables -L -n 
      Chain INPUT (policy ACCEPT)
      target     prot opt source               destination         
      ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
      ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           
      ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
      ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
      ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:80
      ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:443
      REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
      
      Chain FORWARD (policy ACCEPT)
      target     prot opt source               destination         
      REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
      
      Chain OUTPUT (policy ACCEPT)
      target     prot opt source               destination  
      
      root@ed-wr1:~# opkg install conntrack-tools
      Installing conntrack-tools (1.4.0-r0) on root.
      
      root@ed-wr1:~# iptables -A INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 3 -j REJECT
      iptables: No chain/target/match by that name.
      


      I believe the module exists:

       Some file system proof:
      /sys/module/nf_conntrack
      /proc/1/net/nf_conntrack
      /proc/1/net/stat/nf_conntrack
      
      
      root@ed-wr1:~# cat /proc/1/net/nf_conntrack
      ipv4     2 tcp      6 431999 ESTABLISHED src=10.0.1.5 dst=10.0.1.18 sport=52316 dport=22 src=10.0.1.18 dst=10.0.1.5 sport=22 dport=52316 [ASSURED] mark=0 use=2
      
      Trying to load the module gives no errors (but it is not showing in lsmod):
      
      root@ed-wr1:~# modprobe nf_conntrack
      root@ed-wr1:~# lsmod
      Module                  Size  Used by
      usb_f_acm              14335  1 
      u_serial               18582  6 usb_f_acm
      g_multi                70924  0 
      libcomposite           39238  2 usb_f_acm,g_multi
      bcm_bt_lpm             13708  0 
      bcm4334x              587105  0 
      
      


      I'd appreciate any help.


      Cheers,

      -Joe


      PS If you want to get started with a firewall for the edison I put a basic config here: https://github.com/joemcmanus/edisonFW

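The two checks the post above is doing by hand (is nf_conntrack present, and why does `-m connlimit` fail) can be scripted. The following is an added example, not code from the original post or from the edisonFW repository. It relies on two kernel facts: a component compiled into the kernel gets an entry under /sys/module but never appears in lsmod (which reads /proc/modules, the list of loadable modules only), and every iptables match the kernel can actually use is listed in /proc/net/ip_tables_matches. The "No chain/target/match by that name" error means the match in question (here xt_connlimit) is neither built in nor loadable, independent of whether nf_conntrack itself is present. The file and directory paths are parameters so the functions can be exercised against constructed inputs; the defaults point at the live kernel.

```shell
#!/bin/sh
# Added example: probe the kernel for netfilter components before adding a
# rule that depends on them. Paths are overridable for offline testing.

# module_state NAME [SYS_MODULE_DIR] [PROC_MODULES]
# Prints "loaded" if NAME is in /proc/modules (what lsmod reads),
# "builtin" if it only has a /sys/module entry, "absent" otherwise.
module_state() {
    name=$1
    sys_dir=${2:-/sys/module}
    proc_modules=${3:-/proc/modules}
    if [ -r "$proc_modules" ] && grep -q "^$name " "$proc_modules"; then
        echo loaded
    elif [ -d "$sys_dir/$name" ]; then
        echo builtin
    else
        echo absent
    fi
}

# match_available NAME [MATCHES_FILE] [MODULE_DIR]
# Returns 0 if the iptables match NAME is already registered with the
# kernel (built in or loaded) or if a loadable xt_NAME.ko exists under
# MODULE_DIR, so that modprobe could supply it. Otherwise returns 1.
match_available() {
    name=$1
    matches_file=${2:-/proc/net/ip_tables_matches}
    module_dir=${3:-/lib/modules/$(uname -r)}
    if [ -r "$matches_file" ] && grep -qx "$name" "$matches_file"; then
        return 0
    fi
    # Not registered; look for a module file we could modprobe.
    if find "$module_dir" -name "xt_${name}.ko*" 2>/dev/null | grep -q .; then
        return 0
    fi
    return 1
}

# ssh_connlimit_rule LIMIT [MATCHES_FILE] [MODULE_DIR]
# Prints the iptables command that caps concurrent SSH connections per
# source address, or a diagnostic (and returns 1) when the connlimit
# match is absent from this kernel, which is the failure seen in the post.
ssh_connlimit_rule() {
    limit=$1
    if match_available connlimit "$2" "$3"; then
        echo "iptables -A INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above $limit -j REJECT"
    else
        echo "connlimit match unavailable: kernel has no xt_connlimit (needs CONFIG_NETFILTER_XT_MATCH_CONNLIMIT)" >&2
        return 1
    fi
}

# Stand-alone usage against the running kernel.
if [ "${0##*/}" != "sh" ] && [ -z "$NF_CHECK_NO_MAIN" ]; then
    echo "nf_conntrack: $(module_state nf_conntrack)"
    ssh_connlimit_rule 3 || true
fi
```

Against the live kernel, `module_state nf_conntrack` printing "builtin" with an empty lsmod is the situation shown in the post; `match_available connlimit` returning 1 is what turns into the "No chain/target/match by that name" error. A match that is missing from both /proc/net/ip_tables_matches and the module tree can only be obtained by rebuilding the kernel with the corresponding CONFIG_NETFILTER_XT_MATCH_* option.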