Could not read info about connections from the kernel, make sure netfilter is enabled in kernel or by modules

Hi,

I am trying this page of yours
https://www.cyberciti.biz/faq/display-iptables-router-nat-connections-using-netstat-nat/

I installed the tool

sudo apt install netstat-nat

Then I try to get a list of all Natted / Routed connections

sudo netstat-nat

But getting this error on my putty.exe session:

Could not read info about connections from the kernel, make sure netfilter is enabled in kernel or by modules.

How am I supposed to view NATed connections on Ubuntu Linux? Please help.

You need to use the following command:

conntrack

Or an updated version of netstat-nat is needed.

I will try conntrack command.

You may end up with:

Command ‘conntrack’ not found

Install conntrack on your Ubuntu or Debian server

sudo apt install conntrack

How to install conntrack on your CentOS or RHEL server

sudo dnf install conntrack-tools

Quick help

conntrack provides a full-featured userspace interface to the netfilter connection tracking system that is intended to replace the old /proc/net/ip_conntrack interface. This tool can be used to search, list, inspect and maintain the connection tracking subsystem of the Linux kernel. Using conntrack, you can dump a list of all (or a filtered selection of) currently tracked connections, delete connections from the state table, and even add new ones.

conntrack -L 
conntrack -h
Command line interface for the connection tracking system. Version 1.4.4
Usage: conntrack [commands] [options]

Commands:
  -L [table] [options]		List conntrack or expectation table
  -G [table] parameters		Get conntrack or expectation
  -D [table] parameters		Delete conntrack or expectation
  -I [table] parameters		Create a conntrack or expectation
  -U [table] parameters		Update a conntrack
  -E [table] [options]		Show events
  -F [table]			Flush table
  -C [table]			Show counter
  -S				Show statistics

Tables: conntrack, expect, dying, unconfirmed

Conntrack parameters and options:
  -n, --src-nat ip			source NAT ip
  -g, --dst-nat ip			destination NAT ip
  -j, --any-nat ip			source or destination NAT ip
  -m, --mark mark			Set mark
  -c, --secmark secmark			Set selinux secmark
  -e, --event-mask eventmask		Event mask, eg. NEW,DESTROY
  -z, --zero 				Zero counters while listing
  -o, --output type[,...]		Output format, eg. xml
  -l, --label label[,...]		conntrack labels

Expectation parameters and options:
  --tuple-src ip	Source address in expect tuple
  --tuple-dst ip	Destination address in expect tuple

Updating parameters and options:
  --label-add label	Add label
  --label-del label	Delete label

Common parameters and options:
  -s, --src, --orig-src ip		Source address from original direction
  -d, --dst, --orig-dst ip		Destination address from original direction
  -r, --reply-src ip		Source addres from reply direction
  -q, --reply-dst ip		Destination address from reply direction
  -p, --protonum proto		Layer 4 Protocol, eg. 'tcp'
  -f, --family proto		Layer 3 Protocol, eg. 'ipv6'
  -t, --timeout timeout		Set timeout
  -u, --status status		Set status, eg. ASSURED
  -w, --zone value		Set conntrack zone
  --orig-zone value		Set zone for original direction
  --reply-zone value		Set zone for reply direction
  -b, --buffer-size		Netlink socket buffer size
  --mask-src ip			Source mask address
  --mask-dst ip			Destination mask address

Read the useful man page:

man conntrack
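
An added example, not part of the original posts: a shell filter that reproduces the netstat-nat style view from `conntrack -L` output by keeping only flows whose reply tuple is not the mirror image of the original tuple. The function names `sample_conntrack` and `nat_filter` and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: list NATed flows from `conntrack -L` output.
# A flow is NATed when the reply tuple is not the mirror image of the
# original tuple (first src=/dst= pair vs. second src=/dst= pair).

# Constructed sample lines in `conntrack -L` format (documentation IPs).
sample_conntrack() {
cat <<'EOF'
tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=198.51.100.7 sport=51514 dport=443 src=198.51.100.7 dst=203.0.113.5 sport=443 dport=51514 [ASSURED] mark=0 use=1
tcp      6 431990 ESTABLISHED src=203.0.113.5 dst=198.51.100.9 sport=40000 dport=22 src=198.51.100.9 dst=203.0.113.5 sport=22 dport=40000 [ASSURED] mark=0 use=1
tcp      6 431500 ESTABLISHED src=198.51.100.20 dst=203.0.113.5 sport=33000 dport=8080 src=192.168.1.50 dst=198.51.100.20 sport=80 dport=33000 [ASSURED] mark=0 use=1
udp      17 25 src=192.168.1.11 dst=198.51.100.53 sport=5353 dport=53 [UNREPLIED] src=198.51.100.53 dst=203.0.113.5 sport=53 dport=5353 mark=0 use=1
EOF
}

# Read conntrack -L lines on stdin, print one line per NATed flow.
nat_filter() {
    awk '
    {
        ns = nd = nsp = ndp = 0
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^src=/)   src[++ns] = substr($i, 5)
            if ($i ~ /^dst=/)   dst[++nd] = substr($i, 5)
            if ($i ~ /^sport=/) sp[++nsp] = substr($i, 7)
            if ($i ~ /^dport=/) dp[++ndp] = substr($i, 7)
        }
        if (ns < 2 || nd < 2) next          # not a full conntrack entry
        ports = (nsp >= 2 && ndp >= 2)      # ICMP entries carry no ports
        snat = (dst[2] != src[1]) || (ports && dp[2] != sp[1])
        dnat = (src[2] != dst[1]) || (ports && sp[2] != dp[1])
        if (!snat && !dnat) next            # reply mirrors original: no NAT
        kind = (snat && dnat) ? "SNAT+DNAT" : (snat ? "SNAT" : "DNAT")
        printf "%s %s %s%s %s%s reply-src=%s reply-dst=%s\n", kind, $1,
            src[1], (ports ? (":" sp[1]) : ""),
            dst[1], (ports ? (":" dp[1]) : ""),
            src[2], dst[2]
    }'
}

# Demo on the constructed sample; the non-NATed SSH flow is dropped.
sample_conntrack | nat_filter
```

On a live router, feed it real data with `sudo conntrack -L 2>/dev/null | nat_filter`.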