I tried the command conntrack -L and it returns nothing when I have a ping www.google.com running.
I also tried to load the module by modprobe nf_conntrack. But it still always returns conntrack v1.0.0 (conntrack-tools): 0 flow entries have been shown.
Any one know what would be the solution?
Try adding iptables rules with conntrack states for ex:
iptables -A INPUT -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
It worked for me.
The conntrack tool won't return a flow because, by the time your ping command has ended the flow has been terminated.
Create a persistent TCP connection to something on the Internet and do a conntrack -L and you'll see a flow. You could also send some ping requests to an Internet host that doesn't respond-- you'll see a flow created (waiting for the ICMP echo replies that will never come) that way, too.
adding iptables rules worked,and nftables is instead of the legacy {ip,ip6,arp,eb}_tables (xtables) infrastructure.
for nftables you can do it like this:
add ct state rule to a type filter hook input chain
nft add table inet filter_example
nft add chain inet filter_example input_example {type filter hook input priority filter\; policy accept\;}
nft add rule inet filter_example input_example ct state established,related accept
