Connection Tracking Subsystem¶
links: SPA TOC - Linux Firewall - Index
Overview¶
- the Connection tracking subsystem of netfilter enables the tracking of state information of connections in a kernel table (connection tracking table)
- this allows the build of stateful packet filtering firewalls
- on older systems the table was overlaid to
/proc/net/nf_conntrack
, on more recent systems there is an API which can be used to query/modify the table - the utility IP tables state
ipstate
can be used to query and display the table
Adding entries¶
- the entries in the table are added by packets running through the
PREROUTING
chain and theOUTPUT
chain respectively - this happens before the iptables rules get activated
- source and destination NAT are mapped in the table too
Example entries of /proc/net/nf_conntrack¶
State examination¶
The state of connections can be examined using iptables match extensions conntrack
:
NEW
: the packet has started a new connectionESTABLISHED
: the packet is associated with an established connection, both directionsRELATED
: new connection created as a result of an associated connection (e.g. FTP data connection)INVALID
: the packet is associated with no known connectionSNAT
: virtual state, matching if the original source address differs from the reply destinationDNAT
: virtual state, matching if the original destination differs from the reply source- ...
links: SPA TOC - Linux Firewall - Index