
Udp state replied vs unreplied
Understanding of the conntrack mechanism in Netfilter

0x01 state firewall and link tracking system
0x04 conntrack creation and query process

0x01 state firewall and link tracking system

After getting to know iptables, I am even more impressed by how large and intricate netfilter is. Within netfilter, the connection tracking mechanism (conntrack) is a central part: it is the basis of stateful firewalling on Linux, and it is also what lets NAT map reply packets and related connections back to the translated connection they belong to. This article attempts to analyze and understand the conntrack mechanism.

After years of packet filtering firewalls that decide on header fields alone (IP addresses, ports, and so on), the demands on firewalls gradually grew. A stateless filter cannot tell a reply from an unsolicited packet, and so cannot detect or track floods and other DoS traffic. From a historical point of view, the plain packet filter matched the needs of its time and is also cheaper to evaluate; higher-layer applications were few back then, so there was little call for protection at that layer.

Conntrack itself does not filter packets. It records state and relationships, and the filtering rules (the iptables state and conntrack matches) act on that record. It tracks not only TCP, which has a state machine of its own, but also UDP, which has no state on the wire: conntrack supplies the state by remembering which directions it has seen packets in. Each tracked connection is kept in a memory structure holding its addresses, ports, protocol, state and timeout. Conntrack defines five connection states (the four below, plus UNTRACKED for packets explicitly exempted from tracking):

NEW matches the first packet of a connection. iptables looks the packet up in the connection tracking table and finds either no entry, or an entry that has so far seen traffic in one direction only. The judgment rests on conntrack having seen a single direction (such entries are listed with the [UNREPLIED] flag) and is independent of the protocol, so NEW does not mean "a TCP SYN": a UDP datagram to a port nobody has answered from is NEW, and so is a retransmission of it sent before any reply arrives.

ESTABLISHED matches the reply packet of a connection and every packet after it. iptables finds in the tracking table that the connection has seen a response, that is, the entry no longer carries the [UNREPLIED] flag. In iptables terms a connection is ESTABLISHED as soon as one packet has gone each way. This is what lets iptables control who initiated a connection: when A sends a packet to B the packet is NEW, and B's reply to A is ESTABLISHED. ICMP replies to requests we sent, such as an echo reply to our echo request, are ESTABLISHED as well; ICMP error and redirect messages that quote a tracked connection are classified RELATED, described next.

RELATED matches packets that belong to a connection which is related to one that is already ESTABLISHED. The state is a little involved: for a connection to be RELATED there must first be an ESTABLISHED connection, that connection gives rise to a new connection outside itself, and the first packet of the new connection is then in state RELATED. Of course, conntrack must first be able to recognize the relationship. Examples are ICMP error messages, FTP data transfers and IRC DCC: the FTP data connection is RELATED to the previously created FTP control connection, just as a DCC connection is related to the IRC connection that negotiated it. Some of the TCP and UDP protocols that rely on this are complex, because the addresses and ports of the secondary connection are announced inside the payload of the primary one (loosely comparable to how overlay protocols such as VXLAN or GRE carry one packet inside another). Conntrack therefore needs helper modules, such as nf_conntrack_ftp, that read those payloads and register the expected connection in advance.

INVALID matches packets that cannot be identified or have no state. Causes include the tracking table running out of memory and ICMP error messages that refer to no known connection. In general, packets in this state should be DROPped.
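
The states described above, walked through in a toy tracker. This is an added example, not code from the original article or from the netfilter project: it is a deliberately simplified model (no timeouts, no TCP flag checking, a single hard-coded FTP PORT parser standing in for nf_conntrack_ftp, and constructed sample traffic rather than a capture) whose only purpose is to show why a UDP retransmit is still NEW while the entry is [UNREPLIED], why the first FTP data packet is RELATED rather than NEW, and why an ICMP error quoting an untracked flow is INVALID.

```python
"""Toy model of netfilter conntrack state classification (illustration, not kernel code).

Entries are keyed by the 5-tuple of the ORIGINAL direction; a packet whose tuple is
the mirror image of an entry is a reply. An entry starts out [UNREPLIED]; the first
reply clears that flag, turning the connection from NEW into ESTABLISHED. A protocol
helper (a minimal FTP PORT parser standing in for nf_conntrack_ftp) registers an
expectation so the first packet of the data connection is RELATED, not NEW.
"""
from __future__ import annotations
import re
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Flow:                      # 5-tuple as seen in one direction
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self) -> Flow:
        return Flow(self.proto, self.dst, self.dport, self.src, self.sport)

@dataclass(frozen=True)
class Packet:
    flow: Flow
    payload: bytes = b""
    icmp_error_for: Optional[Flow] = None  # ICMP errors quote the packet that triggered them

@dataclass
class Entry:
    unreplied: bool = True        # shown as [UNREPLIED] by `conntrack -L` until a reply is seen
    helper: Optional[str] = None  # e.g. "ftp": a helper allowed to register expectations

# Active-mode FTP: "PORT h1,h2,h3,h4,p1,p2" tells the server where to connect for data.
PORT_RE = re.compile(rb"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r?\n?$")

class Conntrack:
    def __init__(self, helper_ports: dict[int, str]):
        self.table: dict[Flow, Entry] = {}
        # Expectation: (proto, server ip, client ip, client port); source port unknown in advance.
        self.expectations: set[tuple[str, str, str, int]] = set()
        self.helper_ports = helper_ports

    def _run_helper(self, f: Flow, entry: Entry, payload: bytes) -> None:
        m = PORT_RE.match(payload) if entry.helper == "ftp" else None
        if m is None:
            return
        host = ".".join(m.group(i).decode() for i in range(1, 5))
        port = int(m.group(5)) * 256 + int(m.group(6))
        self.expectations.add(("tcp", f.dst, host, port))  # the server (f.dst) will connect to host:port

    def classify(self, pkt: Packet) -> str:
        f = pkt.flow
        if pkt.icmp_error_for is not None:
            inner = pkt.icmp_error_for  # RELATED only if the quoted packet belongs to a tracked flow
            return "RELATED" if inner in self.table or inner.reverse() in self.table else "INVALID"
        if f in self.table:  # original direction again; retransmits stay NEW until a reply is seen
            entry = self.table[f]
            self._run_helper(f, entry, pkt.payload)
            return "NEW" if entry.unreplied else "ESTABLISHED"
        if f.reverse() in self.table:  # reply direction: clears [UNREPLIED]
            self.table[f.reverse()].unreplied = False
            return "ESTABLISHED"
        # First packet of an unknown flow. No SYN check: NEW is about direction, not TCP flags.
        entry = Entry(helper=self.helper_ports.get(f.dport) if f.proto == "tcp" else None)
        self.table[f] = entry
        key = (f.proto, f.src, f.dst, f.dport)
        if key in self.expectations:
            self.expectations.remove(key)
            return "RELATED"
        self._run_helper(f, entry, pkt.payload)
        return "NEW"

    def is_unreplied(self, f: Flow) -> Optional[bool]:
        entry = self.table.get(f) or self.table.get(f.reverse())
        return None if entry is None else entry.unreplied

def demo() -> list[tuple[str, str]]:
    """Constructed traffic (not a real capture) walked through the tracker; returns (step, state)."""
    ct = Conntrack(helper_ports={21: "ftp"})
    client, dns, ftp, router = "10.0.0.1", "8.8.8.8", "192.0.2.10", "192.0.2.1"
    dns_q = Flow("udp", client, 40000, dns, 53)
    ctl = Flow("tcp", client, 50000, ftp, 21)
    data = Flow("tcp", ftp, 20, client, 200 * 256 + 5)  # 51205, the port announced in PORT below
    stray = Flow("udp", client, 1, "203.0.113.9", 9)    # never seen by the tracker
    icmp = Flow("icmp", router, 0, client, 0)
    steps = [
        ("udp query", Packet(dns_q)),
        ("udp query retransmit", Packet(dns_q)),
        ("udp answer", Packet(dns_q.reverse())),
        ("udp follow-up", Packet(dns_q)),
        ("ftp control open", Packet(ctl)),
        ("ftp banner", Packet(ctl.reverse())),
        ("ftp PORT command", Packet(ctl, b"PORT 10,0,0,1,200,5\r\n")),
        ("ftp data from server", Packet(data)),
        ("ftp data reply", Packet(data.reverse())),
        ("icmp unreachable quoting dns query", Packet(icmp, icmp_error_for=dns_q)),
        ("icmp unreachable quoting unknown flow", Packet(icmp, icmp_error_for=stray)),
    ]
    return [(name, ct.classify(pkt)) for name, pkt in steps]
```

Calling demo() yields NEW, NEW, ESTABLISHED, ESTABLISHED for the DNS exchange, NEW, ESTABLISHED, ESTABLISHED for the FTP control channel, RELATED then ESTABLISHED for the data channel, and RELATED then INVALID for the two ICMP errors. On a real host the same distinctions are visible in `conntrack -L`, where single-direction entries carry [UNREPLIED], and they motivate the usual rule order: accept ESTABLISHED,RELATED first, drop INVALID, then restrict NEW. Two caveats the toy omits: the kernel's TCP tracking can be told to reject mid-stream pickup of non-SYN packets (nf_conntrack_tcp_loose), and recent kernels no longer attach helpers automatically, so a helper such as ftp must be assigned explicitly with the CT target in the raw table.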