Книга: Iptables Tutorial 1.2.2
Conntrack match
Conntrack match
The conntrack match is an extended version of the state match, which makes it possible to match packets in a much more granular way. It let's you look at information directly available in the connection tracking system, without any "frontend" systems, such as in the state match. For more information about the connection tracking system, take a look at the The state machine chapter.
There are a number of different matches put together in the conntrack match, for several different fields in the connection tracking system. These are compiled together into the list below. To load these matches, you need to specify -m conntrack.
Table 10-12. Conntrack match options
Match | --ctstate |
Kernel | 2.5 and 2.6 |
Example | iptables -A INPUT -p tcp -m conntrack --ctstate RELATED |
Explanation | This match is used to match the state of a packet, according to the conntrack state. It is used to match pretty much the same states as in the original state match. The valid entries for this match are: |
• INVALID | |
• ESTABLISHED | |
• NEW | |
• RELATED | |
• SNAT | |
• DNAT | |
The entries can be used together with each other separated by a comma. For example, -m conntrack --ctstate ESTABLISHED,RELATED. It can also be inverted by putting a ! in front of --ctstate. For example: -m conntrack ! --ctstate ESTABLISHED,RELATED, which matches all but the ESTABLISHED and RELATED states. | |
Match | --ctproto |
Kernel | 2.5 and 2.6 |
Example | iptables -A INPUT -p tcp -m conntrack --ctproto TCP |
Explanation | This matches the protocol, the same as the --protocol does. It can take the same types of values, and is inverted using the ! sign. For example, -m conntrack ! --ctproto TCP matches all protocols but the TCP protocol. |
Match | --ctorigsrc |
Kernel | 2.5 and 2.6 |
Example | iptables -A INPUT -p tcp -m conntrack --ctorigsrc 192.168.0.0/24 |
Explanation | --ctorigsrc matches based on the original source IP specification of the conntrack entry that the packet is related to. The match can be inverted by using a ! between the --ctorigsrc and IP specification, such as --ctorigsrc ! 192.168.0.1. It can also take a netmask of the CIDR form, such as --ctorigsrc 192.168.0.0/24. |
Match | --ctorigdst |
Kernel | 2.5 and 2.6 |
Example | iptables -A INPUT -p tcp -m conntrack --ctorigdst 192.168.0.0/24 |
Explanation | This match is used exactly as the --ctorigsrc, except that it matches on the destination field of the conntrack entry. It has the same syntax in all other respects. |
Match | --ctreplsrc |
Kernel | 2.5 and 2.6 |
Example | iptables -A INPUT -p tcp -m conntrack --ctreplsrc 192.168.0.0/24 |
Explanation | The --ctreplsrc match is used to match based on the original conntrack reply source of the packet. Basically, this is the same as the --ctorigsrc, but instead we match the reply source expected of the upcoming packets. This target can, of course, be inverted and address a whole range of addresses, just the same as the the previous targets in this class. |
Match | --ctrepldst |
Kernel | 2.5 and 2.6 |
Example | iptables -A INPUT -p tcp -m conntrack --ctrepldst 192.168.0.0/24 |
Explanation | The --ctrepldst match is the same as the --ctreplsrc match, with the exception that it matches the reply destination of the conntrack entry that matched the packet. It too can be inverted, and accept ranges, just as the --ctreplsrc match. |
Match | --ctstatus |
Kernel | 2.5 and 2.6 |
Example | iptables -A INPUT -p tcp -m conntrack --ctstatus RELATED |
Explanation | This matches the status of the connection, as described in the The state machine chapter. It can match the following statuses. |
• NONE - The connection has no status at all. | |
• EXPECTED - This connection is expected and was added by one of the expectation handlers. | |
• SEEN_REPLY - This connection has seen a reply but isn't assured yet. | |
• ASSURED - The connection is assured and will not be removed until it times out or the connection is closed by either end. | |
This can also be inverted by using the ! sign. For example -m conntrack ! --ctstatus ASSURED which will match all but the ASSURED status. | |
Match | --ctexpire |
Kernel | 2.5 and 2.6 |
Example | iptables -A INPUT -p tcp -m conntrack --ctexpire 100:150 |
Explanation | This match is used to match on packets based on how long is left on the expiration timer of the conntrack entry, measured in seconds. It can either take a single value and match against, or a range such as in the example above. It can also be inverted by using the ! sign, such as this -m conntrack ! --ctexpire 100. This will match every expiration time, which does not have exactly 100 seconds left to it. |
Оглавление статьи/книги
- Addrtype match
- AH/ESP match
- Comment match
- Connmark match
- Conntrack match
- Dscp match
- Ecn match
- Hashlimit match
- Helper match
- IP range match
- Length match
- Limit match
- Mac match
- Mark match
- Multiport match
- Owner match
- Packet type match
- Realm match
- Recent match
- State match
- Tcpmss match
- Tos match
- Ttl match
- Unclean match