Book: Iptables Tutorial 1.2.2

Conntrack match

The conntrack match is an extended version of the state match that lets you match packets in a much more granular way. It looks at the information held directly in the connection tracking system, without the "frontend" abstraction the state match puts in front of it. For more information about the connection tracking system, see the State machine chapter.

A number of different matches, for several different fields of the connection tracking entry, are bundled together in the conntrack match. They are collected in the list below. To load them, specify -m conntrack. Every option can be inverted with !; write the ! before the option name (for example ! --ctstate ESTABLISHED). Current iptables still accepts the older form with the ! between the option and its value, but warns that this "intrapositioned" negation is deprecated.

Table 10-12. Conntrack match options

Match: --ctstate
Kernel: 2.5 and 2.6
Example: iptables -A INPUT -p tcp -m conntrack --ctstate RELATED
Explanation: This match is used to match the state of a packet according to the conntrack system. It covers the same states as the original state match, plus two NAT-related virtual states. The valid entries for this match are:
• INVALID - The packet cannot be associated with any known connection.
• ESTABLISHED - The packet belongs to a connection that has seen packets in both directions.
• NEW - The packet starts a new connection, or belongs to one that has not yet seen packets in both directions.
• RELATED - The packet starts a new connection that is associated with an existing one, such as an FTP data transfer or an ICMP error.
• SNAT - A virtual state, matching if the original source address differs from the reply destination, i.e. the connection has been source NATed.
• DNAT - A virtual state, matching if the original destination address differs from the reply source, i.e. the connection has been destination NATed.
The entries can be combined, separated by commas, for example -m conntrack --ctstate ESTABLISHED,RELATED. A packet matches if it is in any one of the listed states (the list is OR'ed together), so --ctstate NEW,DNAT matches every NEW packet, not only the NATed ones. The match can also be inverted by putting a ! in front of --ctstate. For example, -m conntrack ! --ctstate ESTABLISHED,RELATED matches all but the ESTABLISHED and RELATED states.

Match: --ctproto
Kernel: 2.5 and 2.6
Example: iptables -A INPUT -p tcp -m conntrack --ctproto TCP
Explanation: This matches the protocol of the conntrack entry, the same way --protocol does. It takes the same kinds of values (a name or a protocol number) and is inverted with the ! sign. For example, -m conntrack ! --ctproto TCP matches all protocols but TCP.

Match: --ctorigsrc
Kernel: 2.5 and 2.6
Example: iptables -A INPUT -p tcp -m conntrack --ctorigsrc 192.168.0.0/24
Explanation: --ctorigsrc matches on the source address of the original direction of the conntrack entry the packet belongs to, that is, the address from which the connection was first opened. The match can be inverted by putting a ! before the option, such as ! --ctorigsrc 192.168.0.1. It can also take a netmask in CIDR form, such as --ctorigsrc 192.168.0.0/24.

Match: --ctorigdst
Kernel: 2.5 and 2.6
Example: iptables -A INPUT -p tcp -m conntrack --ctorigdst 192.168.0.0/24
Explanation: This match is used exactly like --ctorigsrc, except that it matches on the destination address of the original direction of the conntrack entry. For a DNATed connection this is the address the client originally sent to, before the translation. It has the same syntax in all other respects.

Match: --ctreplsrc
Kernel: 2.5 and 2.6
Example: iptables -A INPUT -p tcp -m conntrack --ctreplsrc 192.168.0.0/24
Explanation: --ctreplsrc matches on the source address of the reply direction of the conntrack entry, that is, the address from which replies to this connection are expected to come. For an untranslated connection this equals the original destination; for a DNATed connection it is the translated (real) destination, which is what makes this match useful: it sees the host behind the NAT. This match can, of course, be inverted and take a network in CIDR form, just like the other address matches in this class.

Match: --ctrepldst
Kernel: 2.5 and 2.6
Example: iptables -A INPUT -p tcp -m conntrack --ctrepldst 192.168.0.0/24
Explanation: --ctrepldst is the same as --ctreplsrc, except that it matches on the destination address of the reply direction of the conntrack entry, i.e. where replies are sent. For an untranslated connection this equals the original source; for a SNATed connection it is the translated source address. It too can be inverted and accept CIDR ranges, just like --ctreplsrc.

Match: --ctstatus
Kernel: 2.5 and 2.6
Example: iptables -A INPUT -p tcp -m conntrack --ctstatus RELATED
Explanation: This matches the status flags of the connection, as described in the State machine chapter. It can match the following statuses:
• NONE - The connection has no status flags set at all.
• EXPECTED - The connection was expected, i.e. it was added through an expectation set up by one of the conntrack helpers.
• SEEN_REPLY - The connection has seen a reply but is not assured yet.
• ASSURED - The connection is assured: it has seen traffic in both directions (for TCP, the handshake has completed) and will not be evicted early when the conntrack table fills up; it only goes away when its timer expires or the connection is closed by either end.
This can also be inverted with the ! sign. For example, -m conntrack ! --ctstatus ASSURED matches all but the ASSURED status.

Match: --ctexpire
Kernel: 2.5 and 2.6
Example: iptables -A INPUT -p tcp -m conntrack --ctexpire 100:150
Explanation: This match is used to match packets based on how much time is left on the expiration timer of their conntrack entry, measured in seconds. It can take either a single value to match exactly, or a range in the form min:max as in the example above. It can also be inverted with the ! sign, as in -m conntrack ! --ctexpire 100, which matches every entry that does not have exactly 100 seconds left.
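The options above are most useful in combination, because the original and reply tuples let a rule see through NAT. The following ruleset is an added example written for this page, not code from the Iptables Tutorial. It uses hypothetical placeholder addresses (203.0.113.10 as the router's public address, 192.168.0.20 as the internal server, 192.168.0.0/24 as the LAN) and the iptables-restore file format, which this chapter does not introduce; the conntrack table line shown in the comments is a constructed sample.

```shell
#!/bin/sh
# Added example for this page, not code from the Iptables Tutorial. It builds an
# iptables-restore ruleset that polices a DNAT port-forward by the conntrack
# entry's ORIGINAL and REPLY tuples instead of the (already rewritten) packet
# headers. All addresses are hypothetical placeholders.
WAN_IP=${WAN_IP:-203.0.113.10}         # router's public address (assumed)
LAN_SERVER=${LAN_SERVER:-192.168.0.20} # internal host behind the forward (assumed)
LAN_NET=${LAN_NET:-192.168.0.0/24}     # internal network (assumed)

# Constructed sample of how the forwarded connection looks in the conntrack
# table once it is established (layout of /proc/net/nf_conntrack):
#   tcp 6 431999 ESTABLISHED src=198.51.100.7 dst=203.0.113.10 sport=51234 dport=443 \
#       src=192.168.0.20 dst=198.51.100.7 sport=8443 dport=51234 [ASSURED] ...
# First src/dst pair:  ORIGINAL tuple -> --ctorigsrc / --ctorigdst
# Second src/dst pair: REPLY tuple    -> --ctreplsrc / --ctrepldst
# In the FORWARD chain the packet already carries dst=192.168.0.20, so
# "-d 203.0.113.10" can never match there; --ctorigdst still sees the pre-NAT
# destination, and --ctreplsrc exposes the real server behind the DNAT.

conntrack_ruleset() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Public port 443 is forwarded to the internal server's port 8443.
-A PREROUTING -d $WAN_IP -p tcp --dport 443 -j DNAT --to-destination $LAN_SERVER:8443
-A POSTROUTING -s $LAN_NET ! -d $LAN_NET -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# 1. Drop what conntrack cannot classify before any accept rule sees it.
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A FORWARD -m conntrack --ctstate INVALID -j DROP
# 2. Audit connections opened through a conntrack helper (FTP data channels
#    and the like): their first packets are RELATED and the entry is EXPECTED.
-A FORWARD -m conntrack --ctstate RELATED --ctstatus EXPECTED -j LOG --log-prefix "ct-expected: "
# 3. Return and related traffic of tracked connections.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# 4. Admit the forwarded flow only when the entry is the mapping set up above:
#    destination NATed, originally sent to the public address, and answered by
#    the internal server. Rule 3 already took ESTABLISHED/RELATED packets, so
#    only the first packet of each connection reaches this rule.
-A FORWARD -p tcp -d $LAN_SERVER --dport 8443 -m conntrack --ctstate DNAT --ctorigdst $WAN_IP --ctreplsrc $LAN_SERVER -j ACCEPT
# 5. New connections from the LAN towards anywhere.
-A FORWARD -s $LAN_NET -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Parse-check the ruleset against the kernel (needs root), then load it.
apply_ruleset() {
    conntrack_ruleset | iptables-restore --test && conntrack_ruleset | iptables-restore
}

# Checks that need no root: rule ordering and the tuple keys of the DNAT rule.
invalid_drop_first() {
    conntrack_ruleset | grep -- '^-A FORWARD' | head -n 1 | grep -q -- '--ctstate INVALID -j DROP'
}
dnat_rule_keys_on_tuples() {
    conntrack_ruleset | grep -q -- "--ctstate DNAT --ctorigdst $WAN_IP --ctreplsrc $LAN_SERVER"
}

case "${1:-}" in
    print) conntrack_ruleset ;;
    apply) invalid_drop_first && dnat_rule_keys_on_tuples && apply_ruleset ;;
esac
```

Run it with `print` to inspect the generated ruleset, or as root with `apply` to parse-check it with `iptables-restore --test` and load it. The point of rule 4 is that neither `-d 192.168.0.20` nor `-d 203.0.113.10` on its own ties the packet to the port-forward: only the conntrack entry records both the address the client originally asked for and the address that will answer, so a second DNAT rule added later, or a LAN client routed to the same server port, does not slip through the same accept rule.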
