What are the conntrack-tools?
The conntrack-tools are a set of free software userspace tools for Linux that allow system administrators to interact with the Connection Tracking System, which is the kernel module that provides stateful packet inspection for iptables. The conntrack-tools are the userspace daemon conntrackd and the command line interface conntrack.
Why use the conntrack-tools?
The userspace daemon conntrackd can be used to enable high availability of cluster-based stateful firewalls and to collect statistics of stateful firewall use (although ulogd is the preferred option for logging). The command line interface conntrack provides a more flexible interface than the traditional /proc/net/nf_conntrack interface.
What can the conntrack-tools do for me?
The daemon conntrackd covers the specific aspects of stateful Linux firewalls needed to enable high availability solutions, and it can be used as a statistics collector of firewall use as well. The command line interface conntrack provides an interface to add, delete and update flow entries, list current active flows in plain text or XML, list current IPv4 NAT'ed flows, reset counters atomically, flush the connection tracking table and monitor connection tracking events, among many other things.
So, does conntrackd provide an equivalent of OpenBSD's pfsync?
In short, yes. The daemon conntrackd synchronizes the states among several replica firewalls, so you can deploy failover setups with stateful Linux firewalls. However, conntrackd follows different design principles from OpenBSD's pfsync, so they are not strictly equivalent.
Why use the command line tool conntrack instead of /proc/net/ip_conntrack?
There are several good reasons to do so. The /proc interface offers a quite limited interface to the Connection Tracking System, since it only allows you to dump the current active network flows. Instead, conntrack allows you to update network flows without adding a new iptables rule, e.g. update the conntrack mark, or dump the connection tracking table in XML format. Moreover, using the /proc interface to dump the connection tracking table on very busy firewalls, i.e. those with a very large number of connection states, harms performance. Specifically, this becomes a problem if you poll the /proc interface to get firewall statistics. Also, conntrack offers connection event monitoring, which is a feature that the /proc interface does not provide.
Can I use conntrack to "cut" established TCP connections?
In short, yes. You can use conntrack to delete the state entry that represents an established TCP connection without adding an iptables rule. With the appropriate rule-set, the packets of that TCP connection would be blocked and the client will experience a connection hang. Moreover, since conntrack is not dependent on the layer 4 protocol, you can use it to remove non-TCP entries to obtain similar behaviour.
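As an added example (not code from the conntrack-tools project), the following POSIX shell helper parses the plain-text listing produced by conntrack -L and emits one targeted conntrack -D per ESTABLISHED TCP flow addressed to a given peer, keyed on the full original-direction tuple so that only that state entry is removed. The listing is a constructed sample, and the helper name and addresses are assumptions.

```shell
#!/bin/sh
# Constructed sample of `conntrack -L` plain-text output (not captured from a real host).
SAMPLE_FLOWS='tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=203.0.113.5 sport=51234 dport=443 src=203.0.113.5 dst=192.168.1.10 sport=443 dport=51234 [ASSURED] mark=0 use=1
tcp      6 299 ESTABLISHED src=192.168.1.11 dst=203.0.113.5 sport=40022 dport=22 src=203.0.113.5 dst=192.168.1.11 sport=22 dport=40022 [ASSURED] mark=0 use=1
udp      17 29 src=192.168.1.12 dst=198.51.100.9 sport=5353 dport=53 src=198.51.100.9 dst=192.168.1.12 sport=53 dport=5353 mark=0 use=1
tcp      6 117 TIME_WAIT src=192.168.1.13 dst=203.0.113.5 sport=50001 dport=443 src=203.0.113.5 dst=192.168.1.13 sport=443 dport=50001 [ASSURED] mark=0 use=1'

# delete_cmds_for_peer PEER_IP [LISTING]   (hypothetical helper, not part of conntrack-tools)
# Prints one `conntrack -D` per ESTABLISHED TCP entry whose original direction is
# addressed to PEER_IP. -s/-d/--sport/--dport are conntrack's --orig-src/--orig-dst/
# --orig-port-src/--orig-port-dst, so matching on all four selects exactly one entry.
# TIME_WAIT entries and non-TCP entries are deliberately skipped.
delete_cmds_for_peer() {
    peer=$1
    listing=${2:-$SAMPLE_FLOWS}
    printf '%s\n' "$listing" | awk -v peer="$peer" '
        $1 == "tcp" && $4 == "ESTABLISHED" {
            # Fields 5-8 hold the original direction: src= dst= sport= dport=
            split($5, s, "="); split($6, d, "="); split($7, sp, "="); split($8, dp, "=")
            if (d[2] == peer)
                printf "conntrack -D -p tcp -s %s -d %s --sport %s --dport %s\n", s[2], d[2], sp[2], dp[2]
        }'
}

# Dry run over the constructed listing; on a live firewall pass "$(conntrack -L)" as
# the second argument and review the output before piping it into sh.
delete_cmds_for_peer 203.0.113.5
```

Deleting the entry only cuts the connection when the rule-set drops packets that no longer match a tracked state, as the answer above notes; the helper stays a dry run so that list can be reviewed first.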
This tool can be used to search, list, inspect and maintain the connection tracking subsystem of the Linux kernel.
SYNOPSIS
conntrack -L [table] [options] [-z]
conntrack -G [table] parameters
conntrack -D [table] parameters
conntrack -I [table] parameters
conntrack -U [table] parameters
conntrack -E [table] [options]
conntrack -F [table]
conntrack -C [table]
conntrack -S