Iptables Status Detection
The iptables state match is an extended match (loaded with -m state) that classifies each packet by the connection-tracking state of the session it belongs to, so rules can be written in terms of sessions rather than isolated packets.
What is stateful inspection?
Each established connection is described by the following information: source IP address, destination IP address, source port and destination port (together called a socket pair), plus the protocol type, the connection status (for TCP) and a timeout. The firewall calls this information the connection's state. A firewall that can track the state of each connection is called a stateful packet-filtering firewall: in addition to the packet filtering a simple packet filter performs, it keeps a connection-tracking table in its own memory, which gives it more security than a simple packet filter.
TCP is a connection-oriented protocol, and the tracked states map onto its three-way handshake as follows:
NEW: the first request a client sends to open a new connection, for which no entry exists yet in the connection-tracking table (the first packet of the TCP three-way handshake).
ESTABLISHED: after the NEW state, all traffic exchanged until the entry is removed from the connection-tracking table is called established (the second and third handshake packets onward, i.e. an established connection).
INVALID: a packet with an abnormal state, for example SYN=1 ACK=1 RST=1, that cannot be associated with any known connection; such packets are classified as INVALID (unrecognized).
RELATED: a new connection is being initiated, but it is related to an already existing connection.
-m state extension
Enables the connection-tracking table so that connections are recorded, and matches packets on the state of the connection they belong to.
Dedicated option:
--state STATE[,STATE...]
Example: allowing access to ports 22 and 80 on the local host
# iptables -t filter -I INPUT -d 172.16.6.61 -p tcp -m multiport --dports 22,80 -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -t filter -I OUTPUT -s 172.16.6.61 -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
Adjusting the maximum number of connections the connection-tracking table can hold:
/proc/sys/net/nf_conntrack_max
All connections currently being tracked:
/proc/net/nf_conntrack
# cat /proc/net/nf_conntrack
ipv4 2 tcp 6 TIME_WAIT src=172.16.6.62 dst=172.16.6.61 sport=41644 dport=22 src=172.16.6.61 dst=172.16.6.62 sport=22 dport=41644 [ASSURED] mark=0 secmark=0 use=2
ipv4 2 icmp 1 src=172.16.6.62 dst=172.16.6.61 type=8 code=0 id=20325 src=172.16.6.61 dst=172.16.6.62 type=0 code=0 id=20325 mark=0 secmark=0 use=2
ipv4 2 tcp 6 299 ESTABLISHED src=172.16.6.61 dst=172.16.6.11 sport=22 dport=63572 src=172.16.6.11 dst=172.16.6.61 sport=63572 dport=22 [ASSURED] mark=0 secmark=0 use=2
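The dump above is what an operator reads when deciding whether nf_conntrack_max needs raising. The following shell functions, added here as an example and not part of the original post, summarise such a dump by protocol, TCP state and destination port, and express the entry count as a percentage of the tracking limit. The sample dump is constructed to mirror the lines shown above (with timeouts filled in); on a real host feed it `$(cat /proc/net/nf_conntrack)` and `$(cat /proc/sys/net/nf_conntrack_max)` instead.

```shell
#!/bin/sh
# Added example: summarise a conntrack table dump. The sample below is
# constructed for illustration; it is not captured output from the post.
SAMPLE_CONNTRACK='ipv4 2 tcp 6 118 TIME_WAIT src=172.16.6.62 dst=172.16.6.61 sport=41644 dport=22 src=172.16.6.61 dst=172.16.6.62 sport=22 dport=41644 [ASSURED] mark=0 secmark=0 use=2
ipv4 2 icmp 1 29 src=172.16.6.62 dst=172.16.6.61 type=8 code=0 id=20325 src=172.16.6.61 dst=172.16.6.62 type=0 code=0 id=20325 mark=0 secmark=0 use=2
ipv4 2 tcp 6 299 ESTABLISHED src=172.16.6.61 dst=172.16.6.11 sport=22 dport=63572 src=172.16.6.11 dst=172.16.6.61 sport=63572 dport=22 [ASSURED] mark=0 secmark=0 use=2
ipv4 2 tcp 6 431999 ESTABLISHED src=172.16.6.11 dst=172.16.6.61 sport=50211 dport=80 src=172.16.6.61 dst=172.16.6.11 sport=80 dport=50211 [ASSURED] mark=0 secmark=0 use=2'

# Entries per layer-4 protocol (field 3), one "proto count" line each, sorted.
conntrack_by_proto() {
    printf '%s\n' "$1" | awk 'NF > 0 { n[$3]++ } END { for (p in n) print p, n[p] }' | sort
}

# TCP entries per tracked state (field 6 on tcp lines), sorted.
conntrack_tcp_states() {
    printf '%s\n' "$1" | awk '$3 == "tcp" { n[$6]++ } END { for (s in n) print s, n[s] }' | sort
}

# Entries whose original-direction destination port (the first dport= field)
# equals $2, i.e. connections opened towards a given local service.
conntrack_count_dport() {
    printf '%s\n' "$1" | awk -v p="$2" '
        { for (i = 1; i <= NF; i++) if ($i ~ /^dport=/) { split($i, kv, "="); if (kv[2] == p) c++; break } }
        END { print c + 0 }'
}

# Percentage of the tracking limit in use: $1 is the dump, $2 is nf_conntrack_max.
# Once this approaches 100, new connections are dropped by the kernel.
conntrack_usage_pct() {
    entries=$(printf '%s\n' "$1" | grep -c .)
    echo $(( entries * 100 / $2 ))
}

# Demonstration on the constructed sample.
echo "by protocol:";   conntrack_by_proto "$SAMPLE_CONNTRACK"
echo "tcp states:";    conntrack_tcp_states "$SAMPLE_CONNTRACK"
echo "towards port 22: $(conntrack_count_dport "$SAMPLE_CONNTRACK" 22)"
echo "table usage with max=16: $(conntrack_usage_pct "$SAMPLE_CONNTRACK" 16)%"
```

The state breakdown is the useful signal: a table dominated by TIME_WAIT or SYN_RECV entries rather than ESTABLISHED ones points at connection churn or half-open connections, which is addressed by tuning the per-state timeouts rather than only raising the global maximum.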
Conntrack
Check whether the conntrack module is loaded:
# lsmod | grep nf_conntrack
nf_conntrack_ipv4 9506 4
nf_defrag_ipv4 1483 1 nf_conntrack_ipv4
nf_conntrack 80390 2 nf_conntrack_ipv4,xt_state
Under high concurrency it is recommended either to unload the module or to raise its maximum number of tracked connections. Note that, as the lsmod output above shows, nf_conntrack is held by nf_conntrack_ipv4 and xt_state, so the rules using -m state must be removed and the dependent modules unloaded before nf_conntrack itself can be removed:
# modprobe -r nf_conntrack_ipv4
# modprobe -r nf_conntrack
# modprobe -r nf_defrag_ipv4
Timeout settings for the different tracked protocols and connection types live under:
/proc/sys/net/netfilter/
How to allow the FTP service in passive mode:
(1) Load the helper module:
# modprobe nf_conntrack_ftp
(2) Allow the request traffic:
Allow inbound requests to port 21 (the NEW state of the control connection);
Allow all inbound traffic in the ESTABLISHED and RELATED states (the passive data connection is matched as RELATED through the helper);
(3) Allow the outbound responses:
Allow all outbound traffic in the ESTABLISHED state.
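The steps above, and the earlier port 22/80 example, as one rule set. This is an added example and not the post's own script: it prints the commands instead of applying them, so the set can be reviewed and then piped into sh as root. HOST_IP is an assumed placeholder defaulting to the post's 172.16.6.61. The OUTPUT rule is tightened to ESTABLISHED only, since a server replying to clients never originates NEW connections on those ports. The raw-table CT rule is added because on kernels from 4.7 onward automatic helper assignment is off by default (net.netfilter.nf_conntrack_helper=0), and without it the data connection is never classified as RELATED.

```shell
#!/bin/sh
# Added example: generate (not apply) a stateful rule set for SSH/HTTP and
# passive FTP. HOST_IP is an assumption; override it in the environment.
HOST_IP="${HOST_IP:-172.16.6.61}"

# Rules for ordinary TCP services: NEW,ESTABLISHED inbound to the listed
# ports, ESTABLISHED only for the replies.
service_rules() {
    ip="$1"; ports="$2"
    cat <<EOF
iptables -t filter -A INPUT -d $ip -p tcp -m multiport --dports $ports -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -t filter -A OUTPUT -s $ip -p tcp -m state --state ESTABLISHED -j ACCEPT
EOF
}

# Rules for passive-mode FTP: load the helper, bind it to the control port in
# the raw table, then allow NEW on port 21 and ESTABLISHED,RELATED inbound.
ftp_passive_rules() {
    ip="$1"
    cat <<EOF
modprobe nf_conntrack_ftp
iptables -t raw -A PREROUTING -d $ip -p tcp --dport 21 -j CT --helper ftp
iptables -t filter -A INPUT -d $ip -p tcp --dport 21 -m state --state NEW -j ACCEPT
iptables -t filter -A INPUT -d $ip -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A OUTPUT -s $ip -m state --state ESTABLISHED -j ACCEPT
EOF
}

# Full set for one host; $2 is the comma-separated service port list.
all_rules() {
    service_rules "$1" "$2"
    ftp_passive_rules "$1"
}

# Number of iptables commands in the full set, for a sanity check before applying.
rule_count() {
    all_rules "$1" "$2" | grep -c '^iptables '
}

# Print the set for review (apply with: sh script.sh | sudo sh).
all_rules "$HOST_IP" 22,80
```

Order matters when these are appended with -A: the ESTABLISHED,RELATED rule is what admits the data connection, so it must sit in INPUT before any final DROP rule, and the raw-table CT rule must precede connection tracking, which is why it goes in PREROUTING of the raw table rather than in filter.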
How to save and reload rules:
Save:
(1) service iptables save
writes the rules to the /etc/sysconfig/iptables file;
(2) iptables-save > /path/to/somefile
This article is from the "Stupid Kid" blog; please keep this source when reproducing it: http://1066875821.blog.51cto.com/2375046/1650424