Iptables configure NOTRACK and TRACK of conntrack

Source: Internet
Author: User


Iptables itself has no TRACK target, so you cannot directly specify a whitelist of packets that the conntrack module should process. For example, suppose I want this: track packets only when the source address is in 192.168.10.0/16, and do not track anything else.

Of course, you can meet that requirement with the following configuration:

iptables -t raw -A PREROUTING ! -s 192.168.10.0/16 -j NOTRACK

... plus similar NOTRACK rules with -d in place of -s.

What if the requirement is more complex? For example, besides the source-address restriction there are also protocol and port conditions.

Anyone familiar with access control list (ACL) design knows that an ACL "AND" is implemented within a single rule, while an "OR" is implemented by multiple rules. So all of the complicated requirements above can be met, and even putting the "single rule for AND, multiple rules for OR" principle aside, you can configure arbitrarily complicated rules to satisfy arbitrarily complicated requirements.

But is there a simpler way? Of course: implement a target that does the opposite of NOTRACK, a TRACK target. Its implementation simply clears the untracked conntrack entry that NOTRACK attached to the skb. With it, when I need a tracking whitelist, I can do this:

iptables -t raw -A PREROUTING -j NOTRACK

iptables -t raw -A PREROUTING $mt1 $mt2 ... -j TRACK    # matches within one rule: AND

...                                                     # multiple rules: OR

iptables -t raw -A PREROUTING $mt'1 $mt'2 ... -j TRACK

OK. That's it. Very simple.
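As an added illustration (not code from the original post), here is a small Python model of the raw-table chain described above: matches inside a rule are ANDed, separate rules act as an OR, and NOTRACK and TRACK are modelled as non-terminating targets that clear and restore the packet's tracked flag, which the whitelist scheme relies on. The second TRACK rule and the sample packets are constructed; TRACK is the custom target discussed in the text, not a stock iptables target.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

@dataclass
class Rule:  # one raw/PREROUTING rule; every match it carries must hold (AND)
    target: str                      # "NOTRACK", or the custom "TRACK" from the text
    src: Optional[str] = None        # -s CIDR
    proto: Optional[str] = None      # -p
    dport: Optional[int] = None      # --dport (real iptables needs -p alongside it)
    negate_src: bool = False         # "! -s"

    def matches(self, pkt: dict) -> bool:
        checks = []
        if self.src is not None:
            # strict=False so a prefix with host bits set (192.168.10.0/16) is accepted
            in_net = ip_address(pkt["src"]) in ip_network(self.src, strict=False)
            checks.append(in_net != self.negate_src)
        if self.proto is not None:
            checks.append(pkt.get("proto") == self.proto)
        if self.dport is not None:
            checks.append(pkt.get("dport") == self.dport)
        return all(checks)           # an empty match list matches everything

    def render(self) -> str:
        parts = ["iptables", "-t", "raw", "-A", "PREROUTING"]
        if self.src is not None:
            parts += (["!"] if self.negate_src else []) + ["-s", self.src]
        if self.proto is not None:
            parts += ["-p", self.proto]
        if self.dport is not None:
            parts += ["--dport", str(self.dport)]
        return " ".join(parts + ["-j", self.target])

def is_tracked(chain: List[Rule], pkt: dict) -> bool:
    """Walk the chain in order: NOTRACK clears, TRACK restores; neither terminates."""
    tracked = True                   # default: conntrack processes every packet
    for rule in chain:
        if rule.matches(pkt):
            tracked = rule.target == "TRACK"
    return tracked

# Whitelist scheme from the text: NOTRACK everything, then TRACK the allowed traffic.
# Matches inside each TRACK rule are ANDed; the two TRACK rules together act as an OR.
WHITELIST = [
    Rule("NOTRACK"),
    Rule("TRACK", src="192.168.10.0/16", proto="tcp", dport=80),
    Rule("TRACK", src="10.0.0.0/8", proto="udp", dport=53),   # constructed second entry
]
# Single-rule form from the text, only possible when the whitelist is one source range.
NEGATED = [Rule("NOTRACK", src="192.168.10.0/16", negate_src=True)]
```

Calling `render()` on each rule prints the equivalent iptables command lines, and `is_tracked()` tells you whether a given packet would reach conntrack under either chain.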

Note, however, that iptables has no built-in OR operation, which is fully in line with the ACL concept: to implement an OR, you configure multiple rules. In fact, most authentication systems share this idea, and looking at logical expressions in the C language we find the same one. For an AND operation the order of the terms is irrelevant, because every term has to be evaluated once. For an OR operation the computational cost depends on the order: as soon as one term evaluates to "true", evaluation stops. (The internal details depend on the implementation, of course.) So an AND is closed and can therefore be contained in a single statement, whereas an OR is not closed, and you do not know in advance where the evaluation will end.
