Home > Others

iptables configuring Conntrack's Notrack and track

Source: Internet
Author: User
Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more >

Iptables itself does not have track target so that you cannot specify a whitelist of packets that need to be processed by the Conntrack module, for example, I would like to implement: except for the source IP is the 192.168.10.0/16 network segment needs to be track, the others do not track.
Of course, you can implement my requirements through the following configuration:
iptables-t raw-a prerouting!-S 192.168.10.0/16-j notrack
... Reverse Notrack Similar,-s swap-D
What if it's a little more complicated? For example, in addition to the source IP restrictions, there are protocols, ports and so on.
Familiar with the access control list design is aware that the "and" operation of the ACL can be implemented in a single rule, while the "or" operation is implemented by a number of rules, so apply to the above-mentioned arbitrarily complex requirements, can be done, even throw away "single and/Multiple or" principle, Simply expanding the Ipset can also be well configured to meet arbitrarily complex requirements with arbitrarily complex rules.
But is there a simpler way? Of course, it is possible to achieve a target that is opposite to Notrack, that is, track target. Its implementation is to remove the untracked conn that have been attached to the SKB. So when I need to add a track whitelist, I can do this:
Iptables-t raw-a prerouting-j Notrack
Iptables-t raw-a prerouting $mt 1 $mt 2 ...-j track # single matches and operations
... # multiple matches or operations
Iptables-t raw-a prerouting $mt ' 1 $mt ' 2 ...-j track
OK, that's it, it's simple.
However, Iptables does not have built-in or operations that are fully compliant with the ACL concept, which, if you want to implement or configure multiple rules, in fact most of the authentication systems are the same idea. Look at the logical judgment of the C language will find the same idea, if it is and operation, the statement is not related to the order, because the final must be computed every statement all over again, if it is an OR operation, the calculation efficiency is related to the order, as long as the "true" value, the calculation can be completed, of course, internal details and implementation Therefore, for and operations, because it is closed, a statement can be included, but or is not closed, you do not know where the calculation will end.

iptables configuring Conntrack's Notrack and track

This article is an English version of an article which is originally in the Chinese language on aliyun.com and is provided for information purposes only. This website makes no representation or warranty of any kind, either expressed or implied, as to the accuracy, completeness ownership or reliability of the article or any translations thereof. If you have any concerns or complaints relating to the article, please send an email, providing a detailed description of the concern or complaint, to info-contact@alibabacloud.com. A staff member will contact you within 5 working days. Once verified, infringing content will be removed immediately.

Related Keywords:
installing and configuring windows server 2012 r2 exam 70 410 installing and configuring windows server 2012 installing and configuring windows server 2012 r2 pdf 70 410 installing and configuring windows server 2012 configuring apache server configuring google analytics man iptables

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

What's Trending
Top 10 Tags
datastax versions naming convention zookeeper client class definition md5 microsoft sql server 2005 data structures exception handling error handling
Top 10 Keywords
microsoft download center down wordpress address url site address url wordpress address url windows installer 4 0 download 302 not found web address url definition site address url wordpress db2 integer mac os installation step by step pdf abbreviation for return

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

Get Started for Free

  • Sales Support

    1 on 1 presale consultation

    Chat Contact Sales

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

    Open a Ticket

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

    Learn More