iptables itself has no "track" target, so you cannot directly specify a whitelist of packets that conntrack should process. For example, suppose I want only packets whose source IP is in 192.168.10.0/16 to be tracked and everything else left untracked.
That particular requirement can of course be met with the following rule:
iptables -t raw -A PREROUTING ! -s 192.168.10.0/16 -j NOTRACK
(One check worth making: iptables normalises 192.168.10.0/16 to 192.168.0.0/16, so if only the 192.168.10.x subnet is meant, the prefix should be /24.) The reverse, removing the NOTRACK rule again, is the same command with -A replaced by -D.
What if the requirement is a little more complex? For example, besides the source-IP restriction there are protocol, port and other conditions.
Anyone familiar with access-control-list design knows that the "and" of several conditions is expressed inside a single rule, while "or" is expressed as several rules, so arbitrarily complex requirements of the kind above can be written this way. You can even set the "single rule = and, multiple rules = or" principle aside: expanding the conditions into ipset sets also handles arbitrarily complex requirements with arbitrarily complex rules perfectly well.
But is there a simpler way? Yes: implement a target that is the opposite of NOTRACK, a "track" target. Its implementation simply removes the untracked conntrack reference that NOTRACK attached to the skb, so the conntrack hook later in the path sees the packet as unmarked and tracks it normally. (This is a custom target; stock iptables only ships NOTRACK, which in current iptables is equivalent to -j CT --notrack.) With it, a track whitelist becomes:
iptables -t raw -A PREROUTING -j NOTRACK
iptables -t raw -A PREROUTING $mt1 $mt2 ... -j track    # matches within one rule are "and"ed
...                                                      # further rules are "or"ed
iptables -t raw -A PREROUTING $mt'1 $mt'2 ... -j track
That is all there is to it. It relies on one detail worth checking: NOTRACK is a non-terminating target (it returns XT_CONTINUE), so after the first rule marks a packet untracked, the packet keeps traversing the raw chain and can still reach a later track rule. If NOTRACK ended chain traversal, the whitelist rules would never be evaluated.
However, iptables has no built-in "or" that matches the ACL concept exactly; if you want "or", you configure several rules, and most access-control systems in fact take the same approach. Look at logical expressions in C and you will find the same idea: for an "and", the order of the operands does not affect the result, since the expression is only true once every operand has been checked; for an "or", the order affects efficiency, because evaluation can stop as soon as one operand is true (implementation details vary, but the principle holds). So an "and" is closed: it can be contained in a single statement, or a single iptables rule. An "or" is open: you do not know in advance at which rule evaluation will end, so the rules that match the most traffic belong first.
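The whitelist layouts above, generated from a list of clauses, as an added example that is not code from the original post. The function gen_track_whitelist is mine; its "stock" mode builds the whitelist with only upstream targets (a -j ACCEPT per clause in the raw table ends the raw-chain traversal and the packet goes on to conntrack, followed by a catch-all -j NOTRACK), while its "track" mode emits the post's layout using the author's custom track target. The clauses, addresses and ports in the demo call are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post.
# gen_track_whitelist MODE CLAUSE...
#   Emits an iptables-restore ruleset for the raw table in which only the
#   whitelisted traffic is tracked by conntrack. Each CLAUSE is one rule's
#   worth of iptables matches ("and"ed inside the rule); the clauses are
#   "or"ed by being emitted as separate rules, one per clause.
#   MODE=stock : clause rules -> -j ACCEPT (ACCEPT ends raw-chain traversal
#                and the packet proceeds to conntrack), then a catch-all
#                -j NOTRACK. Loads on unmodified iptables.
#   MODE=track : the post's layout: catch-all -j NOTRACK first, then one
#                -j track rule per clause. "track" is the author's custom
#                target, so this output only loads where that module exists.
set -u

gen_track_whitelist() {
    local mode=$1 clause
    shift
    printf '%s\n' '*raw' ':PREROUTING ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]'
    case $mode in
        stock)
            for clause in "$@"; do
                printf '%s\n' "-A PREROUTING $clause -j ACCEPT"
            done
            printf '%s\n' '-A PREROUTING -j NOTRACK'
            ;;
        track)
            printf '%s\n' '-A PREROUTING -j NOTRACK'
            for clause in "$@"; do
                printf '%s\n' "-A PREROUTING $clause -j track"
            done
            ;;
        *)
            printf 'gen_track_whitelist: unknown mode %s\n' "$mode" >&2
            return 1
            ;;
    esac
    printf '%s\n' 'COMMIT'
}

# Demo with constructed clauses: track traffic from 192.168.10.0/16 (the
# post's example) OR TCP to port 22 from 10.0.0.0/8; everything else is
# left untracked.
gen_track_whitelist stock \
    '-s 192.168.10.0/16' \
    '-p tcp --dport 22 -s 10.0.0.0/8'
```

Feed the output to iptables-restore to load it, or to iptables-restore --test to syntax-check it without committing. Because clauses are emitted in order and evaluation stops at the first clause that fires, put the clause that matches the most traffic first. After loading, -m conntrack --ctstate UNTRACKED in a later table shows which packets the catch-all actually caught.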
iptables: configuring conntrack NOTRACK and track