Preface
The ESTABLISHED state of the iptables connection-tracking (state) module was discussed in an earlier post (http://waringid.blog.51cto.com/65148/512140). Besides that state, iptables recognises the states described below, which are covered one at a time. The network layout used for the experiments is shown in the figure.
NEW
To understand the NEW state, first note that NEW is independent of the protocol: it refers to the first packet of each connection. In the figure, the client host uses TCP port 50000 to connect to TCP port 22 on the server, and the first packet of that connection has the state NEW. The same holds when the client connects from TCP port 50001 to TCP port 22 on the server, when the client's UDP port 50000 sends to UDP port 53 on the server, and when the client sends an ICMP packet to the server. In every one of these cases the first packet has the state NEW.
RELATED
Windows has a tracert command that reports the number of routers between two hosts. Its working principle is simple: it relies on the TTL (time to live) value of the IP packet. The TTL is how long a packet may survive on the network; originally it was measured in seconds, but today it means the number of hops the packet may still cross.
This example shows how tracert counts the routers between the leftmost host, Host1, and the rightmost host, host2. First, tracert sends a packet whose destination address is the IP address of host2 and whose TTL is set to 1. The packet reaches the first router H1, which decrements the TTL by 1 on receipt. The TTL becomes 0, which means the packet's lifetime is exhausted, so H1 discards it and returns an ICMP type 11 (Time to live exceeded) packet to Host1, telling it that "the packet you sent was discarded because its lifetime ran out". From this reply, tracert learns the IP address of the first router H1.
Tracert then sends a second packet, this time with the TTL deliberately set to 2. The packet reaches H1, which decrements the TTL to 1. Since the TTL is not 0, the lifetime is not exhausted, and H1 forwards the packet to the second router H2. When H2 decrements the TTL, it becomes 0, which means the lifetime is exhausted, so H2 drops the packet and sends an ICMP type 11 (Time to live exceeded) back to Host1, telling it that "the packet you sent has reached the end of its lifetime". From this reply, tracert learns the IP address of the second router H2.
Tracert then sends a third packet with the TTL deliberately set to 3. H1 decrements the TTL to 2 and, since it is not 0, forwards the packet to H2. H2 decrements the TTL to 1 and, since it is still not 0, forwards the packet to the third router H3. When H3 decrements the TTL, it becomes 0, which means the lifetime is exhausted, so H3 drops the packet and sends an ICMP type 11 (Time to live exceeded) back to Host1, telling it that "the packet you sent has reached the end of its lifetime". From this reply, tracert learns the IP address of the third router H3. In this way tracert collects the number of routers on the whole path and their IP addresses.
Having seen how tracert works, we can see which packets are in the RELATED state. For example, the final "Destination reached!" reply is a packet in the RELATED state. A packet in the RELATED state is a "passively generated response packet that does not belong to any existing connection". For example, Host1 sends a TCP packet (1 in the figure). Router H1 discards it because its lifetime is exhausted. TCP is connection-oriented, and the ICMP packet that H1 returns to Host1 is clearly a separate connection: it was generated because of the first connection, yet it does not belong to any existing connection.
The example above uses an ICMP packet, but the RELATED state is not tied to any protocol: "whenever a packet sent from the local machine causes a new connection to be generated in response, all packets of that new connection belong to the RELATED state".
INVALID
Packets in the INVALID state belong to none of ESTABLISHED, NEW or RELATED. They are usually treated as malicious and dropped.
The INVALID state can be tested with the powerful NMAP scanner. All of its options are documented on its home page (http://nmap.org/); it is open-source software and also supports Windows.
The following command can be used:
For the connection states of the TCP protocol itself, refer to RFC 793 (http://www.ietf.org/rfc/rfc793.txt). Note that the protocol's connection states and the four connection states of iptables must not be confused; they are different concepts.
TCP SYN scanning is relatively unobtrusive and hard to notice because it never completes the TCP connection. Unlike the FIN/Null/Xmas, Maimon and idle scans, which depend on the quirks of specific platforms, it works against any compliant TCP stack. It also distinguishes clearly between the open, closed and filtered states. It is often called half-open scanning because it does not open a full TCP connection: it sends a SYN packet, as if it really wanted to open a connection, and waits for the response. A SYN/ACK means the port is listening (open); an RST means nothing is listening. If there is no response after repeated transmissions, the port is marked filtered. If an ICMP unreachable error is received (type 3, e.g. code 10 or 13), the port is also marked filtered.
NEW state test
For details of the test environment, see the earlier post on the connection states of the iptables state module (http://waringid.blog.51cto.com/65148/512140).
The IP address of the test1 host is 11.0.0.200, and its ssh service is enabled. Its firewall settings are as follows:
The IP address of the test2 host is 173.16.0.200, and its iptables OUTPUT chain is set to block traffic. With this in place, ping the gateway and connect to the test1 host with ssh. The result is as follows:
As the output shows, the test1 host cannot be pinged once the preceding rules are in place. Now allow the NEW state and check the result again, as shown below:
After the preceding command is executed, the service requests succeed normally. This confirms that iptables filtered the traffic as intended.
RELATED Test
The setup is the same as in the tests above: the test1 host opens all services, and the test2 host (173.16.0.200) is configured as follows. With these settings, the traceroute command cannot receive the expected reply packets:
Now allow the RELATED state and view the result, as shown below:
After this change, traceroute returns the correct result, while ping and ssh still fail. This is exactly the behaviour of the RELATED state.
The four iptables states have many applications. This post only sketches the situation in which each state applies; specific applications will be covered in a later post.
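As an added example (not code from the original post), the following Python model shows how the conntrack state match assigns the four states to the packets discussed in the RELATED and INVALID sections and in the two tests: a traceroute probe and the ICMP time-exceeded error it triggers, an ssh connection and its reply, and packets that belong to no tracked connection. All packets are constructed; the gateway address 173.16.0.1, the probe ports and the outside addresses are assumptions.

```python
# Minimal model of the iptables conntrack state match (NEW / ESTABLISHED / RELATED /
# INVALID). Added example, not the original post's code; every packet is constructed.
TCP, UDP, ICMP = "tcp", "udp", "icmp"

def _reverse(t):
    """Flip a 5-tuple (proto, src, sport, dst, dport) into the reply direction."""
    proto, src, sport, dst, dport = t
    return (proto, dst, dport, src, sport)

class ConnTracker:
    def __init__(self):
        self.table = set()  # tracked connections, stored in their original direction

    def _known(self, t):
        return t in self.table or _reverse(t) in self.table

    def classify(self, pkt):
        """pkt: dict with 'tuple' plus 'flags' (TCP) or 'type' and 'inner' (ICMP)."""
        t = pkt["tuple"]
        # ICMP errors (type 3 unreachable, type 11 time exceeded) quote the packet
        # that triggered them: RELATED if that packet belongs to a tracked
        # connection, INVALID if the quoted packet was never seen.
        if t[0] == ICMP and pkt.get("type") in (3, 11):
            inner = pkt.get("inner")
            return "RELATED" if inner and self._known(inner) else "INVALID"
        if self._known(t):  # any later packet of a tracked connection, either direction
            return "ESTABLISHED"
        if t[0] == TCP and pkt.get("flags") != "SYN":  # TCP may only open with a SYN
            return "INVALID"
        self.table.add(t)  # first packet of a connection
        return "NEW"

def demo():
    """Replay the post's scenarios (test2 = 173.16.0.200, test1 = 11.0.0.200;
    the gateway address 173.16.0.1 is assumed) and return each packet's state."""
    ct = ConnTracker()
    probe = (UDP, "173.16.0.200", 40000, "11.0.0.200", 33434)  # traceroute probe
    ssh = (TCP, "173.16.0.200", 50000, "11.0.0.200", 22)
    packets = [
        {"tuple": probe},                                             # NEW
        {"tuple": (ICMP, "173.16.0.1", 0, "173.16.0.200", 0),
         "type": 11, "inner": probe},                                 # RELATED (TTL exceeded)
        {"tuple": ssh, "flags": "SYN"},                               # NEW
        {"tuple": _reverse(ssh), "flags": "SYN-ACK"},                 # ESTABLISHED
        {"tuple": (TCP, "192.0.2.10", 4444, "11.0.0.200", 22), "flags": "ACK"},  # INVALID
        {"tuple": (ICMP, "198.51.100.7", 0, "11.0.0.200", 0), "type": 3,
         "inner": (UDP, "11.0.0.200", 1, "198.51.100.7", 1)},         # INVALID (unsolicited)
    ]
    return [ct.classify(p) for p in packets]
```

Calling `demo()` returns the state list in packet order; the last two entries show why a firewall that accepts only ESTABLISHED and RELATED drops both a stray ACK and an ICMP error that quotes a packet the host never sent.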
This article is from the "virtual reality" blog. For more information, contact the author!