1. What is state detection
Each network connection is described by the following information: source address, destination address, source port and destination port (together called the socket pair), protocol type, connection state (for TCP), timeout, and so on. A firewall that records this information is called stateful, and a firewall that checks each packet against the state of its connection is called a stateful packet filtering firewall. Besides doing everything a simple packet filtering firewall does, it maintains a table in its own memory that tracks the state of every connection, which makes it more secure than a simple packet filter.
Stateful detection in iptables is implemented by the state match module. The iptables manual describes this option as follows:
state
This module is able to track the connection state of a packet (i.e. state detection).
--state state
Here state is a comma-separated list of connection states to match. Valid states are: INVALID, meaning the packet could not be associated with any known connection; ESTABLISHED, meaning the packet belongs to a connection that has already carried traffic in both directions, i.e. the connection is established; NEW, meaning the packet starts a new connection, or belongs to a connection that has not yet seen traffic in both directions; and RELATED, meaning the packet starts a new connection that is associated with an existing one, for example an FTP data connection is RELATED to its control connection.
Connection state is tracked in the PREROUTING chain, and in the OUTPUT chain for locally generated packets. Fragments are reassembled before state detection takes place; this is why the ipchains ip_always_defrag switch no longer exists in iptables.
The state table for UDP and TCP connections is kept in /proc/net/ip_conntrack. We explain its contents later.
The maximum number of connections the state table can hold is stored in /proc/sys/net/ipv4/ip_conntrack_max; its default value depends on the physical memory of the machine.
2. How does iptables state detection work?
2.1 iptables overview
Before discussing iptables state detection, let us look at the NetFilter framework as a whole. When a packet is forwarded between two network interfaces, it is checked against the rule chains in the following order:
PREROUTING chain
If needed, destination network address translation (DNAT) and mangle processing are applied to the packet. At the same time, the iptables state detection mechanism reassembles the packet and tracks its state, deciding one of the following:
whether the packet matches a connection already ESTABLISHED in the state table;
whether it is an ICMP packet RELATED to a UDP/TCP connection in the state table;
whether the packet initiates a NEW connection;
if the packet cannot be associated with any connection, it is considered INVALID.
FORWARD chain
The packet's state is matched against the rules in the filter table; if the packet matches none of the rules, the chain's default policy is applied.
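As an added illustration (not code from the original article), the following Python model replays the PREROUTING tracking decisions listed above and then the FORWARD chain: it classifies each packet as NEW, ESTABLISHED, RELATED or INVALID against a small in-memory state table, then applies --state style rules with a default policy. The rule set, the addresses and the simplified TCP/ICMP handling are assumptions made for the example, not the kernel's real conntrack logic.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str                  # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False           # TCP SYN flag: the segment opens a connection
    icmp_error: tuple = None    # ICMP error: (proto, src, sport, dst, dport) of the packet it quotes

def conn_key(proto, src, sport, dst, dport):
    # Direction-independent identity: request and reply map to the same table entry
    return (proto, frozenset([(src, sport), (dst, dport)]))

class ConnTracker:
    """Toy version of the kernel state table (the real one is shown in /proc/net/ip_conntrack)."""
    def __init__(self):
        self.table = {}         # socket pair -> who opened it and whether a reply was seen

    def classify(self, pkt: Packet) -> str:
        if pkt.proto == "icmp" and pkt.icmp_error is not None:
            # An ICMP error is RELATED only if the packet it quotes belongs to a tracked connection
            return "RELATED" if conn_key(*pkt.icmp_error) in self.table else "INVALID"
        k = conn_key(pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        entry = self.table.get(k)
        if entry is None:
            if pkt.proto == "tcp" and not pkt.syn:
                return "INVALID"    # mid-stream TCP segment with no known connection
            self.table[k] = {"originator": pkt.src, "replied": False}
            return "NEW"
        if pkt.src != entry["originator"]:
            entry["replied"] = True  # traffic has now been seen in both directions
        return "ESTABLISHED" if entry["replied"] else "NEW"

# FORWARD chain modelled as (states, destination port or None, target); first match wins
FORWARD_RULES = [
    ({"ESTABLISHED", "RELATED"}, None, "ACCEPT"),  # replies and related traffic
    ({"NEW"}, 80, "ACCEPT"),                       # only new connections to port 80
]
DEFAULT_POLICY = "DROP"

def forward(tracker: ConnTracker, pkt: Packet) -> tuple:
    """Track the packet (PREROUTING), then walk the FORWARD chain; return (state, verdict)."""
    state = tracker.classify(pkt)
    for states, dport, target in FORWARD_RULES:
        if state in states and (dport is None or pkt.dport == dport):
            return state, target
    return state, DEFAULT_POLICY
```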