runsisi's technical notes

conntrack

2020-01-04 runsisi #tcp/ip

Enabling conntrack

Load the conntrack module (if the iptables rules in use reference conntrack-related match or target modules, the kernel module is loaded automatically):

# modprobe nf_conntrack_ipv4

Viewing connection information

# cat /proc/net/nf_conntrack
ipv4     2 tcp      6 431999 ESTABLISHED src=10.0.2.2 dst=10.0.2.15 sport=58994 dport=22 src=10.0.2.15 dst=10.0.2.2 sport=22 dport=58994 [ASSURED] mark=0 secctx=system_u:object_r:unlabeled_t:s0 zone=0 use=2
ipv4     2 tcp      6 431938 ESTABLISHED src=10.0.2.2 dst=10.0.2.15 sport=43708 dport=22 src=10.0.2.15 dst=10.0.2.2 sport=22 dport=43708 [ASSURED] mark=0 secctx=system_u:object_r:unlabeled_t:s0 zone=0 use=2
# conntrack -L
tcp      6 431999 ESTABLISHED src=10.0.2.2 dst=10.0.2.15 sport=58994 dport=22 src=10.0.2.15 dst=10.0.2.2 sport=22 dport=58994 [ASSURED] mark=0 secctx=system_u:object_r:unlabeled_t:s0 use=1
tcp      6 431882 ESTABLISHED src=10.0.2.2 dst=10.0.2.15 sport=43708 dport=22 src=10.0.2.15 dst=10.0.2.2 sport=22 dport=43708 [ASSURED] mark=0 secctx=system_u:object_r:unlabeled_t:s0 use=1
conntrack v1.4.4 (conntrack-tools): 3 flow entries have been shown.

Setting timeout parameters

The connection timeouts used by conntrack can be configured through the nf_conntrack_*_timeout_* sysctl options under /proc/sys/net/netfilter/, or a timeout policy can be created with the nfct command; the defaults can be shown with nfct default-get:

# nfct default-get timeout inet tcp
        .l3proto = 2,
        .l4proto = 6,
        .policy = {
                .SYN_SENT = 120,
                .SYN_RECV = 60,
                .ESTABLISHED = 432000,
                .FIN_WAIT = 120,
                .CLOSE_WAIT = 60,
                .LAST_ACK = 30,
                .TIME_WAIT = 120,
                .CLOSE = 10,
                .SYN_SENT2 = 120,
                .RETRANS = 300,
                .UNACKNOWLEDGED = 300,
        },
};
# nfct default-get timeout inet udp
        .l3proto = 2,
        .l4proto = 17,
        .policy = {
                .UNREPLIED = 30,
                .REPLIED = 180,
        },
};
# nfct default-get timeout inet icmp
        .l3proto = 2,
        .l4proto = 1,
        .policy = {
                .TIMEOUT = 30,
        },
};

A custom policy can then be attached to matching connections through the iptables CT target in the raw table, giving per-rule control over connection timeouts:

# nfct add timeout udp-policy1 inet udp REPLIED 300
# nfct list timeout
.udp-policy1 = {
        .l3proto = 2,
        .l4proto = 17,
        .policy = {
                .UNREPLIED = 30,
                .REPLIED = 300,
        },
};
# iptables -t raw -A PREROUTING -p udp -m udp -j CT --timeout udp-policy1
# iptables -t raw -S
-P PREROUTING ACCEPT
-P OUTPUT ACCEPT
-A PREROUTING -p udp -m udp -j CT --timeout udp-policy1

Observing network connections

Create a new connection (UDP is used as the example) and exchange some data in both directions:

// server
# nc -v -u -l 192.168.34.11 8888
Ncat: Version 7.50 ( https://nmap.org/ncat )
Ncat: Listening on 192.168.34.11:8888
Ncat: Connection from 192.168.34.12.
hello, from client
hello, from server
hello, from client
// client
# nc -v -u 192.168.34.11 8888
Ncat: Version 7.50 ( https://nmap.org/ncat )
Ncat: Connected to 192.168.34.11:8888.
hello, from client
hello, from server
hello, from client

View the connection information as it changes: the entry is first [UNREPLIED] with the UNREPLIED timeout, then loses the flag once the server answers, and becomes [ASSURED] with the REPLIED timeout (300 s from udp-policy1) after further traffic:

// on server node
# conntrack -L -p udp
udp      17 13 src=192.168.34.12 dst=192.168.34.11 sport=46067 dport=8888 [UNREPLIED] src=192.168.34.11 dst=192.168.34.12 sport=8888 dport=46067 mark=0 secctx=system_u:object_r:unlabeled_t:s0 use=1
conntrack v1.4.4 (conntrack-tools): 1 flow entries have been shown.
# conntrack -L -p udp
udp      17 27 src=192.168.34.12 dst=192.168.34.11 sport=46067 dport=8888 src=192.168.34.11 dst=192.168.34.12 sport=8888 dport=46067 mark=0 secctx=system_u:object_r:unlabeled_t:s0 use=1
conntrack v1.4.4 (conntrack-tools): 1 flow entries have been shown.
# conntrack -L -p udp
udp      17 297 src=192.168.34.12 dst=192.168.34.11 sport=46067 dport=8888 src=192.168.34.11 dst=192.168.34.12 sport=8888 dport=46067 [ASSURED] mark=0 secctx=system_u:object_r:unlabeled_t:s0 use=1
conntrack v1.4.4 (conntrack-tools): 1 flow entries have been shown.
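As an added example (not part of the original note), the following Python parses entries in either the /proc/net/nf_conntrack or the conntrack -L layout shown above, classifies each by TCP state or by the UNREPLIED flag, and counts entries per original source address. The sample table is constructed from the listings above; nothing here is conntrack-tools code.

```python
from collections import Counter

TUPLE_KEYS = {"src", "dst", "sport", "dport", "type", "code", "id"}

# Constructed sample in the layouts shown above (/proc form first, then conntrack -L form).
SAMPLE = """\
ipv4     2 tcp      6 431999 ESTABLISHED src=10.0.2.2 dst=10.0.2.15 sport=58994 dport=22 src=10.0.2.15 dst=10.0.2.2 sport=22 dport=58994 [ASSURED] mark=0 secctx=system_u:object_r:unlabeled_t:s0 zone=0 use=2
udp      17 13 src=192.168.34.12 dst=192.168.34.11 sport=46067 dport=8888 [UNREPLIED] src=192.168.34.11 dst=192.168.34.12 sport=8888 dport=46067 mark=0 use=1
udp      17 297 src=192.168.34.12 dst=192.168.34.11 sport=46067 dport=8888 src=192.168.34.11 dst=192.168.34.12 sport=8888 dport=46067 [ASSURED] mark=0 use=1
conntrack v1.4.4 (conntrack-tools): 3 flow entries have been shown.
"""

def parse_entry(line):
    """Parse one entry; returns None for non-entry lines such as the trailer."""
    tok = line.split()
    if tok and tok[0] in ("ipv4", "ipv6"):   # /proc form prefixes l3proto and its number
        tok = tok[2:]
    if len(tok) < 3 or not tok[1].isdigit():  # expect "<l4proto> <l4num> <timeout> ..."
        return None
    e = {"l4proto": tok[0], "timeout": int(tok[2]), "flags": [], "orig": {}, "reply": {}}
    rest = tok[3:]
    if e["l4proto"] == "tcp":                 # only TCP carries a state column
        e["state"] = rest.pop(0)
    for t in rest:
        if t.startswith("[") and t.endswith("]"):
            e["flags"].append(t[1:-1])        # UNREPLIED / ASSURED
        elif "=" in t:
            k, v = t.split("=", 1)
            if k in TUPLE_KEYS:
                # the first src/dst/sport/dport set is the original direction, the second the reply
                side = e["orig"] if k not in e["orig"] else e["reply"]
                side[k] = v
            else:
                e[k] = v                      # mark, secctx, zone, use, ...
    return e

def parse_table(text):
    return [e for e in map(parse_entry, text.splitlines()) if e]

def flow_state(e):
    """TCP uses its state column; UDP/ICMP are classified by the UNREPLIED flag."""
    if "state" in e:
        return e["state"]
    return "UNREPLIED" if "UNREPLIED" in e["flags"] else "REPLIED"

def summarize(entries):
    """Entry counts per (l4proto, state) and per original source address."""
    by_state = Counter((e["l4proto"], flow_state(e)) for e in entries)
    by_src = Counter(e["orig"].get("src") for e in entries)
    return by_state, by_src
```

Feeding it the live table (parse_table(open("/proc/net/nf_conntrack").read())) gives a quick view of how many one-sided UDP entries and which sources are occupying the table, which is what matters when tuning the timeouts above.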

References

nfct README

https://git.netfilter.org/conntrack-tools/tree/README.nfct

kernel documentation of nf_conntrack sysctl

https://www.kernel.org/doc/Documentation/networking/nf_conntrack-sysctl.txt

details of /proc/net/ip_conntrack / nf_conntrack

https://stackoverflow.com/questions/16034698/details-of-proc-net-ip-conntrack-nf-conntrack

Format of /proc/net/ip_conntrack

http://www.dqd.com/~mayoff/notes/linux/ip_conntrack.html

Linux iptables connection tracking configuration

http://fibrevillage.com/sysadmin/199-linux-iptables-connection-tracking-configuration