Enabling conntrack
Enable conntrack (if the iptables rules use conntrack-related modules, the kernel module is loaded automatically):
# modprobe nf_conntrack_ipv4
Viewing connection information
# cat /proc/net/nf_conntrack
ipv4 2 tcp 6 431999 ESTABLISHED src=10.0.2.2 dst=10.0.2.15 sport=58994 dport=22 src=10.0.2.15 dst=10.0.2.2 sport=22 dport=58994 [ASSURED] mark=0 secctx=system_u:object_r:unlabeled_t:s0 zone=0 use=2
ipv4 2 tcp 6 431938 ESTABLISHED src=10.0.2.2 dst=10.0.2.15 sport=43708 dport=22 src=10.0.2.15 dst=10.0.2.2 sport=22 dport=43708 [ASSURED] mark=0 secctx=system_u:object_r:unlabeled_t:s0 zone=0 use=2
# conntrack -L
tcp 6 431999 ESTABLISHED src=10.0.2.2 dst=10.0.2.15 sport=58994 dport=22 src=10.0.2.15 dst=10.0.2.2 sport=22 dport=58994 [ASSURED] mark=0 secctx=system_u:object_r:unlabeled_t:s0 use=1
tcp 6 431882 ESTABLISHED src=10.0.2.2 dst=10.0.2.15 sport=43708 dport=22 src=10.0.2.15 dst=10.0.2.2 sport=22 dport=43708 [ASSURED] mark=0 secctx=system_u:object_r:unlabeled_t:s0 use=1
conntrack v1.4.4 (conntrack-tools): 3 flow entries have been shown.
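The two listings above use the same record layout: an optional L3 family and number (only in /proc/net/nf_conntrack), the L4 protocol name and number, the remaining timeout in seconds, an optional TCP state, the original-direction tuple, the reply-direction tuple, bracketed flags such as [ASSURED] or [UNREPLIED], and trailing key=value attributes. The following parser is an added example, not code from the original post; it turns either format into structured records and picks out entries that never saw a reply, which is the first thing a defender looks for when the table fills up with scan noise or spoofed traffic. The sample lines are constructed to match the shape of the page's output.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample lines, shaped like the page's listings:
# one /proc/net/nf_conntrack line and two `conntrack -L` lines.
SAMPLE_LINES = [
    "ipv4 2 tcp 6 431999 ESTABLISHED src=10.0.2.2 dst=10.0.2.15 sport=58994 dport=22 "
    "src=10.0.2.15 dst=10.0.2.2 sport=22 dport=58994 [ASSURED] mark=0 "
    "secctx=system_u:object_r:unlabeled_t:s0 zone=0 use=2",
    "tcp 6 431882 ESTABLISHED src=10.0.2.2 dst=10.0.2.15 sport=43708 dport=22 "
    "src=10.0.2.15 dst=10.0.2.2 sport=22 dport=43708 [ASSURED] mark=0 "
    "secctx=system_u:object_r:unlabeled_t:s0 use=1",
    "udp 17 13 src=192.168.34.12 dst=192.168.34.11 sport=46067 dport=8888 [UNREPLIED] "
    "src=192.168.34.11 dst=192.168.34.12 sport=8888 dport=46067 mark=0 "
    "secctx=system_u:object_r:unlabeled_t:s0 use=1",
]

# Keys that belong to a direction tuple (ICMP uses type/code/id instead of ports;
# packets/bytes appear per direction when accounting is enabled).
TUPLE_KEYS = {"src", "dst", "sport", "dport", "type", "code", "id", "packets", "bytes"}


@dataclass
class Entry:
    l3proto: str             # "ipv4"/"ipv6"; `conntrack -L` omits it, defaulted to ipv4
    l4proto: str             # "tcp", "udp", "icmp", ...
    timeout: int             # seconds left before the kernel expires the entry
    state: Optional[str]     # TCP state name; None for stateless protocols
    orig: Dict[str, str]     # original-direction tuple
    reply: Dict[str, str]    # reply-direction tuple
    flags: Set[str]          # ASSURED, UNREPLIED, ...
    attrs: Dict[str, str]    # mark, secctx, zone, use, ...


def parse_entry(line: str) -> Entry:
    """Parse one line of /proc/net/nf_conntrack or `conntrack -L` output."""
    tokens = line.split()
    l3proto = "ipv4"
    if tokens[0] in ("ipv4", "ipv6"):      # /proc format leads with "<l3name> <l3num>"
        l3proto = tokens.pop(0)
        tokens.pop(0)                        # numeric L3 protocol (2 = AF_INET)
    l4proto = tokens.pop(0)
    tokens.pop(0)                            # numeric L4 protocol (6, 17, 1, ...)
    timeout = int(tokens.pop(0))
    state = None
    # A bare upper-case word before the first key=value is the TCP state.
    if tokens and re.fullmatch(r"[A-Z_0-9]+", tokens[0]):
        state = tokens.pop(0)
    orig: Dict[str, str] = {}
    reply: Dict[str, str] = {}
    flags: Set[str] = set()
    attrs: Dict[str, str] = {}
    current = orig
    for tok in tokens:
        if tok.startswith("[") and tok.endswith("]"):
            flags.add(tok[1:-1])
            continue
        key, _, value = tok.partition("=")
        if key == "src" and "src" in orig:
            current = reply                  # the second src= opens the reply tuple
        if key in TUPLE_KEYS:
            current[key] = value
        else:
            attrs[key] = value
    return Entry(l3proto, l4proto, timeout, state, orig, reply, flags, attrs)


def parse_table(text: str) -> List[Entry]:
    """Parse a whole listing, skipping blank lines and the conntrack-tools trailer."""
    return [parse_entry(l) for l in text.splitlines()
            if l.strip() and not l.startswith("conntrack v")]


def unreplied(entries: List[Entry]) -> List[Entry]:
    """Entries that never saw a reply: typical of scans, spoofed sources or dead peers."""
    return [e for e in entries if "UNREPLIED" in e.flags]


if __name__ == "__main__":
    for e in parse_table("\n".join(SAMPLE_LINES)):
        print(e.l4proto, e.state or "-", e.timeout, e.orig["src"], "->",
              e.orig["dst"], sorted(e.flags))
```

Run against a real box with `parse_table(open("/proc/net/nf_conntrack").read())`; the same function accepts pasted `conntrack -L` output. A sudden growth in `unreplied()` entries for one destination port is a cheap early signal of a port sweep or a half-open flood, and with the per-entry timeout you can see how long each will occupy the table.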
Setting timeout parameters
The connection timeout parameters of conntrack can be configured through the nf_conntrack_*_timeout_* sysctl options under /proc/sys/net/netfilter/, or timeout policies can be created with the nfct command:
# nfct default-get timeout inet tcp
.l3proto = 2,
.l4proto = 6,
.policy = {
.SYN_SENT = 120,
.SYN_RECV = 60,
.ESTABLISHED = 432000,
.FIN_WAIT = 120,
.CLOSE_WAIT = 60,
.LAST_ACK = 30,
.TIME_WAIT = 120,
.CLOSE = 10,
.SYN_SENT2 = 120,
.RETRANS = 300,
.UNACKNOWLEDGED = 300,
},
};
# nfct default-get timeout inet udp
.l3proto = 2,
.l4proto = 17,
.policy = {
.UNREPLIED = 30,
.REPLIED = 180,
},
};
# nfct default-get timeout inet icmp
.l3proto = 2,
.l4proto = 1,
.policy = {
.TIMEOUT = 30,
},
};
Then apply it with the iptables CT target for finer-grained control of connection timeouts:
# nfct add timeout udp-policy1 inet udp REPLIED 300
# nfct list timeout
.udp-policy1 = {
.l3proto = 2,
.l4proto = 17,
.policy = {
.UNREPLIED = 30,
.REPLIED = 300,
},
};
# iptables -t raw -A PREROUTING -p udp -m udp -j CT --timeout udp-policy1
# iptables -t raw -S
-P PREROUTING ACCEPT
-P OUTPUT ACCEPT
-A PREROUTING -p udp -m udp -j CT --timeout udp-policy1
Observing network connections
Create a new UDP connection (UDP is used as the example) and exchange some data:
// server
# nc -v -u -l 192.168.34.11 8888
Ncat: Version 7.50 ( https://nmap.org/ncat )
Ncat: Listening on 192.168.34.11:8888
Ncat: Connection from 192.168.34.12.
hello, from client
hello, from server
hello, from client
// client
# nc -v -u 192.168.34.11 8888
Ncat: Version 7.50 ( https://nmap.org/ncat )
Ncat: Connected to 192.168.34.11:8888.
hello, from client
hello, from server
hello, from client
Check the connection information:
// on server node
# conntrack -L -p udp
udp 17 13 src=192.168.34.12 dst=192.168.34.11 sport=46067 dport=8888 [UNREPLIED] src=192.168.34.11 dst=192.168.34.12 sport=8888 dport=46067 mark=0 secctx=system_u:object_r:unlabeled_t:s0 use=1
conntrack v1.4.4 (conntrack-tools): 1 flow entries have been shown.
# conntrack -L -p udp
udp 17 27 src=192.168.34.12 dst=192.168.34.11 sport=46067 dport=8888 src=192.168.34.11 dst=192.168.34.12 sport=8888 dport=46067 mark=0 secctx=system_u:object_r:unlabeled_t:s0 use=1
conntrack v1.4.4 (conntrack-tools): 1 flow entries have been shown.
# conntrack -L -p udp
udp 17 297 src=192.168.34.12 dst=192.168.34.11 sport=46067 dport=8888 src=192.168.34.11 dst=192.168.34.12 sport=8888 dport=46067 [ASSURED] mark=0 secctx=system_u:object_r:unlabeled_t:s0 use=1
conntrack v1.4.4 (conntrack-tools): 1 flow entries have been shown.
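The three listings above show the UDP entry moving from [UNREPLIED] with a timeout counting down from 30, to no flag with the timeout refreshed to 30, to [ASSURED] with the timeout refreshed to 300 (the REPLIED value of udp-policy1 from the timeout section). The model below is an added example, not kernel code or code from the original post; it mirrors the per-packet refresh rule of nf_conntrack's UDP tracker (refresh with the REPLIED timeout and set ASSURED only once a reply has already been seen, otherwise refresh with UNREPLIED, with the "seen reply" bit set after the packet is handled) and replays the page's three packets against udp-policy1. The values it returns are the freshly set timeouts; the listings show those minus the seconds elapsed before each `conntrack -L` (13, 27, 297). The policy dictionaries and the packet trace are constructed from the page's values.

```python
from typing import Dict, List, Set, Tuple

# Timeout policies in seconds. udp-policy1 is the one created on the page with
# `nfct add timeout udp-policy1 inet udp REPLIED 300`; DEFAULT matches the
# `nfct default-get timeout inet udp` output (UNREPLIED 30, REPLIED 180).
UDP_POLICY1 = {"UNREPLIED": 30, "REPLIED": 300}
UDP_DEFAULT = {"UNREPLIED": 30, "REPLIED": 180}

# The exchange on the page: client sends, server replies, client sends again.
PAGE_TRACE = ["orig", "reply", "orig"]


class UdpConntrackModel:
    """Illustrative model (not kernel code) of how one UDP conntrack entry is refreshed.

    Per packet: if a reply has already been seen, the entry gets the REPLIED
    timeout and becomes ASSURED; otherwise it gets the UNREPLIED timeout.
    The seen-reply bit is set only after the packet is processed, so the first
    reply packet still receives the UNREPLIED timeout and merely clears the
    [UNREPLIED] flag; ASSURED appears on the following packet.
    """

    def __init__(self, policy: Dict[str, int]):
        self.policy = policy
        self.seen_reply = False
        self.assured = False
        self.timeout = policy["UNREPLIED"]   # a new entry starts unreplied

    def flags(self) -> Set[str]:
        f: Set[str] = set()
        if not self.seen_reply:
            f.add("UNREPLIED")
        if self.assured:
            f.add("ASSURED")
        return f

    def packet(self, direction: str) -> Tuple[int, Set[str]]:
        """Process one packet ("orig" or "reply"); return (timeout, flags) after it."""
        if direction not in ("orig", "reply"):
            raise ValueError(direction)
        if self.seen_reply:
            self.timeout = self.policy["REPLIED"]
            self.assured = True
        else:
            self.timeout = self.policy["UNREPLIED"]
        if direction == "reply":
            self.seen_reply = True
        return self.timeout, self.flags()


def replay(policy: Dict[str, int], trace: List[str]) -> List[Tuple[int, Set[str]]]:
    """Run a packet trace through the model and collect the state after each packet."""
    model = UdpConntrackModel(policy)
    return [model.packet(d) for d in trace]


if __name__ == "__main__":
    for direction, (timeout, flags) in zip(PAGE_TRACE, replay(UDP_POLICY1, PAGE_TRACE)):
        print(f"{direction:5s} -> timeout={timeout:3d} flags={sorted(flags)}")
```

Two practical consequences follow from the model. A one-packet probe that never gets an answer stays [UNREPLIED] and is gone after the UNREPLIED timeout (30 s), so scans cost the table little; a flow that has been answered is kept for the full REPLIED timeout after every packet, so raising REPLIED to 300 as in udp-policy1 trades table occupancy for fewer state losses on quiet streams. Replaying `["orig", "orig", "orig"]` shows the first case: the entry never leaves UNREPLIED.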
References
nfct README
https://git.netfilter.org/conntrack-tools/tree/README.nfct
kernel documentation of nf_conntrack sysctl
https://www.kernel.org/doc/Documentation/networking/nf_conntrack-sysctl.txt
details of /proc/net/ip_conntrack / nf_conntrack
https://stackoverflow.com/questions/16034698/details-of-proc-net-ip-conntrack-nf-conntrack
Format of /proc/net/ip_conntrack
http://www.dqd.com/~mayoff/notes/linux/ip_conntrack.html
Linux iptables connection tracking configuration
http://fibrevillage.com/sysadmin/199-linux-iptables-connection-tracking-configuration
Last modified on 2020-01-04