This means that iptables finds from the connection tracking table that the packet belongs to a connection that has received a response (that is, there is no field). Judging that this package is the first package of a connection is based on conntrack current "only see one direction packet" (), not associated with a specific protocol, so NEW does not refer to the SYN packet connected by tcp.ĮSTABLISHEDESTABLISHED matches the response packet of the connection and subsequent packets. This means that iptables finds from the connection tracking table that this package is the first package of a connection. NEW:NEW matches the first package of the connection. For the higher layer applications, there are few at the time, and naturally there is no need to pay too much attention to protection.Ĭonntrack stores information in the memory structure, including IP, port, protocol type, status, and timeout.Īnd conntrack can not only track the status of TCP stateful sessions, but also track the status of UDP.Ĭonntrack itself does not filter packets, but instead provides a filter based on state and relationship.Ĭonntrack defines five connection states, as follows: Of course, from the historical point of view, the packet filtering firewall is in line with the development needs at that time, and the efficiency is also higher. Stateless firewalls are not able to detect and track DoS. This paper attempts to analyze and understand the mechanism of conntrack.Īfter years of development of packet filtering firewalls based on header information (IP, ports, etc.), the demand for firewalls has gradually increased. It is the basis of a stateful firewall based on Linux system, and it is also a means for NAT to complete the conversion of related packages. In the netfilter system, the state tracking mechanism (conntrack) is an important part.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |