Netfilter's conntrack-tools

What are the conntrack-tools?

The conntrack-tools are a set of free software userspace tools for Linux that allow system administrators to interact with the Connection Tracking System, the kernel module that provides stateful packet inspection for iptables. The conntrack-tools consist of the userspace daemon conntrackd and the command line interface conntrack.

conntrack - command line interface for netfilter connection tracking  

conntrack provides a full featured userspace interface to the netfilter connection tracking system that is intended to replace the old /proc/net/ip_conntrack interface. This tool can be used to search, list, inspect and maintain the connection tracking subsystem of the Linux kernel. Using conntrack, you can dump a list of all (or a filtered selection of) currently tracked connections, delete connections from the state table, and even add new ones.

In addition, you can also monitor connection tracking events, e.g. show an event message (one line) per newly established connection.

/proc/net/ip_conntrack is deprecated!

Why use the conntrack-tools?

The userspace daemon conntrackd can be used to enable high availability of cluster-based stateful firewalls and to collect statistics of the stateful firewall use (although ulogd is the preferred option for logging). The command line interface conntrack provides a more flexible interface than the traditional /proc/net/nf_conntrack interface.

Tables

The connection tracking subsystem maintains two internal tables:

  • conntrack: This is the default table. It contains a list of all currently tracked connections through the system. If you don't use connection tracking exemptions (NOTRACK iptables target), this means all connections that go through the system.
  • expect: This is the table of expectations. Connection tracking expectations are the mechanism used to "expect" RELATED connections to existing ones. Expectations are generally used by "connection tracking helpers" (sometimes called application level gateways [ALGs]) for more complex protocols such as FTP, SIP and H.323.

Usage

List the connection tracking or expectation table.

By default conntrack lists the conntrack table:

# conntrack table
conntrack -L
conntrack -L conntrack
 
# expect table
conntrack -L expect

More examples

# Dump the connection tracking table in /proc/net/ip_conntrack format
conntrack -L
# Dump the connection tracking table in /proc/net/nf_conntrack format
conntrack -L -o extended
# Dump the connection tracking table in XML
conntrack -L -o xml
# Only dump IPv6 connections in /proc/net/nf_conntrack format
conntrack -L -f ipv6 -o extended
# Dump source NAT connections
conntrack -L --src-nat
# Show connection events together with the timestamp
conntrack -E -o timestamp

Natively filter the output without using grep

conntrack -L -p tcp --dport 22
tcp      6 431999 ESTABLISHED src=10.187.39.84 dst=10.187.38.118 sport=37047 dport=22 src=10.187.38.118 dst=10.187.39.84 sport=22 dport=37047 [ASSURED] mark=0 use=1
conntrack v1.2.1 (conntrack-tools): 1 flow entries have been shown.
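As an added example (not part of conntrack-tools or this page's original content), the POSIX shell functions below summarise a `conntrack -L` dump in the default format shown above: per-state counts, and entries that never saw a reply grouped by original source, which is what a defender watches for half-open handshake floods or scans. The dump is read on stdin; the embedded sample is constructed for the example, and the function names are the author's own.

```shell
#!/bin/sh
# Added example, not part of conntrack-tools: summarise a "conntrack -L" dump
# in the default (/proc/net/ip_conntrack style) format shown on this page.
# Each function reads the dump on stdin, e.g.  conntrack -L 2>/dev/null | count_state ESTABLISHED

# Constructed sample dump (addresses and ports are made up for this example).
SAMPLE='tcp      6 431999 ESTABLISHED src=10.187.39.84 dst=10.187.38.118 sport=37047 dport=22 src=10.187.38.118 dst=10.187.39.84 sport=22 dport=37047 [ASSURED] mark=0 use=1
udp      17 30 src=10.187.38.118 dst=10.187.64.12 sport=52514 dport=53 [UNREPLIED] src=10.187.64.12 dst=10.187.38.118 sport=53 dport=52514 mark=0 use=1
tcp      6 118 SYN_SENT src=10.187.38.118 dst=10.187.64.20 sport=40001 dport=443 [UNREPLIED] src=10.187.64.20 dst=10.187.38.118 sport=443 dport=40001 mark=0 use=1
tcp      6 118 SYN_SENT src=10.187.38.118 dst=10.187.64.21 sport=40002 dport=443 [UNREPLIED] src=10.187.64.21 dst=10.187.38.118 sport=443 dport=40002 mark=0 use=1
tcp      6 431999 ESTABLISHED src=10.187.39.90 dst=10.187.38.118 sport=51000 dport=22 src=10.187.38.118 dst=10.187.39.90 sport=22 dport=51000 [ASSURED] mark=0 use=1'

# count_state STATE: number of TCP entries in the given conntrack state.
# Field layout: proto protonum timeout [STATE] src=... ; UDP entries carry no state field.
count_state() {
  awk -v st="$1" '$1 == "tcp" && $4 == st { c++ } END { print c + 0 }'
}

# unreplied_by_src: entries that never saw a reply, grouped by the original
# source address (the first src= field is the original direction, the second
# one the reply direction). Output: "address count", highest count first.
unreplied_by_src() {
  awk '/\[UNREPLIED\]/ {
    for (i = 1; i <= NF; i++)
      if ($i ~ /^src=/) { sub(/^src=/, "", $i); n[$i]++; break }
  }
  END { for (s in n) print s, n[s] }' | sort -k2,2nr -k1,1
}

# half_open_sources THRESHOLD: sources with more than THRESHOLD half-open TCP
# handshakes (SYN_SENT and still UNREPLIED), the signal a SYN-flood or
# scan-detection alert would key on.
half_open_sources() {
  awk -v lim="$1" '$1 == "tcp" && $4 == "SYN_SENT" && /\[UNREPLIED\]/ {
    for (i = 1; i <= NF; i++)
      if ($i ~ /^src=/) { sub(/^src=/, "", $i); n[$i]++; break }
  }
  END { for (s in n) if (n[s] > lim) print s }' | sort
}

# Run against the constructed sample so the script demonstrates itself.
printf '%s\n' "$SAMPLE" | count_state ESTABLISHED
printf '%s\n' "$SAMPLE" | unreplied_by_src
printf '%s\n' "$SAMPLE" | half_open_sources 1
```

On a live host, replace the sample with `conntrack -L 2>/dev/null`, since the trailing "flow entries have been shown" summary is not a table row.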

Display the connection tracking events

# conntrack -E
    [NEW] udp      17 30 src=10.187.38.118 dst=10.187.64.12 sport=52514 dport=53 [UNREPLIED] src=10.187.64.12 dst=10.187.38.118 sport=53 dport=52514
 [UPDATE] udp      17 30 src=10.187.38.118 dst=10.187.64.12 sport=52514 dport=53 src=10.187.64.12 dst=10.187.38.118 sport=53 dport=52514
 [UPDATE] udp      17 180 src=10.187.38.118 dst=10.187.64.12 sport=52514 dport=53 src=10.187.64.12 dst=10.187.38.118 sport=53 dport=52514 [ASSURED]

You can also display the existing flows in XML format, filter the output based on the NAT handling applied, etc.

Reference

http://conntrack-tools.netfilter.org/

Documentation

The conntrack-tools user manual

conntrack manpage