Netfilter's conntrack-tools
What are the conntrack-tools?
The conntrack-tools are a set of free software userspace tools for Linux that allow system administrators to interact with the Connection Tracking System, which is the module that provides stateful packet inspection for iptables. The conntrack-tools consist of the userspace daemon conntrackd and the command line interface conntrack.
conntrack - command line interface for netfilter connection tracking
conntrack provides a full-featured userspace interface to the netfilter connection tracking system that is intended to replace the old /proc/net/ip_conntrack interface. This tool can be used to search, list, inspect and maintain the connection tracking subsystem of the Linux kernel. Using conntrack, you can dump a list of all (or a filtered selection of) currently tracked connections, delete connections from the state table, and even add new ones.
In addition, you can also monitor connection tracking events, e.g. show an event message (one line) per newly established connection.
Why use the conntrack-tools?
The userspace daemon conntrackd can be used to enable high availability of cluster-based stateful firewalls and to collect statistics of the stateful firewall use (although ulogd is the preferred option for logging). The command line interface conntrack provides a more flexible interface than the traditional /proc/net/nf_conntrack interface.
Tables
The connection tracking subsystem maintains two internal tables:
- conntrack: This is the default table. It contains a list of all currently tracked connections through the system. If you don't use connection tracking exemptions (NOTRACK iptables target), this means all connections that go through the system.
- expect: This is the table of expectations. Connection tracking expectations are the mechanism used to "expect" RELATED connections to existing ones. Expectations are generally used by "connection tracking helpers" (sometimes called application level gateways [ALGs]) for more complex protocols such as FTP, SIP, H.323.
Usage
List the connection tracking or expectation table.
By default, conntrack lists the conntrack table:
    # conntrack table
    conntrack -L
    conntrack -L conntrack
    # expect table
    conntrack -L expect
More examples
    # Dump the connection tracking table in /proc/net/ip_conntrack format
    conntrack -L
    # Dump the connection tracking table in /proc/net/nf_conntrack format
    conntrack -L -o extended
    # Dump the connection tracking table in XML
    conntrack -L -o xml
    # Only dump IPv6 connections in /proc/net/nf_conntrack format
    conntrack -L -f ipv6 -o extended
    # Dump source NAT connections
    conntrack -L --src-nat
    # Show connection events together with the timestamp
    conntrack -E -o timestamp
Natively filter the output without using grep:
    conntrack -L -p tcp --dport 22
    tcp      6 431999 ESTABLISHED src=10.187.39.84 dst=10.187.38.118 sport=37047 dport=22 src=10.187.38.118 dst=10.187.39.84 sport=22 dport=37047 [ASSURED] mark=0 use=1
    conntrack v1.2.1 (conntrack-tools): 1 flow entries have been shown.
Display the connection tracking events:
    # conntrack -E
    [NEW] udp      17 30 src=10.187.38.118 dst=10.187.64.12 sport=52514 dport=53 [UNREPLIED] src=10.187.64.12 dst=10.187.38.118 sport=53 dport=52514
    [UPDATE] udp      17 30 src=10.187.38.118 dst=10.187.64.12 sport=52514 dport=53 src=10.187.64.12 dst=10.187.38.118 sport=53 dport=52514
    [UPDATE] udp      17 180 src=10.187.38.118 dst=10.187.64.12 sport=52514 dport=53 src=10.187.64.12 dst=10.187.38.118 sport=53 dport=52514 [ASSURED]
You can also display the existing flows in XML format, filter the output based on the NAT handling applied, etc.
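As an added example (not code from the conntrack-tools project), here is a small Python parser for the TCP/UDP entry layout shown in the listings above, for both "conntrack -L" table dumps and "conntrack -E" event lines. It pulls the original and reply tuples out of each entry and infers source/destination NAT by comparing them, which is a useful cross-check against the --src-nat filter and a quick way to spot a pile-up of [UNREPLIED] half-open flows; the sample lines are constructed, and ICMP entries (which carry type/code/id instead of ports) are deliberately not handled.

```python
import re
from collections import Counter

# Constructed sample lines in the layout shown above (not a real capture): a TCP entry
# from "conntrack -L", a source-NATed UDP entry, and a "conntrack -E" event line.
SAMPLE = """\
tcp      6 431999 ESTABLISHED src=10.187.39.84 dst=10.187.38.118 sport=37047 dport=22 src=10.187.38.118 dst=10.187.39.84 sport=22 dport=37047 [ASSURED] mark=0 use=1
udp      17 30 src=192.168.1.10 dst=10.187.64.12 sport=52514 dport=53 [UNREPLIED] src=10.187.64.12 dst=203.0.113.5 sport=53 dport=52514 mark=0 use=1
[NEW] udp      17 30 src=10.187.38.118 dst=10.187.64.12 sport=52514 dport=53 [UNREPLIED] src=10.187.64.12 dst=10.187.38.118 sport=53 dport=52514
"""

TUPLE = r"src=(?P<{p}src>\S+) dst=(?P<{p}dst>\S+) sport=(?P<{p}sport>\d+) dport=(?P<{p}dport>\d+)"
LINE = re.compile(
    r"^(?:\[(?P<event>[A-Z]+)\]\s+)?(?P<proto>\w+)\s+(?P<protonum>\d+)\s+(?P<timeout>\d+)"
    r"(?:\s+(?P<state>[A-Z_]+))?\s+" + TUPLE.format(p="o")          # original direction
    + r"(?P<unreplied>\s+\[UNREPLIED\])?\s+" + TUPLE.format(p="r")  # reply direction
    + r"(?P<assured>\s+\[ASSURED\])?"
)

def parse_line(line):
    """Parse one TCP/UDP entry; returns None for layouts not handled here (e.g. ICMP)."""
    m = LINE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    # NAT is inferred from the tuple pair: SNAT rewrites the original source, so the reply
    # tuple's destination no longer equals it; DNAT does the same to the destination.
    return {
        "event": d["event"], "proto": d["proto"], "state": d["state"],
        "orig": (d["osrc"], int(d["osport"]), d["odst"], int(d["odport"])),
        "reply": (d["rsrc"], int(d["rsport"]), d["rdst"], int(d["rdport"])),
        "unreplied": d["unreplied"] is not None,
        "assured": d["assured"] is not None,
        "snat": d["rdst"] != d["osrc"], "dnat": d["rsrc"] != d["odst"],
    }

def parse(text):
    return [f for f in (parse_line(l) for l in text.splitlines()) if f]

def summarize(flows):
    """Counts an operator would glance at: state mix, half-open and NATed flows."""
    return {
        "flows": len(flows),
        "states": dict(Counter(f["state"] or f["proto"] for f in flows)),
        "unreplied": sum(f["unreplied"] for f in flows),
        "assured": sum(f["assured"] for f in flows),
        "snat": sum(f["snat"] for f in flows),
        "dnat": sum(f["dnat"] for f in flows),
    }
```

Feed it the output of "conntrack -L" or "conntrack -E" on stdin to get the same summary over a live table.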
Reference
http://conntrack-tools.netfilter.org/