>这两条规则有什么区别?
iptables -A FORWARD -m state –state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m conntrack –ctstate ESTABLISHED,RELATED -j
接受
当指定-m state或-m conntrack时,两者似乎都加载nf_conntrack模块.两个选项都会打开状态或连接跟踪.
注意:我不是在问conntrack是做什么的,我只是问它们是否相同.我已经知道conntrack模块有更多功能.
>如果上述内容相同,使用conntrackd时是否需要使用conntrack版本?
>首次匹配包含-m state –state BLA的数据包时是否打开了连接跟踪,还是所有流量的连接跟踪始终打开?
例如在FreeBSD PF下,您可以在规则上指定keepstate来跟踪状态. netfilter也不一样吗?即模块加载后是否所有流程都打开?
>可以/应该使用连接跟踪进行快速匹配,如下所示?如果没有像下面这样使用,是不是意味着防火墙会再次通过规则集寻找数据包的匹配而不是仅仅达到第一个ESTABLISHED规则? [许多例子似乎没有使用它,如果是真的]
例如假设这是某种路由器/防火墙(没有nat).
# Default DROP policy iptables -P INPUT DROP iptables -P OUTPUT DROP iptables -P FORWARD DROP # Drop invalid iptables -A FORWARD -m state --state INVALID -j DROP # Accept established,related connections iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT # Allow ssh through,track connection iptables -A FORWARD -p tcp --syn --dport 22 -m state --state NEW -j ACCEPT
>当conntrack表填满时,您的防火墙是否会开始拒绝流量,或者没有状态的规则是否仍然有效.在这种情况下我不应该使用INVALID状态DROP数据包,对吗?
见:Shoot yourself in the foot with iptables and kmod auto-loading
解决方法
The State Match
The most useful match criterion is supplied by the
state' extension,ip_conntrack’ module. This is highly recommended.
which interprets the connection-tracking analysis of the
Specifying
-m state' allows an additional–state’ option,which is
a comma-separated list of states to match (the `!’ flag indicates not
to match those states). These states are:NEW A packet which creates a new connection.
ESTABLISHED A packet which belongs to an existing connection (i.e.,a
reply packet,or outgoing packet on a connection which has seen
replies).RELATED A packet which is related to,but not part of,an existing
connection,such as an ICMP error,or (with the FTP module inserted),
a packet establishing an ftp data connection.INVALID A packet which could not be identified for some reason: this
includes running out of memory and ICMP errors which don’t correspond
to any known connection. Generally these packets should be dropped.An example of this powerful match extension would be:
# iptables -A FORWARD -i ppp0 -m state ! –state NEW -j DROP
Firewall questions about state and policy?
因此,为了回答这个问题,conntrack用于conntrack工具包并取代这方面的状态.如果您计划使用conntrack工具包,它比状态更好.
连接跟踪对于流量流是开启的,它不断尝试将流匹配到规则.
问题2的答案是,是的,使用conntrack
回答问题3,哪个案例?国家的答案在上面的定义中.
4的答案是,conntrack用于conntrack工具包和状态,因为不使用工具包.是的,你可以使用conntrack而不是使用你的例子中的状态.
