Thursday, August 18, 2011

Connection tracking in linux

Connection tracking is done to know the state of a specific connection.
A firewall that understands connection tracking and allows rules to be
written on that basis is known as a stateful firewall. Iptables can also
apply rules to tracked connections, known as states, through the state
match.
Connection tracking is done by a special framework in the kernel known
as conntrack. conntrack can be built into the kernel or loaded as a
module.
Suppose you are on a Linux machine and want to list the packets tracked by
conntrack; use the following command
root# more /proc/net/ip_conntrack
.............
...............
All connection tracking is handled in the PREROUTING chain, except for
locally generated packets, which are handled in the OUTPUT chain.
Suppose you send the initial packet of a stream: it passes through the
OUTPUT chain as NEW, and once you receive the acknowledgment of it, the
connection becomes ESTABLISHED in the PREROUTING chain.
One important thing to keep in mind is that
/proc/sys/net/ipv4/ip_conntrack_max determines how many packets will be
kept by conntrack.
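As an added example (not part of the original post), the script below parses the /proc/net/ip_conntrack listing shown above, counts entries per protocol and TCP state, flags entries that have not yet seen a reply (the ones the state match would still treat as NEW), and reports how much of ip_conntrack_max is in use. The sample lines are constructed, and read_live() assumes the two /proc paths named in the post.

```python
"""Summarise a /proc/net/ip_conntrack listing and check it against ip_conntrack_max."""
import re
from collections import Counter

# First "src= dst= sport= dport=" group on a line is the original direction.
TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")

# Constructed sample lines in /proc/net/ip_conntrack format (not from a real host).
SAMPLE = """\
tcp      6 431999 ESTABLISHED src=192.168.1.20 dst=192.168.1.1 sport=45678 dport=22 packets=10 bytes=1240 src=192.168.1.1 dst=192.168.1.20 sport=22 dport=45678 packets=8 bytes=2310 [ASSURED] mark=0 use=1
tcp      6 118 SYN_SENT src=192.168.1.20 dst=192.168.1.30 sport=50000 dport=80 packets=1 bytes=60 [UNREPLIED] src=192.168.1.30 dst=192.168.1.20 sport=80 dport=50000 packets=0 bytes=0 mark=0 use=1
udp      17 29 src=192.168.1.20 dst=192.168.1.1 sport=5353 dport=53 packets=1 bytes=70 src=192.168.1.1 dst=192.168.1.20 sport=53 dport=5353 packets=1 bytes=150 mark=0 use=1
tcp      6 59 TIME_WAIT src=192.168.1.20 dst=192.168.1.1 sport=45600 dport=443 packets=12 bytes=3000 src=192.168.1.1 dst=192.168.1.20 sport=443 dport=45600 packets=11 bytes=9000 [ASSURED] mark=0 use=1
"""

def parse_conntrack(text):
    """Return one dict per entry: protocol, timeout, TCP state, original tuple, flags."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        m = TUPLE_RE.search(line)
        if len(fields) < 4 or not m:
            continue
        proto = fields[0]
        entries.append({
            "proto": proto,
            "timeout": int(fields[2]),
            # Only TCP entries carry a state column (ESTABLISHED, SYN_SENT, TIME_WAIT, ...).
            "state": fields[3] if proto == "tcp" else "-",
            "src": m.group(1), "dst": m.group(2),
            "sport": int(m.group(3)), "dport": int(m.group(4)),
            # [UNREPLIED]: no packet seen in the reply direction yet, so the
            # iptables state match still classifies this flow's packets as NEW.
            "replied": "[UNREPLIED]" not in line,
            "assured": "[ASSURED]" in line,
        })
    return entries

def summarize(entries):
    """Count entries per (protocol, state), e.g. ('tcp', 'ESTABLISHED')."""
    return Counter((e["proto"], e["state"]) for e in entries)

def table_usage(entries, conntrack_max):
    """Percent of ip_conntrack_max in use; once the table is full, new flows are dropped."""
    return 100.0 * len(entries) / conntrack_max

def read_live():
    """Read the real table and its limit on a host (assumed paths from the post)."""
    with open("/proc/net/ip_conntrack") as f:
        entries = parse_conntrack(f.read())
    with open("/proc/sys/net/ipv4/ip_conntrack_max") as f:
        return entries, int(f.read())

if __name__ == "__main__":
    entries = parse_conntrack(SAMPLE)
    for (proto, state), n in sorted(summarize(entries).items()):
        print(f"{proto:4} {state:12} {n}")
    print("unreplied (still NEW):", sum(1 for e in entries if not e["replied"]))
    print(f"table usage: {table_usage(entries, 65536):.3f}%")
```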