conntrack

目录

conntrack#

Concept#

连接跟踪（conntrack）：原理、应用及 Linux 内核实现 @ arthurchiao.art/blog, English ver

http://43.129.181.206/share/linux2.6-kernel-summary.pdf Download Linux2.6 内核总结（庞宇） .

Monitoring & Troubleshooting#

https://conntrack-tools.netfilter.org/manual.html

https://fedoramagazine.org/network-address-translation-part-4-conntrack-troubleshooting/

https://fedoramagazine.org/network-address-translation-part-2-the-conntrack-tool/

Oracle Linux: IPTABLES conntrack Table Gets Stuck with an Entry in SYN_SENT State

real-time conntrack event log#

https://fedoramagazine.org/conntrack-event-framework/

# conntrack -E
NEW tcp     120 SYN_SENT src=10.1.0.114 dst=10.7.43.52 sport=4123 dport=22 [UNREPLIED] src=10.7.43.52 dst=10.1.0.114 sport=22 dport=4123
UPDATE tcp      60 SYN_RECV src=10.1.0.114 dst=10.7.43.52 sport=4123 dport=22 src=10.7.43.52 dst=10.1.0.114 sport=22 dport=4123
UPDATE tcp  432000 ESTABLISHED src=10.1.0.114 dst=10.7.43.52 sport=4123 dport=22 src=10.7.43.52 dst=10.1.0.114 sport=22 dport=4123 [ASSURED]
UPDATE tcp     120 FIN_WAIT src=10.1.0.114 dst=10.7.43.52 sport=4123 dport=22 src=10.7.43.52 dst=10.1.0.114 sport=22 dport=4123 [ASSURED]
UPDATE tcp      30 LAST_ACK src=10.1.0.114 dst=10.7.43.52 sport=4123 dport=22 src=10.7.43.52 dst=10.1.0.114 sport=22 dport=4123 [ASSURED]
UPDATE tcp     120 TIME_WAIT src=10.1.0.114 dst=10.7.43.52 sport=4123 dport=22 src=10.7.43.52 dst=10.1.0.114 sport=22 dport=4123 [ASSURED]

Tuning#

iptables NAT random local port#

Ref.#