Iptables State Module

From NovaOrdis Knowledge Base

External

Internal

Overview

A rule can evaluate the state of the connection a packet belongs to. The state module examines a packet relative to the whole stream of packets it is part of and determines whether the packet belongs to a NEW, ESTABLISHED or RELATED connection. Without connection tracking, we would have to open up all ports above 1024 to let return traffic back into the network; with connection tracking, we can open the firewall only for return traffic that comes as a response to traffic initiated by our machine.

How State Machine/Connection Tracking Works

The connection tracking is done by a kernel framework called conntrack. Defragmentation is incorporated into conntrack and carried out automatically, as long as conntrack is turned on. All state changes and calculations are done within the PREROUTING and OUTPUT chains of the "nat" table.

Because of the connection tracking mechanism, iptables is stateful: it can apply firewall rules based on the current state of network traffic. For instance, rules can depend on the traffic already seen on a specific port, rather than simply blocking or opening that port across the board.

Connection States

NEW

NEW refers to the first packet of a connection that the firewall has not seen before, for example a connection that was not initiated by the host system. A typical example is the SYN packet of a TCP connection. However, the packet need not be a SYN packet to be considered NEW.

ESTABLISHED

An ESTABLISHED connection is a connection the firewall knows about and is tracking. A connection in the ESTABLISHED state has seen traffic in both directions, and the firewall will then continuously match its packets. The only requirement for reaching the ESTABLISHED state is that one host sends a packet and later receives a reply from the other host. ICMP reply messages can also be considered ESTABLISHED, if we created the packet that in turn generated the ICMP reply.

RELATED

A connection is considered RELATED when it is related to another, already ESTABLISHED connection. For a connection to be considered RELATED, we must first have a connection that is considered ESTABLISHED. The ESTABLISHED connection then spawns a connection outside of the main connection. The newly spawned connection is considered RELATED, provided the conntrack module is able to recognize the relationship. An example is the FTP data connection, which is considered RELATED to the FTP control connection.

Most TCP protocols and some UDP protocols that rely on this mechanism are quite complex and send connection information within the payload of the TCP or UDP data segments; they therefore require special helper modules to be correctly understood.

INVALID

The INVALID state means that the packet cannot be identified or that it does not have any state. This may happen for several reasons, such as the system running out of memory, or ICMP error messages that do not correspond to any known connection. Generally, it is a good idea to DROP everything in this state.

UNTRACKED

If a packet is marked within the raw table with the NOTRACK target, then that packet will show up as UNTRACKED in the state machine.

TCP

For TCP, once iptables has seen the SYN packet, it considers the connection NEW. Once it sees the return packet (SYN/ACK), it considers the session ESTABLISHED.

UDP

UDP connections are stateless: receiving two UDP datagrams in a specific order says nothing about the order in which they were sent. However, iptables can still track "UDP connections" by pairing datagrams with their replies. More details: http://www.frozentux.net/iptables-tutorial/iptables-tutorial.html#UDPCHARACTERISTICS.

Information about Tracked Connections

The actively tracked connections can be read from:

/proc/net/ip_conntrack

This file gives a list of all current entries in the conntrack database.
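As an added example (not code from the original page), a small Python parser for the entries in that file. It assumes the two line layouts shown in the constructed sample below: the older /proc/net/ip_conntrack layout and the newer /proc/net/nf_conntrack layout, which prefixes each line with the layer-3 protocol. Each entry is then mapped onto the NEW/ESTABLISHED distinction described above: an entry flagged [UNREPLIED] has only been seen in one direction, so it is still NEW.

```python
from collections import Counter

# Constructed sample, not captured from a real host. Lines 1-2 use the older
# ip_conntrack layout, lines 3-4 the newer nf_conntrack layout ("ipv4 2" prefix).
SAMPLE = """\
tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=203.0.113.5 sport=51234 dport=443 src=203.0.113.5 dst=192.168.1.10 sport=443 dport=51234 [ASSURED] mark=0 use=1
udp      17 12 src=192.168.1.10 dst=192.168.1.1 sport=32770 dport=53 [UNREPLIED] src=192.168.1.1 dst=192.168.1.10 sport=53 dport=32770 use=1
ipv4     2 tcp      6 117 TIME_WAIT src=192.168.1.10 dst=203.0.113.9 sport=40000 dport=80 src=203.0.113.9 dst=192.168.1.10 sport=80 dport=40000 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 20 SYN_SENT src=198.51.100.7 dst=192.168.1.10 sport=55555 dport=22 [UNREPLIED] src=192.168.1.10 dst=198.51.100.7 sport=22 dport=55555 mark=0 zone=0 use=1
"""

TUPLE_KEYS = {"src", "dst", "sport", "dport", "packets", "bytes"}

def parse_entry(line):
    """Parse one conntrack line into a dict; returns None for a blank line."""
    tokens = line.split()
    if not tokens:
        return None
    if tokens[0] in ("ipv4", "ipv6"):   # nf_conntrack layout: skip L3 proto fields
        tokens = tokens[2:]
    entry = {"proto": tokens[0], "timeout": int(tokens[2]), "tcp_state": None,
             "flags": [], "orig": {}, "reply": {}, "meta": {}}
    rest = tokens[3:]
    if entry["proto"] == "tcp":          # only TCP carries a protocol-level state
        entry["tcp_state"] = rest.pop(0)
    side = entry["orig"]
    for tok in rest:
        if tok.startswith("["):          # [UNREPLIED] / [ASSURED]
            entry["flags"].append(tok.strip("[]"))
            continue
        key, _, value = tok.partition("=")
        if key not in TUPLE_KEYS:        # mark=, zone=, use= ...
            entry["meta"][key] = value
            continue
        if key == "src" and "src" in side:   # second src= starts the reply tuple
            side = entry["reply"]
        side[key] = value
    return entry

def conntrack_state(entry):
    """Map an entry onto the states the iptables state match uses: UNREPLIED
    means only the original direction was seen (NEW); after a reply, ESTABLISHED."""
    return "NEW" if "UNREPLIED" in entry["flags"] else "ESTABLISHED"

def summarize(text):
    """Count tracked connections per (protocol, state)."""
    counts = Counter()
    for line in text.splitlines():
        entry = parse_entry(line)
        if entry:
            counts[(entry["proto"], conntrack_state(entry))] += 1
    return counts

if __name__ == "__main__":
    for (proto, state), n in sorted(summarize(SAMPLE).items()):
        print(f"{proto:4} {state:12} {n}")
```

To run it against a live table, read /proc/net/ip_conntrack (or /proc/net/nf_conntrack on newer kernels) and pass the contents to summarize().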