26 March 2009, 13:49. Category: Computer Related
4. The state machine

This chapter describes the state machine in detail. After reading it you should have a comprehensive understanding of how the state machine works. A number of examples are used to illustrate it, because practice is what brings real knowledge.
4.1. Overview

The state machine is a special part of iptables. Strictly speaking it should not be called a state machine at all, since it is really a connection tracking mechanism, but many people know it by that name. In this text the terms state machine and connection tracking are used more or less interchangeably to mean the same thing, which should not cause any confusion. Connection tracking lets Netfilter know the state of a specific connection. A firewall that runs connection tracking is called a stateful firewall. A stateful firewall is more secure than a stateless one because it lets us write much stricter rules.

In iptables a tracked packet can be in one of four different states relative to its connection: NEW, ESTABLISHED, RELATED and INVALID. Each of these states is discussed in depth later. Using the --state match we can easily control the
All connection tracking is handled in the kernel by a Netfilter-specific framework called conntrack (translator's note: short for connection tracking). conntrack can be loaded as a module or compiled into the kernel. Most of the time we want more detailed connection tracking than the default conntrack provides, and for that reason conntrack has components that handle the TCP, UDP and ICMP protocols. These modules extract only the information from the packets that they need to keep track of each stream, and this information also tells conntrack the current state of the stream. A UDP stream, for example, is uniquely identified by its destination address, source address, destination port and source port.
In earlier kernels, packet defragmentation (reassembly) could be turned on or off. Since iptables and Netfilter, and connection tracking in particular, were introduced into the kernel this option has been removed, because connection tracking cannot work without reassembled packets. Defragmentation is now integrated into conntrack and is started automatically along with it. Do not turn defragmentation off unless you also want to turn off connection tracking.
Apart from locally generated packets, which are handled in the OUTPUT chain, all connection tracking takes place in the PREROUTING chain; in other words, iptables computes all new states in the PREROUTING chain. If we send the initial packet of a stream, the state is set to NEW in the OUTPUT chain, and when we receive the reply packet the state is set to ESTABLISHED in the PREROUTING chain. If the first packet is not locally generated, it is set to NEW in the PREROUTING chain. In short, all state changes and calculations are done in the PREROUTING and OUTPUT chains of the nat table.
4.2. The conntrack records

Let us first look at how to read the conntrack records in /proc/net/ip_conntrack. These records hold the connections currently being tracked. If the ip_conntrack module is loaded, cat /proc/net/ip_conntrack shows something like:
tcp 6 117 SYN_SENT src=192.168.1.6 dst=192.168.1.9 sport=32775
dport=22 [UNREPLIED] src=192.168.1.9 dst=192.168.1.6 sport=22
dport=32775 use=2
The conntrack module maintains all the information in this example and uses it to know which state a particular connection is in. First comes the protocol, here tcp, followed by its decimal protocol number, 6 (translator's note: 6 is the protocol number of TCP). The 117 that follows is the remaining lifetime of this conntrack record; it is decremented regularly until more traffic is seen on the connection, at which point it is reset to the default value for the state the connection is in at that time. Next comes the connection's state at this point in time. In the example the state is SYN_SENT; this is the value iptables shows to help us understand, and it differs slightly from the value used internally. SYN_SENT tells us that we are looking at a connection in which only a single TCP SYN packet has been sent, in one direction. Then come the source address, destination address, source port and destination port. The special word [UNREPLIED] means that the connection has not yet seen any reply. Finally comes the information about the reply packet we expect to receive: its addresses and ports are the reverse of those before.

The information a connection tracking record contains varies with the IP protocol; all the corresponding values are defined in the linux/include/netfilter-ipv4/ip_conntrack*.h header files. The default values for IP, TCP, UDP and ICMP are defined in linux/include/netfilter-ipv4/ip_conntrack.h. You can look up the exact values for each protocol, but they are of little use here because they are mostly for conntrack's internal use. As the state changes, the lifetime value changes as well.
Note
A recent patch in patch-o-matic exposes the timeouts mentioned above as system variables, so that their values can be changed while the system is running. With it we no longer have to recompile the kernel to change these values.

These can be changed through the special files under /proc/sys/net/ipv4/netfilter; take a closer look at the /proc/sys/net/ipv4/netfilter/ip_ct_* variables there.

When a connection has seen traffic in both directions, the [UNREPLIED] flag is removed from the conntrack record and the record is reset. At the end of the record, [ASSURED] then appears, marking a connection that has seen traffic in both directions. An [ASSURED] record is not removed when the connection tracking table fills up, whereas records that are not [ASSURED] are. The number of records the connection tracking table can hold is a variable that can be set through the kernel's ip-sysctl functions. The default depends on the amount of memory you have: 128 MB gives 8192 entries and 256 MB gives 16376. You can view and set it in /proc/sys/net/ipv4/ip_conntrack_max.
4.3. Packet states in user space

As said earlier, the states a packet can be in vary with the IP protocol, but outside the kernel, in user space, there are only four: NEW, ESTABLISHED, RELATED and INVALID. They are used mainly with the state match. The following table briefly describes each of them:
Table 4-1. Packet states in user space

State        Explanation

NEW          The NEW state says that this is the first packet we have seen: the first packet the conntrack module sees for a connection, and it will be matched. For example, a SYN packet that is the first packet of a connection we see will match. The first packet need not be a SYN packet, however; it is still considered NEW. This sometimes leads to problems, but in some cases it is a great help, for example when we want to recover connections lost from another firewall, or when a connection has timed out but has not actually been closed.

ESTABLISHED  The ESTABLISHED state has seen traffic in both directions and will keep matching the packets of that connection. ESTABLISHED connections are easy to understand: a connection is ESTABLISHED as soon as it has sent a packet and received a reply. For a connection to go from NEW to ESTABLISHED it only needs to receive a reply packet, whether that packet is addressed to the firewall itself or is forwarded by it. ICMP error and redirect packets are also considered ESTABLISHED, as long as they are replies to packets we sent.

RELATED      The RELATED state is the troublesome one. A connection is considered RELATED when it is related to another connection that is already ESTABLISHED. In other words, for a connection to be RELATED we must first have an ESTABLISHED connection, which then spawns a connection outside of the main one; that new connection is RELATED, provided the conntrack module is able to understand the relation. FTP is a good example: the FTP-data connection is RELATED to the FTP-control connection. Another example is DCC connections through IRC. This state lets ICMP replies, FTP transfers, DCC and so on work through the firewall. Note that many protocols, UDP-based ones among them, rely on this mechanism. These protocols are complex: they carry connection information inside the packet payload and require that information to be understood correctly.

INVALID      An INVALID packet cannot be identified as belonging to any connection, or has no state. This can happen for several reasons, for instance running out of memory, or receiving an ICMP error message that does not match any known connection. In general we DROP everything in this state.
These states can be used together to match packets, which makes our firewall very strong and effective. Previously we often had to open all ports above 1024 to let reply traffic back in. With the state machine that is no longer necessary: we can open only the ports needed for reply traffic and keep all the others closed, which is much safer.
4.4. TCP connections

In this section and the ones that follow we look at these states in detail and at how they operate for each of the three basic protocols, TCP, UDP and ICMP. Other protocols are discussed as well. We start with TCP because it is a stateful protocol in itself and has many interesting details regarding the state machine in iptables.
A TCP connection is set up through a three-way handshake in which the connection parameters are negotiated. The session begins with a SYN packet, followed by a SYN/ACK packet and finally an ACK packet; at that point the session is established and data can be sent. The biggest question is how connection tracking handles this process. It is actually quite simple.
By default, connection tracking performs basically the same operations for all types of connection. Look at the figure below to see which state a stream is in at the different stages of the connection. As you can see, the connection tracking code does not look at TCP connection establishment from the user's point of view. Connection tracking considers the connection NEW when it sees the SYN packet, and considers it ESTABLISHED as soon as it sees the SYN/ACK packet come back. If you think about the second step for a moment you should understand why. With this special treatment, NEW and ESTABLISHED packets can be sent out of the local network, and only ESTABLISHED connections can receive replies. If all packets exchanged during connection establishment were considered NEW, the three-way handshake would use NEW packets throughout, and we could not block connections from the outside to the local network: connections from outside would also use NEW packets, and for other connections to work normally we must not allow NEW packets to come back in through the firewall. More complex is the fact that the kernel uses many internal states for TCP connections, defined in RFC 793 - Transmission Control Protocol, pages 21-23. Fortunately we do not use them in user space. They are described in detail later on.
As you can see, from the user's point of view this is very simple. From the kernel's point of view it is a little more difficult. Let us look at an example and consider carefully how the connection state changes in /proc/net/ip_conntrack.
tcp 6 117 SYN_SENT src=192.168.1.5 dst=192.168.1.35 sport=1031
dport=23 [UNREPLIED] src=192.168.1.35 dst=192.168.1.5 sport=23
dport=1031 use=1
The record above shows that the state is SYN_SENT, meaning that a SYN packet has been sent on this connection but no reply has come back yet, as the [UNREPLIED] flag also shows.
tcp 6 57 SYN_RECV src=192.168.1.5 dst=192.168.1.35 sport=1031
dport=23 src=192.168.1.35 dst=192.168.1.5 sport=23 dport=1031
use=1
Now we have received the corresponding SYN/ACK packet and the state has become SYN_RECV, which means the initial SYN was delivered correctly and the SYN/ACK packet has reached the firewall. This means that there has been traffic in both directions of the connection, so both directions have had a corresponding reply. This is, of course, an assumption.
tcp 6 431999 ESTABLISHED src=192.168.1.5 dst=192.168.1.35
sport=1031 dport=23 src=192.168.1.35 dst=192.168.1.5
sport=23 dport=1031 use=1
Now we have sent the last packet of the three-way handshake, the ACK, and the connection enters the ESTABLISHED state. After a few more packets have been transmitted, the connection becomes [ASSURED].

Figure: TCP connection closing states.

As shown above, the connection (in both directions) is not closed until the final ACK packet has been sent. Note that this only covers the usual case. A connection can also be closed by sending an RST, which may be used when a connection is refused. After an RST packet a preset period of time must pass before the connection is torn down.

When a connection is closed it enters the TIME_WAIT state, with a default timeout of 2 minutes. The reason for this waiting period is to let packets that have already passed our rules get through congested routers and reach their destination.

If the connection is reset by an RST packet, the state goes directly to CLOSE, which means the connection is closed after only 10 seconds by default. RST packets are not acknowledged; they break the connection directly. There are other TCP states we have not yet talked about. The following list shows the complete set of states and their timeout values.
Table 4-2. Internal states

State Timeout value
NONE 30 minutes
ESTABLISHED 5 days
SYN_SENT 2 minutes
SYN_RECV 60 seconds
FIN_WAIT 2 minutes
TIME_WAIT 2 minutes
CLOSE 10 seconds
CLOSE_WAIT 12 hours
LAST_ACK 30 seconds
LISTEN 2 minutes
These values are not absolute and may change with kernel revisions; they can also be changed through the /proc/sys/net/ipv4/netfilter/ip_ct_tcp_* variables. The defaults are well tested. The unit is jiffies (hundredths of a second), so 3000 represents 30 seconds.
Note
Note that the user-space part of the state machine does not look at TCP flags (it is transparent to the TCP flags). If we want NEW packets to pass through the firewall we have to specify the NEW state; we understand NEW to mean SYN packets, but iptables does not look at the flags. That is the problem: packets that do not have SYN set may also be seen as NEW. Such packets may be useful with redundant firewalls, but on a network with only one firewall they are a real drawback (it could be attacked). How can we keep such packets from getting through? We can drop NEW packets that do not have SYN set. Another way is to install the tcp-window-tracking extension from patch-o-matic, which makes the firewall track state according to the TCP flags.
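The following Python model is an added example, not code from the tutorial: it plays the handshake, orderly close and reset discussed in this section and in section 4.3 through a simplified tracker. It covers only the transitions the text walks through (the kernel's own transition table is larger), uses the timeouts of Table 4-2, reports the user-space state each packet would match, and ends with the check behind dropping NEW packets that lack SYN, as the note above suggests.

```python
from dataclasses import dataclass
from typing import Iterable

# Default timeouts of Table 4-2, in seconds.
TCP_TIMEOUTS = {
    "NONE": 30 * 60, "ESTABLISHED": 5 * 24 * 3600, "SYN_SENT": 120,
    "SYN_RECV": 60, "FIN_WAIT": 120, "TIME_WAIT": 120, "CLOSE": 10,
    "CLOSE_WAIT": 12 * 3600, "LAST_ACK": 30, "LISTEN": 120,
}

# Simplified model (assumption, not the kernel's table): (internal state,
# flags seen) -> next internal state.  Only SYN/ACK/FIN matter here; RST is
# handled separately because it closes from any state.
TRANSITIONS = {
    ("NONE", frozenset({"SYN"})): "SYN_SENT",
    ("NONE", frozenset({"ACK"})): "ESTABLISHED",   # first packet is not a SYN
    ("SYN_SENT", frozenset({"SYN", "ACK"})): "SYN_RECV",
    ("SYN_RECV", frozenset({"ACK"})): "ESTABLISHED",
    ("ESTABLISHED", frozenset({"ACK"})): "ESTABLISHED",
    ("ESTABLISHED", frozenset({"FIN", "ACK"})): "FIN_WAIT",
    ("FIN_WAIT", frozenset({"ACK"})): "CLOSE_WAIT",
    ("CLOSE_WAIT", frozenset({"FIN", "ACK"})): "LAST_ACK",
    ("LAST_ACK", frozenset({"ACK"})): "TIME_WAIT",
}


@dataclass
class TrackedConn:
    tcp_state: str = "NONE"    # internal state column of /proc/net/ip_conntrack
    seen_reply: bool = False   # False while the record still shows [UNREPLIED]

    @property
    def timeout(self) -> int:
        """Default lifetime the record is reset to in its current state."""
        return TCP_TIMEOUTS[self.tcp_state]


def userspace_state(conn: TrackedConn) -> str:
    """What the --state match sees: NEW until a reply has been seen."""
    return "ESTABLISHED" if conn.seen_reply else "NEW"


def track(conn: TrackedConn, direction: str, flags: Iterable[str]) -> str:
    """Feed one packet ('orig' or 'reply' direction, TCP flag names).

    Updates the internal state and returns the user-space state iptables
    would report for this packet: NEW, ESTABLISHED or INVALID.
    """
    flags = frozenset(f for f in flags if f in {"SYN", "ACK", "FIN", "RST"})
    if "RST" in flags:
        conn.tcp_state = "CLOSE"    # reset: torn down after 10 s, never acknowledged
    else:
        nxt = TRANSITIONS.get((conn.tcp_state, flags))
        if nxt is None:
            return "INVALID"        # does not fit the state of any tracked connection
        conn.tcp_state = nxt
    if direction == "reply":
        conn.seen_reply = True      # the [UNREPLIED] flag disappears
    return userspace_state(conn)


def new_without_syn(state: str, flags: Iterable[str]) -> bool:
    """True for a NEW packet lacking SYN: the packets the note above drops
    with a rule of the form '-p tcp ! --syn -m state --state NEW -j DROP'."""
    return state == "NEW" and "SYN" not in set(flags)


if __name__ == "__main__":
    conn = TrackedConn()
    handshake = [("orig", {"SYN"}), ("reply", {"SYN", "ACK"}), ("orig", {"ACK"})]
    for direction, flags in handshake:
        seen = track(conn, direction, flags)
        print(f"{direction:5} {sorted(flags)!s:16} -> {seen:11} "
              f"internal={conn.tcp_state} timeout={conn.timeout}s")
```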
4.5. UDP connections

UDP connections are in themselves stateless: there is no connection setup or teardown, and most of the time there are no sequence numbers either, so two packets received in a certain order cannot be assumed to have been sent in that order. The kernel can still set states for UDP connections. Let us look at how a UDP connection is tracked and at the corresponding conntrack records.

As we saw before, from the user's point of view a UDP connection is set up almost exactly like a TCP connection. The conntrack information looks a bit different, but it is essentially the same. Let us first look at the conntrack record after the first UDP packet has been sent.
udp 17 20 src=192.168.1.2 dst=192.168.1.5 sport=137 dport=1025
[UNREPLIED] src=192.168.1.5 dst=192.168.1.2 sport=1025
dport=137 use=1
From the first two values we can see that this is a UDP packet: the first is the protocol name, the second the protocol number. The third is the remaining lifetime in this state; the default is 30 seconds. Then come the packet's source and destination addresses and ports, followed by the expected source and destination addresses and ports of the reply packet. The [UNREPLIED] flag shows that no reply has been received yet.
udp 17 170 src=192.168.1.2 dst=192.168.1.5 sport=137
dport=1025 src=192.168.1.5 dst=192.168.1.2 sport=1025
dport=137 use=1
Once the first reply packet has been received the [UNREPLIED] flag is removed and the connection is considered ESTABLISHED, although the record does not show an ESTABLISHED flag. Accordingly, the timeout changes to 180 seconds; here 170 seconds remain, and after another 10 seconds it will be down to 160. One thing is still missing, although it may change, and that is the [ASSURED] flag mentioned earlier. To become [ASSURED] the connection has to see some more traffic.
udp 17 175 src=192.168.1.5 dst=195.22.79.2 sport=1025
dport=53 src=195.22.79.2 dst=192.168.1.5 sport=53
dport=1025 [ASSURED] use=1
As you can see, the [ASSURED] record is not much different from the previous one, except that [UNREPLIED] has become [ASSURED]. If there is no traffic on this connection for 180 seconds it is dropped. 180 seconds is a bit short, but it is enough for most uses. Every time a packet of this connection passes through the firewall the timeout is reset to its default value; this is the same for all states.
4.6. ICMP connections

ICMP is a stateless protocol; it is used only for control, not for establishing connections. There are many types of ICMP packet, but only four have replies: echo request and reply, timestamp request and reply, information request and reply, and address mask request and reply. These packets have two states, NEW and ESTABLISHED. Timestamp requests and information requests are little used nowadays; echo requests are the common ones (the ping command uses them), and address mask requests are uncommon but occasionally useful and worth using. Look at the following figure for an overview of the NEW and ESTABLISHED states of an ICMP connection.

As shown, the host sends an echo request to the target, and the firewall considers this packet NEW. The target replies with an echo reply, which the firewall considers ESTABLISHED. When the echo request is sent, ip_conntrack holds a record like this:
icmp 1 25 src=192.168.1.6 dst=192.168.1.10 type=8 code=0
id=33029 [UNREPLIED] src=192.168.1.10 dst=192.168.1.6
type=0 code=0 id=33029 use=1
As you can see, an ICMP record differs a little from TCP and UDP records. The protocol name, timeout and source and destination addresses are the same, but there are no ports; instead there are three new fields: type, code and id. The type field shows the ICMP type and the code field the ICMP code (the appendix on ICMP types explains them). The id is the ICMP packet ID: each ICMP packet sent is given an ID, and the receiver puts the same ID in the reply packet so that the sender can recognise the reply to its request.

[UNREPLIED] means the same as before: traffic has been seen in only one direction, that is, no reply has been received. Then come the source and destination addresses of the expected reply packet together with the same three new fields; note that the type and code change to those of the reply packet, while the id is the same as in the request.

As before, the reply packet is considered ESTABLISHED. After the reply, however, no more data is transmitted on this ICMP connection, so once the reply packet has passed the firewall the ICMP connection tracking record is destroyed.

In the cases above the request is considered NEW and the reply ESTABLISHED. In other words, when the firewall sees a request packet it considers the connection NEW, and when it sees the reply the connection is ESTABLISHED.
Note
Note that the reply packet must match the criteria of the request for the connection to be considered established; this holds for each of the transfer types.

The default ICMP timeout is 30 seconds and can be changed in /proc/sys/net/ipv4/netfilter/ip_ct_icmp_timeout. This value is appropriate for most situations.
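The parser below is an added example, not code from the tutorial. It reads the record format shown in sections 4.2, 4.4, 4.5 and 4.6 (TCP with its state column, UDP, and ICMP with type/code/id), splits each record into its original and reply tuples and flags, derives the user-space state of the next original-direction packet, and counts [UNREPLIED] against [ASSURED] entries, which is what decides what gets evicted when the table approaches ip_conntrack_max (section 4.2). The sample table is constructed from the records shown on this page.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Union

# Constructed sample in the shape /proc/net/ip_conntrack prints (one record
# per line), assembled from the records shown in this chapter.
SAMPLE_TABLE = """\
tcp 6 117 SYN_SENT src=192.168.1.6 dst=192.168.1.9 sport=32775 dport=22 [UNREPLIED] src=192.168.1.9 dst=192.168.1.6 sport=22 dport=32775 use=2
udp 17 175 src=192.168.1.5 dst=195.22.79.2 sport=1025 dport=53 src=195.22.79.2 dst=192.168.1.5 sport=53 dport=1025 [ASSURED] use=1
icmp 1 25 src=192.168.1.6 dst=192.168.1.10 type=8 code=0 id=33029 [UNREPLIED] src=192.168.1.10 dst=192.168.1.6 type=0 code=0 id=33029 use=1
"""

FlowTuple = Dict[str, Union[str, int]]


@dataclass
class ConntrackEntry:
    proto: str                 # protocol name: tcp, udp, icmp, ...
    proto_num: int             # IP protocol number (6, 17, 1)
    timeout: int               # seconds left before the record expires
    tcp_state: Optional[str]   # internal state column, TCP records only
    original: FlowTuple        # src/dst plus ports, or type/code/id for ICMP
    reply: FlowTuple           # the tuple the expected reply must carry
    unreplied: bool            # [UNREPLIED]: traffic seen in one direction only
    assured: bool              # [ASSURED]: survives a full tracking table
    use: int                   # reference count


def _value(text: str) -> Union[str, int]:
    """Ports, ICMP type/code/id become ints; addresses stay strings."""
    return int(text) if text.isdigit() else text


def parse_entry(line: str) -> ConntrackEntry:
    """Parse one ip_conntrack record into its fields."""
    tokens = line.split()
    proto, proto_num, timeout = tokens[0], int(tokens[1]), int(tokens[2])
    rest = tokens[3:]
    tcp_state = None
    # A bare word before the first key=value pair is the TCP state column.
    if rest and "=" not in rest[0] and not rest[0].startswith("["):
        tcp_state = rest.pop(0)
    original: FlowTuple = {}
    reply: FlowTuple = {}
    flags = set()
    use = 0
    current = original
    for tok in rest:
        if tok.startswith("["):            # [UNREPLIED] / [ASSURED]
            flags.add(tok.strip("[]"))
            continue
        key, value = tok.split("=", 1)
        if key == "use":
            use = int(value)
            continue
        if key == "src" and "src" in current:
            current = reply                # the second src= starts the reply tuple
        current[key] = _value(value)
    return ConntrackEntry(proto, proto_num, timeout, tcp_state, original,
                          reply, "UNREPLIED" in flags, "ASSURED" in flags, use)


def parse_table(text: str) -> List[ConntrackEntry]:
    return [parse_entry(line) for line in text.splitlines() if line.strip()]


def userspace_state(entry: ConntrackEntry) -> str:
    """State the --state match gives the next packet in the original direction."""
    return "NEW" if entry.unreplied else "ESTABLISHED"


def flag_counts(entries: List[ConntrackEntry]) -> Dict[str, int]:
    """Records a full table evicts first (not ASSURED) versus those it keeps.
    A large UNREPLIED share means many connections that never get answered."""
    return {
        "unreplied": sum(e.unreplied for e in entries),
        "assured": sum(e.assured for e in entries),
        "total": len(entries),
    }


if __name__ == "__main__":
    table = parse_table(SAMPLE_TABLE)
    for e in table:
        print(e.proto, e.tcp_state or "-", userspace_state(e), e.original, "->", e.reply)
    print(flag_counts(table))
```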
Another very important role of ICMP is to tell a UDP or TCP connection, or a connection being set up, what has happened to it; in that case the ICMP reply is considered RELATED. Host unreachable and network unreachable are examples of this. When we try to connect to a machine and do not succeed (perhaps because the machine is down), the last router the packet reaches returns one of these ICMP messages, which are RELATED, as the following figure shows:

We send a SYN packet to a certain address and the firewall considers it NEW. The target network cannot be reached, however, so a router returns a network unreachable message, which is RELATED. Connection tracking recognises which connection the error message belongs to; the connection is torn down and the corresponding record is deleted.

When a UDP connection runs into problems the appropriate ICMP message is returned in the same way, and of course its state is RELATED, as shown below:

We send a UDP packet, which is of course NEW. The target network is prohibited by some firewall or router, however, and our firewall receives a network prohibited message. The firewall knows which open UDP connection it is related to and passes the message (with state RELATED) on to the sender, while deleting the corresponding record. The client receives the network prohibited message and the connection is torn down.
4.7. Default connection handling

Sometimes the conntrack mechanism does not know how to handle a particular protocol, especially when it does not know the protocol or how it works, for example NETBLT, MUX and EGP. In such cases conntrack uses its default handling, which works like the handling of a UDP connection: the first packet is considered NEW, and the reply packet and everything after it ESTABLISHED.

Packets handled this way all use the same default timeout, 600 seconds, that is, 10 minutes. This can be changed in /proc/sys/net/ipv4/netfilter/ip_ct_generic_timeout to suit your traffic, especially where traffic is slow and voluminous, for instance over satellite links.
4.8. Complex protocols and connection tracking

Some protocols are more complex than others, which means that the connection tracking mechanism has difficulty tracking them correctly; ICQ, IRC and FTP are examples. They carry information in the data part of the packet that is used to set up additional connections. Special helpers are therefore needed to do the work.

Take FTP as an example. The FTP protocol first opens a single connection, the FTP control session. Commands are issued over this connection, and the other side opens ports to transfer the data associated with a command. These connections can be set up in two ways: active mode and passive mode. In active mode the FTP client sends a port and IP address to the server and then opens that port; the server connects from its own port 20 (the FTP-data port) to that port, and the data is sent over this connection.

The problem is that the firewall does not know about these extra connections (relative to the control session), because the information used to negotiate them is carried in the data part of the packet rather than in the protocol headers, which the firewall can analyse. The firewall therefore does not know whether it should let these connections from the server to the client through.

The solution is to add a special helper to the connection tracking module so that this information can be detected. Connections from the FTP server to the client can then be tracked, and their state is RELATED; the process is shown below:

In passive FTP the data connection is set up the other way round from active FTP. The client tells the server that it wants some data, the server replies with an address and port, and the client opens the connection to that address and port to receive the data. If the FTP server is behind a firewall, or if you restrict your users strictly, allowing them only HTTP and FTP and closing all other ports, you also need the helper described above to let clients reach FTP servers on the Internet. The following shows how the data connection is set up in passive mode:

Some conntrack helpers are already included in the kernel; at the time of writing there are conntrack helpers for FTP and IRC. If the kernel does not have the helper you need, look in the patch-o-matic directory of the iptables user-space package, which contains many helpers, such as the ones for ntalk and H.323. If it is not there either, there are several options: check the iptables CVS, or ask on the netfilter-devel list whether one exists. If that does not help and you have to write one yourself, a good article is Rusty Russell's Unreliable Netfilter Hacking HOW-TO, linked in the appendix on other resources and links.
Conntrack helpers can be compiled statically into the kernel or built as modules; in the latter case they are loaded with a command of the form:

modprobe ip_conntrack_*

Note that connection tracking does not deal with NAT, so if you do NAT on a connection you also need the corresponding NAT module. For example, to NAT and track FTP connections you need the NAT module as well as the FTP conntrack module. All NAT helper names begin with ip_nat_; this is a naming convention: the FTP NAT helper is called ip_nat_ftp and the IRC one ip_nat_irc. The conntrack helpers follow the same convention: the IRC conntrack helper is called ip_conntrack_irc and the FTP one ip_conntrack_ftp.