Free tools for Linux system administrators to interact with Connection Tracking System are available through a set of userspace software programs.
Conntrack-tools is a set of free software userspace tools for Linux that offers users the ability to interact with the Connection Tracking System, which is the module that provides stateful packet inspection for iptables. The tools available in conntrack-tools include the userspace daemon conntrackd and the command line interface conntrack.
One of the main benefits of using conntrackd is its ability to enable high availability cluster-based stateful firewalls, while also collecting statistics on the use of stateful firewalls. The command line interface conntrack offers a more flexible interface to the connection tracking system than /proc/net/ip_conntrack, providing users with the ability to add, delete, and update flow entries, list current active flows in plain text/XML, current IPv4 NAT'ed flows, reset counters atomically, flush the connection tracking table, and monitor connection tracking events, among others.
For those looking for an alternative to OpenBSD's pfsync, conntrackd provides an equivalent solution that allows for the synchronization of states among several replica firewalls, making it possible to deploy failover setups with stateful Linux firewalls. Additionally, conntrackd can be used to collect statistics on the use of stateful firewalls.
Using the command line tool conntrack instead of /proc/net/ip_conntrack offers several advantages, including the ability to update network flows without adding a new iptables rule, the ability to dump the connection tracking table in XML format, and the ability to monitor connection events. Furthermore, relying solely on the /proc interface to dump the connection tracking table can harm performance under very busy firewalls.
Finally, conntrack can be used to cut established TCP connections without adding an iptables rule. However, a sane stateful ruleset that blocks packets that do not match any existing entry in the Connection Tracking Table is required. Once the entry that talks about the victim TCP connection is removed, the client will experience a connection hang. Additionally, conntrack is not dependent on the layer 4 protocol, making it possible to use it for killing whatever layer 4 network flow (UDP, SCTP, ...).
One of the main benefits of using conntrackd is its ability to enable high availability cluster-based stateful firewalls, while also collecting statistics on the use of stateful firewalls. The command line interface conntrack offers a more flexible interface to the connection tracking system than /proc/net/ip_conntrack, providing users with the ability to add, delete, and update flow entries, list current active flows in plain text/XML, current IPv4 NAT'ed flows, reset counters atomically, flush the connection tracking table, and monitor connection tracking events, among others.
For those looking for an alternative to OpenBSD's pfsync, conntrackd provides an equivalent solution that allows for the synchronization of states among several replica firewalls, making it possible to deploy failover setups with stateful Linux firewalls. Additionally, conntrackd can be used to collect statistics on the use of stateful firewalls.
Using the command line tool conntrack instead of /proc/net/ip_conntrack offers several advantages, including the ability to update network flows without adding a new iptables rule, the ability to dump the connection tracking table in XML format, and the ability to monitor connection events. Furthermore, relying solely on the /proc interface to dump the connection tracking table can harm performance under very busy firewalls.
Finally, conntrack can be used to cut established TCP connections without adding an iptables rule. However, a sane stateful ruleset that blocks packets that do not match any existing entry in the Connection Tracking Table is required. Once the entry that talks about the victim TCP connection is removed, the client will experience a connection hang. Additionally, conntrack is not dependent on the layer 4 protocol, making it possible to use it for killing whatever layer 4 network flow (UDP, SCTP, ...).
What's New
Version 0.9.11: N/A