To setup NOTRACK and TRACK of conntrack in iptables

Add Date : 2017-04-13

iptables itself has no TRACK target, so there is no way to hand the conntrack module a whitelist of packets it should process. For example, what I want is: packets whose source IP is in 192.168.10.0/16 must be tracked, and nothing else is tracked.

Of course, my requirement can be met with the following configuration:

iptables -t raw -A PREROUTING ! -s 192.168.10.0/16 -j NOTRACK

... The reverse direction is handled the same way, changing -s to -d.

What if the requirement is a little more complicated? For example, a restriction on protocol and port in addition to the source IP.

Anyone familiar with access control list design knows that an ACL "and" can be expressed within a single rule, while an "or" is achieved with multiple rules, so the moderately complex requirement above is entirely doable; and even setting the "single rule for AND / multiple rules for OR" principle aside, ipset can be used to extend this to configuration rules of any complexity, to meet a requirement of any complexity.

But is there an easier way? Of course there is: implement a target that is the opposite of NOTRACK, namely a TRACK target. Its implementation simply clears the untracked conn already attached to the skb. Then, when I need to add a track whitelist, I can do this:

iptables -t raw -A PREROUTING -j NOTRACK

iptables -t raw -A PREROUTING $mt1 $mt2 ... -j TRACK    # multiple matches within a single rule: AND operation

...                                                       # multiple rules: OR operation

iptables -t raw -A PREROUTING $mt'1 $mt'2 ... -j TRACK

OK, it is that simple.

However, iptables has no built-in OR operation, which is fully consistent with the ACL concept: if you want an OR, you configure multiple rules, and in fact most authentication systems work on this idea. Looking at the logic of C you find the same idea: for an AND operation the statements are independent of their order, because in the end every statement must be evaluated; for an OR operation the computational efficiency depends on the order, since evaluation can stop as soon as a "true" value is reached (of course, the internal details depend on the implementation). Therefore the AND operation, being closed, can be packed into one statement, whereas OR is not closed: you do not know where the evaluation will end.
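The same whitelist written for stock iptables, which has no TRACK target, as an added example that is not code from the original post. Instead of NOTRACKing everything and then TRACKing the whitelist back, whitelisted flows are sent to a user-defined raw-table chain where a terminating ACCEPT ends raw-table traversal before the final NOTRACK rule is reached. Each ACCEPT rule is one AND of its matches and each additional rule is another OR branch, which is the "single rule for AND / multiple rules for OR" principle from the text above. The chain name TRACK_WHITELIST, the DRY_RUN variable, the ipt wrapper and the tcp/22 port rule are constructed placeholders of mine; the 192.168.10.0/16 subnet is the one from the post. Limiting tracking to the flows you actually need keeps the conntrack table small, which matters on hosts where table exhaustion would otherwise drop traffic.

```shell
#!/bin/sh
# Added example: conntrack whitelist in the raw table with stock iptables.
# Whitelisted flows hit ACCEPT, which ends raw-table traversal before the
# trailing NOTRACK rule; everything else is marked untracked.
# DRY_RUN=1 prints the rules instead of loading them (assumed helper variable).

IPT="${IPT:-iptables}"          # assumption: iptables binary in PATH
CHAIN="TRACK_WHITELIST"         # constructed chain name

# Wrapper: print the rule in dry-run mode, otherwise execute it.
ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s %s\n' "$IPT" "$*"
    else
        "$IPT" "$@"
    fi
}

# One ACCEPT rule = AND of its matches; each further rule = another OR branch.
track_whitelist_setup() {
    ipt -t raw -N "$CHAIN"
    ipt -t raw -A PREROUTING -j "$CHAIN"
    ipt -t raw -A OUTPUT -j "$CHAIN"   # locally generated packets pass raw OUTPUT, not PREROUTING

    # Branch 1: the source subnet from the post, plus its reply direction (-s -> -d)
    ipt -t raw -A "$CHAIN" -s 192.168.10.0/16 -j ACCEPT
    ipt -t raw -A "$CHAIN" -d 192.168.10.0/16 -j ACCEPT

    # Branch 2: protocol AND port in one rule (constructed example values),
    # again with its reply direction
    ipt -t raw -A "$CHAIN" -p tcp --dport 22 -j ACCEPT
    ipt -t raw -A "$CHAIN" -p tcp --sport 22 -j ACCEPT

    # Anything that fell through the whitelist chain: do not track
    ipt -t raw -A PREROUTING -j NOTRACK
    ipt -t raw -A OUTPUT -j NOTRACK
}

# Run as "sh track_whitelist.sh apply" (root) to load; add DRY_RUN=1 to preview.
if [ "${1:-}" = "apply" ]; then
    track_whitelist_setup
fi
```

The ordering is what makes this work: the jump to the whitelist chain is appended to PREROUTING before the NOTRACK rule, so a packet that matches any whitelist branch is accepted out of the raw table and reaches conntrack normally, while a packet matching none returns from the chain and hits NOTRACK. The raw OUTPUT hook is covered as well, because locally generated packets never traverse PREROUTING.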
     
         
       
         
  CopyRight 2002-2016 newfreesoft.com, All Rights Reserved.