Create an account


Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Fedora - Network address translation part 3 – the conntrack event framework

#1
Network address translation part 3 – the conntrack event framework

This is the third post in a series about network address translation (NAT). The first article introduced how to use the iptables/nftables packet tracing feature to find the source of NAT-related connectivity problems. Part 2 introduced the “conntrack” command. This part gives an introduction to the “conntrack” event framework.

Introduction


NAT configured via iptables or nftables builds on top of netfilter’s connection tracking framework. conntrack’s event facility allows real-time monitoring of incoming and outgoing flows. This event framework is useful for debugging or logging flow information, for instance with ulog and its IPFIX output plugin.

Conntrack events


Run the following command to see a real-time conntrack event log:

# conntrack -E
NEW tcp 120 SYN_SENT src=10.1.0.114 dst=10.7.43.52 sport=4123 dport=22 [UNREPLIED] src=10.7.43.52 dst=10.1.0.114 sport=22 dport=4123
UPDATE tcp 60 SYN_RECV src=10.1.0.114 dst=10.7.43.52 sport=4123 dport=22 src=10.7.43.52 dst=10.1.0.114 sport=22 dport=4123
UPDATE tcp 432000 ESTABLISHED src=10.1.0.114 dst=10.7.43.52 sport=4123 dport=22 src=10.7.43.52 dst=10.1.0.114 sport=22 dport=4123 [ASSURED]
UPDATE tcp 120 FIN_WAIT src=10.1.0.114 dst=10.7.43.52 sport=4123 dport=22 src=10.7.43.52 dst=10.1.0.114 sport=22 dport=4123 [ASSURED]
UPDATE tcp 30 LAST_ACK src=10.1.0.114 dst=10.7.43.52 sport=4123 dport=22 src=10.7.43.52 dst=10.1.0.114 sport=22 dport=4123 [ASSURED]
UPDATE tcp 120 TIME_WAIT src=10.1.0.114 dst=10.7.43.52 sport=4123 dport=22 src=10.7.43.52 dst=10.1.0.114 sport=22 dport=4123 [ASSURED]

This prints a continuous stream of events:

  • new connections
  • removal of connections
  • changes in a connections state.

Hit ctrl+c to quit.

The conntrack tool offers a number of options to limit the output. For example its possible to only show DESTROY events. The NEW event is generated after the iptables/nftables rule set accepts the corresponding packet.

Conntrack expectations


Some legacy protocols require multiple connections to work, such as FTP, SIP or H.323. To make these work in NAT environments, conntrack uses “connection tracking helpers”: kernel modules that can parse the specific higher-level protocol such as ftp.

The nf_conntrack_ftp module parses the ftp command connection and extracts the TCP port number that will be used for the file transfer. The helper module then inserts a “expectation” that consists of the extracted port number and address of the ftp client. When a new data connection arrives, conntrack searches the expectation table for a match. An incoming connection that matches such an entry is flagged RELATED rather than NEW. This allows you to craft iptables and nftables rulesets that reject incoming connection requests unless they were requested by an existing connection. If the original connection is subject to NAT, the related data connection will inherit this as well. This means that helpers can expose ports on internal hosts that are otherwise unreachable from the wider internet. The next section will explain this expectation mechanism in more detail.

The expectation table


Use conntrack -L expect to list all active expectations. In most cases this table appears to be empty, even if a helper module is active. This is because expectation table entries are short-lived. Use conntrack -E expect to monitor the system for changes in the expectation table instead.

Use this to determine if a helper is working as intended or to log conntrack actions taken by the helper. Here is an example output of a file download via ftp:

 
# conntrack -E expect
NEW 300 proto=6 src=10.2.1.1 dst=10.8.4.12 sport=0 dport=46767 mask-src=255.255.255.255 mask-dst=255.255.255.255 sport=0 dport=65535 master-src=10.2.1.1 master-dst=10.8.4.12 sport=34526 dport=21 class=0 helper=ftp
DESTROY 299 proto=6 src=10.2.1.1 dst=10.8.4.12 sport=0 dport=46767 mask-src=255.255.255.255 mask-dst=255.255.255.255 sport=0 dport=65535 master-src=10.2.1.1 master-dst=10.8.4.12 sport=34526 dport=21 class=0 helper=ftp

The expectation entry describes the criteria that an incoming connection request must meet in order to recognized as a RELATED connection. In this example, the connection may come from any port, must go to port 46767 (the port the ftp server expects to receive the DATA connection request on). Futhermore the source and destination addresses must match the address of the ftp client and server.

Events also include the connection that created the expectation and the name of the protocol helper (ftp). The helper has full control over the expectation: it can request full matching (IP addresses of the incoming connection must match), it can restrict to a subnet or even allow the request to come from any address. Check the “mask-dst” and “mask-src” parameters to see what parts of the addresses need to match.

Caveats


You can configure some helpers to allow wildcard expectations. Such wildcard expectations result in requests coming from an unrelated 3rd party host to get flagged as RELATED. This can open internal servers to the wider internet (“NAT slipstreaming”).

This is the reason helper modules require explicit configuration from the nftables/iptables ruleset. See this article for more information about helpers and how to configure them. It includes a table that describes the various helpers and the types of expectations (such as wildcard forwarding) they can create. The nftables wiki has a nft ftp example.

A nftables rule like ‘ct state related ct helper “ftp”‘ matches connections that were detected as a result of an expectation created by the ftp helper.

In iptables, use “-m conntrack –ctstate RELATED -m helper –helper ftp“. Always restrict helpers to only allow communication to and from the expected server addresses. This prevents accidental exposure of other, unrelated hosts.

Summary


This article introduced the conntrack event facilty and gave examples on how to inspect the expectation table. The next part of the series will describe low-level debug knobs of conntrack.



https://www.sickgaming.net/blog/2021/03/...framework/
Reply



Possibly Related Threads…
Thread Author Replies Views Last Post
  Fedora - Using network bound disk encryption with Stratis xSicKxBot 0 14 04-07-2021, 02:52 PM
Last Post: xSicKxBot
  Fedora - Contribute at Fedora Linux 34 Upgrade, Audio, and Virtualization test days xSicKxBot 0 12 04-06-2021, 10:27 AM
Last Post: xSicKxBot
  Fedora - Fedora Council statement on Richard Stallman rejoining FSF Board xSicKxBot 0 13 04-03-2021, 11:11 AM
Last Post: xSicKxBot
  Fedora - Announcing the release of Fedora Linux 34 Beta xSicKxBot 0 26 03-24-2021, 02:28 PM
Last Post: xSicKxBot
  Fedora - Fedora Workstation 34 Feature Focus: Updated Activities Overview xSicKxBot 0 31 03-17-2021, 03:08 PM
Last Post: xSicKxBot
  Fedora - How to use Poetry to manage your Python projects on Fedora xSicKxBot 0 30 03-09-2021, 10:57 AM
Last Post: xSicKxBot
  Fedora - Getting started with COBOL development on Fedora Linux 33 xSicKxBot 0 38 02-28-2021, 01:55 PM
Last Post: xSicKxBot
  Fedora - Contribute at the Fedora Audio, Kernel 5.11 and i18n test days xSicKxBot 0 49 02-26-2021, 01:09 PM
Last Post: xSicKxBot
  Fedora - Installing Nextcloud 20 on Fedora Linux with Podman xSicKxBot 0 73 02-16-2021, 07:51 AM
Last Post: xSicKxBot
  Fedora - Network address translation part 2 – the conntrack tool xSicKxBot 0 62 02-13-2021, 12:41 PM
Last Post: xSicKxBot

Forum Jump:

[-]
Active Threads
(Indie Deal) FREE Stranded In Time | XCO...
Last Post: xSicKxBot
Today 07:54 AM
» Replies: 0
» Views: 0
Microsoft - 5 reasons to attend Azure St...
Last Post: xSicKxBot
Today 07:54 AM
» Replies: 0
» Views: 1
News - Deals: Ring Fit Adventure Is Down...
Last Post: xSicKxBot
Today 07:54 AM
» Replies: 0
» Views: 1
News - Cuphead Will Have An Awesome Deca...
Last Post: xSicKxBot
Today 07:54 AM
» Replies: 0
» Views: 2
News - Nintendo Actually Responded To A ...
Last Post: xSicKxBot
Today 01:50 AM
» Replies: 0
» Views: 6
News - Rumour: Dragon Ball Z: Kakarot Co...
Last Post: xSicKxBot
Today 01:50 AM
» Replies: 0
» Views: 6
Xbox Wire - Next Week on Xbox: April 6 t...
Last Post: xSicKxBot
Yesterday 11:48 PM
» Replies: 0
» Views: 7
News - Ubisoft hires ex-Uber HR director...
Last Post: xSicKxBot
Yesterday 11:48 PM
» Replies: 0
» Views: 13
News - Blog: An essential guide to live ...
Last Post: xSicKxBot
Yesterday 11:48 PM
» Replies: 0
» Views: 14
[Tut] Python Dash Book
Last Post: xSicKxBot
Yesterday 05:52 PM
» Replies: 0
» Views: 6

[-]
Twitter

[-]
Sponsored
Get the Deal of the Week at RefurBees.com

Copyright © SickGaming.net 2012-2020