本文主要是介绍iptables(7)扩展模块state,希望对大家解决编程问题提供一定的参考价值,需要的开发者们随着小编来一起学习吧!
简介
前面文章我们已经介绍了一些扩展模块,如iprange、string、time、connlimit、limit,还有扩展匹配条件如--tcp-flags、icmp。这篇文章我们介绍state扩展模块
state
在 iptables 的上下文中,--state 选项并不是直接关联于一个扩展模块,而是与 iptables 的 state 匹配机制相关,特别是在处理 ICMP(Internet Control Message Protocol)或 TCP(Transmission Control Protocol)和 UDP(User Datagram Protocol)流量的时候。
state模块的报文可以分为5种状态,报文状态可以为NEW、ESTABLISHED、RELATED、INVALID、UNTRACKED。
NEW:连接中的第一个包,状态就是NEW,我们可以理解为新连接的第一个包的状态为NEW。The NEW state tells us that the packet is the first packet that we see. This means
that the first packet that the conntrack module sees, within a specific connection, will
be matched. For example, if we see a SYN packet and it is the first packet in a
connection that we see, it will match. However, the packet may as well not be a SYN
packet and still be considered NEW. This may lead to certain problems in some instances,but it may also be extremely helpful when we need to pick up lost connections from other
firewalls, or when a connection has already timed out, but in reality is not closed. NEW 状态告诉我们这个数据包是我们看到的第一个数据包。这意味着在特定的连接中,conntrack 模
块看到的第一个数据包将被匹配。例如,如果我们看到一个 SYN 数据包,并且它是我们在连接中看到的第一
个数据包,它就会被匹配。但是,数据包也可能不是 SYN 数据包而仍然被认为是 NEW。这在某些情况下可
能会导致某些问题,但在我们需要从其他防火墙恢复丢失的连接,或者连接已经超时但实际上并未关闭时,
这也可能非常有用。ESTABLISHED:一个已建立的连接(已接收其开始和结束的数据包)表示连接已建立。The ESTABLISHED state has seen traffic in both directions and will then
continuously match those packets. ESTABLISHED connections are fairly easy to understand.
The only requirement to get into an ESTABLISHED state is that one host sends a packet,
and that it later on gets a reply from the other host. The NEW state will upon receipt of
the reply packet to or through the firewall change to the ESTABLISHED state. ICMP replymessages can also be considered as ESTABLISHED, if we created a packet that in turn
generated the reply ICMP message. ESTABLISHED 状态表示已经在两个方向上看到了流量,并且之后将持续匹配这些数据包。
ESTABLISHED 连接相对容易理解。进入这篇关于iptables(7)扩展模块state的文章就介绍到这儿,希望我们推荐的文章对编程师们有所帮助!
