understanding ip_conntrack entry

understanding ip_conntrack entry

[Leonardo Rodrigues ( listas )]

    Hello Guys,

    I'd like your help to understand this entry from /proc/net/ip_conntrack:

tcp      6 325849 ESTABLISHED src=192.168.10.1 dst=192.168.229.25
sport=53699 dport=80 [UNREPLIED] \
    src=192.168.229.25 dst=192.168.10.1 sport=80 dport=53699 use=1


    Well ...... 192.168.10.1 is my iptables box and 192.168.229.25 is one of
my remote machines. My question is .... if this connection is marked as
ESTABLISHED, shouldnt it appear on 'netstat -an' entries ??? I think it
should, but it's not appearing there .....

    Sincerily,
    Leonardo Rodrigues

Re: understanding ip_conntrack entry

[Antony Stone]

On Thursday 03 October 2002 9:05 pm, Leonardo Rodrigues ( listas ) wrote:

>     Hello Guys,
>
>     I'd like your help to understand this entry from
> /proc/net/ip_conntrack:
>
> tcp      6 325849 ESTABLISHED src=192.168.10.1 dst=192.168.229.25
> sport=53699 dport=80 [UNREPLIED] \
>     src=192.168.229.25 dst=192.168.10.1 sport=80 dport=53699 use=1
>
>     Well ...... 192.168.10.1 is my iptables box and 192.168.229.25 is one
> of my remote machines. My question is .... if this connection is marked as
> ESTABLISHED, shouldnt it appear on 'netstat -an' entries ??? I think it
> should, but it's not appearing there .....

You might think so, but no, in this case your connection won't show up in 
netstat because it hasn't completed a TCP handshake.   The description 
'ESTABLISHED' in connection tracking is not the same as 'established' in 
TCP-speak :-(

The clue here is in the note above: [UNREPLIED].

As you can see there was a packet in each direction (the one with 
src=192.168.10.1 and the one with src=192.168.229.25) and this is what causes 
netfilter to consider the state of the connection to be ESTABLISHED - at 
least one packet has been seen each way on the link.   However if you haven't 
successfully completed the TCP 3-way handshake: SYN; SYN-ACK; ACK then it 
won't be regarded as an established connection by netstat (and indeed it 
isn't as far as the TCP/IP stack is concerned).

It's impossible to tell from the conntrack entry quite what packets went each 
way; to learn this you'd have to add some LOGging rules to your firewall or 
run a packet sniffer on one of the connections to see exactly what packets 
with what flags set actually go in each direction.

Antony.

-- 

This is not a rehearsal.
This is Real Life.

Re: understanding ip_conntrack entry

[Michael]

netstat uses files in /proc/net (from netstat man page) :
/proc/net/dev -- device information

/proc/net/raw -- raw socket information

/proc/net/tcp -- TCP socket information

/proc/net/udp -- UDP socket information

/proc/net/igmp -- IGMP multicast information

/proc/net/unix -- Unix domain socket information

/proc/net/ipx -- IPX socket information

/proc/net/ax25 -- AX25 socket information

/proc/net/appletalk -- DDP (appletalk) socket information

/proc/net/nr -- NET/ROM socket information

/proc/net/route -- IP routing information

/proc/net/ax25_route -- AX25 routing information

/proc/net/ipx_route -- IPX routing information

/proc/net/nr_nodes -- NET/ROM nodelist

/proc/net/nr_neigh -- NET/ROM neighbours

/proc/net/ip_masquerade -- masqueraded connections

/proc/net/snmp -- statistics

It doesn't use or know anything about ip_conntrack
Therefore any statefull activity cannot be shown in netstat. Maybe it 
needs re-writing ?? :)

Cheers,
Michael



Leonardo Rodrigues ( listas ) wrote:

>    Hello Guys,
>
>    I'd like your help to understand this entry from /proc/net/ip_conntrack:
>
>tcp      6 325849 ESTABLISHED src=192.168.10.1 dst=192.168.229.25
>sport=53699 dport=80 [UNREPLIED] \
>    src=192.168.229.25 dst=192.168.10.1 sport=80 dport=53699 use=1
>
>
>    Well ...... 192.168.10.1 is my iptables box and 192.168.229.25 is one of
>my remote machines. My question is .... if this connection is marked as
>ESTABLISHED, shouldnt it appear on 'netstat -an' entries ??? I think it
>should, but it's not appearing there .....
>
>    Sincerily,
>    Leonardo Rodrigues
>
>
>
>
>  
>

Re: understanding ip_conntrack entry

[Eric Leblond]

>>my remote machines. My question is .... if this connection is marked as
>>ESTABLISHED, shouldnt it appear on 'netstat -an' entries ??? I think it
>>should, but it's not appearing there .....

No, netstat give you information about sockets created on your box
and not about your box acting as a routeur. That's why you don't see things
appearing in ip_conntrack if your machine is not or source or destination
of the packet.
--
Eric Leblond
e-mail: eleblond@init-sys.com

Re: understanding ip_conntrack entry

[Antony Stone]

On Friday 04 October 2002 9:31 am, Eric Leblond wrote:

> >>my remote machines. My question is .... if this connection is marked as
> >>ESTABLISHED, shouldnt it appear on 'netstat -an' entries ??? I think it
> >>should, but it's not appearing there .....
>
> Netstat give you information about sockets created on your box
> and not about your box acting as a router.

That is true, indeed.

> That's why you don't see things appearing in ip_conntrack if your machine
> is not or source or destination of the packet.

Also true, however in this case the netfilter machine *was* one of the 
endpoints of the connection :-)

Antony.

-- 

All matter in the Universe can be placed into one of two categories:

1. things which need to be fixed
2. things which will need to be fixed once you've had a few minutes to play 
with them