Network address translation part 2 – the conntrack tool

This is the second article in a series about network address translation (NAT). The first article introduced how to use the iptables/nftables packet tracing feature to find the source of NAT-related connectivity problems. Part 2 introduces the conntrack command. conntrack allows you to inspect and modify tracked connections.

NAT configured via iptables or nftables builds on top of netfilter's connection tracking facility. The conntrack command is used to inspect and alter the state table. It is part of the "conntrack-tools" package.

The connection tracking subsystem keeps track of all packet flows that it has seen. Run "sudo conntrack -L" to see its content.

Each line shows one connection tracking entry. You might notice that each line shows the addresses and port numbers twice, and even with inverted address and port pairs. This is because each entry is inserted into the state table twice. The first address quadruple (source and destination address and ports) is the one recorded in the original direction, i.e. what the initiator sent. The second quadruple is what conntrack expects to see when a reply from the peer is received. This solves two problems.
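To make the two-quadruple layout concrete, here is an added example (not code from the article or from conntrack-tools) that parses lines in the format "conntrack -L" prints, then compares the reply quadruple with the inverted original one: without NAT they are mirror images, and any difference reveals whether the source or the destination was translated. The sample entries are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample lines in the layout printed by "conntrack -L" (not from the article):
# proto, protocol number, timeout, [TCP state], original quadruple, reply quadruple, flags.
SAMPLE = """\
tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=203.0.113.5 sport=51234 dport=443 src=203.0.113.5 dst=198.51.100.7 sport=443 dport=51234 [ASSURED] mark=0 use=1
udp      17 29 src=192.168.1.10 dst=192.168.1.1 sport=40000 dport=53 src=192.168.1.1 dst=192.168.1.10 sport=53 dport=40000 mark=0 use=1
tcp      6 120 SYN_SENT src=203.0.113.9 dst=198.51.100.7 sport=33000 dport=8080 [UNREPLIED] src=192.168.1.20 dst=203.0.113.9 sport=80 dport=33000 mark=0 use=1
"""

QUAD_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")


@dataclass
class Entry:
    proto: str
    orig: tuple   # (src, dst, sport, dport) as sent by the initiator
    reply: tuple  # (src, dst, sport, dport) conntrack expects from the peer


def parse_entry(line):
    """Split one conntrack -L line into its original and reply quadruples."""
    quads = QUAD_RE.findall(line)
    if len(quads) != 2:
        raise ValueError("expected exactly two address quadruples: " + line)
    as_tuple = lambda q: (q[0], q[1], int(q[2]), int(q[3]))
    return Entry(line.split()[0], as_tuple(quads[0]), as_tuple(quads[1]))


def nat_kind(e):
    """Return 'none', 'SNAT', 'DNAT' or 'SNAT+DNAT' by checking which half of the
    reply quadruple no longer mirrors the original direction."""
    src, dst, sport, dport = e.orig
    rsrc, rdst, rsport, rdport = e.reply
    kinds = []
    if (rdst, rdport) != (src, sport):
        kinds.append("SNAT")  # replies go to a rewritten source (e.g. masquerade)
    if (rsrc, rsport) != (dst, dport):
        kinds.append("DNAT")  # replies come from a rewritten destination (port forward)
    return "+".join(kinds) or "none"


def nat_summary(text):
    """List (protocol, NAT kind) for every non-empty line of conntrack -L output."""
    entries = [parse_entry(l) for l in text.splitlines() if l.strip()]
    return [(e.proto, nat_kind(e)) for e in entries]


if __name__ == "__main__":
    for proto, kind in nat_summary(SAMPLE):
        print(proto, kind)
```

On a live system, feed it the output of "sudo conntrack -L" instead of SAMPLE; entries reported as "none" are plainly forwarded or local flows, while SNAT/DNAT entries are the ones worth checking first when a NAT rule misbehaves.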
