2025-02-24 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
iptables itself has no TRACK target, so you cannot specify a whitelist of packets that the conntrack module should process. For example, I want to implement: do not track anything except packets whose source IP is 192.168.10.
Of course, you can implement my requirements through the following configuration:
iptables -t raw -A PREROUTING ! -s 192.168.10.0/16 -j NOTRACK
... The reverse direction is handled the same way, with -s replaced by -d.
What if the requirement is a little more complicated? For example, in addition to the source IP restriction there are also protocol and port conditions.
Anyone familiar with the design of access control lists knows that the "AND" operation of an ACL is implemented within a single rule, while the "OR" operation is implemented with multiple rules, so this applies to arbitrarily complex requirements of the kind above. Even setting aside the "single rule for AND, multiple rules for OR" principle, simply extending the rules with ipset lets you configure arbitrarily complex rules to meet arbitrarily complex requirements.
But is there an easier way? Of course: implement a target that is the opposite of NOTRACK, namely a TRACK target. Its implementation clears the untracked conn that is already attached to the skb. Then, when I need a track whitelist, I can do this:
iptables -t raw -A PREROUTING -j NOTRACK
iptables -t raw -A PREROUTING $mt1 $mt2 ... -j TRACK    # matches within a single rule are ANDed
...                                                     # additional rules are ORed
iptables -t raw -A PREROUTING $mt'1 $mt'2 ... -j TRACK
OK, that's it. It's simple.
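As an added example (not code from the original post), here is a small POSIX shell generator that applies the "matches within one rule are ANDed, separate rules are ORed" principle to build the raw-table whitelist above. Its `track` mode emits the post's form using the hypothetical TRACK target; its `stock` mode is an assumption of this example and uses only targets stock iptables ships: whitelist rules with `-j ACCEPT` placed before a catch-all NOTRACK, since ACCEPT in the raw table only ends traversal of the raw chain and the packet then reaches conntrack as usual, so rule order is reversed compared with the TRACK form. The `reverse_match` helper swaps -s/-d (and --sport/--dport) for the reply direction, as the post notes. It only prints the commands; nothing is applied to the running kernel.

```shell
#!/bin/sh
# Added example, not from the original post. Prints iptables commands that
# track only whitelisted traffic; nothing is applied to the running kernel.
#
# Each whitelist entry is one match string, e.g. "-s 192.168.10.0/16 -p tcp --dport 80".
# Matches inside one entry are ANDed (one rule); separate entries are ORed
# (one rule each), which is the ACL principle the post describes.
#
# MODE=track : the post's form, using the hypothetical TRACK target:
#              NOTRACK everything first, then TRACK rules clear the untracked
#              state for whitelisted packets (order: NOTRACK before TRACK).
# MODE=stock : assumption of this example, stock iptables only: whitelist
#              rules jump to ACCEPT, which in the raw table merely ends
#              raw-chain traversal so the packet reaches conntrack normally;
#              the catch-all NOTRACK must therefore come last.

gen_track_whitelist() {
    mode=$1
    chain=$2
    shift 2
    case $mode in
        track)
            echo "iptables -t raw -A $chain -j NOTRACK"
            for m in "$@"; do
                echo "iptables -t raw -A $chain $m -j TRACK"
            done
            ;;
        stock)
            for m in "$@"; do
                echo "iptables -t raw -A $chain $m -j ACCEPT"
            done
            echo "iptables -t raw -A $chain -j NOTRACK"
            ;;
        *)
            echo "gen_track_whitelist: unknown mode '$mode' (use track|stock)" >&2
            return 1
            ;;
    esac
}

# Swap source and destination selectors so a PREROUTING match describes the
# same flow in the reply direction for the OUTPUT chain ("-s for -d").
reverse_match() {
    printf ' %s ' "$1" | sed \
        -e 's/ -s / @S@ /g' -e 's/ --sport / @SP@ /g' \
        -e 's/ -d / -s /g'  -e 's/ --dport / --sport /g' \
        -e 's/ @S@ / -d /g' -e 's/ @SP@ / --dport /g' \
        -e 's/^ //' -e 's/ $//'
}

# Demo with constructed whitelist entries: track HTTP from 192.168.10.0/16
# (the post's network) OR any DNS over UDP.
WL1='-s 192.168.10.0/16 -p tcp --dport 80'
WL2='-p udp --dport 53'

echo "# inbound, the post's TRACK form"
gen_track_whitelist track PREROUTING "$WL1" "$WL2"
echo "# reply direction, same policy"
gen_track_whitelist track OUTPUT "$(reverse_match "$WL1")" "$(reverse_match "$WL2")"
echo "# inbound, stock iptables form"
gen_track_whitelist stock PREROUTING "$WL1" "$WL2"
```

The generated rule sets show why the TRACK target makes the whitelist so convenient: in `track` mode the whitelist rules can be appended in any order after the catch-all NOTRACK, whereas in `stock` mode every whitelist rule must precede the NOTRACK rule, so adding an entry later means inserting rather than appending.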
However, the fact that iptables has no built-in OR operation is fully consistent with the ACL concept: if you want OR, you configure multiple rules. In fact, most authentication systems work the same way, and if you look at the logical expressions of the C language you will find the same idea. For an AND operation, the order of the operands does not matter, because in the end every operand has to be evaluated. For an OR operation, evaluation cost depends on the order: as soon as a "true" value is reached, evaluation can stop (the internal details still depend on the implementation, of course). So AND, being closed, can be contained in a single statement, whereas OR is not closed and you do not know where the evaluation will end.