
7.6. iptables and Connection Tracking


iptables includes a module (the connection tracker, nf_conntrack) that allows administrators to inspect and restrict connections to services available on an internal network using a method called connection tracking. Connection tracking records every flow it sees in a table and classifies each subsequent packet against that table, which allows administrators to allow or deny access based on the following connection states:
  • NEW — A packet that starts a connection the table does not yet contain, such as the TCP SYN that opens an HTTP connection.
  • ESTABLISHED — A packet that belongs to a connection already in the table, that is, one for which traffic has been seen in both directions.
  • RELATED — A packet that opens a new connection but is associated with an existing one. The classic case is FTP: the control connection runs on TCP port 21, and in passive mode the server then accepts the data connection on an arbitrary unused port above 1023 that it announces over the control channel. Recognising that data connection requires the FTP protocol helper (nf_conntrack_ftp) to parse the control channel. ICMP error messages that refer to a tracked flow are also classified as RELATED.
  • INVALID — A packet that the tracker cannot associate with any connection in the table and that does not validly start a new one, for example a TCP segment that fails the tracker's sequence-number checks or a packet with a malformed header. Such packets should be dropped explicitly rather than left to fall through to later rules.
You can use the stateful functionality of iptables connection tracking with any network protocol, even if the protocol itself is stateless (such as UDP): for UDP and ICMP the tracker infers the state from packet direction and timeouts rather than from protocol flags. The following example shows a rule that uses connection tracking to forward only the packets that belong to an existing connection or are related to one:
 iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
Two caveats. First, the state match is an obsolete alias; current iptables documents the equivalent conntrack match, `-m conntrack --ctstate ESTABLISHED,RELATED`, and new rulesets should use that form. Second, this rule on its own only admits reply traffic: it is effective as a stateful filter only when the FORWARD chain has a DROP policy and separate rules accept NEW connections in exactly the directions you intend to permit.
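The following script is an added example, not part of the Red Hat page or its product code. It turns the four states above into a complete default-deny FORWARD policy for a two-interface router and binds the FTP helper so that RELATED actually fires for passive FTP. The interface names (eth0, eth1), the internal prefix 192.168.1.0/24 and the published web host 192.168.1.10 are assumed values for illustration; the `-j CT --helper ftp` rule is needed because kernels since 4.7 no longer assign helpers automatically (net.netfilter.nf_conntrack_helper defaults to 0).

```shell
#!/bin/bash
# Added example (not from the Red Hat page): stateful forwarding policy built
# on conntrack states. Preview without touching the live ruleset with
#   IPT="echo iptables" bash stateful.sh apply
# and apply for real (as root) with
#   bash stateful.sh apply

IPT="${IPT:-iptables}"                  # set IPT="echo iptables" for a dry run
WAN="${WAN:-eth0}"                      # assumed: upstream interface
LAN="${LAN:-eth1}"                      # assumed: internal interface
LAN_NET="${LAN_NET:-192.168.1.0/24}"    # assumed: internal prefix
WEB_HOST="${WEB_HOST:-192.168.1.10}"    # assumed: internal host published on TCP/80

stateful_ruleset() {
    # Default-deny: anything the rules below do not explicitly accept is dropped.
    $IPT -P FORWARD DROP
    $IPT -F FORWARD

    # 1. INVALID first: packets the tracker cannot classify must never reach
    #    an ACCEPT rule, so they are dropped before the ESTABLISHED check.
    $IPT -A FORWARD -m conntrack --ctstate INVALID -j DROP

    # 2. Reply traffic for tracked flows, plus helper-tracked secondary flows
    #    such as FTP data connections, is accepted in either direction.
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # 3. NEW connections only in the directions we mean to allow:
    #    anything the LAN initiates towards the outside ...
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" \
         -m conntrack --ctstate NEW -j ACCEPT
    #    ... and, from the outside, only HTTP to the one published host.
    $IPT -A FORWARD -i "$WAN" -o "$LAN" -d "$WEB_HOST" -p tcp --dport 80 \
         -m conntrack --ctstate NEW -j ACCEPT

    # 4. Everything else hits the DROP policy; log a rate-limited sample.
    $IPT -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
}

ftp_helper_rules() {
    # RELATED only matches passive-FTP data connections if the FTP helper has
    # parsed the control channel. Bind the helper explicitly in the raw table
    # for control connections that the LAN opens (kernels >= 4.7 do not do
    # this automatically).
    $IPT -t raw -A PREROUTING -i "$LAN" -p tcp --dport 21 -j CT --helper ftp
}

# Only act when invoked with "apply"; sourcing the file just defines the functions.
if [ "${1:-}" = "apply" ]; then
    modprobe nf_conntrack_ftp
    stateful_ruleset
    ftp_helper_rules
fi
```

After applying, `conntrack -L` (from conntrack-tools) or `cat /proc/net/nf_conntrack` shows the table the rules are matched against; a passive FTP session from the LAN should produce a second entry for the data connection with the helper recorded on the control entry. Note that the raw-table rule is appended each time the script runs, so check with `iptables -t raw -C PREROUTING ...` or flush that chain before re-running.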
© 2024 Red Hat, Inc.