TCP connection in iptables

Clear All
In this and subsequent sections we take a closer look at the signs and how they are treated by each of the three basic Protocols TCP, UDP, and ICMP, and also touch on the case when the connection protocol could not be classified in group three, above, protocols. Let’s start with the Transmission Control Protocol (TCP), because it has many interesting features on the mechanism for determining the State in iptables.

A TCP connection is always set the transfer three packages that initialize and establish a connection through which the data will be transmitted later. The session starts with a SYN packet, the answer to which is passed to the SYN/ACK packet and confirms a connection package ACK After the connection is established and ready to transfer data. You might ask: “but what traced the connection?”. In fact, everything is quite simple.

For all types of connections, the trace goes in much the same way. Take a look at the picture below, which shows all the stages of establishing a connection. As you can see, the tracer, from the user’s point of view without actually following the progress of the connection. Just as soon as the first “saw” tracer (SYN) packet, it assigns it the status “NEW”. As soon as the tracer passes the second packet (SYN/ACK), the connection status is ESTABLISHED. Empire is the second package? Now let’s deal. Order your set of rules that you can enable to leave local network packets with a status of NEW and ESTABLISHED, and the incoming traffic flowing only packages with the status ESTABLISHED and everything will work fine. Conversely, if the tracer continued to take it as the NEW connection, in fact you never would have been able to establish a connection with the “outside world”, or would have had to allow the passage of the NEW packages in the local network. From the point of view of the kernel is more complex, since the kernel TCP connections have a number of intermediate states that are not available in the user space. In general terms, these correspond to RFC 793-Transmission Control Protocol on page 21-23. More details on this topic will be considered shortly.

From the user’s point of view everything looks simple enough, but if you look from the point of view of the kernel, it all looks a little bit more difficult. Let’s look at how to change the connection status in the table/proc/net/ip_conntrack. After the first package the SYN.

TCP SYN_SENT 6117 src = dst = sport = 1031 \
dport = 23 [UNREPLIED] src = dst = sport = 23/
dport = 1031 use = 1

As you can see, the entry in the table reflects the current state of the connection is marked fact SYN packet (flag SYN_SENT), to which no reply has yet been (flag [UNREPLIED]). After receiving a packet response, the connection is placed in the next internal state:

TCP 6 57 SYN_RECV src = dst = sport = 1031 \
dport = 23 = src = dst sport dport = 23 = 1031 \
use = 1

Now the record reports that back was SYN/ACK packet; this time, the connection is placed in a State of SYN_RECV. This state indicates that a SYN packet was safely delivered to the recipient and the answer came confirmation packet (SYN/ACK). In addition, the mechanism for determining the State of “seeing” the following packages in both directions, removes the flag [UNREPLIED]. Finally after the final ACK packet, the connection establishment procedure

6 431999 ESTABLISHED TCP src = dst = \
Sport = 1031 dport = 23 = src = dst \
Sport dport = 23 = 1031 use = 1

the connection transitions to the ESTABLISHED (installed). After taking multiple packages via this link, it will flag [SELF-ASSURED] (not sure).

When you close the TCP connection, passes through the following States.

As you can see, the connection is not closed until it is transferred to the last ACK. Note-this picture describes the normal process of closing the connection. In addition, if the connection is refused, then it can be closed by passing the package the RST (reset). In this case, the connection will be closed after a predefined time.

At the close, the connection is placed in a TIME_WAIT state, which by default is 2 minutes, during which another possible passage of packets through the firewall. This is a sort of “buffer time”, which allows you to pass packets “immersed” in the router (the router).

If the connection is closed when the RST packet, it translates into a State CLOSE. Waiting time before actually closing the connection by default is set to 10 seconds. Confirmation on the RST packets not sent and the connection is closed immediately. In addition there are a number of other internal States. The following table lists the possible internal connection States and their corresponding size