
Here's a preview from my zine, Bite Size Networking!! If you want to see more comics like this, sign up for my Saturday comics newsletter or browse more comics!

read the transcript!
conntrack
not a command line tool:
it's a Linux kernel subsystem for tracking TCP/UDP connections (the `conntrack` command from conntrack-tools is only a userspace frontend for inspecting it).
It's a kernel module called nf_conntrack
conntrack is used for:
- NAT (in a router!)
- firewalls (eg only allow outbound connections)
You control it with iptables rules.
conntrack has a table of every connection
Each entry contains:
- src + dest IP
- src + dest ports
- the connection state (eg ESTABLISHED, TIME_WAIT)
how to enable conntrack
enable:
$ sudo modprobe nf_conntrack
check if it’s enabled:
$ lsmod | grep conntrack
change table size with the sysctl
net.netfilter.nf_conntrack_max
(check the current fill level with net.netfilter.nf_conntrack_count)
if the conntrack table gets full, no new connections can start
smiling rectangle: hello?
(SYN packet gets dropped)
sad rectangle: silence
moral: be careful about enabling conntrack!
sad stick person with curly hair: why are connections mysteriously failing?
happy stick figure with medium length straight hair: maybe the conntrack table is full!
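The "how to enable conntrack" panels and the "table is full" failure mode above are easy to turn into a check. Below is an added example script, not part of the original comic or zine, that reads the two sysctls the comic mentions (nf_conntrack_count and nf_conntrack_max, exposed under /proc/sys/net/netfilter on Linux) and classifies how close the table is to dropping SYNs. The 80% warning threshold and the function names are my own assumptions.

```bash
#!/bin/sh
# Added example (not from the original comic): warn before the conntrack
# table fills up and new connections start failing silently.
# Assumes Linux with nf_conntrack loaded; the /proc paths below are the
# standard locations of net.netfilter.nf_conntrack_count / _max.

CT_DIR=/proc/sys/net/netfilter

# Percentage of the conntrack table in use, given the current entry count
# and the configured maximum. Pure arithmetic so it can be exercised with
# constructed numbers on a machine without conntrack.
conntrack_usage_pct() {
    count=$1
    max=$2
    [ "$max" -gt 0 ] || { echo 0; return 1; }
    echo $(( count * 100 / max ))
}

# Classify the fill level: "full" means the kernel is already dropping
# packets for new flows; "warn" (>= 80%, an assumed threshold) means
# raise nf_conntrack_max before that happens.
conntrack_status() {
    pct=$(conntrack_usage_pct "$1" "$2")
    if [ "$pct" -ge 100 ]; then
        echo full
    elif [ "$pct" -ge 80 ]; then
        echo warn
    else
        echo ok
    fi
}

# Read the live values from the kernel. Returns non-zero when the module
# is not loaded, which is exactly the "is it enabled?" check in the comic.
conntrack_live() {
    if [ ! -r "$CT_DIR/nf_conntrack_count" ]; then
        echo "nf_conntrack not loaded (try: sudo modprobe nf_conntrack)" >&2
        return 1
    fi
    count=$(cat "$CT_DIR/nf_conntrack_count")
    max=$(cat "$CT_DIR/nf_conntrack_max")
    pct=$(conntrack_usage_pct "$count" "$max")
    echo "conntrack: $count / $max entries (${pct}%) -> $(conntrack_status "$count" "$max")"
}

# Only attempt the live read when the sysctl directory exists, so the
# script (and its pure functions) still work on hosts without netfilter.
if [ -r "$CT_DIR/nf_conntrack_count" ]; then
    conntrack_live
fi
```

If the status comes back "warn" or "full", the fix is the sysctl from the comic, e.g. `sudo sysctl -w net.netfilter.nf_conntrack_max=262144`; the kernel also logs `nf_conntrack: table full, dropping packet` when it has started dropping, so that line in `dmesg` is the other place to look when connections fail mysteriously. When raising the maximum by a lot, also raise the hash bucket count (`nf_conntrack_buckets`, settable via `/sys/module/nf_conntrack/parameters/hashsize`), otherwise lookups degrade into long hash chains.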
Saturday Morning Comics!
Want another comic like this in your email every Saturday? Sign up here!