Here's a preview from my zine, Bite Size Networking!! If you want to see more comics like this, sign up for my Saturday comics newsletter or browse more comics!


conntrack

not a command line tool:

it’s a Linux kernel system for tracking TCP/UDP connections.

It’s a kernel module called nf_conntrack

conntrack is used for:

  • NAT (in a router!)
  • firewalls (eg only allow outbound connections)

You control it with iptables rules.

conntrack has a table of every connection

Each entry contains:

  • src + dest IP
  • src + dest ports
  • the connection state (eg TIME_WAIT)

how to enable conntrack

enable:
$ sudo modprobe nf_conntrack

check if it’s enabled:
$ lsmod | grep conntrack

change table size with the sysctl
net.netfilter.nf_conntrack_max

if the conntrack table gets full, no new connections can start

smiling rectangle: hello?
(SYN packet gets dropped)
sad rectangle: silence

moral: be careful about enabling conntrack!

sad stick person with curly hair: why are connections mysteriously failing?
happy stick figure with medium length straight hair: maybe the conntrack table is full!
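As an added example (my own addition, not part of the zine), a small POSIX shell script for the "why are connections mysteriously failing?" question above: it reads nf_conntrack_count and nf_conntrack_max from /proc/sys/net/netfilter, reports how full the table is, and counts the kernel's "table full, dropping packet" log lines. The dmesg lines embedded in the script are constructed sample data.

```shell
#!/bin/sh
# Added example: is the conntrack table near or at its limit?
# Assumes the standard Linux sysctl files under /proc/sys/net/netfilter
# (net.netfilter.nf_conntrack_count / nf_conntrack_max).

# conntrack_usage_pct COUNT MAX -> prints integer percentage used
conntrack_usage_pct() {
  count="$1"; max="$2"
  [ "$max" -gt 0 ] 2>/dev/null || { echo 0; return 1; }
  echo $(( count * 100 / max ))
}

# conntrack_status COUNT MAX [THRESHOLD] -> prints "ok", "warn" or "full"
# At "full" new flows are dropped (the SYN never gets an answer).
conntrack_status() {
  pct=$(conntrack_usage_pct "$1" "$2") || { echo unknown; return 1; }
  if [ "$1" -ge "$2" ]; then
    echo full
  elif [ "$pct" -ge "${3:-80}" ]; then
    echo warn
  else
    echo ok
  fi
}

# count_table_full_drops: count the kernel's table-full warnings on stdin
# (the exact message nf_conntrack logs when it has to drop a packet).
count_table_full_drops() {
  grep -c 'nf_conntrack: table full, dropping packet'
}

# Constructed sample dmesg output, used for a self-check below.
SAMPLE_DMESG='[12345.678] nf_conntrack: table full, dropping packet
[12345.900] nf_conntrack: table full, dropping packet
[12346.100] eth0: link up'

# check_live: read the real counters (only works once nf_conntrack is loaded)
check_live() {
  dir=/proc/sys/net/netfilter
  [ -r "$dir/nf_conntrack_count" ] || { echo "conntrack not loaded"; return 1; }
  count=$(cat "$dir/nf_conntrack_count"); max=$(cat "$dir/nf_conntrack_max")
  echo "conntrack: $count / $max entries" \
       "($(conntrack_usage_pct "$count" "$max")%) -> $(conntrack_status "$count" "$max")"
  # if this says "full", raise the limit: sudo sysctl -w net.netfilter.nf_conntrack_max=<N>
}

# Self-check on the constructed sample, then the live table if available.
echo "sample dmesg: $(printf '%s\n' "$SAMPLE_DMESG" | count_table_full_drops) table-full drops"
check_live || true
```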