Master Linux Connection Tracking and iptables: Complete Guide

Connection Tracking (conntrack)

Connection tracking is the foundation of many network applications such as Kubernetes Service, ServiceMesh sidecar, LVS/IPVS, Docker network, OVS, and iptables host firewall, as it records the state of connections.

Conntrack tracks (and records) the state of connections. For example, a Linux machine with IP 10.1.1.2 may have three connections: HTTP (port 80) outbound, FTP (port 21) inbound, and DNS (port 53) outbound.

Conntrack performs the following tasks:

Extract tuple information from packets to identify flows and connections.

Maintain a state database (conntrack table) for each connection, storing creation time, packet count, byte count, etc.

Garbage‑collect expired connections.

Provide services for higher‑level functions such as NAT.

Note that the “connection” in conntrack differs from the TCP/IP notion of a connection‑oriented session.

Netfilter

Linux connection tracking is implemented inside Netfilter.

Netfilter is a kernel framework for packet manipulation and filtering, providing hook points for interception, filtering, or other processing.

While conntrack is often associated with Netfilter, any hook‑capable system can implement its own connection tracking.

Cilium (cloud‑native networking) implements an independent conntrack and NAT mechanism using BPF hooks, allowing it to operate without Netfilter’s tables.

$ cilium bpf nat list
$ cilium bpf ct list global

iptables

iptables is the user‑space tool for configuring Netfilter filtering. Netfilter resides in kernel space; iptables manipulates its rules (accept, reject, drop, etc.).

iptables defines four tables (filter, nat, mangle, raw) and five built‑in chains (PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING). The table‑chain relationship determines where packets are processed.

Common iptables commands: iptables -t filter -L -nvx --line-numbers – list rules with counters. iptables -t filter -A INPUT -s 192.168.1.146 -j DROP – append a rule. iptables -t filter -I INPUT -s 192.168.1.146 -j ACCEPT – insert at the top. iptables -t filter -D INPUT 3 – delete rule number 3. iptables -t filter -R INPUT 3 -s 192.168.1.146 -j ACCEPT – replace rule 3. iptables -t filter -P FORWARD ACCEPT – set default policy.

Saving and restoring rules: service iptables save On CentOS 7, install iptables-services, stop firewalld, and enable the iptables service to use the same commands.

yum install -y iptables-services
systemctl stop firewalld
systemctl disable firewalld
systemctl start iptables
systemctl enable iptables

Alternatively, use iptables-save > /etc/sysconfig/iptables and iptables-restore < /etc/sysconfig/iptables.

Match Extensions

When multiple match conditions are present, they are AND‑ed together.

Common options: -s source address (single, list, or CIDR). -d destination address. -p protocol (tcp, udp, icmp, etc.). -i input interface (cannot be used in OUTPUT/POSTROUTING). -o output interface (cannot be used in INPUT/PREROUTING).

TCP extensions ( -m tcp) include --sport, --dport, --tcp-flags, and --syn. Example:

iptables -t filter -I INPUT -p tcp -m tcp --dport 22 -j REJECT

UDP extensions ( -m udp) include --sport and --dport.

iptables -t filter -I INPUT -p udp -m udp --dport 137 -j ACCEPT

ICMP extensions ( -m icmp) use --icmp-type.

iptables -t filter -I INPUT -p icmp -m icmp --icmp-type 8 -j REJECT

Other modules: multiport, iprange, string, time, connlimit, limit, state, etc., each with specific options for matching ports, address ranges, payload strings, time windows, connection limits, rate limits, and connection states (NEW, ESTABLISHED, RELATED, INVALID, UNTRACKED).

# Example: limit ICMP to one packet per 6 seconds
iptables -t filter -I INPUT -p icmp -m limit --limit-burst 3 --limit 10/minute -j ACCEPT
iptables -A INPUT -p icmp -j REJECT

State module example to allow only established traffic:

iptables -t filter -I INPUT -m state --state ESTABLISHED -j ACCEPT

mangle Table

The mangle table modifies packet marks, TOS, or TTL for policy routing. Example: mark TCP port 80 packets with mark 1 and UDP port 53 packets with mark 2, then route based on marks.

iptables -t mangle -A PREROUTING -i eth0 -p tcp --dport 80 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i eth0 -p udp --dport 53 -j MARK --set-mark 2
ip rule add from all fwmark 1 table 10
ip rule add from all fwmark 2 table 20
ip route add default via 10.10.1.1 dev eth1 table 10
ip route add default via 10.10.2.1 dev eth2 table 20

Custom Chains

Custom chains simplify rule management. Create, reference, rename, and delete custom chains as needed.

# Create custom chain IN_WEB
iptables -t filter -N IN_WEB
# Jump to it from INPUT for port 80
iptables -t filter -I INPUT -p tcp --dport 80 -j IN_WEB
# Rename chain
iptables -E IN_WEB WEB
# Delete chain (after flushing)
iptables -t filter -F WEB
iptables -t filter -X WEB

LOG Target

The LOG target records packet information to /var/log/messages or a custom file. Configure rsyslog to direct kernel warnings to a dedicated log.

kern.warning /var/log/iptables.log
service rsyslog restart

Example: log new connections to port 22 with a prefix.

iptables -I INPUT -p tcp --dport 22 -m state --state NEW -j LOG --log-prefix "want-in-from-port-22"