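#!/bin/bash
# Exercise script for the conntrack command-line tool: each subcommand
# drives one operation against a fixed, constructed TCP flow so the
# tool's create/get/update/delete/list paths can be tried by hand.
#
# Usage: test.sh dump|new|get|change|delete|output
#
# Talking to the conntrack subsystem normally needs root (or the
# equivalent capability); run accordingly.

CONNTRACK=conntrack

# Constructed sample tuple (1.1.1.1:1980 -> 2.2.2.2:2005) shared by the
# new/get/change/delete subcommands.
SRC=1.1.1.1
DST=2.2.2.2
SPORT=1980
DPORT=2005

# Print a prompt and block until the user presses Enter, so each listing
# stays on screen before the next one scrolls it away.
pause() {
	echo "Press any key to continue..."
	read -r _
}

case "${1-}" in
	dump)
		# List the table under each dump mask in turn.
		for mask in TUPLE TUPLE,COUNTERS ALL; do
			echo "dump mask set to $mask"
			"$CONNTRACK" -A -m "$mask"
			"$CONNTRACK" -L
			pause
		done
		;;
	new)
		# Create the sample flow in state LISTEN with a 50s timeout.
		echo "creating a new conntrack"
		"$CONNTRACK" -I --orig-src "$SRC" --orig-dst "$DST" \
			--reply-src "$DST" --reply-dst "$SRC" -p tcp \
			--orig-port-src "$SPORT" --orig-port-dst "$DPORT" \
			--reply-port-src "$DPORT" --reply-port-dst "$SPORT" \
			--state LISTEN -u SEEN_REPLY -t 50
		;;
	get)
		# Look up the sample flow by its original-direction tuple.
		echo "getting a conntrack"
		"$CONNTRACK" -G --orig-src "$SRC" --orig-dst "$DST" \
			-p tcp --orig-port-src "$SPORT" --orig-port-dst "$DPORT" \
			--reply-port-src "$DPORT" --reply-port-dst "$SPORT"
		;;
	change)
		# Re-issue the same tuple with a different state, status and
		# timeout. NOTE(review): this uses -I (create) exactly like "new";
		# if an in-place update of the existing entry was intended,
		# confirm whether -U is the flag wanted here.
		echo "change a conntrack"
		"$CONNTRACK" -I --orig-src "$SRC" --orig-dst "$DST" \
			--reply-src "$DST" --reply-dst "$SRC" -p tcp \
			--orig-port-src "$SPORT" --orig-port-dst "$DPORT" \
			--reply-port-src "$DPORT" --reply-port-dst "$SPORT" \
			--state TIME_WAIT -u ASSURED,SEEN_REPLY -t 500
		;;
	delete)
		# Remove the sample flow, matched on the original direction only.
		"$CONNTRACK" -D --orig-src "$SRC" --orig-dst "$DST" \
			-p tcp --orig-port-src "$SPORT" --orig-port-dst "$DPORT"
		;;
	output)
		# Cross-check three views of the table size: the /proc listing,
		# the netlink listing, and the kernel's own entry counter. Any
		# disagreement prints all three so the mismatch can be inspected.
		proc=$(wc -l < /proc/net/ip_conntrack)
		netl=$("$CONNTRACK" -L | wc -l)
		count=$(< /proc/sys/net/ipv4/netfilter/ip_conntrack_count)
		if [ "$proc" -ne "$netl" ] || [ "$proc" -ne "$count" ]; then
			echo "proc is $proc and netl is $netl and count is $count"
		else
			echo "now $proc"
		fi
		;;
	*)
		# Unknown or missing subcommand: the list must match the case
		# arms above (the original omitted "get").
		printf 'Usage: %s [dump|new|get|change|delete|output]\n' "$0" >&2
		;;
esac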