blob: 6f5190a5da9124a2d84a98779ab2f0938ac8b46f (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
|
.TH NFCT 8 "Feb 29, 2012" "" ""
.\" Man page written by Pablo Neira Ayuso <pablo@netfilter.org> (Feb 2012)
.SH NAME
nfct \- command line tool to interact with the connection tracking system
.SH SYNOPSIS
.BR "nfct subsystem command [parameters]"
.SH DESCRIPTION
.B nfct
is the command line tool that allows you Netfilter's manipulate Connection Tracking System.
.SH SUBSYS
By the time this manpage has been written, the supported subsystem are
.B timeout
.TP
.BI "timeout "
The timeout subsystem allows you to define fine-grain timeout policies.
.TP
.BI "version "
Displays the version information.
.TP
.BI "help "
Displays the help message.
.SH TIMEOUT SUBSYSTEM
.TP
.BI "list "
List the existing timeout policies.
.TP
.BI "add "
Add new timeout policy.
.TP
.BI "delete "
Delete timeout policy.
.TP
.BI "get "
Get existing timeout policy.
.SH EXAMPLE
.TP
.B nfct timeout add test-tcp inet tcp established 100 close 10 close_wait 10
.TP
This creates a timeout policy for tcp using 100 seconds for the ESTABLISHED state, 10 seconds for CLOSE state and 10 seconds for the CLOSE_WAIT state.
.TP
Then, you can attach the timeout policy with the iptables CT target:
.TP
.B iptables -I PREROUTING -t raw -p tcp -j CT --timeout test-tcp
.TP
.B iptables -I OUTPUT -t raw -p tcp -j CT --timeout test-tcp
.TP
You can test that the timeout policy with:
.TP
.B conntrack -E -p tcp
.TP
It should display:
.TP
.B [UPDATE] tcp 6 100 ESTABLISHED src=192.168.39.100 dst=57.126.1.20 sport=56463 dport=80 src=57.126.1.20 dst=192.168.39.100 sport=80 dport=56463 [ASSURED]
.SH SEE ALSO
.BR iptables (8), conntrack (8)
.SH BUGS
Please, report them to netfilter-devel@vger.kernel.org or file a bug in
Netfilter's bugzilla (https://bugzilla.netfilter.org).
.SH AUTHORS
Pablo Neira Ayuso wrote and maintains the nfct tool.
.PP
Man page written by Pablo Neira Ayuso <pablo@netfilter.org>.
|