Problem
Running the Linux conntrack command shows no flow data.
Symptom
<1> Terminal 1 (issue an HTTP request)
admin@ip-172-31-8-4:~$ curl yahoo.co.jp
<HTML>
<HEAD>
<TITLE>Document Has Moved</TITLE>
</HEAD>
<BODY BGCOLOR="white" FGCOLOR="black">
<H1>Document Has Moved</H1>
<HR>
<FONT FACE="Helvetica,Arial"><B>
Description: The document you requested has moved to a new location. The new location is "https://www.yahoo.co.jp/".
</B></FONT>
<HR>
</BODY>
admin@ip-172-31-8-4:~$
<2> Terminal 2 (monitor the TCP connection, but no data is shown)
admin@ip-172-31-8-4:~$ sudo conntrack -L
conntrack v1.4.5 (conntrack-tools): 0 flow entries have been shown.
admin@ip-172-31-8-4:~$ sudo conntrack -E
^Cconntrack v1.4.5 (conntrack-tools): 0 flow events have been shown.
admin@ip-172-31-8-4:~$
Cause and solution
Conntrack only becomes active if your iptables or nftables ruleset has at least one conntrack-based rule (e.g. nftables ct or iptables -m state, or a NAT/masquerade rule, or possibly -j REJECT), otherwise its conntrack_ops are unregistered – most likely to avoid the extra resource usage.
sudo iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP
or
sudo iptables -A INPUT -m state --state established,related -j ACCEPT
Checking again, the results now appear.
admin@ip-172-31-8-4:~$ sudo conntrack -E
[NEW] udp 17 30 src=172.31.8.4 dst=172.31.0.2 sport=38551 dport=53 [UNREPLIED] src=172.31.0.2 dst=172.31.8.4 sport=53 dport=38551
[UPDATE] udp 17 30 src=172.31.8.4 dst=172.31.0.2 sport=38551 dport=53 src=172.31.0.2 dst=172.31.8.4 sport=53 dport=38551
[UPDATE] udp 17 179 src=172.31.8.4 dst=172.31.0.2 sport=38551 dport=53 src=172.31.0.2 dst=172.31.8.4 sport=53 dport=38551 [ASSURED]
[NEW] tcp 6 120 SYN_SENT src=172.31.8.4 dst=183.79.135.206 sport=52250 dport=80 [UNREPLIED] src=183.79.135.206 dst=172.31.8.4 sport=80 dport=52250
[UPDATE] tcp 6 60 SYN_RECV src=172.31.8.4 dst=183.79.135.206 sport=52250 dport=80 src=183.79.135.206 dst=172.31.8.4 sport=80 dport=52250
[UPDATE] tcp 6 432000 ESTABLISHED src=172.31.8.4 dst=183.79.135.206 sport=52250 dport=80 src=183.79.135.206 dst=172.31.8.4 sport=80 dport=52250 [ASSURED]
[UPDATE] tcp 6 119 FIN_WAIT src=172.31.8.4 dst=183.79.135.206 sport=52250 dport=80 src=183.79.135.206 dst=172.31.8.4 sport=80 dport=52250 [ASSURED]
[UPDATE] tcp 6 29 LAST_ACK src=172.31.8.4 dst=183.79.135.206 sport=52250 dport=80 src=183.79.135.206 dst=172.31.8.4 sport=80 dport=52250 [ASSURED]
[UPDATE] tcp 6 119 TIME_WAIT src=172.31.8.4 dst=183.79.135.206 sport=52250 dport=80 src=183.79.135.206 dst=172.31.8.4 sport=80 dport=52250 [ASSURED]
^Cconntrack v1.4.5 (conntrack-tools): 9 flow events have been shown.
admin@ip-172-31-8-4:~$ sudo conntrack -L
tcp 6 299 ESTABLISHED src=172.31.11.10 dst=172.31.8.4 sport=40526 dport=22 src=172.31.8.4 dst=172.31.11.10 sport=22 dport=40526 [ASSURED] mark=0 use=1
tcp 6 102 TIME_WAIT src=172.31.8.4 dst=183.79.135.206 sport=52250 dport=80 src=183.79.135.206 dst=172.31.8.4 sport=80 dport=52250 [ASSURED] mark=0 use=1
icmp 1 8 src=172.31.8.4 dst=172.31.11.10 type=8 code=0 id=1581 src=172.31.11.10 dst=172.31.8.4 type=0 code=0 id=1581 mark=0 use=1
tcp 6 431982 ESTABLISHED src=172.31.11.10 dst=172.31.8.4 sport=40524 dport=22 src=172.31.8.4 dst=172.31.11.10 sport=22 dport=40524 [ASSURED] mark=0 use=1
udp 17 161 src=172.31.8.4 dst=172.31.0.2 sport=38551 dport=53 src=172.31.0.2 dst=172.31.8.4 sport=53 dport=38551 [ASSURED] mark=0 use=1
conntrack v1.4.5 (conntrack-tools): 5 flow entries have been shown.
admin@ip-172-31-8-4:~$
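The output above is easier to work with once each line is split into its fields: the event type (-E only), protocol and protocol number, remaining timeout in seconds, the TCP state, the original-direction tuple, the reply-direction tuple, and the [UNREPLIED] / [ASSURED] flags. The following parser is an added example written for this note, not code from conntrack-tools; it assumes only the line layout printed by conntrack v1.4.x as shown above (first occurrence of a tuple key is the original direction, the second is the reply), and it runs over lines copied from the -E and -L output.

```python
"""Parser for the conntrack -L / -E line format shown above.

Assumption (not from conntrack-tools itself): the layout is
  [EVENT] proto proto_num timeout [STATE] k=v ... [FLAG] k=v ... [FLAG] mark=.. use=..
where the first occurrence of a tuple key (src, dst, sport, ...) belongs to the
original direction and the second occurrence to the reply direction.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

TUPLE_KEYS = {"src", "dst", "sport", "dport", "type", "code", "id"}


@dataclass
class Flow:
    event: Optional[str]      # NEW / UPDATE / DESTROY for -E output, None for -L
    proto: str                # tcp, udp, icmp
    proto_num: int
    timeout: int              # seconds left before the entry expires
    state: Optional[str]      # TCP state (SYN_SENT, ESTABLISHED, ...); None for udp/icmp
    orig: Dict[str, str]      # original-direction tuple
    reply: Dict[str, str]     # reply-direction tuple
    flags: Set[str] = field(default_factory=set)          # ASSURED, UNREPLIED, ...
    extra: Dict[str, str] = field(default_factory=dict)   # mark=, use=, ...


def parse_conntrack_line(line: str) -> Optional[Flow]:
    """Parse one output line; return None for non-flow lines
    (shell prompts, the trailing 'N flow entries have been shown' summary)."""
    tokens = line.split()
    event = None
    i = 0
    if tokens and tokens[0].startswith("[") and tokens[0].endswith("]"):
        event = tokens[0].strip("[]")
        i = 1
    # proto name must be followed by the numeric protocol and the timeout
    if len(tokens) < i + 3 or not tokens[i + 1].isdigit() or not tokens[i + 2].isdigit():
        return None
    proto, proto_num, timeout = tokens[i], int(tokens[i + 1]), int(tokens[i + 2])
    i += 3
    state = None
    if i < len(tokens) and "=" not in tokens[i] and not tokens[i].startswith("["):
        state = tokens[i]          # only tcp prints a state word here
        i += 1
    orig, reply, extra, flags = {}, {}, {}, set()
    for tok in tokens[i:]:
        if tok.startswith("[") and tok.endswith("]"):
            flags.add(tok.strip("[]"))
            continue
        key, _, value = tok.partition("=")
        if key in TUPLE_KEYS:
            (reply if key in orig else orig)[key] = value
        else:
            extra[key] = value     # mark=, use=, zone=, ...
    return Flow(event, proto, proto_num, timeout, state, orig, reply, flags, extra)


def parse_conntrack_output(text: str) -> List[Flow]:
    return [f for f in map(parse_conntrack_line, text.splitlines()) if f is not None]


def unreplied_flows(flows: List[Flow]) -> List[Flow]:
    """Entries whose reply direction has never been seen (half-open or one-way
    traffic): the usual first thing to look at in a conntrack dump."""
    return [f for f in flows if "UNREPLIED" in f.flags]


def count_by_state(flows: List[Flow]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for f in flows:
        key = f.state or f.proto   # udp/icmp entries carry no state field
        counts[key] = counts.get(key, 0) + 1
    return counts


# Sample input copied from the `conntrack -E` output above.
SAMPLE_EVENTS = """\
[NEW] udp 17 30 src=172.31.8.4 dst=172.31.0.2 sport=38551 dport=53 [UNREPLIED] src=172.31.0.2 dst=172.31.8.4 sport=53 dport=38551
[UPDATE] udp 17 30 src=172.31.8.4 dst=172.31.0.2 sport=38551 dport=53 src=172.31.0.2 dst=172.31.8.4 sport=53 dport=38551
[NEW] tcp 6 120 SYN_SENT src=172.31.8.4 dst=183.79.135.206 sport=52250 dport=80 [UNREPLIED] src=183.79.135.206 dst=172.31.8.4 sport=80 dport=52250
[UPDATE] tcp 6 432000 ESTABLISHED src=172.31.8.4 dst=183.79.135.206 sport=52250 dport=80 src=183.79.135.206 dst=172.31.8.4 sport=80 dport=52250 [ASSURED]
^Cconntrack v1.4.5 (conntrack-tools): 9 flow events have been shown.
"""

# Sample input copied from the `conntrack -L` output above (no event column, mark/use at the end).
SAMPLE_LIST = """\
tcp 6 299 ESTABLISHED src=172.31.11.10 dst=172.31.8.4 sport=40526 dport=22 src=172.31.8.4 dst=172.31.11.10 sport=22 dport=40526 [ASSURED] mark=0 use=1
icmp 1 8 src=172.31.8.4 dst=172.31.11.10 type=8 code=0 id=1581 src=172.31.11.10 dst=172.31.8.4 type=0 code=0 id=1581 mark=0 use=1
conntrack v1.4.5 (conntrack-tools): 5 flow entries have been shown.
"""

if __name__ == "__main__":
    flows = parse_conntrack_output(SAMPLE_EVENTS)
    print(count_by_state(flows))
    for f in unreplied_flows(flows):
        print("unreplied:", f.proto, f.orig["src"], "->", f.orig["dst"], f.orig.get("dport"))
```

Feeding the live output in (`sudo conntrack -L | python3 parse_conntrack.py`-style, with `sys.stdin.read()` in place of the sample constant) gives the same structure; the -E stream is what you would tail for monitoring, while -L is the snapshot you would compare against the firewall's expected open connections.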