Above, I briefly introduced a lot of options, but only those found in kernel 2.4.9. To see more options, look at Patch-O-Matic on the Netfilter site. It contains further options that may be added to the kernel in the future, or may not; there are many reasons for this, e.g. some are still unstable, or Linus Torvalds does not want to put patches that are still experimental into the mainstream kernel.

The following options must be compiled into the kernel, either statically or as modules, for rc.firewall.txt to work:

* CONFIG_PACKET
* CONFIG_NETFILTER
* CONFIG_IP_NF_CONNTRACK
* CONFIG_IP_NF_FTP
* CONFIG_IP_NF_IRC
* CONFIG_IP_NF_IPTABLES
* CONFIG_IP_NF_FILTER
* CONFIG_IP_NF_NAT
* CONFIG_IP_NF_MATCH_STATE
* CONFIG_IP_NF_TARGET_LOG
* CONFIG_IP_NF_MATCH_LIMIT
* CONFIG_IP_NF_TARGET_MASQUERADE

These are the minimum options needed for rc.firewall.txt to work normally. The options the other scripts need are explained in their respective chapters. For now this is the only script we need to pay attention to.

2.3. Compiling and installing

Now let's look at how to compile iptables. Many parts of iptables are configured together with the kernel and are compiled and linked against it; understanding this is important. Some Linux distributions, e.g. Red Hat, come with iptables pre-installed but do not enable it by default. We will explain how to enable it, and also introduce iptables on other distributions.

2.3.1. Compiling

First extract the iptables package. Here I use iptables 1.2.6a. (Translator's note: at the time of translation the latest version is already 1.2.9, which has many improvements, fixes several bugs, and adds several matches and targets.)
The command is:

    bzip2 -cd iptables-1.2.6a.tar.bz2 | tar -xvf -

(`tar -xjvf iptables-1.2.6a.tar.bz2` does the same, but the -j option is not available in some older versions of tar.) The package is extracted into the directory iptables-1.2.6a, where the INSTALL file contains much information on compiling and running.

In this step you can configure and install some additional modules, or add some options to the kernel. Here we only check for and install patches that are not yet included in the kernel. The more experimental patches are only used when certain specific operations are needed.

Note: some patches are still at the experimental stage, and installing them is not a good idea. In this step you will meet a lot of interesting matches and packet operations, but they are still experimental.

To carry out this step, run the following command in the iptables directory:

    make pending-patches KERNEL_DIR=/usr/src/linux/

The variable KERNEL_DIR points to the real path of the kernel source. Normally this is /usr/src/linux/, but it may differ depending on the Linux distribution you use.

Note: in short, this only asks about the patches that are pending inclusion in the kernel. Netfilter's developers have many more patches and additions they would like to see in the kernel, but those are still experimental.

If you want to install those too, use the following command:

    make most-of-pom KERNEL_DIR=/usr/src/linux/

This installs most of Patch-O-Matic (the Netfilter world's name for the patches), leaving out the extreme parts that could seriously damage the kernel. You need to understand what these commands do and how they affect the kernel source; each patch is explained before you are asked to choose. The following command installs all of Patch-O-Matic (Translator's note: be careful):

    make patch-o-matic KERNEL_DIR=/usr/src/linux/

Read the help text of every patch, because some Patch-O-Matic patches will damage the kernel, and some break other patches.

Note: if you do not plan to patch the kernel with Patch-O-Matic, the commands above are not required. You can still run them to see what interesting things are available; this does not affect anything.

After installing Patch-O-Matic, the kernel must be recompiled, because new patches have been added. Don't forget to reconfigure the kernel: the existing configuration file has no information about the patches you added. You can also compile iptables first and then the kernel.

Next, compile iptables with this simple command:

    make KERNEL_DIR=/usr/src/linux/

iptables should now be compiled. If not, think about the problem, or subscribe to the Netfilter mailing list, where someone may be able to help you. If everything went well, install iptables; this step rarely causes any problems:

    make install KERNEL_DIR=/usr/src/linux/

Everything should now be installed. If you have not already recompiled and installed the kernel, do so now, otherwise you still cannot use the updated iptables. Read INSTALL for detailed installation information.

2.3.2. Installing on Red Hat 7.1

Red Hat 7.1 uses a 2.4.x kernel, which supports Netfilter and iptables.
Red Hat contains all the basic programs needed, but by default it uses ipchains. "Why can't I use iptables?" is the most common question. Let's talk about how to turn off ipchains and use iptables instead.

Note: the iptables version pre-installed on Red Hat 7.1 is old; before using it you may want to install a newer one and compile the kernel yourself.

First, turn off ipchains and make sure it no longer runs. To do this, some file names under the directory /etc/rc.d/ must be changed. The following command does it:

    chkconfig --level 0123456 ipchains off

This renames all soft links to /etc/rc.d/init.d/ipchains to K92ipchains. A link name beginning with S means the initialisation scripts start the service at boot; a name beginning with K means the service is stopped, or not started at all. This way ipchains will not be started again. To stop the service that is currently running, use the service command:

    service ipchains stop

Now we can start the iptables service. First determine which run levels it should run in; normally these are 2, 3 and 5, which have different uses:

* 2: multi-user environment without NFS. The only difference from level 3 is the network support.
* 3: multi-user environment, the level we normally use.
* 5: X11, the graphical interface.

Use the following command to make iptables run in these levels:

    chkconfig --level 235 iptables on

You can also use this command to enable iptables in the other levels, but there is no need: level 1 is single-user mode, generally used for repairs; level 4 is reserved and unused; level 6 is used to shut down the computer.

Start iptables with:

    service iptables start

The iptables script contains no rules. There are two ways to add rules on Red Hat 7.1. The first is to edit /etc/rc.d/init.d/iptables; note that the existing rules may be deleted when iptables is upgraded with RPM. The other is to load the rules, save them to a file with the command iptables-save, and then have the script under rc.d (/etc/rc.d/init.d/iptables) load them.

Let's first explain the "cut and paste" method of setting up /etc/rc.d/init.d/iptables. For iptables to start when the computer boots, the rules can be placed in the "start" section or in the function start(). Note: if the rules are placed in the "start" section, don't run start() from the "start" section. You also have to edit the "stop" section so that the script knows what to do when the computer shuts down or enters a run level that does not need iptables. Also check the settings of the "restart" and "condrestart" sections. Be sure to note that the changes we make may be deleted when iptables is upgraded, whether through the automatic upgrade of the Red Hat Network or through RPM.

The second method is described below. First write a rule script, or generate the rules with the iptables command. The rules should suit your needs; don't forget to test whether there are any problems, and after confirming that everything works normally, save the rules with the command iptables-save. Generally use:

    iptables-save > /etc/sysconfig/iptables

which generates the file /etc/sysconfig/iptables. You can also use `service iptables save`, which automatically saves the rules to /etc/sysconfig/iptables. When the computer starts, the script under rc.d uses the command iptables-restore to restore the rules automatically.

These two methods are best not mixed, so that the rules defined by the different methods do not affect each other or even make the firewall settings invalid.

At this point the pre-installed ipchains and iptables can be deleted, which avoids conflicts between the new and old versions of iptables. In fact this is only needed when you installed from source; generally there is no mutual impact, since the RPM-based packages do not use the source's default directory. Delete with the following command:

    rpm -e iptables

Don't need ipchains any more? Delete it:

    rpm -e ipchains

After all the hard work, victory finally comes: you are now able to install iptables from source and delete the old versions.

Chapter 3. Tables and chains

This chapter discusses the order in which packets traverse the different chains and tables. Later, when you write rules yourself, you will know how important this order is.
Some components are shared by iptables and the kernel, e.g. the packet routing decision. It is important to understand this, especially when you use iptables to change the route of packets. It helps you understand how a packet travels and why it is routed the way it is; DNAT and SNAT are good examples, and don't forget the role of TOS.

3.1. Overview

When a packet reaches the firewall, if its MAC address matches, the corresponding driver receives it, and a series of operations then decides whether to send it to a local program, forward it to another machine, or do something else.

Let's first look at a packet destined for the local machine. It goes through the following steps before reaching the program that receives it.

(Translator's note: the word "mangle" appears below. I could not find a suitable word to express its meaning, simply because my English is too poor, so I can only write my understanding of it. The word means that some transmission characteristics of the packet are modified; the operations allowed in the mangle table are TOS, TTL and MARK. In other words, whenever we see this word we can understand its role.)

Table 3-1. Packets destined for the local machine

| Step | Table | Chain | Comment |
|---|---|---|---|
| 1 | | | On the wire (e.g. the Internet) |
| 2 | | | Comes in on the interface (e.g. eth0) |
| 3 | mangle | PREROUTING | This chain is used to mangle packets, e.g. change TOS. |
| 4 | nat | PREROUTING | This chain is mainly used for DNAT. Don't filter in this chain, because in some cases packets bypass it. |
| 5 | | | Routing decision, e.g. whether the packet is for the local machine or to be forwarded. |
| 6 | mangle | INPUT | After routing, the packet is mangled here before it is sent to the local program. |
| 7 | filter | INPUT | All packets destined for the local machine pass through this chain, no matter where they come from; all filtering of these packets is done here. |
| 8 | | | Reaches the local program (e.g. a server or client program) |

Note: compared to before (Translator's note: meaning ipchains), packets are now only passed through the INPUT chain, not the FORWARD chain as well. This is more logical. It may not look easy to understand at first, but think about it and you will realise it.

Now let's look at packets whose source is the local machine. What steps do they pass through?

Table 3-2. Packets from the local machine

| Step | Table | Chain | Comment |
|---|---|---|---|
| 1 | | | Local program (e.g. a server or client program) |
| 2 | | | Routing decision: which source address to use, which interface to leave by, and other information. |
| 3 | mangle | OUTPUT | Packets can be mangled here. Filtering here is not recommended; it may have side effects. |
| 4 | nat | OUTPUT | This chain does DNAT on packets sent from the firewall itself. |
| 5 | filter | OUTPUT | Filtering of packets from the local machine is done here. |
| 6 | mangle | POSTROUTING | This chain is mainly used to mangle packets after all DNAT is done (Translator's note: the author calls this the actual routing, although a routing decision was made earlier. Once a local packet is generated it must go through the routing code, but where it will actually go is determined later, so the author calls this the actual routing.) but before they leave the local machine. Two kinds of packets pass through here: packets generated by the firewall itself and forwarded packets. |
| 7 | nat | POSTROUTING | SNAT is done here. Don't filter here, because of side effects: some packets slip through even with a DROP policy. |
| 8 | | | Leaves the interface (e.g. eth0) |
| 9 | | | On the wire (e.g. the Internet) |

In this example we assume that the packet is destined for a machine in another network. Let's look at this packet:

Table 3-3. Forwarded packets

| Step | Table | Chain | Comment |
|---|---|---|---|
| 1 | | | On the wire (e.g. the Internet) |
| 2 | | | Comes in on the interface (e.g. eth0) |
| 3 | mangle | PREROUTING | Mangle packets, e.g. change TOS. |
| 4 | nat | PREROUTING | This chain is mainly used for DNAT. Don't filter in this chain, because in some cases packets bypass it. SNAT is done later. |
| 5 | | | Routing decision, e.g. whether the packet is for the local machine or to be forwarded. |
| 6 | mangle | FORWARD | The packet continues to the FORWARD chain of the mangle table, which is very special. Mangling here happens after the initial routing decision but before the last change to the packet (Translator's note: that is done by the FORWARD chain of the filter table below, which because of its filtering function may change the packet's fate, e.g. discard it). |
| 7 | filter | FORWARD | Packets continue to this FORWARD chain. Only packets that need to be forwarded come here, and all filtering of these packets is done here. Note that all packets to be forwarded pass through it, whether from the external network to the internal one or the other way round. Take this into account when you write rules. |
| 8 | mangle | POSTROUTING | This chain is also for some special kinds of packets (Translator's note: compare step 6; both FORWARD and POSTROUTING chains of the mangle table are used in special applications when forwarding packets). This mangling is done after all changes to the packet's destination address, while the packet is still on the local machine. |
| 9 | nat | POSTROUTING | This chain is used for SNAT, which of course includes MASQUERADE. Don't filter here, because some packets pass through even if they do not match. |
| 10 | | | Leaves the interface (e.g. eth0) |
| 11 | | | On the wire (e.g. the LAN) |

As you can see, a packet goes through many steps, and it can be blocked on any chain, or wherever there is a problem. Our main interest is the iptables part. Note that there are no chains or tables specific to particular interfaces. All packets to be forwarded by the firewall/router must pass through the FORWARD chain. Do not filter them on the INPUT chain: INPUT is designed to operate on packets addressed to our own machine, which will not be routed anywhere else.

Now let's look at how the different chains are used in the three situations above. The original tutorial illustrates this with a figure; to understand it, think of it this way. At the first routing decision, a packet not destined for the local machine is sent through the FORWARD chain. If the packet's destination is an IP address the local machine listens on, it is sent through the INPUT chain and finally reaches the local machine. It is worth noting that during NAT the destination address of a packet addressed to this machine may be changed in the PREROUTING chain. This happens before the first routing decision, so the packet can be routed after its address is changed. Note that every packet passes through one of the paths in the figure.
If a packet is DNATed back to its original network, it continues through the remaining chains on the corresponding path until it is sent back to the original network.

Tip: for more information, look at rc.test-iptables.txt. This script contains some rules that show you how packets pass through all the tables and chains.

3.2. The mangle table

This table is used mainly to mangle packets; you can use the mangle targets to change TOS and other characteristics of packets.

Caution: it is strongly recommended not to filter anything in this table, nor to do DNAT, SNAT or MASQUERADE here.

The following targets can be used in the mangle table:

* TOS
* TTL
* MARK

The TOS target sets or changes the Type of Service field of the packet. This is often used to set policies on how packets on the network should be routed. Note that this operation is not perfect; sometimes it does not do what is wanted. It cannot be used on the Internet, and many routers pay no attention to this field. In other words, don't set it on packets going to the Internet unless you plan to route based on TOS, e.g. with iproute2.

The TTL target changes the time-to-live field of the packet, so we can give all packets one special TTL. There is a good reason for this: we can fool some ISPs. Why fool them? Because they do not want to let us share a connection. Those ISPs look for whether a single computer uses different TTLs, and take this as a sign that the connection is shared.

The MARK target sets a special mark on the packet. iproute2 can recognise these marks and choose different routes according to different marks (or no mark). With these marks we can do bandwidth limiting and class-based queuing.

3.3. The nat table

This table is only used for NAT, i.e. changing the source or destination address of packets. Note that, as said earlier, only the first packet of a stream is matched by this table; after that, the following packets of the stream automatically get the same treatment. The actual targets fall into these categories:

* DNAT
* SNAT
* MASQUERADE

DNAT is mainly used in a situation like this: you have a legitimate IP address, and want to redirect access to the firewall to other machines (e.g. in a DMZ). That is, we change the destination address so that the packet can reach a host.

SNAT changes the source address of packets, which can hide your local network or DMZ. A good example: we know the firewall's external address, and must replace the local network address with this address. With this target the firewall automatically does SNAT and de-SNAT (reverse SNAT) so that the LAN can connect to the Internet. If you use an address like 192.168.0.0/24, no response will come back from the Internet, because IANA defines these networks (and others) as usable only inside a LAN.

MASQUERADE's role is exactly the same as SNAT's, just a little slower: for each matching packet, MASQUERADE looks up an available IP address, instead of using the IP address configured for SNAT. Of course this is also an advantage: we can use addresses obtained through PPP, PPPoE, SLIP etc., which are assigned randomly by the ISP's DHCP.

3.4. The filter table

The filter table is used to filter packets; we can match packets and filter them however we want. Here we DROP or ACCEPT packets according to their content. Of course, some filtering can also be done elsewhere, but this table is designed for filtering. Almost all targets can be used here. Much more detail follows later; for now, know that filtering is mainly done here.

Chapter 4. The state machine

This chapter explains the state machine in detail.
After reading this chapter, you will have a comprehensive understanding of how the state machine works. We use some examples to explain it; practice brings real knowledge.

4.1. Overview

The state machine is a special part of iptables. In fact it should not be called a state machine, since it is just a connection tracking mechanism, but many people know it as the state machine, and I use this name in the text with the same meaning as connection tracking. This should not cause any confusion.

Connection tracking lets Netfilter know the state of a particular connection. A firewall running connection tracking is called a stateful firewall. A stateful firewall is more secure than a stateless one, because it allows us to write stricter rules.

In iptables, packets are related to four different tracked states: NEW, ESTABLISHED, RELATED and INVALID. Later we discuss each state in depth. With the --state match we can easily control who is allowed to initiate a new session.

All connection tracking is done by a specific framework within the kernel called conntrack (Translator's note: from "connection tracking"). conntrack can be built as a module or as part of the kernel. In most cases we want more detailed connection tracking than the default conntrack provides. Because of this, conntrack contains many components for handling the TCP, UDP and ICMP protocols. These modules extract detailed, unique information from the packets and thereby keep track of each data stream. This information also tells conntrack the current state of the stream. For example, a UDP stream is generally uniquely identified by its destination address, source address, destination port and source port.

In earlier kernels, we could turn defragmentation on or off. However, since iptables and Netfilter, and especially connection tracking, were introduced into the kernel, this option has been removed, because connection tracking cannot work properly without defragmentation. Defragmentation is now integrated into conntrack and starts automatically when conntrack is started. Do not turn off defragmentation unless you want to turn off connection tracking.

All connection tracking is handled in the PREROUTING chain, except for locally generated packets, which are handled in the OUTPUT chain; this means that iptables computes all states in the PREROUTING chain. If we send the initial packet of a stream, its state is set to NEW in the OUTPUT chain; when we receive the reply, the state is set to ESTABLISHED in the PREROUTING chain. If the first packet is not generated locally, it is set to NEW in the PREROUTING chain. In summary, all state changes and computations are done in the PREROUTING and OUTPUT chains of the nat table.

4.2. conntrack records

Let's look at how to read the conntrack records in /proc/net/ip_conntrack. These records represent the currently tracked connections. If the ip_conntrack module is loaded, `cat /proc/net/ip_conntrack` shows something like:

    tcp      6 117 SYN_SENT src=192.168.1.6 dst=192.168.1.9 sport=32775 dport=22 [UNREPLIED] src=192.168.1.9 dst=192.168.1.6 sport=22 dport=32775 use=2

All the information the conntrack module maintains is contained in this example, and from it you can tell what state a particular connection is in.

The first field is the protocol, here TCP, followed by its decimal number 6 (Translator's note: the protocol number of TCP is 6). The next value, 117, is the remaining lifetime of this conntrack record; it is decremented regularly until more packets are received, at which point it is reset to the default value for the state at that time. Next is the state of the connection at the current moment. The example above shows this connection in the state SYN_SENT; this value is what iptables displays for us to understand, and it differs slightly from the value used internally. SYN_SENT means that the connection we are looking at has only seen a TCP SYN packet in one direction. Then come the source address, destination address, source port and destination port. The special word [UNREPLIED] indicates that this connection has not received any reply. Finally comes the information about the expected reply packets, whose addresses and ports are the reverse of the preceding ones.

The information in a connection tracking record differs depending on the protocol carried in IP; all the corresponding values are defined in the header files linux/include/netfilter-ipv4/ip_conntrack*.h. The default values for the IP, TCP, UDP and ICMP protocols are defined in linux/include/netfilter-ipv4/ip_conntrack.h. The specific values can be looked up per protocol, but we don't use them here because they are only used inside conntrack. As the state changes, the lifetime also changes.

Note: there is a new patch in Patch-O-Matic that exposes the timeouts mentioned above as system variables, so that we can change their values at runtime. In future we will not have to recompile the kernel to change these values. They can be changed through the special system calls under /proc/sys/net/ipv4/netfilter. Take a closer look at the variables /proc/sys/net/ipv4/netfilter/ip_ct_*.
When a connection has seen traffic in both directions, the conntrack record drops the [UNREPLIED] flag and is reset. A record with [ASSURED] near its end has seen traffic in both directions. Such records are assured: when the connection tracking table is full they are not deleted, whereas records without [ASSURED] are deleted first. The number of connections the tracking table can hold is controlled by a variable that can be set through the ip-sysctl function in the kernel. The default value depends on your memory size: 128 MB gives 8192 entries, 256 MB gives 16376. You can also view and set it in /proc/sys/net/ipv4/ip_conntrack_max.

4.3. States in user space

The states seen in user space differ from the internal ones. Inside the kernel, the state of a packet depends on the protocol carried in IP, but outside the kernel there are only four states: NEW, ESTABLISHED, RELATED and INVALID. They are mainly used with the --state match. The following table introduces them briefly:

Table 4-1. Packet states in user space

| State | Explanation |
|---|---|
| NEW | This packet is the first one we have seen, i.e. the first packet of a connection that the conntrack module sees, which is about to be matched. For example, when we see a SYN packet, it is the first packet we notice, and we match it. The first packet need not be a SYN packet, but it is still considered NEW. This sometimes causes problems, but it is very helpful in some situations, e.g. when we want to take over a connection from another firewall, or a connection has timed out but is actually not closed. |
| ESTABLISHED | conntrack has seen traffic in both directions and will continue to match packets of this connection. Connections in the ESTABLISHED state are easy to understand: once a packet is sent and a reply received, the connection is ESTABLISHED. For a connection to go from NEW to ESTABLISHED it only needs to receive a reply packet, whether that packet is destined for the firewall or forwarded by it. ICMP errors and redirects and other packets are also seen as ESTABLISHED, as long as they are replies to packets we sent. |
| RELATED | A more troublesome state. A connection is considered RELATED when it is related to a connection already in the ESTABLISHED state. In other words, for a connection to be RELATED there must first be an ESTABLISHED connection, and this ESTABLISHED connection spawns a connection outside the main one; the new connection is RELATED, provided the conntrack module is able to understand it. FTP is a good example: the FTP-data connection is RELATED to the FTP-control connection. Other examples are DCC connections through IRC. With this state, ICMP replies, FTP transfers, DCC etc. can work through the firewall. Note that most of the UDP protocols that rely on this mechanism are very complicated: they put the connection information inside the packets and require that this information be understood correctly. |
| INVALID | The packet cannot be identified as belonging to any connection, or has no state. There are several possible reasons, e.g. running out of memory, or receiving ICMP error messages that do not belong to any known connection. Generally we DROP packets in this state. |

These states can be used together to match packets. This makes our firewall very strong and effective. Previously we often had to open all ports above 1024 to let reply data through. Now, with the state machine, this is no longer necessary, because we can open only the ports that carry reply data and close the others. This is much safer.

4.4. TCP connections

In this section and the following ones we discuss these states in detail, and how they work for the three basic protocols TCP, UDP and ICMP. Other protocols are discussed too. We start with TCP because it is a stateful protocol and has many details relevant to the iptables state machine.

A TCP connection is established by a three-way handshake that negotiates the connection information. The whole session starts with a SYN packet, then a SYN/ACK packet, and finally an ACK packet. At this point the session is established and data can be sent. The big question is how connection tracking handles this process. In fact it is very simple: by default, connection tracking does basically the same thing for all connection types. A figure in the original tutorial shows what the stream looks like at the different stages of the connection. As you can see there, connection tracking does not look at TCP connection establishment from the user's point of view. When connection tracking sees the SYN packet, it considers the connection NEW. When it sees the returned SYN/ACK packet, it considers the connection ESTABLISHED. If you think about the second step, you should understand why. With this special treatment, NEW and ESTABLISHED packets can be sent out from the local network, and only ESTABLISHED connections can carry reply traffic. If every packet sent during the whole connection were considered NEW, then all three handshake packets would be NEW, and we could not block connections from the outside to the local network, because even a connection coming in from outside would be NEW, and for other connections we must allow NEW packets to return and enter the firewall.

More complicated is that many internal states are used for TCP connections inside the kernel; they are defined on pages 21-23 of RFC 793 - Transmission Control Protocol. In user space, though, things are simpler. We will introduce these states in detail later. As you can see, from the user's point of view it is very simple; from the kernel's perspective, however, this part is still hard. Let's look at an example of how the state of a connection changes in /proc/net/ip_conntrack.

    tcp      6 117 SYN_SENT src=192.168.1.5 dst=192.168.1.35 sport=1031 dport=23 [UNREPLIED] src=192.168.1.35 dst=192.168.1.5 sport=23 dport=1031 use=1

The record above shows the SYN_SENT state set, which means that the connection has sent a SYN packet but no reply has been received yet, as shown by the [UNREPLIED] flag.

    tcp      6 57 SYN_RECV src=192.168.1.5 dst=192.168.1.35 sport=1031 dport=23 src=192.168.1.35 dst=192.168.1.5 sport=23 dport=1031 use=1

Now we have received the corresponding SYN/ACK packet, and the state changes to SYN_RECV, which indicates that the original SYN packet was transmitted correctly and the SYN/ACK packet has also reached the firewall. This means that both parties to the connection have transmitted data, so it can be assumed that there are replies in both directions. Of course this is an assumption.

    tcp      6 431999 ESTABLISHED src=192.168.1.5 dst=192.168.1.35 sport=1031 dport=23 src=192.168.1.35 dst=192.168.1.5 sport=23 dport=1031 use=1

Now we have sent the third packet of the three-way handshake, an ACK packet, and the connection enters the ESTABLISHED state. After a few more packets are transmitted, the connection becomes [ASSURED].
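A small parser for the /proc/net/ip_conntrack records quoted in sections 4.2 and 4.4, added here as an example (not part of the tutorial). The sample lines are constructed in the same format, including a hypothetical SNATed connection on TEST-NET addresses to show that the reply tuple is only the mirror image of the original tuple when no NAT is involved.

```python
"""Parse 2.4-kernel /proc/net/ip_conntrack records (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample table, not a real capture. The third line is a
# hypothetical SNATed connection: the reply tuple points at the firewall's
# external address 203.0.113.9 instead of the LAN host.
SAMPLE = """\
tcp      6 117 SYN_SENT src=192.168.1.6 dst=192.168.1.9 sport=32775 dport=22 [UNREPLIED] src=192.168.1.9 dst=192.168.1.6 sport=22 dport=32775 use=2
tcp      6 431999 ESTABLISHED src=192.168.1.5 dst=192.168.1.35 sport=1031 dport=23 src=192.168.1.35 dst=192.168.1.5 sport=23 dport=1031 [ASSURED] use=1
tcp      6 431999 ESTABLISHED src=192.168.1.5 dst=198.51.100.7 sport=1031 dport=80 src=198.51.100.7 dst=203.0.113.9 sport=80 dport=1031 [ASSURED] use=1
udp      17 29 src=192.168.1.5 dst=192.168.1.1 sport=32770 dport=53 src=192.168.1.1 dst=192.168.1.5 sport=53 dport=32770 use=1
"""

TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")


@dataclass
class Record:
    proto: str
    proto_num: int
    timeout: int              # seconds left before the entry is dropped
    state: Optional[str]      # only TCP records carry a kernel state name
    orig: Dict[str, object]   # tuple of the direction that opened the stream
    reply: Dict[str, object]  # tuple conntrack expects replies to carry
    unreplied: bool
    assured: bool
    use: int

    def is_nat(self) -> bool:
        """Without NAT the reply tuple is exactly the mirror of the original."""
        mirror = {"src": self.orig["dst"], "dst": self.orig["src"],
                  "sport": self.orig["dport"], "dport": self.orig["sport"]}
        return self.reply != mirror


def _tuple(m) -> Dict[str, object]:
    return {"src": m[0], "dst": m[1], "sport": int(m[2]), "dport": int(m[3])}


def parse_record(line: str) -> Record:
    fields = line.split()
    if len(fields) < 4:
        raise ValueError("not a conntrack record: %r" % line)
    proto, proto_num, timeout = fields[0], int(fields[1]), int(fields[2])
    state = fields[3] if proto == "tcp" else None
    tuples = TUPLE_RE.findall(line)
    if len(tuples) != 2:
        raise ValueError("expected original and reply tuples: %r" % line)
    use = re.search(r"use=(\d+)", line)
    return Record(proto, proto_num, timeout, state,
                  _tuple(tuples[0]), _tuple(tuples[1]),
                  "[UNREPLIED]" in line, "[ASSURED]" in line,
                  int(use.group(1)) if use else 0)


def parse_table(text: str) -> List[Record]:
    return [parse_record(l) for l in text.splitlines() if l.strip()]


def evictable(records: List[Record]) -> List[Record]:
    """Entries conntrack drops first once ip_conntrack_max is reached:
    those that are not yet [ASSURED]."""
    return [r for r in records if not r.assured]


if __name__ == "__main__":
    for r in parse_table(SAMPLE):
        print(r.proto, r.state, r.timeout, "NAT" if r.is_nat() else "plain",
              "assured" if r.assured else "evictable")
```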
The following describes the states of a TCP connection during the closing process. As the figure in the original tutorial shows, the connection (in both directions) is not closed until the last ACK packet is sent. Note that this is only the general case. A connection can also be closed by sending RST, which is used when rejecting a connection. After an RST packet is sent, the connection is dropped after a predetermined period of time.

After the connection is closed, it enters the TIME_WAIT state, whose default time is 2 minutes. The reason for this time is to allow packets still in transit to pass through the various rules and to reach their destination through congested routers. If the connection is reset by an RST packet, it changes directly to CLOSE, which means only a 10 second default time before it is dropped. The RST packet does not need to be acknowledged; it closes the connection directly. For TCP connections there are other states we have not talked about. The full list of states and timeout values is given below.
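A simplified model of what section 4.4 describes, added as an example and not the kernel's code: the kernel keeps a per-connection TCP state with its own timeout, while the --state match only exposes NEW, ESTABLISHED, RELATED or INVALID. The SYN_SENT, SYN_RECV and ESTABLISHED timeouts are the defaults implied by the counters quoted in the text (117/120, 57/60, 431999/432000), TIME_WAIT and CLOSE are the 2 minutes and 10 seconds the text gives, and FIN_WAIT and LAST_ACK are assumed 2.4-kernel defaults; the transition logic covers only the handshake, the four-packet close and RST, not every case in ip_conntrack_proto_tcp.c.

```python
"""Simplified conntrack view of a TCP stream (added example, not kernel code)."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Key = Tuple[str, int, str, int]  # (src, sport, dst, dport)

# Default timeouts in seconds for each kernel-internal TCP state (assumed
# 2.4 defaults; see the lead-in for which ones the text itself gives).
TIMEOUTS = {
    "SYN_SENT": 120, "SYN_RECV": 60, "ESTABLISHED": 5 * 24 * 3600,
    "FIN_WAIT": 120, "LAST_ACK": 30, "TIME_WAIT": 120, "CLOSE": 10,
}


@dataclass
class Entry:
    state: str
    expires: float
    seen_reply: bool = False   # [UNREPLIED] is shown while this is False
    assured: bool = False      # [ASSURED] entries survive a full table
    closer: Optional[str] = None  # direction that sent the first FIN


def reverse(key: Key) -> Key:
    return (key[2], key[3], key[0], key[1])


def _next_state(entry: Entry, direction: str, flags: str) -> str:
    """Handshake, orderly close and reset; anything else keeps the state."""
    s = entry.state
    if flags == "RST":                       # reset: straight to CLOSE, 10 s
        return "CLOSE"
    if s == "SYN_SENT" and direction == "reply" and flags == "SYNACK":
        return "SYN_RECV"
    if s == "SYN_RECV" and direction == "orig" and flags == "ACK":
        return "ESTABLISHED"
    if s == "ESTABLISHED" and flags == "FIN":
        entry.closer = direction
        return "FIN_WAIT"
    if s == "FIN_WAIT" and flags == "FIN" and direction != entry.closer:
        return "LAST_ACK"
    if s == "LAST_ACK" and flags == "ACK" and direction == entry.closer:
        return "TIME_WAIT"                   # closed; linger 2 minutes
    return s


class TcpConntrack:
    def __init__(self) -> None:
        self.table: Dict[Key, Entry] = {}

    def _find(self, key: Key, now: float):
        """Locate a live entry in either direction, expiring a stale one."""
        for k, direction in ((key, "orig"), (reverse(key), "reply")):
            entry = self.table.get(k)
            if entry is None:
                continue
            if entry.expires <= now:
                del self.table[k]            # timed out: stream is forgotten
                return None, None
            return k, direction
        return None, None

    def packet(self, now: float, key: Key, flags: str) -> str:
        """Feed one packet; return the state the --state match would see."""
        k, direction = self._find(key, now)
        if k is None:
            # First packet conntrack sees for this stream is NEW even when it
            # is not a SYN (e.g. a stream taken over from another firewall).
            state = "SYN_SENT" if flags == "SYN" else "ESTABLISHED"
            self.table[key] = Entry(state, now + TIMEOUTS[state])
            return "NEW"
        entry = self.table[k]
        entry.state = _next_state(entry, direction, flags)
        entry.expires = now + TIMEOUTS[entry.state]   # lifetime is reset
        if direction == "reply":
            entry.seen_reply = True
        if entry.state == "ESTABLISHED" and entry.seen_reply:
            entry.assured = True
        # Original-direction packets before any reply are still NEW.
        return "ESTABLISHED" if entry.seen_reply else "NEW"

    def icmp_error(self, now: float, inner: Key) -> str:
        """ICMP error quoting a tracked stream is RELATED, otherwise INVALID."""
        k, _ = self._find(inner, now)
        return "RELATED" if k is not None else "INVALID"
```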