Study document: Vyatta Connection Management 6.5R1 v01



Document information

Vyatta Suite200 1301ShorewayRoad Belmont,CA94002 vyatta.com 6504137200 1888VYATTA1(USandCanada) VYATTA,INC. |  VyattaSystem ConnectionManagement REFERENCEGUIDE ConnectionTracking FlowAccounting COPYRIGHT Copyright©2005–2012Vyatta,Inc.Allrightsreserved. Vyattareservestherighttomakechangestosoftware,hardware,anddocumentationwithoutnotice.Forthemostrecentversionof documentation,visittheVyattawebsiteatvyatta.com. PROPRIETARYNOTICES VyattaisaregisteredtrademarkofVyatta,Inc. Hyper‐VisaregisteredtrademarkofMicrosoftCorporation. VMware,VMwareESX,andVMwareserveraretrademarksofVMware,Inc. XenServer,andXenCenteraretrademarksofCitrixSystems,Inc. Allothertrademarksarethepropertyoftheirrespectiveowners. RELEASEDATE:October2012 DOCUMENTREVISION.6.5R1 v01 RELEASEDWITH:6.5.0R1 PARTNO.A0‐0245‐10‐0004 iii ConnectionManagement 6.5R1v01 Vyatta Contents QuickListofCommands......................................................... v ListofExamples ............................................................... vii Preface. ....................................................................viii IntendedAudience ............... ................................................................ix OrganizationofThisGuide ................. .................................... ................. .. 
.ix DocumentConventions .......................................... .................................ix VyattaPublicati ons............... ............... ................... ...............................x Chapter1ConnectionTracking................................................... 1 ConnectionTrackingOverview............................. .........................................2 Logging............................ ................................. .................... ....2 ConnectionTrackingTableComponents ........................................ ............... ...3 TheConnectionTrackingTable ..................... ........ .................................3 TheConnectionTrackingHashTable............ ............... ................... ...........3 TheConnectionTrackingExpectTable. ............... ........................................3 TheConnectionTrackingExpectHashTable................................... ..... ...........4 TuningConnectionTracking... ................... .............. ................................4 SettingTime‐OutsforConnections .. ........... ................................. 
................5 Connection TrackingCommands.............................. ......................................6 deleteconntracktable............................ ............... ................... ...........8 resetconntrack ... ............... ................... ................. .......................11 showconntracktable ........................ ................................. ...............12 systemconntrack expect‐table‐size<size>....................................... ................15 systemconntrackhash‐size<size> ................................. .... ............... ..........17 systemconntracklogicmp..................... ............... ................... .............19 systemconntracklog other....................................... .. ................. ..........21 systemconntracklogtcp.............................. ................................. .......23 systemconntracklogudp ....... ................................. .............................26 systemconntrackmodulesftp.. ................................ ............... ................28 systemconntrackmodulesgre................ ............... 
................... ...............29 system conntrackmodulesh323.......................... .....................................31 systemconntrackmodulesnfs ................................ ................................. 33 systemconntrackmodulespptp ....... ...... ..................................................35 systemconntrackmodulessip...... ................... ................... .. ...................37 systemconntrackmodulessqlnet ................... ........ ...................................39  iv ConnectionManagement 6.5R1v01 Vyatta systemconntrackmodulestftp ................................................................41 systemconntracktable‐size<size> ........... ................. ................................. 43 systemconntracktcploose<state>............. ................................. ...............45 systemconntrack timeoutcustom ........... ................... ................................47 systemconntracktimeouticmp .................................. ............... ...............51 systemconntracktimeoutother ................ ............... ................... 
.............53 systemconntracktimeout tcp .................................... .............................55 systemconntracktimeoutudp............ .................... ................................. 57 Chapter2FlowAccounting ..................................................... 59 FlowAccountingConfiguration .................... ................... .............................60 FlowAccountingOverview........................... ................................. ........60 ConfiguringanInterfaceforFlowAccounting.... ................................. ................60 Displaying FlowAccountingInformation .........................................................61 ExportingFlowAccountinginformation ......................... ............ ............... .....62 FlowAccountingCommands .............. ............. ...........................................63 clearflow‐accountingcounters ... ................................ .. ................. ..........65 restartflow‐accounting ...................................... ................................. 66 showflow‐accounting.............. 
..........................................................67 showflow‐accountinginterface<interface>...................................... ................68 systemflow‐accountinginterface<interface> ............................. ............... ........69 systemflow‐accountingnetflowengine‐id<id> ..................... ............... ...............71 systemflow‐accountingnetflowsampling‐rate<rate> ............. ................................72 systemflow‐accountingnetflowserver<ipv4>............. ............... ................... .....74 systemflow‐accountingnetflowtimeoutexpiry‐interval<interval> ... ............... ................76 systemflow‐accountingnetflowtimeoutflow‐generic<timeout> ............ ........................78 systemflow‐accountingnetflowtimeouticmp<timeout> .. ................. ............... ........80 systemflow‐accountingnetflowtimeoutmax‐active‐life<life> ......... .......... ...................82 systemflow‐accountingnetflowtimeouttcp‐fin<timeout> .................... .... ............... ..84 systemflow‐accountingnetflowtimeouttcp‐generic<timeout> .................. 
........ ...........86 systemflow‐accountingnetflowtimeouttcp‐rst<timeout> ................................ .........88 systemflow‐accountingnetflowtimeoutudp<timeout>.................................. .........90 systemflow‐accountingnetflowversion<version>. .................................. .............92 systemflow‐accountingsflowagent‐address<addr> ......................... ..... ................94 systemflow‐accountingsflowsampling‐rate<rate> ........................... ............... .....96 systemflow‐accountingsflowserver<ipv4>.........................  .............................98 systemflow‐accountingsyslog‐facility<facility> ............... ..................................100 GlossaryofAcronyms......................................................... 102 v ConnectionManagement 6.5R1v01 Vyatta QuickListofCommands Use this list to help you quickly locate commands. clearflow‐accountingcounters............................. .................... ................ ...65 deleteconntracktable .......................... ................................. .................8 resetconntrack.......................... .. .................... ............... ..................11 restartflow‐accounting.... ........... ............... 
................... ..........................66 showconntracktable...................................... ......................................12 showflow‐accountinginterface<interface> ....... ..................................................68 showflow‐accounting............. ................................... ............... .............67 systemconntrackexpect‐table‐size<size> ................. ............... ................... ........15 systemconntrackhash‐size<size> ... ............... ...............................................17 systemconntracklogicmp ................. .. ................. ................................. ...19 systemconntracklogother .......... .............................................................21 systemconntracklogtcp ................................... ............... .......................23 systemconntracklogudp......... ................................................................26 systemconntrackmodulesftp .................................. ...................................28 systemconntrackmodulesgre ........... ................................. 
........................29 systemconntrackmodulesh323 ...................... .................. ...........................31 systemconntrackmodulesnfs.................... ............... ................... ...............33 system conntrackmodulespptp ...... ................... ..........................................35 systemconntrackmodulessip ............................ ................................. ........37 systemconntrackmodulessqlnet..... .............................................................39 systemconntrackmodulestftp.......................... .. ....... ............... ..................41 systemconntracktable‐size<size>............ ................................ .. ................. ..43 systemconntracktcploose<state>.......................... .................. .....................45 systemconntracktimeoutcustom ......................... ................................. .......47 systemconntracktimeouticmp....... .............................................................51 systemconntracktimeoutother......... 
.......................... ................................53 systemconntracktimeouttcp.............. ............... ................... .....................55 systemconntracktimeoutudp ................................. ......... ..........................57 systemflow‐accountinginterface<interface>................... .....................................69 systemflow‐accountingnetflowengine‐id<id>....... ................................. ...............71 systemflow ‐accountingnetflowsampling‐rate<rate>................. ................................72 systemflow‐accountingnetflowserver<ipv4> ........................................ ............... 74  vi ConnectionManagement 6.5R1v01 Vyatta systemflow‐accountingnetflowtimeoutexpiry‐interval<interval>.................................... ..76 systemflow‐accountingnetflow timeoutflow‐generic<timeout>........ ................................78 systemflow‐accountingnetflowtimeouticmp<timeout> ............... ...............................80 systemflow‐accountingnetflow timeoutmax‐active‐life<life> ............................. .............82 systemflow‐accountingnetflow timeouttcp‐fin<timeout>........................... 
..................84 systemflow‐ accountingnetflowtimeouttcp‐generic<timeout>.......................... ...............86 systemflow‐accountingnetflow timeouttcp‐rst<timeout>.................................. ...........88 systemflow‐ accountingnetflowtimeoutudp<timeout> ...............................................90 systemflow‐accountingnetflowversion<version> ............................................. .......92 systemflow‐accountingsflowagent‐address<addr> .................................... ..............94 systemflow‐accountingsflowsampling‐rate<rate>............................. ......................96 systemflow‐accountingsflowserver<ipv4> .................. .... ................................. ..98 systemflow‐accountingsyslog‐facility<facility> ... ...... ............................................100 vii ConnectionManagement 6.5R1v01 Vyatta ListofExamples Use this list to help you locate examples you’d like to look at or try. Example1‐1“deleteconntracktableipv4”sampleoutput....... .. ....................................10 Example1‐2“showconntracktableipv4”sampleoutput... ................... ................... .....13 Example1‐4SampleconntracklogmessagesfortheICMPprotocol....................... ............. .20 Example1‐5Sampleconntracklogmessagesforotherprotocols.................... 
................... .22 Example 1‐6SampleconntracklogmessagesfortheICMPprotocol.... ................... ..............25 Example1‐7Sampleconntracklog messagesfortheICMPprotocol.....................................27 viii ConnectionManagement 6.5R1v01 Vyatta Preface This document describes the various deployment, installation, and upgrade options for Vyatta software. This preface provides information about using this guide. The following topics are presented: • Intended Audience • Organization of This Guide • Document Conventions • Vyatta Publications  IntendedAudience ix ConnectionManagement 6.5R1v01 Vyatta IntendedAudience This guide is intended for experienced system and network administrators. Depending on the functionality to be used, readers should have specific knowledge in the following areas: • Networking and data communications • TCP/IP protocols • General router configuration • Routing protocols • Network administration • Network security • IP services OrganizationofThisGuide This guide has the following aid to help you find the information you are looking for: • Quick List of Commands Use this list to help you quickly locate commands. • List of Examples Use this list to help you locate examples you’d like to try or look at. This guide has the following chapters: DocumentConventions This guide uses the following advisory paragraphs, as follows. Chapter Description Page Chapter 1:ConnectionTracking Thischapterexplainsconnectiontrackingin theVyattasystem. 1 Chapter 2:FlowAccounting Thischapterexplainshowtoconfigureflow accountingusingtheVyattasystem. 59 GlossaryofAcronyms 102  VyattaPublications x ConnectionManagement 6.5R1v01 Vyatta NOTENotesprovideinformationyoumightneedtoavoidproblemsorconfigurationerrors. This document uses the following typographic conventions. 
VyattaPublications Full product documentation is provided in the Vyatta technical library. To see what documentation is available for your release, see the Guide to Vyatta Documentation. This guide is posted with every release of Vyatta software and provides a great starting point for finding the information you need. Additional information is available on www.vyatta.com and www.vyatta.org. WARNINGWarningsalertyoutosituationsthatmayposeathreattopersonalsafety. CAUTIONCautionsalertyoutosituationsthatmightcauseharmtoyoursystemordamageto equipment,orthatmayaffectservice. Monospace Examples, command-line output, and representations of configuration nodes. boldMonospace Your input: something you type at a command line. bold Commands, keywords, and file names, when mentioned inline. Objects in the user interface, such as tabs, buttons, screens, and panes. italics An argument or variable where you supply a value. <key> A key on your keyboard, such as <Enter>. Combinations of keys are joined by plus signs (“+”), as in <Ctrl>+c. [ key1 | key2] Enumerated options for completing a syntax. An example is [enable | disable]. num1–numN A inclusive range of numbers. An example is 1–65535, which means 1 through 65535, inclusive. arg1 argN A range of enumerated values. An example is eth0 eth3, which means eth0, eth1, eth2, or eth3. arg[ arg ] arg[,arg ] A value that can optionally represent a list of elements (a space-separated list and a comma-separated list, respectively). [...]... Example 1‐3   “show conntrack table ipv6” sample output vyatta@ vyatta:~$ show conntrack table ipv6 source 0:0:0:0:0:0:0:0 destination  [0:0:0:0:0:0:0:0]:22 CONN ID Source Destination Protocol 381 862 6200 [10FB:0:0:0:C:ABC:1F0C:44DA]:1140 [10FB:0:0:0:C:ABC:1F0C:45AD]:22 tcp  [6] 381 867 2537 [10FB:0:0:0:C:ABC:1F0C:55CB]:2020 [2001:cdba:0:0:0:0:3257: 965 2]:22 tcp  [6] Connection Management 6. 5R1 v01 Vyatta Chapter 1: Connection Tracking ... 
Dec 21 22:25:31 vyatta log‐conntrack: [NEW] gre 47 30 src=192. 169 .100.75  dst=192. 168 .100.75 srckey=0x0 dstkey=0x0 [UNREPLIED] src=192. 168 .100.75  dst=192. 169 .100.75 srckey=0x0 dstkey=0x0 id=3998350488 Dec 21 22:38: 06 vyatta log‐conntrack: [UPDATE] gre 47 179  src=192. 169 .100.1 dst=192. 168 .100.1 srckey=0x0 dstkey=0x0  src=192. 168 .100.1 dst=192. 169 .100.1 srckey=0x0 dstkey=0x0 [ASSURED]  id=39985783 76 Dec 21 22:39:50 vyatta log‐conntrack: [DESTROY] gre 47 src=192. 169 .100.17 ... Example 1‐2   “show conntrack table ipv4” sample output vyatta@ vyatta:~$ show conntrack table ipv4 source 0.0.0.0 destination  0.0.0.0:22 TCP state codes: SS ‐ SYN SENT, SR ‐ SYN RECEIVED, ES ‐ ESTABLISHED,                   FW ‐ FIN WAIT, CW‐ CLOSE WAIT, LA ‐ LAST ACK,                   TW ‐ TIME WAIT, CLOSE ‐ CL, LISTEN ‐ LI CONN ID Source 381 862 6200 192. 168 .74.1:1140 381 862 5704 192. 168 .74.1:1145 Connection Management 6. 5R1 v01 Destination 192. 168 .74.128:22...   Connection Management Vyatta Publications xi 6. 5R1 v01 Vyatta 1 Chapter 1: Connection Tracking This chapter explains connection tracking in the Vyatta system This chapter presents the following topics: • Connection Tracking Overview • Connection Tracking Commands Connection Management 6. 5R1 v01 Vyatta Chapter 1: Connection Tracking  Connection Tracking Overview... Example 1‐1   “delete conntrack table ipv4” sample output vyatta@ vyatta:~$ delete conntrack table ipv4 source 192. 168 .1.21 Deleting the following conntrack table entries: CONN ID    Source                 Destination            Protocol 3427 168 752 192. 168 .1.21:52250     192. 168 .1.81:22        tcp  [6] Connection Management 6. 5R1 v01 Vyatta Chapter 1: Connection Tracking  Connection Tracking Commands 11 reset conntrack Completely... two tables closer than 1:1 (for example, if the connection tracking table is set to 65 ,5 36 then the maximum hash table size should not be greater than 65 ,5 36 as well) Connection Management 6. 
5R1 v01 Vyatta Chapter 1: Connection Tracking  • Connection Tracking Overview 5 The maximum advisable table size is 2^20 (10485 76) entries The memory is allocated from the kernel memory space, which will not exceed... src=192. 168 .100.1 dst=192. 169 .100.1 srckey=0x0 dstkey=0x0 [ASSURED]  id=39985783 76 Dec 21 22:39:50 vyatta log‐conntrack: [DESTROY] gre 47 src=192. 169 .100.17  dst=192. 168 .100.17 srckey=0x0 dstkey=0x0 src=192. 168 .100.17  dst=192. 169 .100.17 srckey=0x0 dstkey=0x0 [ASSURED] id=4080054272 Connection Management 6. 5R1 v01 Vyatta Chapter 1: Connection Tracking  Connection Tracking Commands 23 system conntrack log tcp ... Oct 20 17:49:04 Test5 log‐conntrack: [UPDATE] tcp 6 120 TIME_WAIT  src=192. 168 .249.10 dst=74.125.224.151 sport=39082 dport=80  src=74.125.224.151 dst=10.3.0.183 sport=80 dport=39082 [ASSURED]  id=397384 263 2 Oct 20 17:51:04 Test5 log‐conntrack: [DESTROY] tcp 6 src=192. 168 .249.10  dst=74.125.224.151 sport=39082 dport=80 src=74.125.224.151 dst=10.3.0.183  sport=80 dport=39082 [ASSURED] id=397384 263 2  Connection Management 6. 5R1 v01 Vyatta ... Connection Management 6. 5R1 v01 Vyatta Chapter 1: Connection Tracking  Connection Tracking Commands 8 delete conntrack table  Deletes connection tracking table entries Syntax delete conntrack table {ipv4 | ipv6} [source src-addr [destination dst-addr]] [quiet] Command Mode Operational mode Parameters ipv4 Delete IPv4 conntrack table entries Either ipv4 or ipv6 must be specified ipv6 Delete IPv6 conntrack table... 192. 168 .74.1:1145 Connection Management 6. 5R1 v01 Destination 192. 168 .74.128:22 192. 168 .74.200:22 Protocol tcp  [6] ES tcp  [6] ES TIMEOUT 429809 431878  Vyatta Chapter 1: Connection Tracking  Connection Tracking Commands 14 381 862 42 16 10.3.0.182:1151 10.3.0.15:22 tcp  [6] TW 90 Example 1-3 shows the output of the show conntrack table ipv6 command In this case the command displays all connections where the destination . 
VyattaSystem ConnectionManagement REFERENCEGUIDE ConnectionTracking FlowAccounting COPYRIGHT Copyright©2005–2012Vyatta,Inc.Allrightsreserved. Vyattareservestherighttomakechangestosoftware,hardware,anddocumentationwithoutnotice.Forthemostrecentversionof documentation,visittheVyattawebsiteatvyatta.com. PROPRIETARYNOTICES VyattaisaregisteredtrademarkofVyatta,Inc. Hyper‐VisaregisteredtrademarkofMicrosoftCorporation. VMware,VMwareESX,andVMwareserveraretrademarksofVMware,Inc. XenServer,andXenCenteraretrademarksofCitrixSystems,Inc. Allothertrademarksarethepropertyoftheirrespectiveowners. RELEASEDATE:October2012 DOCUMENTREVISION. 6. 5R1 v01 RELEASEDWITH: 6. 5.0R1 PARTNO.A0‐0245‐10‐0004 iii ConnectionManagement 6. 5R1 v01 Vyatta Contents QuickListofCommands........................................................ set to 65 ,5 36 then the maximum hash table size should not be greater than 65 ,5 36 as well). Chapter1:ConnectionTracking ConnectionTrackingOverview 5 ConnectionManagement 6. 5R1 v01 Vyatta •. comma-separated list, respectively).  VyattaPublications xi ConnectionManagement 6. 5R1 v01 Vyatta 1 ConnectionManagement 6. 5R1 v01 Vyatta Chapter1:ConnectionTracking This chapter explains connection

Posted: 06/07/2015, 07:34
