RE: conntrack and ICMP echo replies not showing as ESTABLISHED

As far as I can tell, ESTABLISHED is only for session-based protocols like TCP.
You will not see that for UDP or ICMP, as far as CONNTRACK is concerned.

In the ruleset it will fall under the STATE of ESTABLISHED, as IPTABLES understands that this is direct return traffic.
However, like UDP, it has no real "IP state" outside of IPTABLES, and my guess is this is why it is not referred to in that state in CONNTRACK.


Best regards
André Paulsberg-Csibi
Senior Network Engineer 
IBM Services AS

-----Original Message-----
From: netfilter-owner@xxxxxxxxxxxxxxx [mailto:netfilter-owner@xxxxxxxxxxxxxxx] On Behalf Of Oliver O'Boyle
Sent: Tuesday, January 2, 2018 10:05 PM
To: netfilter@xxxxxxxxxxxxxxx
Subject: conntrack and ICMP echo replies not showing as ESTABLISHED

Hi,

Running on Ubuntu 16.04 LTS with a fairly basic iptables config (see below).

I'm sure I'm missing something obvious but I am not seeing echo replies showing as ESTABLISHED when running:

sudo conntrack -E

I see this:

[NEW] icmp     1 30 src=192.168.144.164 dst=192.168.144.254 type=8 code=0 id=1 [UNREPLIED] src=192.168.144.254 dst=192.168.144.164 type=0 code=0 id=1
[UPDATE] icmp     1 30 src=192.168.144.164 dst=192.168.144.254 type=8 code=0 id=1 src=192.168.144.254 dst=192.168.144.164 type=0 code=0 id=1

But I expected to see something more like line 3 where it shows the connection is ESTABLISHED:

[NEW] tcp      6 120 SYN_SENT src=192.168.144.164 dst=52.12.252.111 sport=10032 dport=443 [UNREPLIED] src=52.72.252.111 dst=216.46.2.101 sport=443 dport=10032
[UPDATE] tcp      6 60 SYN_RECV src=192.168.144.164 dst=52.12.252.111 sport=10032 dport=443 src=52.72.252.111 dst=216.46.2.101 sport=443 dport=10032
[UPDATE] tcp      6 432000 ESTABLISHED src=192.168.144.164 dst=52.12.252.111 sport=10032 dport=443 src=52.72.252.111 dst=216.46.2.101 sport=443 dport=10032 [ASSURED]


I'm new to netfilter/iptables so I may be missing something or may just be expecting something that doesn't happen.

Can someone point me in the right direction, please?

Thanks for the help!

O.

FILTER TABLE:

Chain INPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      162  9900 ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED
2        0     0 ACCEPT     all  --  lo     any     anywhere             anywhere             ctstate NEW
3        2   120 ACCEPT     icmp --  any    any     anywhere             anywhere             ctstate NEW
4        0     0 ACCEPT     tcp  --  ens192 any     anywhere             anywhere             tcp dpt:ssh
5       51  4426 LOG        all  --  any    any     anywhere             anywhere             limit: avg 5/min burst 5 LOG level debug prefix "iptables denied: "
6     1986  226K DROP       all  --  any    any     anywhere             anywhere

Chain FORWARD (policy ACCEPT 2 packets, 80 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     3359 1788K ACCEPT     all  --  ens160 ens192  anywhere             anywhere             ctstate RELATED,ESTABLISHED
2     4887  896K ACCEPT     all  --  ens192 ens160  anywhere             anywhere             ctstate NEW,RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT 214 packets, 41776 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       13   780 ACCEPT     icmp --  any    any     anywhere             anywhere             ctstate NEW,RELATED,ESTABLISHED

NAT TABLE:

Chain PREROUTING (policy ACCEPT 2587 packets, 269K bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 2 packets, 120 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      429 22583 MASQUERADE  all  --  any    ens160  anywhere             anywhere
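For anyone cross-checking this on their own events: the parser below is an added example, not code from the thread or from the conntrack tools. It reads `conntrack -E` lines in the format quoted above and keeps the two notions apart: the ctstate view that the iptables match uses (NEW while the entry is flagged [UNREPLIED], ESTABLISHED once the reply direction has been seen, for ICMP just as for TCP) and the TCP-only protocol-state column (SYN_SENT, ESTABLISHED, ...). The sample events are constructed from the lines quoted in the thread, with the mail wrapping undone.

```python
import re
# Constructed sample in the `conntrack -E` event format quoted in the thread
# (wrapped lines joined); not captured from a live system.
SAMPLE_EVENTS = """\
[NEW] icmp     1 30 src=192.168.144.164 dst=192.168.144.254 type=8 code=0 id=1 [UNREPLIED] src=192.168.144.254 dst=192.168.144.164 type=0 code=0 id=1
[UPDATE] icmp     1 30 src=192.168.144.164 dst=192.168.144.254 type=8 code=0 id=1 src=192.168.144.254 dst=192.168.144.164 type=0 code=0 id=1
[NEW] tcp      6 120 SYN_SENT src=192.168.144.164 dst=52.12.252.111 sport=10032 dport=443 [UNREPLIED] src=52.72.252.111 dst=216.46.2.101 sport=443 dport=10032
[UPDATE] tcp      6 432000 ESTABLISHED src=192.168.144.164 dst=52.12.252.111 sport=10032 dport=443 src=52.72.252.111 dst=216.46.2.101 sport=443 dport=10032 [ASSURED]
"""

# "[EVENT] proto protonum timeout <rest>" as printed in the thread's output.
EVENT_RE = re.compile(
    r"^\[(?P<event>NEW|UPDATE|DESTROY)\]\s+(?P<proto>\w+)\s+\d+\s+\d+\s+(?P<rest>.*)$"
)
# Per-protocol state words: only TCP prints one in this column.
TCP_STATES = {"SYN_SENT", "SYN_RECV", "ESTABLISHED", "FIN_WAIT",
              "CLOSE_WAIT", "LAST_ACK", "TIME_WAIT", "CLOSE"}

def parse_event(line):
    """Parse one event line (None if it is not one).

    'ctstate' is what the iptables ctstate match sees: NEW while conntrack
    still flags the flow [UNREPLIED], ESTABLISHED once a reply has been seen,
    for any protocol. 'proto_state' is the separate TCP-only state column.
    """
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    tokens = m.group("rest").split()
    proto_state = tokens[0] if tokens and tokens[0] in TCP_STATES else None
    flags = {t.strip("[]") for t in tokens if t.startswith("[")}
    # First src=/dst= pair is the original direction, the second the reply.
    tuples = re.findall(r"src=(\S+) dst=(\S+)", m.group("rest"))
    return {
        "event": m.group("event"),
        "proto": m.group("proto"),
        "proto_state": proto_state,
        "reply": tuples[1] if len(tuples) > 1 else None,
        "assured": "ASSURED" in flags,
        "ctstate": "NEW" if "UNREPLIED" in flags else "ESTABLISHED",
    }

def ctstates(text):
    """(proto, event, proto_state, ctstate) for each parsable event line."""
    rows = []
    for line in text.splitlines():
        e = parse_event(line)
        if e:
            rows.append((e["proto"], e["event"], e["proto_state"], e["ctstate"]))
    return rows
```

Run `ctstates(SAMPLE_EVENTS)` and the ICMP [UPDATE] event comes out as ctstate ESTABLISHED with no protocol state, which is exactly the combination the thread describes.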