1. Introduction
The `nf_conntrack` table is a core component of Linux's netfilter framework: it records every active connection the kernel is tracking. Monitoring this table helps identify suspicious activity, such as DDoS attacks or an unusually high number of connections from a single IP. The `conntrack` utility lets you list, filter and delete entries in that table, which makes it useful both for troubleshooting and for spotting abuse.
This guide will cover how to:
- Install `conntrack`
- Monitor `nf_conntrack` for suspicious connections
- Use CSF (ConfigServer Security & Firewall) to block malicious IPs
- Automate monitoring with scripts
2. Installing conntrack
To use `conntrack`, install it with the package manager of your Linux distribution.
### Ubuntu/Debian
```bash
sudo apt update && sudo apt install conntrack -y
```
### RHEL/CentOS/Fedora
```bash
sudo dnf install conntrack-tools -y   # Fedora, CentOS 8+, RHEL 8+
sudo yum install conntrack-tools -y   # CentOS 7, RHEL 7
```
### Verify Installation
```bash
conntrack --version
```
3. Monitoring nf_conntrack Table
Reading or modifying the table requires `CAP_NET_ADMIN`, so run the commands below as root or via `sudo`.
### Check Active Connections
```bash
sudo conntrack -L | wc -l
```
### List connections from a specific source IP
```bash
conntrack -L -s 192.168.1.100
```
### List connections to a specific destination IP
```bash
conntrack -L -d 8.8.8.8
```
### List TCP connections
```bash
conntrack -L -p tcp
```
### List connections using destination port 443
```bash
conntrack -L --dport 443
```
### Delete a specific connection
```bash
conntrack -D -s 192.168.1.100 -d 8.8.8.8 -p tcp --dport 443
```
### Flush all connection tracking entries
```bash
conntrack -F
```
### Check logs for conntrack events
```bash
dmesg | grep conntrack
journalctl -k | grep conntrack
```
### Log dropped connections
```bash
# LOG only records matching packets; if INVALID packets should also be discarded,
# append a matching rule with -j DROP after this one.
sudo iptables -A INPUT -m conntrack --ctstate INVALID -j LOG --log-prefix "CONNTRACK_DROP: "
sudo dmesg | grep CONNTRACK_DROP
```
### Continuously monitor conntrack count
```bash
watch -n 1 "conntrack -C"
```
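`conntrack -C` gives a raw number; what matters operationally is how close that number is to the table's ceiling, because once the table is full the kernel drops new flows and logs `nf_conntrack: table full, dropping packet` (which the `dmesg | grep conntrack` check above will catch). As an added example, not part of the original guide, the POSIX shell script below reads the kernel's `nf_conntrack_count` and `nf_conntrack_max` sysctl files under `/proc/sys/net/netfilter/` and reports a status; the 80% warning level (overridable as the first argument) and the 95% critical level are assumed policy values, not something the guide specifies.

```shell
#!/bin/sh
# Added example (not from the original guide): report how full the
# nf_conntrack table is. The kernel exposes the live entry count and the
# configured ceiling as sysctl files; once count reaches max, new flows are
# dropped and the kernel logs "nf_conntrack: table full, dropping packet".
CT_COUNT_FILE=/proc/sys/net/netfilter/nf_conntrack_count
CT_MAX_FILE=/proc/sys/net/netfilter/nf_conntrack_max
CRITICAL_PCT=95   # assumed policy: treat >= 95% of the table as critical

# is_uint STRING -> true when STRING is a non-empty string of digits.
is_uint() {
    case $1 in ''|*[!0-9]*) return 1;; esac
    return 0
}

# conntrack_usage_pct COUNT MAX -> prints the integer percentage of the
# table in use; fails with status 2 on non-numeric input or a zero MAX.
conntrack_usage_pct() {
    if ! is_uint "$1" || ! is_uint "$2" || [ "$2" -eq 0 ]; then
        echo "conntrack_usage_pct: bad arguments '$1' '$2'" >&2
        return 2
    fi
    echo $(( $1 * 100 / $2 ))
}

# conntrack_status COUNT MAX WARN_PCT -> prints ok, warn or critical.
conntrack_status() {
    pct=$(conntrack_usage_pct "$1" "$2") || return $?
    if [ "$pct" -ge "$CRITICAL_PCT" ]; then
        echo critical
    elif [ "$pct" -ge "$3" ]; then
        echo warn
    else
        echo ok
    fi
}

# read_live_values -> prints "COUNT MAX" from /proc; fails when the
# nf_conntrack module is not loaded (the files do not exist then).
read_live_values() {
    [ -r "$CT_COUNT_FILE" ] && [ -r "$CT_MAX_FILE" ] || return 1
    echo "$(cat "$CT_COUNT_FILE") $(cat "$CT_MAX_FILE")"
}

# Live report. Usage: ./conntrack_usage.sh [WARN_PCT]   (default 80)
WARN_PCT=${1:-80}
if vals=$(read_live_values); then
    set -- $vals
    printf 'nf_conntrack: %s/%s entries (%s%%) -> %s\n' "$1" "$2" \
        "$(conntrack_usage_pct "$1" "$2")" "$(conntrack_status "$1" "$2" "$WARN_PCT")"
else
    echo "nf_conntrack sysctl files not readable; is the module loaded?" >&2
fi
```

Running it from cron or a monitoring agent and alerting on `warn`/`critical` gives earlier notice than waiting for the "table full" kernel message; raising `nf_conntrack_max` is then a deliberate decision rather than an emergency fix.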
4. Blocking Suspicious IPs with CSF
Once a source stands out in the conntrack output, deny it with `csf -d`, adding a comment that records why it was blocked:
```bash
csf -d 194.0.234.28 "Suspicious high conntrack activity"
csf -d 193.46.255.34 "Suspicious high conntrack activity"
```
5. Automating Blocking Based on nf_conntrack Data
Create a script that automatically blocks any source IP with more than 3000 conntrack entries.
```bash
nano /root/csf_conntrack_block.sh
```
```bash
#!/bin/bash
THRESHOLD=3000

# Count conntrack entries per original-direction source IP and block any
# source above THRESHOLD. The first src= field on each line is used rather
# than a fixed column, because UDP/ICMP entries have no TCP state column
# and would otherwise shift the field positions.
conntrack -L 2>/dev/null \
  | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^src=/) { sub(/^src=/, "", $i); print $i; break } }' \
  | sort | uniq -c | sort -nr | while read -r count ip; do
    if [[ $count -gt $THRESHOLD ]]; then
        echo "Blocking $ip with $count connections"
        csf -d "$ip" "Too many connections (Conntrack)"
    fi
done
```
### Make it executable
```bash
chmod +x /root/csf_conntrack_block.sh
```
### Schedule it to Run Every 5 Minutes
```bash
crontab -e
```
```bash
# cron's default PATH often omits /usr/sbin, where conntrack and csf live
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
*/5 * * * * /root/csf_conntrack_block.sh >> /var/log/csf_conntrack.log 2>&1
```
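Before letting a script like this call `csf -d` unattended, it is worth checking the counting logic on known input. As an added example that is not the guide's own script, the POSIX shell snippet below isolates that logic so it can be run offline: it counts entries per original-direction source address (the first `src=` field, so UDP and ICMP entries without a TCP state column are counted too), skips an allowlist such as the server's own address (outbound connections also appear with the server as `src=`, and blocking it would cut the host off), and lists the addresses above a threshold. The `conntrack -L` lines it parses are constructed sample data using documentation address ranges; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not the guide's own script): count conntrack entries per
# original-direction source address and list the ones above a threshold.
# The sample below is constructed to look like `conntrack -L` output
# (documentation address ranges, one abusive source, one admin SSH session,
# one outbound DNS lookup from the server 203.0.113.10 itself).
SAMPLE_CONNTRACK='tcp      6 431999 ESTABLISHED src=198.51.100.7 dst=203.0.113.10 sport=51515 dport=443 src=203.0.113.10 dst=198.51.100.7 sport=443 dport=51515 [ASSURED] mark=0 use=1
tcp      6 117 SYN_RECV src=198.51.100.7 dst=203.0.113.10 sport=51516 dport=443 src=203.0.113.10 dst=198.51.100.7 sport=443 dport=51516 mark=0 use=1
tcp      6 117 SYN_RECV src=198.51.100.7 dst=203.0.113.10 sport=51517 dport=443 src=203.0.113.10 dst=198.51.100.7 sport=443 dport=51517 mark=0 use=1
udp      17 29 src=198.51.100.7 dst=203.0.113.10 sport=40000 dport=53 src=203.0.113.10 dst=198.51.100.7 sport=53 dport=40000 mark=0 use=1
tcp      6 431999 ESTABLISHED src=192.0.2.44 dst=203.0.113.10 sport=60001 dport=22 src=203.0.113.10 dst=192.0.2.44 sport=22 dport=60001 [ASSURED] mark=0 use=1
udp      17 29 src=203.0.113.10 dst=192.0.2.53 sport=55555 dport=53 src=192.0.2.53 dst=203.0.113.10 sport=53 dport=55555 mark=0 use=1'

# count_by_source < conntrack-lines -> "COUNT IP" per source, highest first.
# Only the first src= on a line is the original direction; the second one
# is the reply tuple and must be ignored, hence the break.
count_by_source() {
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^src=/) { sub(/^src=/, "", $i); print $i; break } }' \
        | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# over_threshold THRESHOLD [ALLOWLIST...] < conntrack-lines -> one IP per
# line for every source strictly above THRESHOLD that is not allowlisted.
over_threshold() {
    threshold=$1; shift
    allow=" $* "
    count_by_source | while read -r count ip; do
        [ "$count" -gt "$threshold" ] || continue
        case "$allow" in *" $ip "*) continue;; esac
        echo "$ip"
    done
}

# Dry run on the constructed sample: threshold 2, allowlist the server itself.
echo "sources over threshold (dry run):"
printf '%s\n' "$SAMPLE_CONNTRACK" | over_threshold 2 203.0.113.10

# For live use, feed real conntrack output and hand each address to csf:
#   conntrack -L 2>/dev/null | over_threshold 3000 203.0.113.10 \
#       | while read -r ip; do csf -d "$ip" "Too many connections (Conntrack)"; done
```

The dry run prints only `198.51.100.7`: it has four entries (three TCP, one UDP), while the administrator on `192.0.2.44` has one and the server's own outbound lookup is allowlisted. Keeping the threshold check separate from the `csf -d` call also makes it easy to log candidates for a while before enabling automatic blocking.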
### Logging Dropped Connections Due to nf_conntrack Limits
To log invalid or dropped connections:
```bash
iptables -A INPUT -m conntrack --ctstate INVALID -j LOG --log-prefix "CONNTRACK_DROP: "
```
To view logged drops:
```bash
dmesg | grep CONNTRACK_DROP
```
### Continuously Monitor conntrack Count
```bash
watch -n 1 "conntrack -C"
```
6. Conclusion
This guide provides a comprehensive method for monitoring and managing network connections using conntrack and CSF. Implementing these steps will enhance server security and help mitigate DDoS or malicious traffic.