LinuxCommandLibrary

conntrack

Track network connections

TLDR

List all currently tracked connections
$ conntrack -L

Display a real-time event log of connection changes
$ conntrack -E

Display a real-time event log of connection changes with a timestamp on each event
$ conntrack -E -o timestamp

Display a real-time event log of connection changes whose original source is a specific IP address
$ conntrack -E -s [ip_address]

Delete all flows whose original source is a specific IP address
$ conntrack -D -s [ip_address]

SYNOPSIS

conntrack -L [table] [options] [-z]
conntrack -G [table] parameters
conntrack -D [table] parameters
conntrack -I [table] parameters
conntrack -U [table] parameters
conntrack -E [table] [options]
conntrack -F [table]
conntrack -C [table]
conntrack -S
conntrack -h | -V

The commands are single-letter flags (with long equivalents such as --dump and --delete), not bare words. table is conntrack (the default), expect, dying or unconfirmed.

Common usage patterns include:
conntrack -L [-s src_ip] [-d dst_ip] [-p proto] [-o output_opts]
conntrack -D -s src_ip -d dst_ip -p tcp --sport src_port --dport dst_port
conntrack -F
conntrack -E [-o output_opts]

PARAMETERS

"-L, --dump"
    Lists the entries of the given table (the conntrack table by default). -z zeroes the per-flow packet and byte counters after reading them; the counters are only kept when net.netfilter.nf_conntrack_acct is 1.

"-G, --get"
    Looks up one entry from a full tuple (addresses, protocol, ports).

"-D, --delete"
    Deletes the entries matching the given parameters. Without any filter it deletes every entry in the table.

"-I, --create"
    Creates an entry from the given tuple, timeout and state.

"-U, --update"
    Updates an existing entry, for example its timeout (-t) or mark (-m).

"-F, --flush"
    Deletes all entries in the table. Use with caution!

"-E, --event"
    Monitors and displays connection tracking events as they occur ([NEW], [UPDATE], [DESTROY]). -e, --event-mask restricts the event types shown.

"expect"
    A table name rather than a command: conntrack -L expect lists expectations, the entries that Netfilter helpers (ALGs) create so that the secondary flows of protocols like FTP or SIP are accepted as RELATED.

"-C, --count"
    Displays the current number of entries in the table.

"-S, --stats"
    Shows per-CPU connection tracking statistics (found, invalid, insert, insert_failed, drop, early_drop, error, search_restart, ...).

"-s, --src, --orig-src IP"
    Filters on the source address of the original direction. -r, --reply-src and -q, --reply-dst filter on the reply direction, which is where a NAT rewrite shows up.

"-d, --dst, --orig-dst IP"
    Filters on the destination address of the original direction.

"-p, --proto PROTO"
    Filters on the layer 4 protocol (tcp, udp, udplite, icmp, icmpv6, sctp, dccp, gre). Required for the protocol-specific options below.

"--sport PORT"
    Filters on the source port of the original direction (tcp, udp, udplite, sctp, dccp). Also --orig-port-src.

"--dport PORT"
    Filters on the destination port of the original direction. Also --orig-port-dst.

"-o, --output TYPE[,TYPE...]"
    Output options: extended, xml, timestamp, id, ktimestamp, labels, userspace.

DESCRIPTION

The conntrack command-line utility (part of conntrack-tools) is a user-space tool that talks to the Netfilter connection tracking system of the Linux kernel over netlink. Connection tracking records every flow that traverses the Netfilter hooks, not only TCP: UDP, ICMP and other connectionless protocols are tracked as pseudo-connections keyed on their addresses and ports or ICMP ids.

Connection tracking is fundamental for stateful packet inspection, enabling firewalls (like those configured via iptables or nftables) to make intelligent decisions based on the context of a connection rather than just individual packets. It's also vital for Network Address Translation (NAT) operations, allowing the kernel to correctly route return traffic for masqueraded or port-forwarded connections.

With conntrack, administrators can view detailed information about active flows: the original and reply tuples (source and destination IP addresses and ports), protocol, protocol state (e.g., ESTABLISHED, TIME_WAIT), remaining timeout, and NAT specifics, since a reply tuple that is not the mirror image of the original tuple shows exactly how the kernel rewrote the flow. Beyond inspection, it can create (-I), update (-U), delete (-D) or flush (-F) entries, offering granular control over the firewall's state table. It is an invaluable tool for network diagnostics, troubleshooting connectivity issues, and managing firewall performance.

CAVEATS

  • Root Privileges: All operations, including listing, go through nfnetlink and require CAP_NET_ADMIN, so in practice they need root.
  • Kernel Module: The nf_conntrack kernel module must be loaded for conntrack to function; helper modules such as nf_conntrack_ftp or nf_conntrack_sip are needed for expectations. On recent kernels the conntrack hooks are only attached once a ruleset actually references conntrack (ct state in nftables, -m conntrack or -m state in iptables, or any NAT rule), so an empty table on a host without such rules is normal, not a sign of a missing module.
  • Network Namespaces: The table is per network namespace. Inside a container, conntrack -L shows that container's flows, not the host's.
  • Performance Impact: On systems with extremely high connection rates, dumping the whole table with conntrack -L is expensive. Use filters, or conntrack -C (equivalently net.netfilter.nf_conntrack_count) when only the size is of interest.
  • Data Volatility: Connection tracking entries are dynamic. Deleting entries carelessly can disrupt active network sessions (e.g., dropping SSH connections or file transfers). For a NAT-ed flow the damage is worse: once the entry is gone, reply packets no longer match any mapping and are treated as INVALID.
  • Verbose Output: The default listing is one long line per flow. Filter with -s, -d, -p and friends, use -o xml for machine parsing, or pipe the output to tools like grep, awk or less.

UNDERSTANDING CONNECTION STATES

Two different "state" vocabularies appear around conntrack, and they are easy to confuse.

Firewall match states (ct state in nftables, -m conntrack --ctstate in iptables) describe how a packet relates to the table:
NEW: The packet starts a new entry. For TCP this is normally a SYN; with net.netfilter.nf_conntrack_tcp_loose=1 (the default) the kernel also picks up connections mid-stream.
ESTABLISHED: The entry has seen packets in both directions.
RELATED: A new flow that a helper expected (e.g., the FTP data channel) or an ICMP error referring to an existing flow.
INVALID: The packet matches no entry and cannot create one (bad TCP flag combination, out-of-window segment, malformed header).
UNTRACKED: The packet was explicitly exempted from tracking (notrack).

TCP protocol states are what the fourth column of conntrack -L shows for tcp entries. They follow the handshake and teardown of the connection: SYN_SENT, SYN_RECV, ESTABLISHED, FIN_WAIT, CLOSE_WAIT, LAST_ACK, TIME_WAIT, CLOSE. Each has its own timeout (net.netfilter.nf_conntrack_tcp_timeout_*), which is why a pile of SYN_SENT entries ages out long before ESTABLISHED ones do.

Entries also carry flags: [UNREPLIED] means nothing has been seen in the reply direction yet (port scans, SYN floods and flows blocked further downstream leave many of these), and [ASSURED] means the entry has seen traffic both ways and will not be evicted by early_drop when the table fills.
These states are crucial for understanding firewall behavior and troubleshooting.
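As an added example (not code from this page or from conntrack-tools), the following POSIX shell script triages a conntrack -L dump: which source holds the most entries, the histogram of TCP protocol states, the [UNREPLIED] entries, and which flows were NAT-ed (their reply destination differs from the original source). It assumes the plain-text line format shown in its first comment and runs on a constructed sample embedded as CT_SAMPLE, so it needs no root; the function names and the sample addresses are the example's own.

```sh
#!/bin/sh
# Added example, not part of conntrack-tools: triage a `conntrack -L` dump.
# Each line has the shape
#   proto protonum timeout [tcp_state] <original tuple> [UNREPLIED] <reply tuple> [ASSURED] mark=... use=...
# CT_SAMPLE is a constructed dump, not captured from a real host.
CT_SAMPLE='tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=93.184.216.34 sport=52314 dport=443 src=93.184.216.34 dst=192.168.1.10 sport=443 dport=52314 [ASSURED] mark=0 use=1
udp      17 29 src=192.168.1.10 dst=192.168.1.1 sport=41234 dport=53 src=192.168.1.1 dst=192.168.1.10 sport=53 dport=41234 mark=0 use=1
tcp      6 431999 ESTABLISHED src=192.168.1.30 dst=203.0.113.7 sport=50000 dport=22 src=203.0.113.7 dst=198.51.100.1 sport=22 dport=50000 [ASSURED] mark=0 use=1
tcp      6 118 SYN_SENT src=10.0.0.5 dst=192.168.1.20 sport=40001 dport=22 [UNREPLIED] src=192.168.1.20 dst=10.0.0.5 sport=22 dport=40001 mark=0 use=1
tcp      6 117 SYN_SENT src=10.0.0.5 dst=192.168.1.20 sport=40002 dport=23 [UNREPLIED] src=192.168.1.20 dst=10.0.0.5 sport=23 dport=40002 mark=0 use=1
tcp      6 117 SYN_SENT src=10.0.0.5 dst=192.168.1.20 sport=40003 dport=3389 [UNREPLIED] src=192.168.1.20 dst=10.0.0.5 sport=3389 dport=40003 mark=0 use=1'

# Entries per original-direction source (the first src= field of each line), busiest first.
# One source holding a large share of the table is the usual signature of a scan, a SYN
# flood, or a client that opens connections and never closes them.
ct_top_sources() {
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^src=/) { sub(/^src=/, "", $i); n[$i]++; break } }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Histogram of TCP protocol states (fourth column of tcp lines). Many SYN_SENT/SYN_RECV
# relative to ESTABLISHED means half-open connections are piling up.
ct_tcp_states() {
    awk '$1 == "tcp" { s[$4]++ } END { for (st in s) print s[st], st }' | sort -rn
}

# Entries that never saw a reply packet; prints proto, timeout, state and the original tuple.
ct_unreplied() {
    awk '/\[UNREPLIED\]/ { printf "%s", $1
                          for (i = 2; i <= NF && $i != "[UNREPLIED]"; i++) printf " %s", $i
                          print "" }'
}

# NAT-ed entries: the reply destination is not the original source, so the kernel
# rewrote the flow. Prints "orig_src -> reply_dst".
ct_natted() {
    awk '{ o = r = ""
           for (i = 1; i <= NF; i++) {
               if ($i ~ /^src=/ && o == "") o = substr($i, 5)
               else if ($i ~ /^dst=/) r = substr($i, 5)   # last dst= on the line belongs to the reply tuple
           }
           if (o != r) print o " -> " r }'
}

# Demo on the constructed dump. On a live host feed the real table instead:
#   conntrack -L 2>/dev/null | ct_top_sources      (needs CAP_NET_ADMIN; the summary line goes to stderr)
printf '%s\n' "$CT_SAMPLE" | ct_top_sources
printf '%s\n' "$CT_SAMPLE" | ct_tcp_states
printf '%s\n' "$CT_SAMPLE" | ct_unreplied
printf '%s\n' "$CT_SAMPLE" | ct_natted
```

On the sample, 10.0.0.5 owns three SYN_SENT [UNREPLIED] entries against consecutive ports on one host, the pattern of a scan. Once a source is confirmed hostile, conntrack -D -s 10.0.0.5 frees its entries, but only until the next SYN arrives; pair it with a drop rule in the firewall.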

CONNTRACK SYSCTL TUNABLES

Several kernel parameters can be tuned via sysctl to control connection tracking behavior and resource usage:
net.netfilter.nf_conntrack_max: The maximum number of entries the table holds. When it is reached, packets that would create a new entry are dropped and the kernel logs "nf_conntrack: table full, dropping packet" (after trying to evict unassured entries first). Raising it is often necessary on busy NAT gateways and servers; raise the hash table size (net.netfilter.nf_conntrack_buckets, or the nf_conntrack hashsize module parameter) with it, otherwise lookups degrade into long chain walks.
net.netfilter.nf_conntrack_count: Read-only; the current number of entries, the same value conntrack -C prints.
net.netfilter.nf_conntrack_tcp_timeout_established: Timeout for established TCP connections, default 432000 seconds (5 days).
net.netfilter.nf_conntrack_tcp_timeout_syn_sent and net.netfilter.nf_conntrack_tcp_timeout_syn_recv: Timeouts for half-open connections; these, not the established timeout, decide how long a SYN flood occupies the table.
net.netfilter.nf_conntrack_generic_timeout: Default timeout for protocols without a specific handler.
Adjusting these trades memory and lookup cost against the risk of a full table. Under a SYN flood or other table-exhaustion attack, raising nf_conntrack_max and shortening the SYN timeouts buy headroom, but they do not replace SYN cookies or rate limiting in front of the host.

HISTORY

The conntrack utility is shipped with conntrack-tools, part of the Netfilter project, the framework within the Linux kernel that provides packet filtering, NAT and connection tracking. It was developed alongside the iptables firewall utility as a user-space interface to the kernel's nf_conntrack module, which replaced the IPv4-only ip_conntrack and exists to enable stateful firewalling and NAT.

Its initial development aimed to give administrators visibility and control over the kernel's connection state table, the component that lets a firewall decide whether a packet belongs to an existing connection or starts a new one. As Netfilter evolved and nftables emerged as the successor to iptables, the role of connection tracking stayed the same, and conntrack remained the standard diagnostic and management tool for it. Its design is a thin, low-level interface to the kernel's table rather than a policy tool.

SEE ALSO

iptables(8), nft(8), conntrackd(8), sysctl(8), firewalld(1), ip(8)
