NFCT(8)

NAME
    nfct - command line tool to interact with the connection tracking system

SYNOPSIS
    nfct subsystem command [parameters]

DESCRIPTION
    nfct is the command line tool that allows you to manipulate Netfilter's Connection Tracking System.
SUBSYS
    At the time this manpage was written, the supported subsystems are:

    timeout
        The timeout subsystem allows you to define fine-grained timeout policies.

    version
        Displays the version information.

    help
        Displays the help message.
TIMEOUT SUBSYSTEM
    list    List the existing timeout policies.
    add     Add a new timeout policy.
    delete  Delete a timeout policy.
    get     Get an existing timeout policy.
EXAMPLE
    nfct timeout add test-tcp inet tcp established 100 close 10 close_wait 10

    This creates a timeout policy for tcp using 100 seconds for the ESTABLISHED state, 10 seconds for the CLOSE state and 10 seconds for the CLOSE_WAIT state.

    Then, you can attach the timeout policy with the iptables CT target:

        iptables -I PREROUTING -t raw -p tcp -j CT --timeout test-tcp
        iptables -I OUTPUT -t raw -p tcp -j CT --timeout test-tcp

    You can check that the timeout policy is applied with:

        conntrack -E -p tcp

    It should display:

        [UPDATE] tcp 6 100 ESTABLISHED src=192.168.39.100 dst=57.126.1.20 sport=56463 dport=80 src=57.126.1.20 dst=192.168.39.100 sport=80 dport=56463 [ASSURED]
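    Watching the event stream by eye does not scale when a policy covers several states, and a policy that silently failed to attach leaves the default (much longer) timeouts in place. The following script is an added example, not part of the nfct man page or the netfilter project: it reads conntrack -E style event lines, picks the remaining timeout and TCP state out of each NEW/UPDATE tcp event, and compares the timeout with the values of the test-tcp policy above. The event lines are constructed samples in the layout shown on this page (one of them deliberately reports 120 seconds for CLOSE so a mismatch is visible); the POLICY string and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the nfct man page or the netfilter project.
# Checks that the timeouts conntrack reports for TCP states match a policy
# created with: nfct timeout add test-tcp inet tcp established 100 close 10 close_wait 10

# The policy as "state=seconds" words (mirrors the nfct command above).
POLICY="established=100 close=10 close_wait=10"

# Constructed sample events in the layout of `conntrack -E -p tcp` output;
# the CLOSE event deliberately reports 120 s, which does not match the policy.
SAMPLE_EVENTS='[UPDATE] tcp      6 100 ESTABLISHED src=192.168.39.100 dst=57.126.1.20 sport=56463 dport=80 src=57.126.1.20 dst=192.168.39.100 sport=80 dport=56463 [ASSURED]
[UPDATE] tcp      6 10 CLOSE_WAIT src=192.168.39.100 dst=57.126.1.20 sport=56463 dport=80 src=57.126.1.20 dst=192.168.39.100 sport=80 dport=56463 [ASSURED]
[UPDATE] tcp      6 120 CLOSE src=192.168.39.100 dst=57.126.1.20 sport=56463 dport=80 src=57.126.1.20 dst=192.168.39.100 sport=80 dport=56463 [ASSURED]
[DESTROY] tcp      6 src=192.168.39.100 dst=57.126.1.20 sport=56463 dport=80 src=57.126.1.20 dst=192.168.39.100 sport=80 dport=56463 [ASSURED]'

# Print the policy timeout (seconds) for a TCP state name such as CLOSE_WAIT.
# Returns 1 and prints nothing when the state is not covered by the policy.
expected_timeout() {
    state=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    for kv in $POLICY; do
        case "$kv" in
            "$state="*) printf '%s\n' "${kv#*=}"; return 0 ;;
        esac
    done
    return 1
}

# Read conntrack -E style event lines on stdin. For NEW/UPDATE tcp events the
# 4th field is the remaining timeout and the 5th is the TCP state; compare the
# timeout with the policy. DESTROY events carry no timeout and are skipped.
# Prints one line per mismatch and returns the number of mismatches
# (0 means every event for a covered state matched the policy).
check_events() {
    mismatches=0
    while read -r type proto _num timeout state _rest; do
        [ "$type" = "[NEW]" ] || [ "$type" = "[UPDATE]" ] || continue
        [ "$proto" = "tcp" ] || continue
        want=$(expected_timeout "$state") || continue   # state not in policy
        if [ "$timeout" -ne "$want" ]; then
            echo "state $state: conntrack reports $timeout s, policy says $want s"
            mismatches=$((mismatches + 1))
        fi
    done
    return "$mismatches"
}

# Run the check over the constructed sample. On a live host you would instead
# pipe `conntrack -E -p tcp` (or a saved capture of it) into check_events.
run_sample() {
    printf '%s\n' "$SAMPLE_EVENTS" | check_events
}

run_sample
echo "mismatching events: $?"
```

    Because check_events reads its own standard input, it can be fed either the live event stream or a file captured earlier, and its exit status is the mismatch count, so it drops straight into a post-change check in a deployment script.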
SEE ALSO
    iptables(8), conntrack(8)

BUGS
    Please, report them to netfilter-devel@vger.kernel.org or file a bug in Netfilter's bugzilla (https://bugzilla.netfilter.org).
AUTHORS
    Pablo Neira Ayuso wrote and maintains the nfct tool.

    Man page written by Pablo Neira Ayuso <pablo@netfilter.org>.
Feb 29, 2012 NFCT(8)