« conntrack provides a full featured userspace interface to the netfilter connection tracking system that is intended to replace the old /proc/net/ip_conntrack interface. This tool can be used to search, list, inspect and maintain the connection tracking subsystem of the Linux kernel. Using conntrack , you can dump a list of all (or a filtered selection of) currently tracked connections, delete connections from the state table, and even add new ones.
[...]
TABLES
The connection tracking subsystem maintains two internal tables:
conntrack:
This is the default table. It contains a list of all currently
tracked connections through the system. If you don’t use
connection tracking exemptions (NOTRACK iptables target), this
means all connections that go through the system.
expect:
This is the table of expectations. Connection tracking
expectations are the mechanism used to "expect" RELATED
connections to existing ones. Expectations are generally used
by "connection tracking helpers" (sometimes called application
level gateways [ALGs]) for more complex protocols such as FTP,
SIP, H.323.
[...]
-L, --dump
List connection tracking or expectation table
-C, --count
Show the table counter.
-S, --stats
Show the in-kernel connection tracking system statistics. »
For the NAT states:
« -n, --src-nat
Filter source NAT connections.
-g, --dst-nat
Filter destination NAT connections.
-j, --any-nat
Filter any NAT connections. »
The error « Can't open /proc/sys/net/netfilter/nf_conntrack_count » means that the « nf_conntrack » module is not loaded, probably because you have no netfilter rule that uses connection states/tracking.
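As an added example (not from the man page or from this post), the POSIX shell script below works on constructed `conntrack -L` style entries. In that output the first `src=`/`dst=` pair is the original direction and the second pair is the reply direction, so source NAT shows up as a reply `dst=` that differs from the original `src=`, and destination NAT as a reply `src=` that differs from the original `dst=`; that is the distinction the `-n`, `-g` and `-j` filters quoted above make for you. The script also checks whether the `/proc` counter file exists, which is the condition behind the error described just above. The sample lines, the function names and the addresses are constructed for the example.

```shell
#!/bin/sh
# Added example: classify conntrack -L style entries by state and NAT type.
# The lines below are constructed for illustration, not captured from a real host.
SAMPLE_CONNTRACK='tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=93.184.216.34 sport=51234 dport=443 src=93.184.216.34 dst=203.0.113.5 sport=443 dport=51234 [ASSURED] mark=0 use=1
udp      17 29 src=192.168.1.20 dst=192.168.1.1 sport=53124 dport=53 src=192.168.1.1 dst=192.168.1.20 sport=53 dport=53124 mark=0 use=1
tcp      6 118 TIME_WAIT src=10.0.0.5 dst=10.0.0.9 sport=40000 dport=80 src=10.0.0.9 dst=10.0.0.5 sport=80 dport=40000 [ASSURED] mark=0 use=1
tcp      6 299 ESTABLISHED src=198.51.100.7 dst=203.0.113.5 sport=51000 dport=80 src=10.0.0.8 dst=198.51.100.7 sport=80 dport=51000 [ASSURED] mark=0 use=1'

# Read conntrack -L style lines on stdin and print "<state> <nat>" per entry.
# state: 4th field when it is a bare keyword (tcp); "-" for stateless protocols (udp).
# nat:   snat / dnat / both / none, derived from original vs. reply tuples.
classify_conntrack() {
  awk '
  {
    state = ($4 ~ /=/) ? "-" : $4
    src[1] = src[2] = dst[1] = dst[2] = ""
    ns = 0; nd = 0
    for (i = 1; i <= NF; i++) {
      if ($i ~ /^src=/)      { ns++; split($i, a, "="); src[ns] = a[2] }
      else if ($i ~ /^dst=/) { nd++; split($i, a, "="); dst[nd] = a[2] }
    }
    nat = "none"
    if (dst[2] != src[1] && src[2] != dst[1]) nat = "both"   # reply differs on both ends
    else if (dst[2] != src[1])                nat = "snat"   # reply goes to a rewritten source
    else if (src[2] != dst[1])                nat = "dnat"   # reply comes from a rewritten destination
    print state, nat
  }'
}

# Number of sample entries in a given state (ESTABLISHED, TIME_WAIT, "-", ...).
count_state() {
  printf '%s\n' "$SAMPLE_CONNTRACK" | classify_conntrack \
    | awk -v s="$1" '$1 == s { n++ } END { print n + 0 }'
}

# Number of sample entries of a given NAT type (snat, dnat, both, none),
# i.e. what conntrack -L -n / -g / -j would leave after filtering.
count_nat() {
  printf '%s\n' "$SAMPLE_CONNTRACK" | classify_conntrack \
    | awk -v t="$1" '$2 == t { n++ } END { print n + 0 }'
}

# Print the live tracked-connection count, or explain the error from the post.
# The path argument exists so the check can be exercised without nf_conntrack loaded.
conntrack_loaded() {
  f="${1:-/proc/sys/net/netfilter/nf_conntrack_count}"
  if [ -r "$f" ]; then
    cat "$f"
  else
    echo "nf_conntrack not loaded: cannot open $f" >&2
    return 1
  fi
}

# Usage on the constructed sample:
printf '%s\n' "$SAMPLE_CONNTRACK" | classify_conntrack
echo "established=$(count_state ESTABLISHED) snat=$(count_nat snat) dnat=$(count_nat dnat)"
conntrack_loaded || true
```

On a real host you would feed `conntrack -L 2>/dev/null | classify_conntrack` instead of the sample, and `conntrack_loaded` with no argument reads the actual counter the error message refers to.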
Tue Nov 11 03:01:05 2014
http://manpages.ubuntu.com/manpages/lucid/man8/conntrack.8.html