Practical example: on a router running OpenWrt, SSH is used to reach a firewall on the Internet at 221.xxx.xxx.190. How can the connection state be viewed in OpenWrt?

  1. /proc/net/nf_conntrack

    cat /proc/net/nf_conntrack | grep 221.xxx.xxx.190

    OpenWrt uses /proc/net/nf_conntrack in place of /proc/net/ip_conntrack.
  2. conntrack-tools

    • Install the package

      opkg install conntrack-tools
    • Query command

      # conntrack -L -d 221.xxx.xxx.190
      tcp      6 3597 ESTABLISHED src=192.168.44.3 dst=221.xxx.xxx.190 sport=45442 dport=22 packets=523 bytes=31905 src=221.xxx.xxx.190 dst=183.254.47.33 sport=22 dport=45442 packets=514 bytes=101605 [ASSURED] mark=0 use=1
      udp      17 172 src=192.168.44.3 dst=221.xxx.xxx.190 sport=51128 dport=1194 packets=647 bytes=65257 src=221.xxx.xxx.190 dst=183.254.47.33 sport=1194 dport=51128 packets=526 bytes=46180 [ASSURED] mark=0 use=1
      conntrack v1.0.0 (conntrack-tools): 2 flow entries have been shown.
  3. netstat-nat

    This tool also reads /proc/net/ip_conntrack or /proc/net/nf_conntrack to show the NAT state.

    netstat-nat -n -d 221.xxx.xxx.190
    Proto NATed Address                  Destination Address            State
    tcp   192.168.44.3:45442             221.xxx.xxx.190:22             ESTABLISHED
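Each conntrack entry shown above carries two tuples, the original direction and the reply direction, and wherever the reply is not the exact mirror of the original, NAT rewrote the flow. The following is an added example, not part of the original page: it condenses `conntrack -L` or /proc/net/nf_conntrack lines into one summary per flow with the translated endpoint; the helper name `summarize_conntrack` is hypothetical and the sample lines are constructed with documentation addresses.

```shell
#!/bin/sh
# Added example: summarise conntrack entries and show the NAT translation.
# summarize_conntrack is a hypothetical helper, not part of conntrack-tools.
# On the router: conntrack -L 2>/dev/null | summarize_conntrack
summarize_conntrack() {
    awk '
    function ep(a, p) { return (p == "") ? a : (a ":" p) }   # addr or addr:port
    {
        # /proc/net/nf_conntrack prefixes each line with "ipv4 2" or "ipv6 10"
        proto = ($1 ~ /^ipv[46]$/) ? $3 : $1
        state = "-"; n = 0
        split("", o); split("", r)          # clear original / reply tuples
        for (i = 2; i <= NF; i++) {
            # TCP state keyword (ESTABLISHED, TIME_WAIT, ...); UDP has none
            if ($i ~ /^[A-Z][A-Z0-9_]*$/) { state = $i; continue }
            eq = index($i, "=")
            if (eq == 0) continue
            k = substr($i, 1, eq - 1); v = substr($i, eq + 1)
            if (k == "src") n++             # every src= opens a new tuple
            if (n == 1) o[k] = v
            else if (n == 2) r[k] = v
        }
        if (n < 2) next                     # not a flow entry (e.g. footer)
        line = proto " " state " " ep(o["src"], o["sport"]) " -> " ep(o["dst"], o["dport"])
        # The reply tuple mirrors the original unless NAT rewrote an endpoint
        if (r["dst"] != o["src"] || r["dport"] != o["sport"])
            line = line " SNAT=" ep(r["dst"], r["dport"])
        if (r["src"] != o["dst"] || r["sport"] != o["dport"])
            line = line " DNAT=" ep(r["src"], r["sport"])
        print line
    }'
}

# Constructed sample: two `conntrack -L` style lines (masqueraded LAN client)
# and one /proc/net/nf_conntrack style line (inbound port forward).
SAMPLE='tcp      6 3597 ESTABLISHED src=192.168.1.10 dst=198.51.100.20 sport=45442 dport=22 packets=523 bytes=31905 src=198.51.100.20 dst=203.0.113.5 sport=22 dport=45442 packets=514 bytes=101605 [ASSURED] mark=0 use=1
udp      17 172 src=192.168.1.10 dst=198.51.100.20 sport=51128 dport=1194 packets=647 bytes=65257 src=198.51.100.20 dst=203.0.113.5 sport=1194 dport=51128 packets=526 bytes=46180 [ASSURED] mark=0 use=1
ipv4     2 tcp      6 118 TIME_WAIT src=198.51.100.77 dst=203.0.113.5 sport=40000 dport=8080 packets=6 bytes=420 src=192.168.1.20 dst=198.51.100.77 sport=80 dport=40000 packets=5 bytes=390 [ASSURED] mark=0 use=2'

printf '%s\n' "$SAMPLE" | summarize_conntrack
```

A flow with neither SNAT= nor DNAT= in its summary passed through the router untranslated.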