Man page - netstat-nat(1)
NETSTAT-NAT (1) General Commands Manual NETSTAT-NAT (1)
NAME
netstat-nat - extract and filter NAT/firewall connection data
SYNOPSIS
netstat-nat [-no] [-x | -X [width]] {[-G] [-S | -D]} | [-L | -R] [-s source]… [-d destination]… [-g gateway]… [-p protocol]… [-r {src,dst,gate}{,-port}|state] [nf_conntrack]
DESCRIPTION
All network-enabled hosts track ongoing network connections, but this is especially true of stateful firewalls and gateways (routers) which perform network address translation. Under Linux, this information is accounted by the netfilter framework, tracking connectionless protocols (like udp(7), icmp(7)) in addition to the connection-based ones (like tcp(7)).
netstat-nat parses nf_conntrack (/proc/net/nf_conntrack by default, or the standard input stream if "-"), filters it so it only has NAT connections (by default, cf. -LR), looks up the canonical names for the hosts and ports (unless -n), and presents it in a table:
Proto NATed Address                  Destination Address            State
icmp  10.179.163.88                  tarta.nabijaczleweli.xyz
icmp  10.200.233.12                  tarta.nabijaczleweli.xyz
tcp   10.32.144.39.host.securi:63770 tarta.nabijaczleweli.xyz:https TIME_WAIT
tcp   10.32.144.39.host.securi:64361 tarta.nabijaczleweli.xyz:http  TIME_WAIT
tcp   10.72.217.111:33864            tarta.nabijaczleweli.xyz:5900  TIME_WAIT
tcp   10.72.217.111:39074            tarta.nabijaczleweli.xyz:5900  TIME_WAIT
tcp   nabijaczleweli.nabijaczl:20985 lb-10-268-216-78-iad.git:https ESTABLISHED
tcp   nabijaczleweli.nabijaczl:21047 waw07s05-in-f4.1e100.net:http  TIME_WAIT
tcp   nabijaczleweli.nabijaczl:20751 waw07s05-in-f14.1e100.ne:https ESTABLISHED
tcp   nabijaczleweli.nabijaczl:17906 101010.pl:https                ESTABLISHED
tcp   192.168.1.136:38216            lt-in-f188.1e100.net:5228      ESTABLISHED
tcp   192.168.1.136:38330            lt-in-f188.1e100.net:5228      ESTABLISHED
tcp   192.168.1.136:39972            lt-in-f188.1e100.net:5228      ESTABLISHED
tcp   192.168.1.136:40092            lt-in-f188.1e100.net:5228      ESTABLISHED
udp   rozbian.nabijaczleweli.x:46115 10.158.103.58:https            ASSURED
udp   rozbian.nabijaczleweli.x:42560 10.69.17.108:https             ASSURED
udp   rozbian.nabijaczleweli.x:44786 10.140.3.34:https              ASSURED
udp   rozbian.nabijaczleweli.x:47079 10.140.3.34:https              UNREPLIED
udp   192.168.1.185:3076             ec2-10-213-30-29.eu-cent:https ASSURED
udp   tarta.nabijaczleweli.xyz:39517 ns-153.awsdns-19.com:domain
udp   tarta.nabijaczleweli.xyz:16829 ns-1007.awsdns-61.net:domain
udp   tarta.nabijaczleweli.xyz:46874 ns-1411.awsdns-48.org:domain
Herein we can see: two ongoing incoming ICMP queries (no state available); many remote hosts are calling tarta (and it is the one to hang up); local hosts nabijaczleweli and 192.168.1.136 are generally calling google; that the HTTP/3 revolution is real; and that tarta is querying some DNS servers (they didn't reply yet).
The state column can be any of:
ESTABLISHED
a functional ongoing connection
ASSURED
similar, but for connectionless protocols
(blank)
either no connection state is tracked (like in ICMP), or waiting for remote reply (like in UDP)
UNREPLIED
remote didn't reply for longer than the expected time-out
TIME_WAIT
the local side of the connection was closed, delayed remote packets are being collected before recycling
FIN_WAIT
the remote side of the connection was closed, waiting for acknowledgement (←FIN, ACK→, waiting for →FIN)
SYN_RECV
a remote client started opening a connection, but didn't acknowledge the local response (←SYN, SYN,ACK→, waiting for ←ACK)
SYN_SENT
a local client started opening a connection, but remote didn't yet accept it (SYN→, waiting for ←SYN,ACK)
CLOSE
TIME_WAIT because connection was closed forcibly (←RST)
The last five only really apply to TCP-like protocols.
With -L (or -R) on tarta the table looks very similar (-nX 21 added as well), but loopback connections also appear:
Proto Source Address        Destination Address   State
tcp   [::1]:49118           [::1]:9928            TIME_WAIT
tcp   [::1]:50624           [::1]:80              ESTABLISHED
tcp   10.221.132.191:35862  192.168.1.250:5900    TIME_WAIT
tcp   127.0.0.1:34030       127.0.0.1:8213        TIME_WAIT
tcp   127.0.0.1:52476       127.0.1.1:3493        ESTABLISHED
tcp   10.176.163.40:51167   192.168.1.250:443     TIME_WAIT
tcp   10.62.134.22:23178    192.168.1.250:80      SYN_RECV
tcp   10.62.134.22:47444    192.168.1.250:80      SYN_RECV
udp   127.0.0.1:42738       127.0.0.1:323
udp   127.0.0.1:44850       127.0.0.1:5353
udp   127.0.0.1:46444       127.0.0.1:53          ASSURED
udp   192.168.1.144:20407   192.168.1.250:53
udp   192.168.1.146:59266   192.168.1.250:53
udp   192.168.1.204:35989   192.168.1.250:53
udp   192.168.1.250:23225   10.46.8.231:53
udp   192.168.1.250:11300   10.11.28.69:53
udp   192.168.1.250:51413   10.116.123.52:6881    ASSURED
(Public addresses were anonymised as 10/8 in both tables; both tables heavily abridged.)
OPTIONS
-n
Don't try to resolve IP addresses to hostnames nor port numbers to service names (hosts(5), services(5)); just normalise them.
-o
Don't output the table header line.
-x
Widen the table: addresses are 40 instead of 30 columns wide.
-X
Widen the table: address columns are the width of a fully-specified ipv6(7) address + port (like [fc00:e355:e73f:b463:a28e:529d:7838:65be]:34012).
-X width
Widen the table: address columns use the given width.
-G (also -N)
Add a Gateway Address column between the source and destination columns; this is the outside-facing address of the node performing NAT.
-S
Only show connections this node facilitates from its local network to the outside world (SNAT, source NAT). Overrides -D.
-D
Only show connections this node facilitates to its local network from the outside world (DNAT, destination NAT). Overrides -S.
By default, the table is filtered as if -S and -D were used additively instead of subtractively.
-L
Only show direct connections made by this node (and any of its configured addresses). This still includes hosts outside the local network. Disables -SDG. Overrides -R.
-R
Only show non-NAT connections that don't involve this node (or its addresses) at all (most likely because their destinations are broadcast addresses). Disables -SDG. Overrides -L.
-s source, …
Hide connections that don't originate from the given source(s) (parsed as an address or looked up in DNS (getaddrinfo(3)); comma- or whitespace-separated, or specify multiple times).
-d destination, …
Hide connections that aren't targeting the given destination(s) (likewise).
-g gateway, …
Hide connections that aren't going through the given gateway(s) (likewise).
-p protocol, …
Hide connections that aren't formed by these layer 4 protocols (like UDP, TCP, or ICMP) (case-insensitive; likewise).
-r {src,dst,gate}{,-port}|state
Sort the output by the given column (after partitioning by L4 protocol):
src
source address (this is the default)
dst
destination address
src-port
source port
dst-port
destination port
state
connection state
gate
gateway address
gate-port
gateway port
Ties are then broken in this order. Everything is sorted lexicographically (as a string), before address/port→name lookup (unless disabled by -n).
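To make the nf_conntrack parsing from DESCRIPTION and the -S/-D/-L/-R partitioning above concrete, here is an added Python example (not netstat-nat's own code): it reads constructed nf_conntrack lines, tells NAT flows from direct and bystander ones by comparing the original and reply tuples, and honours NETSTAT_NAT_LOCAL_ADDRS. The classification rule, the (source, gateway, destination, state) row layout and the flag-only handling of blank vs. UNREPLIED are this example's own simplifications, not the tool's exact logic.

```python
import os
import re

# Constructed nf_conntrack lines (addresses made up, as in the man page's tables).
SAMPLE_CONNTRACK = """\
ipv4     2 tcp      6 431999 ESTABLISHED src=192.168.1.136 dst=10.1.2.3 sport=38216 dport=5228 src=10.1.2.3 dst=10.0.0.7 sport=5228 dport=38216 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 120 TIME_WAIT src=10.72.217.111 dst=10.0.0.7 sport=33864 dport=5900 src=192.168.1.250 dst=10.72.217.111 sport=5900 dport=33864 [ASSURED] mark=0 zone=0 use=2
ipv4     2 udp      17 29 src=127.0.0.1 dst=127.0.0.1 sport=46444 dport=53 src=127.0.0.1 dst=127.0.0.1 sport=53 dport=46444 [ASSURED] mark=0 zone=0 use=2
ipv4     2 udp      17 29 src=192.168.1.144 dst=192.168.1.255 sport=20407 dport=137 [UNREPLIED] src=192.168.1.255 dst=192.168.1.144 sport=137 dport=20407 mark=0 zone=0 use=2
"""
TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")
HEAD_RE = re.compile(r"^ipv[46]\s+\d+\s+(\w+)\s+\d+\s+\d+\s+([A-Z_]+)?")

def local_addrs(default):
    """NETSTAT_NAT_LOCAL_ADDRS (comma- or whitespace-separated) supersedes the real addresses."""
    env = os.environ.get("NETSTAT_NAT_LOCAL_ADDRS")
    return set(re.split(r"[,\s]+", env.strip())) if env else set(default)

def parse_entry(line):
    """-> (proto, state, original tuple, reply tuple). For connectionless protocols the
    [ASSURED]/[UNREPLIED] flag stands in for a state here; the real tool also weighs the
    remaining time-out to tell a fresh unreplied flow (blank) from a stale one."""
    head = HEAD_RE.match(line)
    orig, reply = TUPLE_RE.findall(line)[:2]
    state = head.group(2) or ("ASSURED" if "[ASSURED]" in line else "UNREPLIED" if "[UNREPLIED]" in line else "")
    return head.group(1), state, orig, reply

def classify(entry, local):
    """SNAT, DNAT, LOCAL (-L) or OTHER (-R), plus a (source, gateway, destination, state) row.
    An un-NATed flow's reply tuple mirrors its original tuple: a rewritten source shows up as a
    reply destination differing from the original source, a rewritten destination as a reply
    source differing from the original destination."""
    _, state, (o_src, o_dst, o_sp, o_dp), (r_src, r_dst, r_sp, r_dp) = entry
    if r_dst != o_src:
        return "SNAT", (f"{o_src}:{o_sp}", f"{r_dst}:{r_dp}", f"{o_dst}:{o_dp}", state)
    if r_src != o_dst:
        return "DNAT", (f"{o_src}:{o_sp}", f"{o_dst}:{o_dp}", f"{r_src}:{r_sp}", state)
    kind = "LOCAL" if o_src in local or o_dst in local else "OTHER"
    return kind, (f"{o_src}:{o_sp}", "", f"{o_dst}:{o_dp}", state)

def filter_table(text, mode="default", local=frozenset()):
    """Apply one netstat-nat filter: "default" (-S plus -D), "-S", "-D", "-L" or "-R"."""
    wanted = {"default": {"SNAT", "DNAT"}, "-S": {"SNAT"}, "-D": {"DNAT"}, "-L": {"LOCAL"}, "-R": {"OTHER"}}[mode]
    rows = []
    for line in text.splitlines():
        entry = parse_entry(line)
        kind, row = classify(entry, local)
        if kind in wanted:
            rows.append((entry[0],) + row)  # proto, source, gateway, destination, state
    return rows
```

Run with `filter_table(SAMPLE_CONNTRACK, "-L", local_addrs({"127.0.0.1", "192.168.1.250"}))` to see the loopback DNS flow the second table shows; the broadcast probe only survives "-R".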
FILES
/proc/net/nf_conntrack: Contains the current netfilter connections. This is usually only readable by root.
ENVIRONMENT VARIABLES
NETSTAT_NAT_LOCAL_ADDRS: If set, contains a comma- or whitespace-separated list of addresses to be considered local. This supersedes any real system state (for use with nf_conntrack backups).
EXIT STATUS
1 if nf_conntrack couldn't be opened or a source, destination, or gateway didn't exist.
SEE ALSO
conntrack(8) provides a read-write interface to this table.
getaddrinfo(3), getifaddrs(3), getnameinfo(3), hosts(5), services(5)
netstat-nat-ng 2a-1 September 18, 2024 NETSTAT-NAT (1)