In my iptables script I have been experimenting with writing as finely grained rules as possible. I limit which users are allowed to use which services, partly for security and partly as a learning exercise.
Using iptables v1.4.16.2 on Debian 6.0.6 running the 3.6.2 kernel.
However, I've hit an issue I don't quite understand yet...
outgoing ports for all users
This works perfectly fine.
What's the practical difference between:
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
and
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
Which one is best to use?
Thank you.
I want to write a script which runs a command or a bunch of commands to check if connection tracking is enabled. Or if any connection is being tracked. Basically knowing if any iptables rule is added that would track connections or is tracking connections.
Any suggestions?
I'm working on a Debian server, and when I add the following rules to forward a port to a LAN address:
iptables -t nat -I PREROUTING -p tcp -d 192.168.1.1 --dport 3385 -j DNAT --to-destination 192.168.1.9:3389
iptables -I FORWARD -m state -d 192.168.1.2/10 --state NEW,RELATED,ESTABLISHED -j ACCEPT
I get the following with iptables -L:
Chain FORWARD (policy ACCEPT)
target prot opt sourc
Hi, my problem is that I can't connect to my Windows share when iptables is enabled; it works fine when iptables is disabled.
I just set up my firewall following the wiki, just the basics down to the knocking section. After I restarted my connection, Firefox works, which is great, although so does Transmission... This leads me to think maybe my firewall is not working correctly, as the only ports I opened were 80 and 53.
My table rules:
sudo iptables -L --line-numbers
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT tcp -- anywhere anywhere tcp dpt:http
2 ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
3 ACCEPT icmp -- anywhere anywhere
4 ACCEPT all -- anywhere
I've set up iptables with the following script...
I'm trying to find out why changing my default iptables policy is affecting what nmap sees when it scans my host.
Consider the following iptables setup:
iptables -F
iptables -A INPUT -p tcp -s 10.1.0.0/20 --dport 22 -j ACCEPT
iptables -P INPUT ACCEPT
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j AC