What's the difference between iptables "state" and "ctstate"?
I saw this iptables snippet in a different Super User answer:
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
The point is to always allow packets that are sent as a part of an established connection. The part I'm wondering about is the top two lines.
For the INPUT
chain, what is the point of writing both -m conntrack --ctstate RELATED,ESTABLISHED
and -m state --state RELATED,ESTABLISHED
. It seems to be both should do the same thing?
An explanation of the difference between these two would be great.
Main answer :
Conntrack
supersedes state
,
but in modern kernels there is now no difference between the two.
State
is currently aliased and translated to conntrack
in iptables if the kernel has it, so
the syntax -m state --state
is actually translated into
-m conntrack --ctstate
and handled by the same module.
On some old kernels, however, contrack has to be specifically enabled.
Possible explanation :
It seems to me as if the rules you quoted included duplicates, catering for both older and newer kernels.
Or maybe this is just a case of Cargo cult programming.
There is this question on ServerFault from the year 2012:
What's the practical difference between:
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
and
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
Which one is best to use?
The accepted answer is:
Both use same kernel internals underneath (connection tracking subsystem).
Header of
xt_conntrack.c
:xt_conntrack - Netfilter module to match connection tracking information. (Superset of Rusty's minimalistic state match.)
So I would say -- state module is simpler (and maybe less error prone). It's also longer in kernel. Conntrack on the other side has more options and features[1].
My call is to use
conntrack
if you need it's features, otherwise stick with state module.Similar question on netfilter maillist.
[1] Quite useful like
-m conntrack --ctstate DNAT -j MASQUERADE" routing/DNAT fixup
;-)
One of the other answers leads to this document about iptables
. It says:
The
conntrack
match is an extended version of thestate
match, which makes it possible to match packets in a much more granular way. It let's you look at information directly available in the connection tracking system, without any "frontend" systems, such as in thestate
match.
So I think this is true (from yet another answer there):
There is no difference in the outcome of those two rules.
Note there is also an interesting comment under the question:
state
is deprecated in favor ofconntrack
, and may or may not be compiled in depending on how your kernel was built.