Iptables, what's the difference between -m state and -m conntrack?

Solution 1:

Both use the same kernel internals underneath (the connection tracking subsystem).

Header of xt_conntrack.c:

xt_conntrack - Netfilter module to match connection tracking
information. (Superset of Rusty's minimalistic state match.)

So I would say the state module is simpler (and maybe less error prone). It has also been in the kernel longer. Conntrack, on the other hand, has more options and features [1].

My call is to use conntrack if you need its features; otherwise stick with the state module.

There is a similar question on the netfilter mailing list.

[1] Quite useful, like "-m conntrack --ctstate DNAT -j MASQUERADE" for routing/DNAT fixups ;-)

Solution 2:

There is no difference in the outcome of those two rules. Both match extensions use the same data to match the connection tracking state. state is the "old" match extension and conntrack is newer and has a lot more options than just matching the connection tracking state.

Solution 3:

Iptables Doc

As the documentation says:

The conntrack match is an extended version of the state match, which makes it possible to match packets in a much more granular way. It lets you look at information directly available in the connection tracking system, without any "frontend" systems, such as in the state match. For more information about the connection tracking system, take a look at The state machine chapter.
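Added example, written for this page and not taken from any of the answers above or from the iptables project: a POSIX sh script that prints the same stateful policy in both spellings and checks that they coincide (Solution 2's point), then prints the DNAT-keyed rules from Solution 1's footnote that only -m conntrack can express (the --ctstate DNAT virtual state, which has no equivalent under -m state). The addresses (192.168.1.0/24, 192.168.1.10, 203.0.113.5) and the web server on port 80 are assumptions for illustration. It is a dry run that only prints the iptables commands unless you set APPLY=1 and run it as root.

```shell
#!/bin/sh
# Added example, not from the original answers. Illustrative values only:
# the network, the web server and the public address are assumptions.
LAN_NET=192.168.1.0/24   # assumed internal network
WEB=192.168.1.10         # assumed internal web server
PUB=203.0.113.5          # assumed public address of the router (TEST-NET-3)

# Baseline stateful policy, written with whichever match module is named.
# Only the option name differs: state uses --state, conntrack uses --ctstate;
# the values (NEW, ESTABLISHED, RELATED, INVALID) and the outcome are the same.
stateful_rules() {
    case $1 in
        state)     opt=--state ;;
        conntrack) opt=--ctstate ;;
        *) echo "unknown match module: $1" >&2; return 1 ;;
    esac
    cat <<EOF
-A INPUT -m $1 $opt ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m $1 $opt INVALID -j DROP
-A FORWARD -m $1 $opt ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m $1 $opt INVALID -j DROP
EOF
}

# Check that the two spellings really are the same policy: rewrite the
# state version's option into conntrack's and compare line by line.
same_policy() {
    a=$(stateful_rules state | sed 's/-m state --state/-m conntrack --ctstate/')
    b=$(stateful_rules conntrack)
    [ "$a" = "$b" ]
}

# What state cannot express: rules keyed on the DNAT flag that conntrack
# records when PREROUTING rewrote the destination.
#  1. publish the web server on the router's public address;
#  2. in FORWARD, accept only connections that were actually DNATed to it
#     (a direct LAN connection to $WEB does not carry the DNAT flag);
#  3. hairpin fixup: a LAN client hitting $PUB is DNATed to $WEB, and
#     masquerading that flow forces the reply back through the router
#     instead of straight to the client, which would otherwise see a
#     reply from $WEB to a connection it opened to $PUB and drop it.
hairpin_nat_rules() {
    cat <<EOF
-t nat -A PREROUTING -d $PUB -p tcp --dport 80 -j DNAT --to-destination $WEB:80
-A FORWARD -p tcp -d $WEB --dport 80 -m conntrack --ctstate DNAT -j ACCEPT
-t nat -A POSTROUTING -s $LAN_NET -d $WEB -p tcp --dport 80 -m conntrack --ctstate DNAT -j MASQUERADE
EOF
}

# Dry run by default; pass APPLY=1 as root to load the rules for real.
# Rule lines are expanded unquoted on purpose so each token becomes an argument.
load() {
    while IFS= read -r rule; do
        if [ "${APPLY:-0}" = 1 ] && [ "$(id -u)" -eq 0 ]; then
            # shellcheck disable=SC2086
            iptables $rule
        else
            echo "iptables $rule"
        fi
    done
}

echo "# same policy, -m state spelling"
stateful_rules state | load
echo "# same policy, -m conntrack spelling"
stateful_rules conntrack | load
echo "# conntrack-only: DNAT-aware forward rule and hairpin masquerade"
hairpin_nat_rules | load
same_policy && echo "# the two stateful rule sets are identical after renaming the option"
```

A quick check worth doing on your own box: load one rule with -m state and look at iptables-save. On many recent iptables builds, where the state extension is kept only as an alias of conntrack, the rule comes back printed as -m conntrack --ctstate, which is the userspace side of the "same kernel internals" point made in the answers. The FORWARD rule keyed on --ctstate DNAT is also the least-privilege version of a port forward: it admits only connections the router itself redirected, not anything that happens to be addressed to the internal server.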