Iptables, what's the difference between -m state and -m conntrack?
Solution 1:
Both use same kernel internals underneath (connection tracking subsystem).
Header of xt_conntrack.c:
xt_conntrack - Netfilter module to match connection tracking
information. (Superset of Rusty's minimalistic state match.)
So I would say -- state module is simpler (and maybe less error prone). It's also longer in kernel. Conntrack on the other side has more options and features[1].
My call is to use conntrack if you need it's features, otherwise stick with state module.
Similar question on netfilter maillist.
[1] Quite useful like "-m conntrack --ctstate DNAT -j MASQUERADE" routing/DNAT fixup ;-)
Solution 2:
There is no difference in the outcome of those two rules. Both match extensions use the same data to match the connection tracking state. state is the "old" match extension and conntrack is newer and has a lot more options than just matching the connection tracking state.
Solution 3:
Iptables Doc
As the documentation say:
The conntrack match is an extended version of the state match, which makes it possible to match packets in a much more granular way. It let's you look at information directly available in the connection tracking system, without any "frontend" systems, such as in the state match. For more information about the connection tracking system, take a look at the The state machine chapter.