Understanding connection tracking in iptables

I'm after some clarification of the state/connection tracking in iptables.

  • What is the difference between these two rules?

    iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    Both appear to load the nf_conntrack module when either -m state or -m conntrack is specified. Both options turn on state or connection tracking.

Note: I am not asking what conntrack does, I'm asking just whether they are equivalent. I already know that the conntrack module has more features.

  • If the above are equivalent, do you need to use the conntrack version when using conntrackd?

  • Is connection tracking turned on when a packet is first matched containing -m state --state BLA, or is connection tracking always on for all traffic flows?

    e.g. under FreeBSD PF you specify keep state on a rule to track state. Is the same not true of netfilter? i.e. is it on for all flows as soon as the module is loaded?

  • Can/Should connection tracking be used for fast matching like below? If not used like below, would it not mean that the firewall would step through the rule set again looking for a match for the packet rather than just hitting the first ESTABLISHED rule? [many examples do not seem to make use of that if true]

    e.g. suppose this is some sort of router/firewall (no NAT).

    # Default DROP policy
    iptables -P INPUT DROP
    iptables -P OUTPUT DROP
    iptables -P FORWARD DROP

    # Drop invalid
    iptables -A FORWARD -m state --state INVALID -j DROP

    # Accept established,related connections
    iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Allow ssh through, track connection
    iptables -A FORWARD -p tcp --syn --dport 22 -m state --state NEW -j ACCEPT

  • When the conntrack table fills, will your firewall start denying traffic, or will rules that have no state on them still work? In which case I should not DROP packets with INVALID state, correct?

See here: Shoot yourself in the foot with iptables and kmod auto-loading

The first question is what conntrack is. This is the website for conntrack-tools. With that in mind, what does state do?

The State Match

The most useful match criterion is supplied by the `state' extension, which interprets the connection-tracking analysis of the `ip_conntrack' module. This is highly recommended.

Specifying `-m state' allows an additional `--state' option, which is a comma-separated list of states to match (the `!' flag indicates not to match those states). These states are:

NEW A packet which creates a new connection.

ESTABLISHED A packet which belongs to an existing connection (i.e., a reply packet, or outgoing packet on a connection which has seen replies).

RELATED A packet which is related to, but not part of, an existing connection, such as an ICMP error, or (with the FTP module inserted), a packet establishing an ftp data connection.

INVALID A packet which could not be identified for some reason: this includes running out of memory and ICMP errors which don't correspond to any known connection. Generally these packets should be dropped.

An example of this powerful match extension would be:

# iptables -A FORWARD -i ppp0 -m state ! --state NEW -j DROP

Firewall questions about state and policy?

So, to answer the question, conntrack is for use with the conntrack toolkit and supersedes state in this regard. It is better than state if you are planning on using the conntrack toolkit.

Connection tracking is on for traffic flows; it constantly tries to match flows to rules.

The answer that follows for question 2 is, yes, use conntrack.

To answer question 3, which case? The answer for state is in the definition above.

The answer to 4 is, conntrack is for use with the conntrack toolkit, and state, for not using the toolkit. Yes, you can use conntrack at no penalty over using state with your example.
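As an added example (not part of the question or the answer above), the question's FORWARD ruleset rewritten with the conntrack match in iptables-restore format, together with a check of how full the conntrack table is. The order of the rules is the point of question 4: the ESTABLISHED,RELATED rule sits above the per-service NEW rules so that every later packet of a tracked flow is accepted on its first comparison. Assumptions: the sysctl files /proc/sys/net/netfilter/nf_conntrack_count and nf_conntrack_max exist (Linux with nf_conntrack loaded); the function names gen_forward_rules, rule_position, conntrack_usage_pct and conntrack_check are mine, and the 80% threshold is an arbitrary default.

```shell
#!/bin/sh
# Added example, not code from the question or the answer.
# Assumes a Linux host with nf_conntrack loaded; the sysctl file paths are
# parameters so the functions can also run against constructed test files.

# Emit the FORWARD ruleset in iptables-restore format using the conntrack
# match (-m conntrack --ctstate), the modern form of -m state --state.
# INVALID is dropped first, then anything already tracked is accepted, and
# only packets opening a connection are compared against the service rules.
gen_forward_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -p tcp --syn --dport 22 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# 1-based position of the first -A rule whose text contains $1, or 0 if
# absent. Lets a script assert that the ESTABLISHED,RELATED short-circuit
# is above the NEW rules before loading the ruleset.
rule_position() {
    pos=$(gen_forward_rules | grep '^-A' | grep -n -- "$1" | head -n 1 | cut -d: -f1)
    echo "${pos:-0}"
}

# Percentage of the conntrack table in use, read from the count and max
# sysctl files ($1 and $2; defaults are the live kernel paths).
conntrack_usage_pct() {
    count_file=${1:-/proc/sys/net/netfilter/nf_conntrack_count}
    max_file=${2:-/proc/sys/net/netfilter/nf_conntrack_max}
    count=$(cat "$count_file") || return 1
    max=$(cat "$max_file") || return 1
    [ "$max" -gt 0 ] || return 1
    echo $(( count * 100 / max ))
}

# Return 0 when usage is below the threshold ($3, default 80%), 1 when it
# is at or above it (print a warning), 2 when the files cannot be read.
conntrack_check() {
    pct=$(conntrack_usage_pct "$1" "$2") || return 2
    threshold=${3:-80}
    if [ "$pct" -ge "$threshold" ]; then
        echo "WARN: conntrack table ${pct}% full"
        return 1
    fi
    echo "OK: conntrack table ${pct}% full"
    return 0
}

# Stand-alone use on a live host (both need root):
#   gen_forward_rules | iptables-restore
#   conntrack_check
```

On question 5: once nf_conntrack_count reaches nf_conntrack_max, the kernel cannot allocate an entry for a packet that would create a new flow and drops that packet inside the conntrack hook, before the rule set is consulted (the ratelimited kernel message is "nf_conntrack: table full, dropping packet"), so rules without a state match do not rescue new connections. Monitoring the ratio above and raising net.netfilter.nf_conntrack_max via sysctl where the host has the memory for it is the practical mitigation; dropping INVALID packets is unrelated to this and remains sensible.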