I'm after some clarification of the state/connection tracking in iptables.
What is the difference between these two rules?
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
Both appear to load the nf_conntrack module when either -m state or -m conntrack is specified. Both options turn on state or connection tracking.
Note: I am not asking what conntrack does, I'm asking just whether they are equivalent. I already know that the conntrack module has more features.
If the above are equivalent, do you need to use the conntrack version when using conntrackd?
Is connection tracking turned on when a packet is first matched containing -m state --state BLA, or is connection tracking always on for all traffic flows?
e.g. Under FreeBSD PF you specify keep state on a rule to track state. Is the same not true of netfilter? i.e. is it on for all flows as soon as the module is loaded?
Can/Should connection tracking be used for fast matching like below? If not used like below, would it not mean that the firewall would step through the rule set again looking for a match for the packet rather than just hitting the first ESTABLISHED rule? [many examples do not seem to make use of that if true]
e.g. suppose this is some sort of router/firewall (no nat).
# Default DROP policy
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# Drop invalid
iptables -A FORWARD -m state --state INVALID -j DROP
# Accept established,related connections
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow ssh through, track connection
iptables -A FORWARD -p tcp --syn --dport 22 -m state --state NEW -j ACCEPT
When the conntrack table fills, will your firewall start denying traffic, or will rules that have no state on them still work? In which case, I should not DROP packets with INVALID state, correct?
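A toy model of the rule set above, added here as an illustration and not part of the question or of any answer: it simulates a bounded conntrack table and first-match evaluation of the FORWARD chain, and reports how many rules each packet traverses before a verdict, so the effect of the early ESTABLISHED,RELATED rule and of a full table can be seen on constructed traffic. The names (Conntrack, forward, demo), the addresses and the table size are constructed for this example. The TCP handling is deliberately simplified: a non-SYN packet with no tracked flow is treated as INVALID (in the real tracker that depends on the nf_conntrack_tcp_loose sysctl), RELATED is not modelled, and an entry is only recorded once the chain ACCEPTs the first packet, mirroring the kernel's confirm-on-accept behaviour.

```python
"""Simplified model of netfilter connection tracking plus first-match rule
evaluation. Constructed illustration, not code from the original post."""
from collections import namedtuple

Packet = namedtuple("Packet", "proto src sport dst dport syn")


class Conntrack:
    """A bounded connection-tracking table standing in for nf_conntrack."""

    def __init__(self, max_entries):
        self.max_entries = max_entries
        self.table = {}  # normalised 5-tuple -> "ESTABLISHED"

    @staticmethod
    def key(pkt):
        # Flows are tracked bidirectionally: normalise the tuple so that the
        # reply direction maps onto the same entry as the original direction.
        a = (pkt.src, pkt.sport)
        b = (pkt.dst, pkt.dport)
        return (pkt.proto,) + (a + b if a <= b else b + a)

    def classify(self, pkt):
        """Return NEW, ESTABLISHED, INVALID, or TABLE_FULL (no room for a NEW flow)."""
        if self.key(pkt) in self.table:
            return "ESTABLISHED"
        if pkt.proto == "tcp" and not pkt.syn:
            # Simplification: a non-SYN segment without a tracked flow cannot be
            # placed, so it is INVALID (the real tracker consults nf_conntrack_tcp_loose).
            return "INVALID"
        if len(self.table) >= self.max_entries:
            return "TABLE_FULL"
        return "NEW"

    def confirm(self, pkt):
        """Record a NEW flow once the chain has accepted its first packet."""
        self.table[self.key(pkt)] = "ESTABLISHED"

    def size(self):
        return len(self.table)


# The FORWARD chain from the question, in first-match order:
# (description, predicate over (packet, conntrack state), verdict).
FORWARD_RULES = [
    ("-m state --state INVALID -j DROP",
     lambda pkt, st: st == "INVALID", "DROP"),
    ("-m state --state ESTABLISHED,RELATED -j ACCEPT",
     lambda pkt, st: st in ("ESTABLISHED", "RELATED"), "ACCEPT"),
    ("-p tcp --syn --dport 22 -m state --state NEW -j ACCEPT",
     lambda pkt, st: pkt.proto == "tcp" and pkt.syn and pkt.dport == 22 and st == "NEW", "ACCEPT"),
]
FORWARD_POLICY = "DROP"  # iptables -P FORWARD DROP


def forward(ct, pkt):
    """Run pkt through the FORWARD chain; return (verdict, rules_evaluated)."""
    state = ct.classify(pkt)
    if state == "TABLE_FULL":
        # nf_conntrack cannot allocate an entry and drops the packet itself
        # (kernel log: "nf_conntrack: table full, dropping packet"), so the
        # filter chain is never consulted.
        return "DROP", 0
    for n, (_, match, verdict) in enumerate(FORWARD_RULES, 1):
        if match(pkt, state):
            if state == "NEW" and verdict == "ACCEPT":
                ct.confirm(pkt)
            return verdict, n
    return FORWARD_POLICY, len(FORWARD_RULES)


def demo(max_entries=2):
    """Constructed traffic: an ssh flow and its reply, an unsolicited ACK,
    a blocked HTTP flow, and enough ssh flows to overflow a tiny table."""
    ct = Conntrack(max_entries)
    ssh = Packet("tcp", "10.0.0.5", 40000, "10.0.1.9", 22, True)
    packets = [
        ssh,                                                          # NEW ssh SYN
        ssh._replace(syn=False),                                      # same flow, data
        Packet("tcp", "10.0.1.9", 22, "10.0.0.5", 40000, False),       # reply direction
        Packet("tcp", "10.0.0.7", 40001, "10.0.1.9", 80, False),       # ACK, no flow
        Packet("tcp", "10.0.0.7", 40002, "10.0.1.9", 80, True),        # NEW SYN to port 80
        Packet("tcp", "10.0.0.8", 40003, "10.0.1.9", 22, True),        # second ssh flow
        Packet("tcp", "10.0.0.9", 40004, "10.0.1.9", 22, True),        # table is now full
    ]
    return [forward(ct, p) for p in packets], ct.size()


if __name__ == "__main__":
    verdicts, entries = demo()
    for v in verdicts:
        print(v)
    print("tracked flows:", entries)
```

Reading the output from top to bottom: the first ssh SYN walks all three rules before being accepted, but every later packet of that flow, in either direction, stops at rule 2, which is the short-circuit the question asks about. The SYN to port 80 is NEW, matches nothing and falls through to the DROP policy, and because it was never accepted it leaves no entry behind. Once the table holds max_entries flows, a further NEW flow is dropped before the chain runs at all, while the already tracked flows keep matching rule 2.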
See here: Shoot yourself in the foot with iptables and kmod auto-loading
The first question is what is conntrack. This is the website for conntrack-tools. With that in mind what does state do?
Firewall questions about state and policy?
So, to answer the question, conntrack is for use with the conntrack toolkit and supersedes state in this regard. It is better than state if you are planning on using the conntrack tool kit.
Connection tracking is on for traffic flows; it constantly tries to match flows to rules.
The answer that follows for question 2 is, yes, use conntrack.
To answer question 3, which case? The answer for state is in the definition above.
The answer to 4 is, conntrack is for use with the conntrack toolkit, and state, for not using the toolkit. Yes, you can use conntrack at no penalty over using state with your example.