I'm still new to (Arch) Linux, and I am looking into iptables right now. I was looking at the wiki, where there is this rule:
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
And I see in the default file /etc/iptables/simple_firewall.rules (owned by iptables 1.4.12.1-2) a similar rule:
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
Now, looking in the man page for iptables, I'm not sure I see/understand the difference between those two modules, conntrack & state:
conntrack: This module, when combined with connection tracking, allows access to the connection tracking state for this packet/connection.
NEW meaning that the packet has started a new connection, or otherwise associated with a connection which has not seen packets in both directions, and
ESTABLISHED meaning that the packet is associated with a connection which has seen packets in both directions,
RELATED meaning that the packet is starting a new connection, but is associated with an existing connection, such as an FTP data transfer, or an ICMP error.
state: This module, when combined with connection tracking, allows access to the connection tracking state for this packet.
NEW meaning that the packet has started a new connection, or otherwise associated with a connection which has not seen packets in both directions, and
ESTABLISHED meaning that the packet is associated with a connection which has seen packets in both directions,
RELATED meaning that the packet is starting a new connection, but is associated with an existing connection, such as an FTP data transfer, or an ICMP error.
Descriptions of the states are exactly the same, and for the modules conntrack has a "packet/connection" where state only has "packet", but I'm not sure what the differences/implications are.
Right now, it seems to me that, in the example rule quoted above, both modules/rules would get the exact same result (the difference between the 2 modules being that conntrack allows a lot more than just using state, whereas module state obviously only uses state) -- would that be correct?
Assuming this is right, I should be safe "translating" the rules from the wiki to use the state module instead? (just because it seems module state is all I need, plus I use a custom kernel and conntrack requires a few more options to be enabled)
Also, in that case, would there be a reason why conntrack was used on the wiki? Or would it maybe be a good idea to use the state module instead? (AFAICS all rules always only use --ctstate to filter by state, nothing else, so using module state should be enough/work the same)
Thanks for any help/information.
Technically the conntrack match supersedes - and so obsoletes - the state match. But practically the state match is not obsoleted in any way.
Are you familiar with our Forum Rules, and How To Ask Questions The Smart Way?
BlueHackers // fscanary // resticctl
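As an added example (not code from the thread, the Arch wiki, or the iptables package): a small POSIX sh script that performs the "translation" asked about above in either direction, so a rules file written for one match module can be loaded on a kernel that only has the other. The function names are mine, and the embedded ruleset is constructed for the demonstration, not the contents of the real simple_firewall.rules. The only part of the conntrack match that cannot be rewritten for -m state is its extra options (--ctstatus, --ctorigsrc/--ctorigdst, --ctreplsrc/--ctrepldst, --ctproto, --ctexpire, --ctdir) and the SNAT/DNAT states; a rule using any of those is refused rather than silently weakened.

```shell
#!/bin/sh
# Added example, not from the thread: rewrite iptables rules between
# "-m state --state" and "-m conntrack --ctstate". The sample rules below are
# constructed for this demo and are not the real simple_firewall.rules.

# "-m state --state X" -> "-m conntrack --ctstate X". An optional "!" between the
# module name and the option (iptables-save writes "-m state ! --state NEW") is
# carried over unchanged. Reads rules on stdin, writes them on stdout.
state_to_conntrack() {
    sed -E 's/-m state([[:space:]]+!)?[[:space:]]+--state[[:space:]]+/-m conntrack\1 --ctstate /g'
}

# Reverse direction. Both modules understand NEW, ESTABLISHED, RELATED, INVALID
# and UNTRACKED, but conntrack also has options and states (SNAT, DNAT) that
# -m state cannot express. Such a rule is reported on stderr and skipped, and
# the function returns 1 so a wrapper script can abort instead of loading a
# ruleset with holes in it.
conntrack_to_state() {
    ct2st_status=0
    while IFS= read -r line; do
        case "$line" in
            *--ctstatus*|*--ctorig*|*--ctrepl*|*--ctproto*|*--ctexpire*|*--ctdir*)
                printf 'not expressible with -m state: %s\n' "$line" >&2
                ct2st_status=1
                continue ;;
        esac
        # Pull out the state list so a "-j SNAT" target is not mistaken for a state.
        states=$(printf '%s\n' "$line" | sed -n -E 's/.*--ctstate[[:space:]]+([A-Z,]+).*/\1/p')
        case ",$states," in
            *,SNAT,*|*,DNAT,*)
                printf 'not expressible with -m state: %s\n' "$line" >&2
                ct2st_status=1
                continue ;;
        esac
        printf '%s\n' "$line" |
            sed -E 's/-m conntrack([[:space:]]+!)?[[:space:]]+--ctstate[[:space:]]+/-m state\1 --state /g'
    done
    return $ct2st_status
}

# Constructed sample in iptables-save format: a default-deny INPUT chain that
# accepts loopback and reply traffic and only new SSH connections.
SAMPLE_STATE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p tcp -m state ! --state NEW -m tcp --dport 22 -j DROP
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
COMMIT'

# state -> conntrack -> state must reproduce the input byte for byte, which is
# the practical sense in which the two rule forms are equivalent.
round_trip() {
    printf '%s\n' "$SAMPLE_STATE_RULES" | state_to_conntrack | conntrack_to_state
}

# Print the conntrack version of the sample; redirect to a file and feed it to
# iptables-restore to actually load it.
printf '%s\n' "$SAMPLE_STATE_RULES" | state_to_conntrack
```

To convert a real file, run `state_to_conntrack < /etc/iptables/simple_firewall.rules > /tmp/conntrack.rules` and load the result with `iptables-restore`. On a custom kernel, `iptables -m conntrack --help` only proves the userspace extension is installed; whether the kernel side exists is a separate question, and a dry run such as `modprobe -n xt_conntrack` (or attempting to load the ruleset on a test machine) answers it before the rules go live.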
np, I was just being lazy in my reply by copy & paste