You are not logged in.

#1 2011-12-14 15:42:29

jjacky
Member
Registered: 2011-11-09
Posts: 321
Website

iptables: differences using conntrack or state module

I'm still new to (Arch) Linux, and I am looking into iptables right now. I was looking at the wiki, where there is this rule:

-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

And I see in the default file /etc/iptables/simple_firewall.rules (owned by iptables 1.4.12.1-2) a similar rule:

-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

Now, looking in the man page for iptables, I'm not sure I see/understand the difference between those two modules, conntrack & state:

conntrack: This  module,  when  combined  with  connection tracking, allows access to the connection tracking state for this packet/connection.
NEW meaning that the packet has started a new connection, or otherwise associated with  a  connection which has not seen packets in both directions, and
ESTABLISHED meaning  that  the  packet  is  associated with a connection which has seen packets in both directions,
RELATED meaning that the packet is starting a new connection, but is associated  with  an  existing connection, such as an FTP data transfer, or an ICMP error.

state: This  module,  when  combined  with  connection tracking, allows access to the connection tracking state for this packet.
NEW meaning that the packet has started a new connection, or  otherwise associated  with  a  connection  which has not seen packets in both directions, and
ESTABLISHED meaning that the packet is associated with a connection which has seen packets in both directions,
RELATED meaning that the packet is starting a new connection, but is associated  with  an  existing connection,  such  as  an  FTP data transfer, or an ICMP error.

Descriptions of the states are exactly the same, and for the modules conntrack has a "packet/connection" where state only has "packet", but I'm not sure what the differences/implications are.

Right now, it seems to me that, in the example rule quoted above, both modules/rules would get the exact same result (the difference between the  2 modules being that conntrack allows a lot more than just using state, whereas module state obviously only uses state) -- would that be correct?

Assuming this is right, I should be safe "translating" the rules from the wiki to use the state module instead? (just because it seems module state is all I need, plus I use a custom kernet and conntrack requires a few more options to be enabled)

Also, in that case, would there be a reason why conntrack was used on the wiki? Or would it be maybe a good idea to use the state module instead? (AFAICS all rules always only uses --ctstate to filter by state, nothing else, so using module state should be enough/work the same)

Thanks for any help/information.

Offline

#2 2011-12-14 23:17:02

fukawi2
Forum Moderator
From: .vic.au
Registered: 2007-09-28
Posts: 5,268
Website

Re: iptables: differences using conntrack or state module

http://serverfault.com/questions/190978/firewall-questions-about-state-and-policy wrote:

Technically the conntrack match supersedes - and so obsoletes - the state match. But practically the state match is not obsoleted in any way.

Offline

#3 2011-12-15 00:15:17

jjacky
Member
Registered: 2011-11-09
Posts: 321
Website

Re: iptables: differences using conntrack or state module

Oh right, and I feel embarassed I managed to miss that one, sorry about that...

Anyways, thanks a lot, great link.

Offline

#4 2011-12-15 00:22:44

fukawi2
Forum Moderator
From: .vic.au
Registered: 2007-09-28
Posts: 5,268
Website

Re: iptables: differences using conntrack or state module

np, I was just being lazy in my reply by copy & paste tongue

Offline

Board footer

Powered by FluxBB