root# lsmod | grep conntrack
Let us understand the connection tracking entries in the ip_conntrack file by an example.
Suppose you get the entry below in /proc/net/ip_conntrack:
tcp 6 47 SYN_SENT src=192.168.0.1 dst=192.168.0.2 sport=50291 dport=25 src=192.168.0.2 dst=192.168.0.1 sport=25 dport=50291
As per my understanding:
tcp 6 says that the protocol is TCP (6 is the IP protocol number for TCP).
47 says that this entry will live in the connection tracking table for 47 more seconds.
SYN_SENT says that a SYN packet has been sent and replied to (if it has not been replied to, you will see [UNREPLIED] in the entry).
src=192.168.0.1 says that the packet was generated from 192.168.0.1.
dst=192.168.0.2 says that the packet is destined for 192.168.0.2.
sport=50291 says that the packet originated from port 50291.
dport=25 says that the packet is destined for the SMTP port (25).
The other values are easy to understand, as they are just the reverse (what we expect in the reply direction). There can be packet and byte counters as well, but they are self-describing.
Now let us understand the fact that a connection changes its state. In the above example the state is SYN_SENT: a connection was initiated from 192.168.0.1 to the SMTP port (25) of 192.168.0.2. Once the ACK reply is received from 192.168.0.2, the connection will enter the ESTABLISHED state, and you can see the same in /proc/net/ip_conntrack. All connection tracking takes place in the PREROUTING chain, except for locally generated packets, which are handled in the OUTPUT chain.
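To make the field layout above and the [UNREPLIED] flag concrete, here is an added example (not from the original post) that parses /proc/net/ip_conntrack lines into structured records and then summarises them by state and by half-open SYN attempts. The sample lines are constructed for the example, not captured from a real host; the first one is the entry discussed above, shown with the [UNREPLIED] flag conntrack displays while the SYN is still unanswered. The handling of the newer /proc/net/nf_conntrack prefix (ipv4 2 / ipv6 10) is included so the same parser works on both files.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample in /proc/net/ip_conntrack format (not captured from a real host):
# the SYN_SENT entry from the text (still unreplied), an established TCP entry with
# accounting counters, a UDP entry (no state word) and a second half-open attempt.
SAMPLE_CONNTRACK = """\
tcp 6 47 SYN_SENT src=192.168.0.1 dst=192.168.0.2 sport=50291 dport=25 [UNREPLIED] src=192.168.0.2 dst=192.168.0.1 sport=25 dport=50291 use=1
tcp 6 431999 ESTABLISHED src=192.168.0.1 dst=192.168.0.2 sport=50292 dport=25 packets=12 bytes=1450 src=192.168.0.2 dst=192.168.0.1 sport=25 dport=50292 packets=10 bytes=2201 [ASSURED] use=1
udp 17 29 src=192.168.0.5 dst=192.168.0.53 sport=41000 dport=53 src=192.168.0.53 dst=192.168.0.5 sport=53 dport=41000 use=1
tcp 6 12 SYN_SENT src=10.0.0.9 dst=192.168.0.2 sport=40001 dport=25 [UNREPLIED] src=192.168.0.2 dst=10.0.0.9 sport=25 dport=40001 use=1
"""

# Keys that appear once per direction: the first occurrence describes the original
# direction, the second the reply conntrack expects to see.
DIRECTIONAL_KEYS = {"src", "dst", "sport", "dport", "packets", "bytes", "type", "code", "id"}


@dataclass
class ConntrackEntry:
    proto: str
    proto_num: int
    timeout: int                   # seconds left before the entry expires
    state: Optional[str]           # TCP state word; None for stateless protocols such as UDP
    original: Dict[str, str] = field(default_factory=dict)
    reply: Dict[str, str] = field(default_factory=dict)
    flags: List[str] = field(default_factory=list)       # bracketed flags: UNREPLIED, ASSURED
    extra: Dict[str, str] = field(default_factory=dict)  # mark=, use=, ...

    @property
    def unreplied(self) -> bool:
        return "UNREPLIED" in self.flags


def parse_conntrack_line(line: str) -> ConntrackEntry:
    tokens = line.split()
    # /proc/net/nf_conntrack on newer kernels prefixes each line with the layer-3
    # family ("ipv4 2" / "ipv6 10"); drop it so both file formats parse the same way.
    if tokens[0] in ("ipv4", "ipv6"):
        tokens = tokens[2:]
    proto, proto_num, timeout = tokens[0], int(tokens[1]), int(tokens[2])
    rest = tokens[3:]
    state = None
    # A bare word here (no '=' and not bracketed) is the protocol state, e.g. SYN_SENT.
    if rest and "=" not in rest[0] and not rest[0].startswith("["):
        state = rest.pop(0)
    entry = ConntrackEntry(proto, proto_num, timeout, state)
    for tok in rest:
        if tok.startswith("[") and tok.endswith("]"):
            entry.flags.append(tok[1:-1])
            continue
        key, _, value = tok.partition("=")
        if key in DIRECTIONAL_KEYS:
            target = entry.original if key not in entry.original else entry.reply
            target[key] = value
        else:
            entry.extra[key] = value
    return entry


def parse_conntrack(text: str) -> List[ConntrackEntry]:
    return [parse_conntrack_line(l) for l in text.splitlines() if l.strip()]


def count_by_state(entries: List[ConntrackEntry]) -> Dict[str, int]:
    """Histogram of TCP states; stateless protocols are counted under their protocol name."""
    counts: Dict[str, int] = {}
    for e in entries:
        label = e.state or e.proto
        counts[label] = counts.get(label, 0) + 1
    return counts


def half_open_by_dport(entries: List[ConntrackEntry]) -> Dict[str, int]:
    """Count SYN_SENT entries still flagged [UNREPLIED], grouped by destination port.
    A pile-up here means many SYNs are going unanswered: a dead service, a firewall
    silently dropping the traffic, or a host reaching for ports it should not."""
    counts: Dict[str, int] = {}
    for e in entries:
        if e.proto == "tcp" and e.state == "SYN_SENT" and e.unreplied:
            dport = e.original["dport"]
            counts[dport] = counts.get(dport, 0) + 1
    return counts


if __name__ == "__main__":
    entries = parse_conntrack(SAMPLE_CONNTRACK)
    for e in entries:
        print(f"{e.proto:<4} {e.timeout:>7}s {e.state or '-':<12} "
              f"{e.original['src']}:{e.original.get('sport', '-')} -> "
              f"{e.original['dst']}:{e.original.get('dport', '-')} flags={e.flags}")
    print("by state:", count_by_state(entries))
    print("half-open SYNs by dport:", half_open_by_dport(entries))
```

Feeding the real file (`open("/proc/net/ip_conntrack").read()` or the nf_conntrack equivalent, both readable only as root) into parse_conntrack gives the same records, so the half-open count can be polled and alerted on when it jumps above a baseline.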
NEW is the first packet of a particular connection seen by conntrack. Suppose you want to allow new connection requests on port 25:
iptables -I INPUT -p tcp --dport 25 -m state --state NEW -j ACCEPT
Packets that conntrack cannot associate with any known connection are classified as INVALID and are usually dropped:
iptables -I INPUT -m state --state INVALID -j DROP
Ref. diagram for TCP states: http://userpages.umbc.edu/~jeehye/cmsc491b/lectures/tcpstate/sld001.htm