Iptables state machine

By | July 16, 2012


Most of us know Iptables as a simple IP filtering firewall: what we normally do with it is block or allow certain IPs or ports. Iptables can also track connections and act on their state. The Iptables state machine is the part designed to perform this connection tracking, so we can simply call it the connection tracking engine.

The Iptables state machine depends on the conntrack kernel module. Remember that if this module is not compiled into your running kernel, you cannot use the state machine with iptables. To verify that the conntrack module is installed and loaded, use the following command:

root# lsmod | grep conntrack

If ip_conntrack is listed, the conntrack module is installed and loaded; otherwise it is not.
Once the module is loaded you can also view the /proc/net/ip_conntrack file, which lists all tracked incoming and outgoing connections.

Let us understand the connection tracking entries in the ip_conntrack file by an example.
Suppose you get the entry below in /proc/net/ip_conntrack:

tcp    6 47 SYN_SENT src= dst= sport=50291 dport=25  src= dst=  sport=25 dport=50291

As per my understanding:

tcp 6 says the protocol is TCP (6 is the IP protocol number for TCP).

47 says this entry will live in the connection tracking table for 47 more seconds.

SYN_SENT says a SYN packet has been sent and replied to (if it has not been replied to you will see [UNREPLIED]).
src= says which host the packet originated from.
dst= says which host the packet is destined for.
sport=50291 says the packet originated from port 50291.
dport=25 says the packet is destined for the SMTP port (25).

The other values are easy to understand, as they are just the reverse (what we expect in return). There can be values for packet size as well, but they are self-describing.
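Here is an added example (it is not from the original post) that reads entries in the layout explained above and summarises them per protocol and state, counting how many are still [UNREPLIED]. The sample entries, addresses, ports and timeouts are constructed, and one line is written in the /proc/net/nf_conntrack form used by newer kernels (an extra "ipv4 2" prefix) to show the parser skipping it. A count of unreplied SYN_SENT entries that climbs while the ESTABLISHED count stays flat is a simple sign of a flood or a scan and a useful thing to alert on.

```shell
#!/bin/sh
# Added example (not from the original post): summarise conntrack entries
# by protocol and state and count how many are still [UNREPLIED].
# Assumes the legacy /proc/net/ip_conntrack layout shown above; lines from
# the newer /proc/net/nf_conntrack carry an extra "ipv4 2" prefix, which
# the parser skips.

# Constructed sample entries: addresses, ports and timeouts are made up.
# The third line is deliberately in nf_conntrack form.
SAMPLE_CONNTRACK='tcp      6 47 SYN_SENT src=192.0.2.10 dst=198.51.100.5 sport=50291 dport=25 [UNREPLIED] src=198.51.100.5 dst=192.0.2.10 sport=25 dport=50291 use=1
tcp      6 431999 ESTABLISHED src=192.0.2.10 dst=198.51.100.5 sport=50292 dport=25 src=198.51.100.5 dst=192.0.2.10 sport=25 dport=50292 [ASSURED] use=1
ipv4     2 tcp      6 12 SYN_SENT src=192.0.2.77 dst=198.51.100.5 sport=40001 dport=22 [UNREPLIED] src=198.51.100.5 dst=192.0.2.77 sport=22 dport=40001 use=1
udp      17 29 src=192.0.2.10 dst=198.51.100.53 sport=5353 dport=53 src=198.51.100.53 dst=192.0.2.10 sport=53 dport=5353 use=1'

# Read entries on stdin, print "proto:state total unreplied" per line, sorted.
# UDP has no state column, so its state is shown as "-".
conntrack_summary() {
    awk '{
        i = 1
        if ($1 == "ipv4" || $1 == "ipv6") i = 3     # skip nf_conntrack prefix
        proto = $i
        state = (proto == "tcp") ? $(i + 3) : "-"   # $(i+2) is the timeout
        key = proto ":" state
        total[key]++
        if ($0 ~ /\[UNREPLIED\]/) unreplied[key]++
    }
    END { for (k in total) printf "%s %d %d\n", k, total[k], unreplied[k] + 0 }' | sort
}

# Number of TCP connections still waiting for a reply to their SYN; a sudden
# rise relative to the ESTABLISHED count is worth alerting on.
unreplied_syn_sent() {
    conntrack_summary | awk '$1 == "tcp:SYN_SENT" { print $3; found = 1 }
                             END { if (!found) print 0 }'
}

# Demo on the constructed sample (replace with: cat /proc/net/ip_conntrack | ...)
printf '%s\n' "$SAMPLE_CONNTRACK" | conntrack_summary
printf '%s\n' "$SAMPLE_CONNTRACK" | unreplied_syn_sent
```

Feed the real table in with `cat /proc/net/ip_conntrack | conntrack_summary` (or the nf_conntrack file on a newer kernel); the summary gives a per-state picture of the table without touching any rule.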

Now let us understand how a connection changes its state. In the above example the state is SYN_SENT: a connection was initiated from the source address to the SMTP port (25) of the destination address. Now if an ACK reply is received from the destination, the connection enters the ESTABLISHED state, and you can see the same in /proc/net/ip_conntrack. All connection tracking takes place in the PREROUTING chain, except for locally generated packets, which are handled in the OUTPUT chain.
Within Iptables, packets can be related to tracked connections in four different states: NEW, ESTABLISHED, RELATED and INVALID.

NEW is the first packet of a particular connection seen by conntrack. Suppose you want to allow new connection requests on port 25:

iptables -I INPUT -p tcp --dport 25 -m state --state NEW -j ACCEPT

ESTABLISHED is the state where packets are flowing in and out on the connection on a particular port. After the NEW state, a connection either enters the ESTABLISHED state or gets dropped.

RELATED: a connection is RELATED when it is associated with an already ESTABLISHED connection. Take the example of the FTP protocol, where the data connection (port 20) is normally part of an already established control connection (port 21).

INVALID: the packet does not belong to any known state. Normally such packets cannot be identified and are considered bad packets. It is advised to DROP them:

iptables -I INPUT -m state --state INVALID -j DROP
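The four states combine into a small stateful policy. The script below is an added example, not from the original post: it prints (or, with --apply and root, loads) an INPUT chain that drops INVALID first, accepts ESTABLISHED,RELATED in one rule, admits NEW connections only on the ports listed in ALLOWED_TCP_PORTS (an assumed setting, ssh and smtp here), and sets the DROP policy last so that an administrator's own remote session is not cut off while the rules load. On current kernels `-m conntrack --ctstate` is the preferred spelling of `-m state --state`; the rules are otherwise identical.

```shell
#!/bin/sh
# Added example (not from the original post): a minimal stateful INPUT policy
# assembled from the four conntrack states. Rule order matters: INVALID is
# dropped first, then every packet of an ESTABLISHED or RELATED connection
# is accepted by one rule, and only then are NEW connections admitted on the
# ports you choose. The DROP policy is set last so a remote admin's own
# session stays up while the rules are loaded.
# build_rules only prints the commands; apply_rules executes them (needs root).

# Assumption: which TCP services accept NEW connections (ssh and smtp here).
ALLOWED_TCP_PORTS="${ALLOWED_TCP_PORTS:-22 25}"

build_rules() {
    echo "iptables -F INPUT"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m state --state INVALID -j DROP"
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for port in $ALLOWED_TCP_PORTS; do
        echo "iptables -A INPUT -p tcp --dport $port -m state --state NEW -j ACCEPT"
    done
    echo "iptables -P INPUT DROP"
}

# Position (1-based line) of the first rule matching a pattern, to check ordering.
rule_position() {
    build_rules | grep -n -- "$1" | head -n 1 | cut -d: -f1
}

# Execute the printed commands; stops at the first failing iptables call.
apply_rules() {
    build_rules | sh -e
}

case "${1:-}" in
    --apply) apply_rules ;;
    *)       build_rules ;;
esac
```

Run it without arguments to review the rules; run it as root with --apply to load them. Because the state rules sit before the per-port rules, reply traffic for any connection the box initiated is accepted without listing those ports.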

Reference diagram for TCP states: http://userpages.umbc.edu/~jeehye/cmsc491b/lectures/tcpstate/sld001.htm
