iptables includes a module that allows administrators to inspect and restrict connections to services
available on an internal network using a method called connection tracking. Connection tracking stores
connections in a table, which allows administrators to accept or
deny packets based on the following connection states:
- NEW — A packet requesting a new connection, such as an HTTP request.
- ESTABLISHED — A packet that is part of an existing connection.
- RELATED — A packet that is requesting a new connection but is part of an existing connection, such as passive FTP connections where the connection port is 20, but the transfer port can be any unused port 1024 or higher.
- INVALID — A packet that is not part of any connection in the connection tracking table.
You can use the stateful functionality of iptables connection tracking with any network
protocol, even if the protocol itself is stateless (such as UDP).
The following example shows a rule that uses connection tracking to
forward only the packets that are associated with an established
connection (or one related to it):
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
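The single rule above is usually one line of a larger stateful FORWARD policy. The following script is an added example, not part of the original page: it builds such a policy for a router with a trusted LAN interface and an untrusted WAN interface, using all four connection states described above (INVALID dropped first, ESTABLISHED/RELATED accepted in both directions, NEW accepted only from the LAN, everything else logged and dropped). The interface names, the `LAN_IF`/`WAN_IF` variables and the log prefix are assumptions; the `-m conntrack --ctstate` match is the current spelling of the `-m state --state` match used above. The rules are printed for review by default and only executed when `APPLY=1` is set, which requires root.

```shell
#!/bin/sh
# Added example (not from the original page): stateful FORWARD policy built
# from the conntrack states NEW, ESTABLISHED, RELATED and INVALID.
# Interface names and variable names below are assumptions for illustration.

# Print the rule set for a router forwarding between a trusted LAN
# interface ($1) and an untrusted WAN interface ($2). Order matters:
# iptables evaluates rules top to bottom and stops at the first match.
stateful_forward_rules() {
    lan_if="$1"
    wan_if="$2"
    # Packets conntrack cannot associate with any connection (INVALID) are
    # dropped before any ACCEPT rule can see them.
    echo "iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP"
    # Replies and related flows (e.g. FTP data channels) belonging to a
    # tracked connection are allowed in both directions.
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Only the LAN may open NEW connections toward the WAN.
    echo "iptables -A FORWARD -i $lan_if -o $wan_if -m conntrack --ctstate NEW -j ACCEPT"
    # Anything else, including NEW connections arriving from the WAN, is
    # logged for detection purposes and then dropped.
    echo "iptables -A FORWARD -j LOG --log-prefix \"FWD-DROP: \""
    echo "iptables -A FORWARD -j DROP"
}

# Sanity check for the generated policy: count the rules that accept
# traffic. Exactly two are intended (ESTABLISHED,RELATED and LAN-originated NEW).
count_accept_rules() {
    stateful_forward_rules "$1" "$2" | grep -c -- '-j ACCEPT'
}

if [ "${APPLY:-0}" = "1" ]; then
    # Execute each generated line with the real iptables binary (needs root).
    stateful_forward_rules "${LAN_IF:-eth1}" "${WAN_IF:-eth0}" | sh -e
else
    # Dry run: show the rules so they can be reviewed before applying.
    stateful_forward_rules "${LAN_IF:-eth1}" "${WAN_IF:-eth0}"
fi
```

Run it without arguments to review the rules, then `APPLY=1 LAN_IF=eth1 WAN_IF=eth0 sh script.sh` to install them. Because the INVALID drop comes first and the final rule drops everything unmatched, a packet is forwarded only if conntrack already knows its connection or the LAN side is initiating it.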