Thread: iptables options: when to use '-m state --state NEW'

  1. #1
    Join Date
    Aug 2008
    Beans
    2

    Question iptables options: when to use '-m state --state NEW'

    Hi guys!
    I'm setting up iptables on my machine and I've been looking at beginner tutorials on iptables and have seen these two types of rules come up all the time. I've been looking at man pages but haven't been able to figure out when to use each. I'm trying to secure an sshd port.

    Code:
    -A INPUT -p tcp --dport 2221 -j ACCEPT
    and
    Code:
    -A INPUT -p tcp -m state --state NEW --dport 2221 -j ACCEPT
    What exactly is the main difference between the two and when should I use one over the other?

    Thank you!

    dave

  2. #2
    Join Date
    Jan 2006
    Beans
    2,031

    Re: iptables options: when to use '-m state --state NEW'

    Code:
    --state state
        Where state is a comma separated list of the connection states to match. Possible states are

        INVALID meaning that the packet could not be identified for some reason which includes running out of memory and ICMP errors which don't correspond to any known connection,

        ESTABLISHED meaning that the packet is associated with a connection which has seen packets in both directions,

        NEW meaning that the packet has started a new connection, or otherwise associated with a connection which has not seen packets in both directions, and

        RELATED meaning that the packet is starting a new connection, but is associated with an existing connection, such as an FTP data transfer, or an ICMP error.
    So basically this rule:
    -A INPUT -p tcp -m state --state NEW --dport 2221 -j ACCEPT
    Means that any brand NEW packets on TCP port 2221 (generally the very first packet in a transmission) will be jumped to the ACCEPT chain.

    Not sure why you would ever need to specify a rule for the state of NEW only, unless you were setting up some sort of port knocking scheme. Then again I only know enough about iptables to manage my own firewall.
    Last edited by dfreer; August 17th, 2008 at 09:46 AM.

  3. #3
    Join Date
    Aug 2008
    Beans
    2

    Re: iptables options: when to use '-m state --state NEW'

    Thanks

    I'm still not sure what the deal with NEW is but I guess I can use either. I haven't seen any explanations of why it matters...

  4. #4
    Join Date
    Jan 2006
    Beans
    2,031

    Re: iptables options: when to use '-m state --state NEW'

    Quote Originally Posted by velocity2:
    Thanks

    I'm still not sure what the deal with NEW is but I guess I can use either. I haven't seen any explanations of why it matters...
    My advice? Don't use it unless you are sure you need it. I use --state when setting up my firewall. Basically, I allow all incoming traffic of state ESTABLISHED and RELATED, then drop all other incoming traffic. This allows my programs like firefox to access the DNS server and have the DNS server talk back.
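    As an added example (not code from this thread or its posters), here is how the two rule styles from post #1 fit into the small stateful INPUT policy post #4 describes: one ESTABLISHED,RELATED rule handles all return traffic, and the port rule with --state NEW then only decides who may open a connection to sshd. The script, the IPT override used for a dry run, and the APPLY and SSH_PORT variables are my own construction; port 2221 is the one from the thread.

```shell
#!/bin/sh
# Stateful INPUT policy for an sshd port (constructed example).
# IPT defaults to the real iptables binary; set IPT=echo to dry-run and only
# print the commands that would be executed.
IPT="${IPT:-iptables}"

build_ssh_rules() {
    port="${1:-2221}"

    # Start from an empty INPUT chain. The DROP policy is set last so a
    # failure halfway through does not leave the chain empty and closed.
    "$IPT" -F INPUT

    # Loopback traffic is always accepted.
    "$IPT" -A INPUT -i lo -j ACCEPT

    # Replies to connections this host already opened (DNS answers, web
    # traffic, ...) come back through this one rule, as post #4 describes,
    # without a per-port rule for each service.
    "$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Packets conntrack cannot place in any connection (stray ACKs, ICMP
    # errors for unknown flows) are dropped instead of falling through.
    "$IPT" -A INPUT -m state --state INVALID -j DROP

    # A packet that opens a TCP connection must be a SYN; a NEW packet that
    # is not a SYN belongs to a handshake conntrack never saw.
    "$IPT" -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

    # The port rule now only matches connection attempts. The stateless form
    # (-p tcp --dport "$port" -j ACCEPT) would also accept any packet to the
    # port that the rules above had not already classified.
    "$IPT" -A INPUT -p tcp -m state --state NEW --dport "$port" -j ACCEPT

    # Everything else is dropped.
    "$IPT" -P INPUT DROP
}

# Apply only when explicitly asked, e.g.:  APPLY=1 SSH_PORT=2221 sh ssh_rules.sh
# Dry run:  IPT=echo APPLY=1 sh ssh_rules.sh
if [ "${APPLY:-0}" = 1 ]; then
    build_ssh_rules "${SSH_PORT:-2221}"
fi
```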

  5. #5
    Join Date
    Dec 2012
    Beans
    1

    Re: iptables options: when to use '-m state --state NEW'

    I believe he asks because he used the system config firewall TUI script ... .

  6. #6
    Join Date
    Oct 2009
    Beans
    Hidden!
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: iptables options: when to use '-m state --state NEW'

    This thread is from 2008. I doubt the OP is coming back....
    Come to #ubuntuforums! We have cookies! | Basic Ubuntu Security Guide

    Tomorrow's an illusion and yesterday's a dream, today is a solution...
