Where state is a comma separated list of the connection states to match. Possible states are
INVALID meaning that the packet could not be identified for some reason which includes running out of memory and ICMP errors which don't correspond to any known connection,
ESTABLISHED meaning that the packet is associated with a connection which has seen packets in both directions,
NEW meaning that the packet has started a new connection, or otherwise associated with a connection which has not seen packets in both directions, and
RELATED meaning that the packet is starting a new connection, but is associated with an existing connection, such as an FTP data transfer, or an ICMP error.
So basically this rule:
-A INPUT -p tcp -m state --state NEW --dport 2221 -j ACCEPT
Means that any brand NEW packets on TCP port 2221 (generally the very first packet in a transmission) will be jumped to the ACCEPT chain.
Not sure why you would ever need to specify a rule for the state of NEW only, unless you were setting up some sort of port knocking scheme. Then again I only know enough about iptables to manage my own firewall.
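An added example, not part of the original post: a simplified Python model of the NEW and ESTABLISHED definitions quoted above, run against a constructed packet sequence to show which inbound packets the NEW-only rule accepts. The default DROP policy, the companion ESTABLISHED,RELATED rule, the addresses and all function names are assumptions made for the illustration; RELATED and INVALID are not modelled.

```python
# Simplified model of the state match (constructed example, not netfilter code).
# It tracks only NEW vs ESTABLISHED; RELATED and INVALID are not modelled.
SERVER = "192.0.2.10"   # constructed documentation addresses
CLIENT = "198.51.100.7"

def classify(table, src, sport, dst, dport):
    """Return the state of one packet and update the tracking table."""
    key = frozenset({(src, sport), (dst, dport)})
    entry = table.setdefault(key, {"origin": (src, sport), "replied": False})
    if (src, sport) != entry["origin"]:
        entry["replied"] = True          # traffic now seen in both directions
    return "ESTABLISHED" if entry["replied"] else "NEW"

def run_input_chain(rules, packets, policy="DROP"):
    """First-match evaluation of inbound packets; returns (state, verdict) pairs."""
    table, verdicts = {}, []
    for src, sport, dst, dport in packets:
        state = classify(table, src, sport, dst, dport)
        if dst != SERVER:
            continue                     # reply leaves via OUTPUT, assumed ACCEPT
        verdict = policy
        for states, port, target in rules:
            if state in states and port in (None, dport):
                verdict = target
                break
        verdicts.append((state, verdict))
    return verdicts

# Constructed packet sequence: (src, sport, dst, dport)
PACKETS = [
    (CLIENT, 40000, SERVER, 2221),   # SYN
    (CLIENT, 40000, SERVER, 2221),   # retransmitted SYN, no reply seen yet
    (SERVER, 2221, CLIENT, 40000),   # SYN/ACK from the server
    (CLIENT, 40000, SERVER, 2221),   # ACK
    (CLIENT, 40000, SERVER, 2221),   # data
]

# -A INPUT -p tcp -m state --state NEW --dport 2221 -j ACCEPT
NEW_ONLY = [({"NEW"}, 2221, "ACCEPT")]
# Assumed companion rule: -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
STATEFUL = [({"ESTABLISHED", "RELATED"}, None, "ACCEPT")] + NEW_ONLY

if __name__ == "__main__":
    for name, rules in (("NEW only", NEW_ONLY), ("stateful", STATEFUL)):
        print(name, run_input_chain(rules, PACKETS))
```

In this model the retransmitted SYN is still NEW because no reply has been seen, and every inbound packet after the server's reply is ESTABLISHED, so the NEW-only rule stops matching at that point.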