How do I use Iptables connection tracking feature?

Connection tracking is an essential security feature of Iptables. But, what is connection tracking?

It is the ability to maintain connection information in memory. This feature was added in the 2.4.xx Linux kernel. Earlier only commercial firewalls had it, but now it is part of Linux. It can remember connection states such as established and new connections, along with protocol types and source and destination IP addresses. You can allow or deny access based upon state. The states are the following:

  • NEW – A client requesting a new connection via the firewall host
  • ESTABLISHED – A connection that is part of an already established connection
  • RELATED – A connection that is requesting a new request but is part of an existing connection.
  • INVALID – If none of the above three states can be referred or used then it is an INVALID state.

Let us try to understand the four states with an FTP example (our setup):

client                     FTP Server          

A) Connect to the ftp server:
You have to use the ftp command as follows:
$ ftp
It opens a NEW (state) connection to the ftp server.

client     --- NEW --->     FTP Server

B) Download files
> get bigfile.tar.gz
When the client downloads files from the ftp server we call it an ESTABLISHED connection.

client     --- ESTABLISHED --->     FTP Server

Please note that when you see the username/password prompt your connection is already established; access to the ftp server is granted upon successful authentication.

C) Passive ftp connections
In a passive ftp connection, the client connection port is 20, but the transfer port can be any unused port 1024 or higher. To enable passive mode the ftp client can send the pass command:
ftp> pass
Passive mode on.

You need to use the RELATED state at the firewall level if you wish to allow passive ftp access. Here is an example for an SSH server: allow only new and established connections to the SSH server's IP address (SERVER_IP below is a placeholder for that address):

iptables -A INPUT -p tcp -s 0/0 --sport 513:65535 -d SERVER_IP --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT

iptables -A OUTPUT -p tcp -s SERVER_IP --sport 22 -d 0/0 --dport 513:65535 -m state --state ESTABLISHED -j ACCEPT

It also works with a stateless protocol such as UDP. The following example uses connection tracking to forward only the packets that are associated with an established (or related) connection; note that the iptables target is ACCEPT, not ALLOW:

iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

In the past we have covered lots of examples related to iptables connection tracking.

Update: You may need to put the following two lines in your script to use the connection tracking feature:

modprobe ip_conntrack
modprobe ip_conntrack_ftp
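To see why passive ftp needs both the RELATED state and the ip_conntrack_ftp module, here is an added example (not code from the original post or from the kernel): a toy Python model of a connection tracker with an FTP helper. It classifies packets into the four states above and parses the server's "227 Entering Passive Mode" reply to expect the related data connection; all addresses, ports and the sample exchange are constructed.

```python
import re

# Regex for the server's "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply
PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


class ConnTracker:
    """Toy connection tracker: classifies packets into the four iptables states."""

    def __init__(self):
        self.conns = set()     # tracked flows as (src, sport, dst, dport)
        self.expected = set()  # (client, server, port) learned from PASV replies

    def classify(self, src, sport, dst, dport, flags="", payload=""):
        key, reverse = (src, sport, dst, dport), (dst, dport, src, sport)
        if key in self.conns or reverse in self.conns:
            state = "ESTABLISHED"   # either direction of a flow we already know
        elif (src, dst, dport) in self.expected:
            state = "RELATED"       # data connection the FTP helper told us to expect
            self.expected.discard((src, dst, dport))
            self.conns.add(key)
        elif "SYN" in flags and "ACK" not in flags:
            state = "NEW"           # first packet of a fresh flow
            self.conns.add(key)
        else:
            state = "INVALID"       # e.g. a stray ACK that belongs to no known flow
        # FTP helper: inspect only replies on a tracked control channel (server port 21)
        if state == "ESTABLISHED" and sport == 21:
            m = PASV_RE.search(payload)
            if m:
                host = ".".join(m.group(i) for i in range(1, 5))
                port = int(m.group(5)) * 256 + int(m.group(6))
                self.expected.add((dst, host, port))  # client may now connect to host:port
        return state


if __name__ == "__main__":
    # Constructed sample exchange: control channel, PASV reply, then the data connection
    t = ConnTracker()
    print(t.classify("10.0.0.5", 40000, "192.0.2.10", 21, flags="SYN"))            # NEW
    print(t.classify("192.0.2.10", 21, "10.0.0.5", 40000, flags="SYN,ACK"))        # ESTABLISHED
    print(t.classify("192.0.2.10", 21, "10.0.0.5", 40000, flags="ACK",
                     payload="227 Entering Passive Mode (192,0,2,10,195,80)"))     # ESTABLISHED
    print(t.classify("10.0.0.5", 40001, "192.0.2.10", 50000, flags="SYN"))         # RELATED
    print(t.classify("203.0.113.9", 1234, "10.0.0.5", 22, flags="ACK"))            # INVALID
```

Without the helper the data connection would be classified as NEW, which is exactly what a FORWARD rule accepting only ESTABLISHED,RELATED would drop.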

Please see complete example script here.

๐Ÿง Get the latest tutorials on Linux, Open Source & DevOps via RSS feed or Weekly email newsletter.

๐Ÿง 6 comments so far... add one
CategoryList of Unix and Linux commands
Disk space analyzersncdu pydf
File Managementcat
FirewallAlpine Awall CentOS 8 OpenSUSE RHEL 8 Ubuntu 16.04 Ubuntu 18.04 Ubuntu 20.04
Network UtilitiesNetHogs dig host ip nmap
OpenVPNCentOS 7 CentOS 8 Debian 10 Debian 8/9 Ubuntu 18.04 Ubuntu 20.04
Package Managerapk apt
Processes Managementbg chroot cron disown fg jobs killall kill pidof pstree pwdx time
Searchinggrep whereis which
User Informationgroups id lastcomm last lid/libuser-lid logname members users whoami who w
WireGuard VPNAlpine CentOS 8 Debian 10 Firewall Ubuntu 20.04
6 comments
  • Anonymous Nov 7, 2005 @ 16:09

    Yup w/o these two modules ftp passive would be a problem

    modprobe ip_conntrack
    modprobe ip_conntrack_ftp

    Btw, nice pointer for beginners, IMO

  • Linux Guy Sep 16, 2006 @ 14:14

    I believe the “preferred” way to save your firewall scripts in Redhat-ish environments is with iptables-save. (For example, iptables-save >/etc/sysconfig/iptables)

    The problem is, iptables-save doesn’t seem to be capturing my:

    modprobe ip_conntrack
    modprobe ip_conntrack_ftp

    statements. Am I missing something?

  • Marshall Dec 6, 2006 @ 22:47

    Linux Guy, check out IPTABLES_MODULES in /etc/sysconfig/iptables-config.

  • AKM Jul 8, 2009 @ 18:35

    that worked for me:

    modprobe ip_conntrack
    modprobe ip_conntrack_ftp

    thx a lot !!! ;)

  • Santhosh Sep 30, 2009 @ 6:03

    Please send the ip_conntrack files to this mail address

  • paul Sep 20, 2012 @ 14:16

    how do you access the ip table?
