UDP connections in iptables

In essence, UDP connections have no state of their own. There are several reasons for this; the main one is that the protocol provides no connection setup or teardown, but the biggest drawback is the lack of any ordering information in the packets. Given two UDP datagrams, it is impossible to say in which order they were sent. Even so, it is still possible to determine the state of a connection. Below is a picture of how a connection looks from the point of view of the connection tracking code.

The figure shows that, from the point of view of user space, the state of a UDP connection is almost the same as that of a TCP connection. From the inside it looks a bit different, although in many ways similar. To start, look at the entry that appears after the first UDP packet.

udp      17 20 src=... dst=... sport=137 dport=1025 \
     [UNREPLIED] src=... dst=... sport=1025 \
     dport=137 use=1

The first thing we see is the name of the protocol (udp) and its number (see /etc/protocols). The third value is the remaining lifetime of the entry in seconds. Then come the characteristics of the packet that passed through the firewall: the address and port of the sender and of the recipient. Next you can see that this is the first packet in the session (the [UNREPLIED] flag), followed by the addresses and source and destination ports of the expected reply packet. The default timeout is 30 seconds.

udp      17 170 src=... dst=... sport=137 \
     dport=1025 src=... dst=... sport=1025 \
     dport=137 use=1

Once the server has seen a reply to the first packet, the connection is considered ESTABLISHED. The only difference from the previous entry is the absence of the [UNREPLIED] flag and, in addition, the timeout of the entry has been set to 180 seconds. After that, only the [ASSURED] flag can be added, which was described above. The [ASSURED] flag is set only after a certain number of packets have passed over the connection.

udp      17 175 src=... dst=... sport=1025 \
     dport=53 src=... dst=... sport=53 \
     dport=1025 [ASSURED] use=1

Now the connection has become assured. The table entry looks almost the same as in the previous example, except for the [ASSURED] flag. If not a single packet passes over the connection within 180 seconds, the entry is removed from the table. This is quite a short time, but it is sufficient for most applications. The lifetime is counted from the moment of the last packet; each new packet resets the timer to its initial value, and the same holds for all the other internal states.
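To make the three entries above concrete, here is an added example (not code from the original tutorial) that parses UDP entries in this text format, extracts the timeout, the original and reply tuples and the [UNREPLIED]/[ASSURED] flags, and derives the state the iptables state match would report for a packet in either direction. The sample table is constructed with RFC 5737 documentation addresses and mirrors the three entries in the text; the function names are the example's own.

```python
"""Parse UDP conntrack table entries and derive iptables states.

Added example, not part of the original tutorial. The sample table is
constructed (documentation addresses) and mirrors the three entries above:
first packet seen (UNREPLIED), reply seen (ESTABLISHED), and a connection
that has carried enough packets to be ASSURED.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

SAMPLE_TABLE = """\
udp      17 20 src=192.0.2.2 dst=192.0.2.5 sport=137 dport=1025 [UNREPLIED] src=192.0.2.5 dst=192.0.2.2 sport=1025 dport=137 use=1
udp      17 170 src=192.0.2.2 dst=192.0.2.5 sport=137 dport=1025 src=192.0.2.5 dst=192.0.2.2 sport=1025 dport=137 use=1
udp      17 175 src=192.0.2.5 dst=198.51.100.2 sport=1025 dport=53 src=198.51.100.2 dst=192.0.2.5 sport=53 dport=1025 [ASSURED] use=1
"""

# One address/port tuple; an entry carries two (original direction, reply direction).
TUPLE_RE = re.compile(r"src=(\S+)\s+dst=(\S+)\s+sport=(\d+)\s+dport=(\d+)")
USE_RE = re.compile(r"\buse=(\d+)")


@dataclass(frozen=True)
class Tuple4:
    src: str
    dst: str
    sport: int
    dport: int


@dataclass(frozen=True)
class ConntrackEntry:
    proto: str
    proto_num: int
    timeout: int        # seconds of life left before the entry is dropped
    original: Tuple4    # direction of the first packet seen
    reply: Tuple4       # the expected return packet
    unreplied: bool     # no reply seen yet
    assured: bool       # enough traffic seen; entry is kept under table pressure
    use: int

    @property
    def state(self) -> str:
        """State reported for a packet in the original direction."""
        return "NEW" if self.unreplied else "ESTABLISHED"


def parse_entry(line: str) -> ConntrackEntry:
    parts = line.split()
    if len(parts) < 3 or not parts[1].isdigit() or not parts[2].isdigit():
        raise ValueError(f"not a conntrack entry: {line!r}")
    tuples = TUPLE_RE.findall(line)
    if len(tuples) != 2:
        raise ValueError(f"expected original and reply tuples: {line!r}")
    orig, reply = (Tuple4(s, d, int(sp), int(dp)) for s, d, sp, dp in tuples)
    use = USE_RE.search(line)
    return ConntrackEntry(
        proto=parts[0],
        proto_num=int(parts[1]),
        timeout=int(parts[2]),
        original=orig,
        reply=reply,
        unreplied="[UNREPLIED]" in parts,
        assured="[ASSURED]" in parts,
        use=int(use.group(1)) if use else 0,
    )


def parse_table(text: str) -> List[ConntrackEntry]:
    return [parse_entry(line) for line in text.splitlines() if line.strip()]


def classify_packet(entry: ConntrackEntry, src: str, dst: str,
                    sport: int, dport: int) -> Optional[str]:
    """Return 'original', 'reply' or None depending on which tuple the packet matches."""
    pkt = Tuple4(src, dst, sport, dport)
    if pkt == entry.original:
        return "original"
    if pkt == entry.reply:
        return "reply"
    return None


def lookup_state(table: List[ConntrackEntry], src: str, dst: str,
                 sport: int, dport: int) -> str:
    """State the iptables state match would give the packet.

    A packet with no entry is NEW. A packet in the reply direction of any
    entry is ESTABLISHED (this is the reply that clears [UNREPLIED]); a packet
    in the original direction is NEW until that reply has been seen.
    """
    for entry in table:
        direction = classify_packet(entry, src, dst, sport, dport)
        if direction == "reply":
            return "ESTABLISHED"
        if direction == "original":
            return entry.state
    return "NEW"


if __name__ == "__main__":
    for e in parse_table(SAMPLE_TABLE):
        flags = " ".join(name for name, on in (("UNREPLIED", e.unreplied),
                                                ("ASSURED", e.assured)) if on)
        print(f"{e.original.src}:{e.original.sport} -> {e.original.dst}:{e.original.dport}"
              f"  timeout={e.timeout}s  original-direction state={e.state}  {flags}")
```

The first two sample lines describe the same connection at two points in time, so when looking up a state, pass only the slice of the table that represents the moment of interest; a live table never holds two entries for one tuple pair.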