User-land states in iptables

As you have probably noticed in the kernel-space discussion, a packet can be in several different states depending on the protocol. Outside the kernel, however, a packet can be in only one of four states. These are the states you match with the --state criterion, and the valid values are NEW, ESTABLISHED, RELATED and INVALID. The following table describes each of them.

Table 4-1. User-land states

State        Description
NEW          The NEW state tells us that this packet is the first packet we have seen for this connection, that is, the first packet the connection tracker saw within that connection. For example, if a SYN packet arrives and it is the first packet for a given connection, it gets the state NEW. However, a packet does not have to be a SYN to be considered NEW. This can cause problems in certain cases, but it is also very useful, for example when you want to pick up connections "lost" by another firewall, or connections whose tracking entry has timed out even though the connection was never actually closed.
RELATED      RELATED is one of the more tricky states. A connection is RELATED when it is associated with another connection that is already ESTABLISHED. In other words, a connection gets the state RELATED when it is spawned from an already established (ESTABLISHED) connection. Good examples are the FTP data connection, which is related to the FTP control connection, a DCC connection started from IRC, and ICMP error messages that refer to an existing connection. Note that most TCP- and UDP-based protocols that behave this way are quite complex and carry the information about the secondary connection inside the payload of the TCP or UDP packets, so they need a specific helper module to be tracked correctly.
ESTABLISHED  The ESTABLISHED state tells us that this is not the first packet of the connection. The logic behind ESTABLISHED is easy to understand: the only requirement for a connection to become ESTABLISHED is that one host has sent a packet and received a reply from the other host. Once that reply is seen, the state of a NEW or RELATED connection changes to ESTABLISHED.
INVALID      The INVALID state means that the packet cannot be identified and therefore cannot be assigned any state. This can happen for several reasons, for example when the system is running out of memory, or when an ICMP error message arrives that does not correspond to any known connection. In general the best option is to DROP such packets.

These four states can be used with the --state match. The state machine lets you build very strong and effective firewalls. Where you previously had to open all ports above 1024 to let return traffic back into the local network, this is no longer necessary with connection tracking: you can "open" the firewall only for return (reply) traffic while blocking attempts to set up new connections from the outside.
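As an added example (not part of the original tutorial), the two approaches from the paragraph above written out as INPUT rulesets in iptables-restore format, using the four states from Table 4-1. The script only generates the text; applying it requires root. The assumptions are mine: eth0 is the Internet-facing interface and SSH (22/tcp) is the only service deliberately exposed.

```shell
#!/bin/sh
# Added example, not code from the original tutorial.
# Assumption: eth0 faces the Internet; only 22/tcp is meant to be reachable.
WAN_IF="eth0"

# The pre-conntrack approach: every port above 1024 is opened so that
# replies to outgoing connections can come back in. Any daemon that
# happens to listen on a high port is now reachable from the outside.
legacy_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i ${WAN_IF} -p tcp --dport 22 -j ACCEPT
-A INPUT -i ${WAN_IF} -p tcp --dport 1024:65535 -j ACCEPT
-A INPUT -i ${WAN_IF} -p udp --dport 1024:65535 -j ACCEPT
COMMIT
EOF
}

# The stateful approach: return traffic is matched by state, so no
# listening port has to be opened for it. Rule order matters: INVALID is
# dropped first, then replies are accepted, then only the intended NEW
# connections are allowed through. Lines starting with # are ignored by
# iptables-restore.
stateful_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# INVALID: packets the tracker cannot tie to any connection
-A INPUT -m state --state INVALID -j DROP
# ESTABLISHED: replies to connections this host opened
# RELATED: helper-tracked secondary connections (FTP data) and ICMP errors
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# NEW: only the service we actually want to expose
-A INPUT -i ${WAN_IF} -p tcp --dport 22 -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# Count how many INPUT rules open a destination port range to NEW traffic.
# The legacy set opens two ranges; the stateful set opens none.
high_port_openings() {
    "$1" | grep -c -- '--dport 1024:65535'
}

# Stand-alone use: print the stateful ruleset for review.
stateful_rules
```

Load it with `stateful_rules | iptables-restore` as root and check with `iptables -L INPUT -v -n`; the packet counters on the ESTABLISHED,RELATED rule show the return traffic that the legacy ruleset needed the high-port holes for. Two caveats: current iptables treats `-m state --state` as an alias for `-m conntrack --ctstate`, so either spelling works, and the RELATED rule will only match FTP data connections if the FTP helper module (nf_conntrack_ftp) is loaded, exactly as the table notes for protocols that carry connection details in their payload.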