We keep track of the relationship between packets: `connections'
This applies even to `connectionless' protocols, such as ping and UDP DNS.
It will always be heuristic-based: we cannot know what a reasonable delay between packets is.
When a packet arrives at the LOCAL_OUT or PRE_ROUTING hook, conntrack records which connection it is part of, and in what role.
- Hooks in before packet filtering (in LOCAL_OUT)
- Packets get defragmented
It classifies the packet as one of the following:
- NEW
- ESTABLISHED (either direction)
- RELATED (either direction)
- INVALID
Under stress, the code will time out unreplied connections early.
The ip_conntrack module has an ip_conntrack_ftp extension (passive and active FTP)
The `state' packet matching allows you to match based on the conntrack results.
This allows more reasonable UDP filtering, TCP FIN-scan filtering and FTP filtering.
e.g. the six external->internal rules above become:
iptables -A external-internal -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A external-internal -j DROP
Effectively, you need only filter on initial (--state NEW) connections.
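To make the classification and the two-rule chain concrete, here is a toy connection tracker added for this page. It is not the Linux ip_conntrack code: it models the NEW / ESTABLISHED / RELATED / INVALID classification, the early expiry of unreplied entries under stress, a helper-registered expectation of the kind ip_conntrack_ftp creates, and ICMP errors that quote a tracked connection. The timeout values, the `stress` flag, the `expected` set and the assumption that mid-stream TCP is not picked up loosely are all assumptions of the example; the addresses and ports are constructed sample traffic.

```python
"""Toy connection tracker plus the two-rule external->internal chain.
Constructed example; not the Linux ip_conntrack implementation."""
from dataclasses import dataclass
from typing import Dict, Set, Tuple

Tuple5 = Tuple[str, str, str, int, int]        # (proto, src, dst, sport, dport)

UNREPLIED_TIMEOUT = 30.0    # assumed seconds before an unanswered entry is dropped
STRESS_TIMEOUT = 5.0        # assumed shorter limit used while the table is under stress
REPLIED_TIMEOUT = 180.0     # assumed limit once both directions have been seen


@dataclass
class Conn:
    last_seen: float
    replied: bool = False


def reverse(t: Tuple5) -> Tuple5:
    proto, src, dst, sport, dport = t
    return (proto, dst, src, dport, sport)


def key_of(pkt: dict) -> Tuple5:
    return (pkt["proto"], pkt["src"], pkt["dst"], pkt["sport"], pkt["dport"])


class ConnTracker:
    def __init__(self, stress: bool = False) -> None:
        self.table: Dict[Tuple5, Conn] = {}   # keyed by original-direction tuple
        self.expected: Set[Tuple5] = set()    # expectations a helper (ftp) registered
        self.stress = stress

    def _expire(self, now: float) -> None:
        for k, c in list(self.table.items()):
            if c.replied:
                limit = REPLIED_TIMEOUT
            else:
                limit = STRESS_TIMEOUT if self.stress else UNREPLIED_TIMEOUT
            if now - c.last_seen > limit:
                del self.table[k]

    def classify(self, pkt: dict, now: float) -> str:
        self._expire(now)
        key = key_of(pkt)
        rev = reverse(key)
        if key in self.table:                  # same direction as the first packet
            c = self.table[key]
            c.last_seen = now
            return "ESTABLISHED" if c.replied else "NEW"   # NEW until a reply is seen
        if rev in self.table:                  # reply direction: connection is now two-way
            c = self.table[rev]
            c.replied, c.last_seen = True, now
            return "ESTABLISHED"
        if pkt["proto"] == "icmp" and pkt.get("inner") is not None:
            inner = pkt["inner"]               # the packet quoted inside an ICMP error
            if inner in self.table or reverse(inner) in self.table:
                return "RELATED"
            return "INVALID"                   # error about a connection never seen
        if key in self.expected:               # data connection a helper told us to expect
            self.expected.discard(key)
            self.table[key] = Conn(now)
            return "RELATED"
        if pkt["proto"] == "tcp" and not pkt.get("syn", False):
            return "INVALID"                   # mid-stream TCP, no entry (assumed: no loose pickup)
        self.table[key] = Conn(now)
        return "NEW"


def external_internal(state: str) -> str:
    """The two-rule chain from the text: ESTABLISHED,RELATED -> ACCEPT, everything else DROP."""
    return "ACCEPT" if state in ("ESTABLISHED", "RELATED") else "DROP"


def demo(stress: bool = False) -> Dict[str, str]:
    """Constructed traffic between internal 10.0.0.5 and external hosts."""
    ct = ConnTracker(stress=stress)
    out: Dict[str, str] = {}
    query = dict(proto="udp", src="10.0.0.5", dst="192.0.2.53", sport=4000, dport=53)
    reply = dict(proto="udp", src="192.0.2.53", dst="10.0.0.5", sport=53, dport=4000)
    ct.classify(query, now=0.0)                        # outbound DNS query: NEW
    delay = 10.0 if stress else 0.1                    # a slow reply exceeds the stress limit
    out["dns_reply"] = external_internal(ct.classify(reply, now=delay))
    unsolicited = dict(proto="udp", src="198.51.100.9", dst="10.0.0.5", sport=53, dport=4001)
    out["unsolicited_udp"] = external_internal(ct.classify(unsolicited, now=11.0))
    fin_scan = dict(proto="tcp", src="198.51.100.9", dst="10.0.0.5", sport=6000, dport=80, syn=False)
    out["tcp_fin_scan"] = external_internal(ct.classify(fin_scan, now=11.0))
    ct.expected.add(("tcp", "192.0.2.21", "10.0.0.5", 20, 5001))   # as an ftp helper would register
    ftp_data = dict(proto="tcp", src="192.0.2.21", dst="10.0.0.5", sport=20, dport=5001, syn=True)
    out["ftp_data"] = external_internal(ct.classify(ftp_data, now=12.0))
    icmp_err = dict(proto="icmp", src="192.0.2.1", dst="10.0.0.5", sport=0, dport=0, inner=key_of(query))
    out["icmp_error"] = external_internal(ct.classify(icmp_err, now=12.0))
    return out


if __name__ == "__main__":
    print(demo())
    print("under stress, late DNS reply:", demo(stress=True)["dns_reply"])
```

Running `demo()` shows the point of the text: the DNS reply, the FTP data connection and the ICMP error all pass the two-rule chain, while the unsolicited UDP packet and the FIN-scan probe are dropped. With `stress=True` the unreplied query entry expires before the reply arrives, so the reply is classified NEW and dropped, which is the cost of timing out unreplied connections early.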
Packet filtering is markedly simplified by connection tracking.
Hopefully people won't screw up ICMP filtering now.