It's a mix of both connection-related connections and ACK/SYN TCP flag settings.
Let me explain:
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
This rule checks that the incoming TCP packet's state is ESTABLISHED, so the incoming packet must not be the first packet to make the connection to your firewall ("this means it has an ACK flag set and not a SYN ACK flag").
If it was the first host to make the connection, then a SYN ACK flag would be set in the packet, meaning some server started the connection to yours first ("not what you want if you're a firewall, OK if it's to your webserver").
So the TCP handshake that comes back once you started the connection doesn't have the SYN flag set, so the --state ESTABLISHED option tells it to accept the packet and forward it to the INPUT chain, which forwards it to the requesting IP from the network address translation table.
You can still switch off the SYN flag and spoof firewalls into allowing them to accept the packet, but ip_conntrack backs up the --state ESTABLISHED check by verifying whether this is true.
Hope that helps.
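Added example, not code from the post above or from the iptables project: a small Python simulation of why a state match backed by a connection table behaves differently from a check that looks only at TCP flags. The `ConntrackSim` class, the `Packet` layout and the addresses are constructed for this illustration and are not the kernel's ip_conntrack/nf_conntrack implementation; `flag_only_accept` mirrors the semantics of `! --syn` (anything except a bare SYN passes), and `input_chain` models an INPUT chain holding only the `--state ESTABLISHED,RELATED -j ACCEPT` rule with a DROP policy (RELATED is not modelled).

```python
from dataclasses import dataclass

# TCP flag bits (assumed standard values)
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10


@dataclass(frozen=True)
class Packet:
    """Minimal constructed TCP packet: 4-tuple plus flag bits."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


def flag_only_accept(pkt: Packet) -> bool:
    """Naive check equivalent to `! --syn`: accept any packet that is not a
    pure connection-opening SYN. A forged ACK-only packet passes this test
    even though no handshake ever took place."""
    is_bare_syn = (pkt.flags & (SYN | ACK | RST | FIN)) == SYN
    return not is_bare_syn


class ConntrackSim:
    """Toy connection tracker (TCP only), keyed by the 4-tuple.
    Not the kernel's conntrack; just enough state to show the idea."""

    def __init__(self) -> None:
        self.table: dict[tuple, str] = {}  # flow key -> "SYN_SENT" | "ESTABLISHED"

    @staticmethod
    def _key(pkt: Packet) -> tuple:
        return (pkt.src, pkt.sport, pkt.dst, pkt.dport)

    @staticmethod
    def _reverse_key(pkt: Packet) -> tuple:
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def classify(self, pkt: Packet) -> str:
        """Return the tracked state for this packet: NEW, ESTABLISHED or INVALID."""
        fwd, rev = self._key(pkt), self._reverse_key(pkt)
        is_bare_syn = (pkt.flags & (SYN | ACK | RST | FIN)) == SYN

        if fwd in self.table or rev in self.table:
            entry = fwd if fwd in self.table else rev
            if pkt.flags & RST:  # reset tears the flow down
                del self.table[entry]
                return "ESTABLISHED"
            # SYN/ACK travelling in the reply direction completes the handshake
            if (self.table[entry] == "SYN_SENT" and entry == rev
                    and (pkt.flags & (SYN | ACK)) == (SYN | ACK)):
                self.table[entry] = "ESTABLISHED"
                return "ESTABLISHED"
            if pkt.flags & ACK:
                return "ESTABLISHED"
            return "INVALID"

        if is_bare_syn:  # first packet of a flow we have never seen
            self.table[fwd] = "SYN_SENT"
            return "NEW"
        # No table entry and not a connection-opening SYN: the tracker has never
        # seen this flow, so an ACK-only packet is INVALID, not ESTABLISHED.
        return "INVALID"


def input_chain(ct: ConntrackSim, pkt: Packet) -> str:
    """Models: iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    followed by `-P INPUT DROP`. RELATED is not simulated here."""
    return "ACCEPT" if ct.classify(pkt) == "ESTABLISHED" else "DROP"


def verdict(pkt: Packet, ct: ConntrackSim) -> tuple[str, str]:
    """(flag-only verdict, conntrack-backed verdict) for one inbound packet."""
    naive = "ACCEPT" if flag_only_accept(pkt) else "DROP"
    return naive, input_chain(ct, pkt)


def run_scenario() -> dict:
    """Constructed scenario: our host 192.0.2.10 opens a connection outbound,
    the server replies, and a third party sends an ACK-only packet to port 22."""
    ct = ConntrackSim()
    outbound_syn = Packet("192.0.2.10", 40000, "203.0.113.5", 80, SYN)
    ct.classify(outbound_syn)  # seen on the way out; registers the flow as NEW

    handshake_reply = Packet("203.0.113.5", 80, "192.0.2.10", 40000, SYN | ACK)
    forged_ack = Packet("198.51.100.7", 5555, "192.0.2.10", 22, ACK)

    return {
        "handshake_reply": verdict(handshake_reply, ct),  # ('ACCEPT', 'ACCEPT')
        "forged_ack": verdict(forged_ack, ct),            # ('ACCEPT', 'DROP')
        "tracked_flows": len(ct.table),                   # 1
    }


if __name__ == "__main__":
    for name, result in run_scenario().items():
        print(f"{name}: {result}")
```

The point the simulation makes is the one the post ends on: the flag-only rule and the state rule agree on the genuine handshake reply, but only the state rule drops the ACK-only packet for a flow that was never opened from inside, because the decision is taken against the connection table rather than against the bits in the packet.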