Originally Posted by slimm609
when you put in --state new it means that the connection has to be in the syn state when they first try to connect.
For a packet to be in state NEW it doesn't need to be a SYN packet. It just needs to lack a corresponding entry in the state table. If you want to match against a SYN packet specifically, you're gonna need to use the --syn match. In fact, for rules applying to TCP packets it's a good idea to use both, like:
iptables -A INPUT -p TCP --dport 22 --syn -m state --state NEW -j ACCEPT
This way, a higher degree of sanity checking is obtained. Of course, this shouldn't be done if the service in question really does have a need for TCP packets in state NEW which aren't SYN.
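Added example (not from the thread, and not the kernel's code): a small Python model of the distinction made above, where conntrack state depends only on whether the 4-tuple has a state-table entry, while --syn looks at the TCP flags. The Packet fields, the table as a plain set, and the verdict helper are constructed assumptions for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    """Constructed minimal TCP packet: addresses, ports and the flags that matter here."""
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False
    ack: bool = False
    rst: bool = False
    fin: bool = False

def conn_key(p):
    # Assumed state-table key: the connection 4-tuple.
    return (p.src, p.sport, p.dst, p.dport)

def conntrack_state(p, table):
    """NEW if the state table has no entry for this flow, else ESTABLISHED.
    The flags play no part in this decision (simplified model)."""
    return "ESTABLISHED" if conn_key(p) in table else "NEW"

def is_syn(p):
    """What --syn matches: SYN set and ACK, RST, FIN clear."""
    return p.syn and not (p.ack or p.rst or p.fin)

def match_state_new(p, table):
    """-m state --state NEW on its own."""
    return conntrack_state(p, table) == "NEW"

def match_syn_and_new(p, table):
    """--syn -m state --state NEW: both conditions must hold."""
    return is_syn(p) and match_state_new(p, table)

def verdict(p, table, strict):
    """ACCEPT for port 22 under the chosen rule, else DROP (assumed default policy).
    A matched packet is also recorded in the state table, as conntrack would."""
    matched = match_syn_and_new(p, table) if strict else match_state_new(p, table)
    if p.dport == 22 and matched:
        table.add(conn_key(p))
        return "ACCEPT"
    return "DROP"

if __name__ == "__main__":
    table = set()
    stray_ack = Packet("198.51.100.7", "192.0.2.10", 40000, 22, ack=True)  # constructed
    print(conntrack_state(stray_ack, table), verdict(stray_ack, set(), False),
          verdict(stray_ack, set(), True))
```

Running it shows that a bare ACK with no table entry is still NEW, so the loose rule accepts it while the --syn variant does not.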