iptables - Is it necessary to use the NEW state match?

savona · 05-03-2011, 03:46 PM

I am looking to learn more about netfilter/iptables. I have been reading a lot of different documents online and I notice that some people open a port like this:

(using http as an example)

iptables -I INPUT -p tcp --dport 80 -j ACCEPT

While other use the state match like so:

iptables -I INPUT -p tcp -m state --state NEW --dport 80 -j ACCEPT

My question is, why do I need to use the state new here? I understand that the NEW mean a new connection, and I understand the use of ESTABLISHED, RELATED. But is the NEW needed here? What is the working difference between the two statements above?

acid_kewpie · 05-03-2011, 03:59 PM

Well it's fundamentally that the connection might not be new... you could receive all sorts of crap trying to exploit your rule base and systems behind it. You have new connections, you have ones you already know about and trust, but you have the third category of "other shit" and if you don't use the NEW state you'll let in all that other rubbish.

unSpawn · 05-03-2011, 06:13 PM

...and in addition to that here's another explanation: http://www.faqs.org/docs/iptables/newnotsyn.html

savona · 05-04-2011, 09:22 AM

Thanks for the info. I will continue to read.