iptables -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
From the man page it looks like they do exactly the same thing.
Which one should be used? I searched on Google but found nothing...


razziatore wrote: iptables -m state --state ESTABLISHED,RELATED -j ACCEPT

This flag uses netfilter's generic matcher, which is still based on the conntrack module but is mainly meant to be used on the INPUT and OUTPUT chains:

CONFIG_NETFILTER_XT_MATCH_STATE:

Connection state matching allows you to match packets based on their
relationship to a tracked connection (ie. previous packets). This
is a powerful tool for packet classification.

To compile it as a module, choose M here. If unsure, say N.

Symbol: NETFILTER_XT_MATCH_STATE [=y]
Type : tristate
Prompt: "state" match support
Defined at net/netfilter/Kconfig:1010
Depends on: NET [=y] && INET [=y] && NETFILTER [=y] && NETFILTER_XTABLES [=y] && NF_CONNTRACK [=y]
Location:
  -> Networking support (NET [=y])
    -> Networking options
      -> Network packet filtering framework (Netfilter) (NETFILTER [=y])
        -> Core Netfilter Configuration
          -> Netfilter Xtables support (required for ip_tables) (NETFILTER_XTABLES [=y])
razziatore wrote: iptables -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

This flag uses one of the many sub-functions of the conntrack module (ctstate) and therefore inherits all of its functionality.

The concrete difference, then, is that with the second one you can match traffic in a more advanced way (on "NAT gateways with multiple internet links or tunnels"), by combining it with, and taking advantage of, all the flags of the conntrack module:

CONFIG_NETFILTER_XT_MATCH_CONNTRACK:

This is a general conntrack match module, a superset of the state match.

It allows matching on additional conntrack information, which is
useful in complex configurations, such as NAT gateways with multiple
internet links or tunnels.

To compile it as a module, choose M here. If unsure, say N.

Symbol: NETFILTER_XT_MATCH_CONNTRACK [=y]
Type : tristate
Prompt: "conntrack" connection tracking match support
Defined at net/netfilter/Kconfig:715
Depends on: NET [=y] && INET [=y] && NETFILTER [=y] && NETFILTER_XTABLES [=y] && NF_CONNTRACK [=y]
Location:
  -> Networking support (NET [=y])
    -> Networking options
      -> Network packet filtering framework (Netfilter) (NETFILTER [=y])
        -> Core Netfilter Configuration
          -> Netfilter Xtables support (required for ip_tables) (NETFILTER_XTABLES [=y])
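The difference the reply describes, shown as an added example that is not part of the original thread: a two-uplink NAT gateway ruleset in iptables-restore format. For the rule in the question the two matches are interchangeable (the Kconfig text quoted above calls conntrack a superset of state, and current iptables releases implement -m state with the same conntrack match code). What -m conntrack adds is matching on the original, pre-NAT tuple (--ctorigdst, --ctorigdstport) and the virtual SNAT/DNAT states, which -m state cannot express. Interface names, addresses and the helper names (ruleset_state, ruleset_conntrack_gateway, rule_needs_conntrack_match, count_conntrack_only_rules) are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example, not from the original thread. Assumed layout: eth0 = LAN
# 192.168.1.0/24, eth1 = ISP A (203.0.113.10), eth2 = ISP B (198.51.100.10),
# internal server 192.168.1.20.
set -eu

# 1) For the rule in the question the two matches are interchangeable;
#    -m state only knows INVALID, NEW, ESTABLISHED, RELATED, UNTRACKED.
ruleset_state() {
  cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# 2) What the conntrack superset adds on a two-uplink NAT gateway: the
#    original (pre-NAT) tuple and the virtual DNAT/SNAT states.
ruleset_conntrack_gateway() {
  cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Forward 443 on ISP A's address to the server (no -i, so LAN clients
# that use the public address are redirected as well).
-A PREROUTING -d 203.0.113.10 -p tcp --dport 443 -j DNAT --to-destination 192.168.1.20:8443
# Hairpin NAT: DNATed connections from the LAN back into the LAN must be
# source-NATed, otherwise the server answers the client directly.
-A POSTROUTING -s 192.168.1.0/24 -o eth0 -m conntrack --ctstate DNAT -j MASQUERADE
-A POSTROUTING -o eth1 -j SNAT --to-source 203.0.113.10
-A POSTROUTING -o eth2 -j SNAT --to-source 198.51.100.10
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# After DNAT the packet is addressed to 192.168.1.20:8443, so -d/--dport
# cannot tell which public address it was sent to; the original tuple can.
-A FORWARD -o eth0 -d 192.168.1.20 -p tcp --dport 8443 -m conntrack --ctstate NEW --ctproto tcp --ctorigdst 203.0.113.10 --ctorigdstport 443 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i eth0 -o eth2 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Does one rule rely on something only -m conntrack provides, i.e. would
# rewriting it as "-m state --state ..." be rejected by iptables?
rule_needs_conntrack_match() {
  local rule=" $1 " states=""
  case "$rule" in
    *" --ctorig"*|*" --ctrepl"*|*" --ctproto "*|*" --ctdir "*|*" --ctstatus "*|*" --ctexpire "*)
      return 0 ;;
  esac
  # SNAT/DNAT are virtual states that only --ctstate knows about.
  states=$(printf '%s\n' "$rule" | sed -n 's/.* --ctstate \([^ ]*\).*/\1/p')
  case ",$states," in
    *,SNAT,*|*,DNAT,*) return 0 ;;
  esac
  return 1
}

# Count the rules (-A lines) of a ruleset read on stdin that need the
# conntrack match; every other rule could be written with either match.
count_conntrack_only_rules() {
  local n=0 line=""
  while IFS= read -r line; do
    case "$line" in
      -A*) if rule_needs_conntrack_match "$line"; then n=$((n + 1)); fi ;;
    esac
  done
  echo "$n"
}

# Dry run: print the gateway ruleset and report how many of its rules the
# plain state match could not express. Apply with: ... | iptables-restore
ruleset_conntrack_gateway
printf '# rules needing -m conntrack: %s\n' \
  "$(ruleset_conntrack_gateway | count_conntrack_only_rules)"
```

The classifier is purely textual and only tells you which rules would stop parsing if you swapped the match; it is no substitute for loading the ruleset with iptables-restore --test on the gateway itself.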


