This module, when combined with connection tracking, allows access to
more connection tracking information than the "state" match.
(This module is present only if iptables was compiled under a kernel
supporting this feature.)
.TP
.BI "--ctstate " "state"
Where state is a comma-separated list of the connection states to
match.  Possible states are
.B INVALID
meaning that the packet is associated with no known connection,
.B ESTABLISHED
meaning that the packet is associated with a connection which has seen
packets in both directions,
.B NEW
meaning that the packet has started a new connection, or is otherwise
associated with a connection which has not seen packets in both
directions, and
.B RELATED
meaning that the packet is starting a new connection, but is
associated with an existing connection, such as an FTP data transfer
or an ICMP error.
.B SNAT
A virtual state, matching if the original source address differs from
the reply destination.
.B DNAT
A virtual state, matching if the original destination differs from the
reply source.
.TP
.BI "--ctproto " "proto"
Protocol to match (by number or name)
.TP
.BI "--ctorigsrc " "[!] \fIaddress\fP[/\fImask\fP]"
Match against original source address
.TP
.BI "--ctorigdst " "[!] \fIaddress\fP[/\fImask\fP]"
Match against original destination address
.TP
.BI "--ctreplsrc " "[!] \fIaddress\fP[/\fImask\fP]"
Match against reply source address
.TP
.BI "--ctrepldst " "[!] \fIaddress\fP[/\fImask\fP]"
Match against reply destination address
.TP
.BI "--ctstatus " "[\fINONE|EXPECTED|SEEN_REPLY|ASSURED\fP][,...]"
Match against internal conntrack states
.TP
.BI "--ctexpire " "\fItime\fP[\fI:time\fP]"
Match remaining lifetime in seconds against given value
or range of values (inclusive)
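As an added example (not part of the iptables man page), the following shell function builds a minimal stateful ruleset from the options above: INVALID is dropped first, ESTABLISHED/RELATED takes the fast path, NEW is admitted per service, the DNAT virtual state together with --ctreplsrc confines forwarded traffic to flows that really went through the DNAT rule, and --ctorigsrc restricts outbound flows by their original source. WAN_IF, LAN_NET and DMZ_HOST are constructed placeholder values.

```shell
#!/bin/sh
# Added example, not part of the iptables man page: a minimal stateful
# ruleset built from the conntrack match options documented above.
# WAN_IF, LAN_NET and DMZ_HOST are constructed placeholder values.
IPTABLES="${IPTABLES:-iptables}"
WAN_IF="${WAN_IF:-eth0}"
LAN_NET="${LAN_NET:-192.0.2.0/24}"   # constructed: internal network
DMZ_HOST="${DMZ_HOST:-192.0.2.10}"   # constructed: DNAT target

# conntrack_rules prints one iptables command per line.  Review the
# output, then pipe it to "sh" as root to apply it; printing instead of
# executing keeps the function testable on a host without the module.
conntrack_rules() {
    # 1. Packets conntrack cannot tie to any flow (bad TCP flags,
    #    out-of-window segments, stray replies) are dropped first.
    echo "$IPTABLES -A INPUT -m conntrack --ctstate INVALID -j DROP"
    echo "$IPTABLES -A FORWARD -m conntrack --ctstate INVALID -j DROP"
    # 2. Flows already accepted, plus helper-expected ones such as FTP
    #    data or ICMP errors, take the fast path.
    echo "$IPTABLES -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "$IPTABLES -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # 3. NEW flows are only admitted for services we mean to expose.
    echo "$IPTABLES -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT"
    # 4. Port-forward WAN:80 to the DMZ host in nat/PREROUTING ...
    echo "$IPTABLES -t nat -A PREROUTING -i $WAN_IF -p tcp --dport 80 -j DNAT --to-destination $DMZ_HOST:80"
    # ... and in FORWARD admit only flows that really were DNATed there:
    #    the DNAT virtual state proves the packet passed the rule above,
    #    and the reply source (--ctreplsrc) is the post-DNAT address.
    echo "$IPTABLES -A FORWARD -i $WAN_IF -p tcp --dport 80 -m conntrack --ctstate DNAT --ctreplsrc $DMZ_HOST -j ACCEPT"
    # 5. Only flows that originated inside the LAN may leave via WAN;
    #    --ctorigsrc matches the flow's original source tuple rather
    #    than whatever the current packet header says.
    echo "$IPTABLES -A FORWARD -o $WAN_IF -m conntrack --ctstate NEW --ctorigsrc $LAN_NET -j ACCEPT"
    # 6. Everything else is dropped by chain policy.
    echo "$IPTABLES -P INPUT DROP"
    echo "$IPTABLES -P FORWARD DROP"
}
```

Rule order matters: the INVALID drop must precede the ESTABLISHED,RELATED accept, otherwise malformed packets that conntrack rejects never reach it.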