How can I allowing all established incoming connections without conntrack?

Question

I want to make my iptables accepted all stablished incoming connections, but I don't have conntrack in my system so I can't run:

sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT

It is possible to make it happened with something else?

AFAIK Without conntrack you don’t have a statefull firewall. Then you only have packet filter and you can’t manage connections with that. Load the modules or recompile your kernel to include the connection tracking support. — HBruijn, Aug 11 '22 at 08:46

Nikita Kipriyanov · Accepted Answer · 2022-08-23T18:34:21.697

0

No. This is impossible. The conntrack is the kernel service which permits things like this. The term "established connection" in the Netfilter is only defined by the conntrack module.

There was ancient "state" match which is now converged with conntrack, so even if you use iptables -m state it uses conntrack internally. For that old systems the following might help: an upgrade.

edited Aug 23 '22 at 18:34

answered Aug 23 '22 at 18:14

Nikita Kipriyanov

8,033
1
21
39

How can I allowing all established incoming connections without conntrack?

1 Answers1