
I would like to know what the following iptables rule does exactly? Why is it needed?

ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
quanta
Sangfroid

2 Answers


The ESTABLISHED state will allow all packets that are part of an existing connection to pass. The RELATED state allows new secondary connections to be made that are related to an existing connection. This would, for example, allow an FTP data transfer where the control connection is on port 21 and the data port is negotiated by the protocol.

user9517

It's a little bit more complex than some of the comments above suggest.

state ESTABLISHED does mean "once the connection is open, let the rest of the packets through", though it should be noted that "connection" here is defined by synchronicity: packets travelling between one known address/port pair and another known address/port pair are defined as "ESTABLISHED". The famous three-way TCP handshake doesn't enter into it.

state RELATED seems to be cargo-culted in by a lot of people without really understanding what it does. It usually includes ICMP traffic related to an existing connection (attempt), like ICMP-host-administratively-unreachable packets coming back from a firewall that's blocking your connection request to a forbidden box.

But there is also a group of kernel modules, such as nf_conntrack_ftp, that dynamically expand the definition of RELATED traffic as they are loaded (that particular one performs layer-4 examination of ftp control-channel traffic, looks for DATA statements that warn of the imminent opening of a DATA channel, and matches those packets when they arrive).

Unless you know that you need it, I recommend not allowing RELATED traffic generically, but instead restricting RELATED statements to traffic you know you want, with e.g. -p icmp.

MadHatter
  • Actually the connection tracking code for TCP checks sequence numbers, and packets with known address/port pair but wrong sequence numbers will be classified as INVALID instead of ESTABLISHED. See [this question](http://serverfault.com/q/309691/63156) for an example of actual problems related to this conntrack behavior (basically, when doing NAT, the `-m state --state INVALID -j DROP` rule in the `INPUT` chain is **required**). – Sergey Vlasov Oct 20 '11 at 18:03
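Putting both answers and the comment above together, here is an added example (not code from the question or either answer) of an INPUT chain that accepts ESTABLISHED traffic, narrows RELATED to the two cases actually wanted (ICMP errors and FTP data connections tagged by the nf_conntrack_ftp helper), and drops INVALID before anything else. It assumes a host that only serves SSH and FTP; the `ipt` wrapper and the `DRY_RUN` switch are this example's own additions so the ruleset can be previewed without root. `-m conntrack --ctstate` is the current spelling of the `-m state --state` match in the question and accepts the same state names.

```shell
#!/bin/sh
# Stateful INPUT policy assembled from the answers above (added example).
# Run as root to apply:  sh fw.sh apply
# Preview without root:  DRY_RUN=1 sh fw.sh apply
set -eu

IPT="${IPT:-iptables}"
DRY_RUN="${DRY_RUN:-0}"

# Wrapper: print the command in dry-run mode, otherwise execute it.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s %s\n' "$IPT" "$*"
    else
        "$IPT" "$@"
    fi
}

apply_input_rules() {
    ipt -P INPUT DROP
    ipt -F INPUT

    # Local services talk to themselves over lo; allow it up front.
    ipt -A INPUT -i lo -j ACCEPT

    # Conntrack classifies packets it cannot fit into a tracked flow
    # (wrong TCP sequence numbers, stray ACKs, late fragments) as INVALID,
    # not ESTABLISHED. Drop them explicitly and before anything else so
    # they never fall through to a later ACCEPT (the NAT problem from the
    # comment above).
    ipt -A INPUT -m conntrack --ctstate INVALID -j DROP

    # Replies for connections this host opened, or that the NEW rules
    # below admitted. This is the ESTABLISHED half of the rule in the question.
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT

    # RELATED, restricted to ICMP: destination-unreachable, time-exceeded
    # and similar errors that refer to a tracked connection.
    ipt -A INPUT -p icmp -m conntrack --ctstate RELATED -j ACCEPT

    # RELATED for FTP data channels only. nf_conntrack_ftp reads the
    # port-21 control channel and creates an expectation for the negotiated
    # data connection; '-m helper --helper ftp' accepts only packets that
    # the ftp helper tagged, not every RELATED TCP packet.
    ipt -A INPUT -p tcp -m conntrack --ctstate RELATED -m helper --helper ftp -j ACCEPT

    # Kernels with net.netfilter.nf_conntrack_helper=0 (the default since
    # 4.7) no longer attach helpers automatically; assign the ftp helper to
    # the control channel explicitly in the raw table.
    ipt -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp

    # Allow-list of services that may receive NEW connections.
    ipt -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
    ipt -A INPUT -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
}

# Emit the ruleset as text without touching the kernel (subshell keeps
# the caller's DRY_RUN untouched). Useful for review and for checks.
dry_run_rules() {
    ( DRY_RUN=1; apply_input_rules )
}

# Only apply when explicitly asked, so sourcing or linting the file is safe.
if [ "${1:-}" = "apply" ]; then
    apply_input_rules
fi
```

Rule order matters: the INVALID drop must sit above the ESTABLISHED accept, and there is deliberately no blanket `--ctstate RELATED,ESTABLISHED` line. If the host does not serve FTP, delete the two FTP rules and do not load nf_conntrack_ftp at all; the helper is a packet parser running in the kernel and has no reason to be present on a host that does not need it.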