Firewalls usually block all inbound connections (unless a port forward is set up, or the traffic is return traffic), and they usually allow all outbound traffic (unless we are in a very isolated, protected network). For the purpose of this article let's assume such a network: all inbound blocked except conntrack ESTABLISHED or RELATED traffic, and all outbound allowed. So traffic leaving the firewall has no issues, it just leaves. But how does return traffic get back to your PCs if the firewall blocks inbound connections? Because the firewall remembered that we started the connection, so it lets the replies back in (this memory of state is what makes it a stateful firewall). So how do we categorize and take care of return traffic?

This little command here (seen in almost all iptables configs; I bet it's in your pfSense or Netgear firewall config too):
# iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

This allows the return traffic to come back. Notice it allows ESTABLISHED or RELATED traffic. ESTABLISHED is our return traffic. RELATED covers traffic that belongs to a connection we already have but arrives on a different address/port tuple, which plain ESTABLISHED would not match: the classic case is FTP, where the server opens a separate data connection (from port 20 in active mode, or to a server-chosen high port in passive mode) after negotiating it over the port 21 control channel. Ideally the firewall should not let a connection on a new port in, but because we allow RELATED it works; note this only happens because the FTP conntrack helper (nf_conntrack_ftp) reads the control channel and marks the expected data connection as RELATED. ICMP error messages that refer to a tracked connection are also classified as RELATED.
From the linked reference (check it out, I will be referring to it), here is how it happens for a TCP connection:

We see that a TCP connection is classified as NEW at the firewall (where iptables is installed) when the first SYN packet goes out (outbound traffic is usually allowed, so that is not blocked either way). At the same time the firewall creates a conntrack entry, and if it is doing NAT, that entry also records which PC on the LAN the return traffic should go back to. The returning SYN/ACK matches the reply direction of that entry and is classified as ESTABLISHED, and so is every later packet in either direction, which is what lets the return traffic in.

Note that the ESTABLISHED,RELATED rule only decides whether the return traffic is allowed in through our router; it doesn't tell the packet which PC on the network to go to. That job is done by the NAT mapping created when the connection first left the router as NEW: the reply is translated back to the private address and port of the PC that originated it, and the filter rule then decides whether to let it through (if the conntrack rule dropped it, it would never reach the PC and the return traffic would not come through). Strictly speaking, a rule in the INPUT chain only covers traffic addressed to the firewall itself; replies destined for PCs behind it pass through the FORWARD chain, which needs the same ESTABLISHED,RELATED rule.


Above we see how a connection goes from ESTABLISHED to closed. Note that CLOSED is an internal TCP tracking state, not something you can match with --ctstate: once the FIN or RST exchange has been seen (and a short timeout has passed), conntrack forgets the connection, so any further packets for it no longer match ESTABLISHED or RELATED and are treated as INVALID or NEW, which our inbound rules do not allow in. That is the point at which the connection is stopped/closed/finished.

In that link you can also see how the states work for UDP and ICMP traffic. We allow all NEW outbound connections to start and leave the firewall; we also allow ESTABLISHED and RELATED traffic to return. Then two-way traffic can flow without issue as ESTABLISHED.
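To make those state transitions concrete, here is a small Python model of what the firewall does with each packet. It is an added, constructed example and not iptables or nf_conntrack code: it simplifies the real TCP tracker (no sequence-number checks, no timeouts, SNAT keeps the original source port) and assumes a LAN of 192.168.1.0/24 behind a firewall whose public address is 203.0.113.5, talking to a made-up web server at 93.184.216.34. It walks the cases from the paragraphs above: the outbound SYN that is NEW and creates the conntrack/NAT entry, the SYN/ACK that comes back as ESTABLISHED and is steered to the right PC, an unsolicited inbound SYN that is NEW and dropped, an ICMP error that is RELATED, and a late packet after the FIN exchange that is INVALID.

```python
"""Toy model of a stateful NAT firewall. Added example, not nf_conntrack code.
Assumed/constructed: LAN 192.168.1.0/24 behind WAN address 203.0.113.5. It skips
TCP sequence checks and timeouts, and SNAT keeps the source port."""
from dataclasses import dataclass, field
from typing import Optional, Tuple

Tuple5 = Tuple[str, str, int, str, int]   # (proto, src, sport, dst, dport)
LAN_PREFIX = "192.168.1."                  # assumed private network
WAN_IP = "203.0.113.5"                     # assumed public address of the firewall


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()          # TCP flags, e.g. {"SYN"}
    quoted: Optional[Tuple5] = None        # ICMP error: tuple of the packet it quotes

    @property
    def tuple5(self) -> Tuple5:
        return (self.proto, self.src, self.sport, self.dst, self.dport)


@dataclass
class Entry:
    orig: Tuple5       # packet as the LAN host sent it
    orig_nat: Tuple5   # same packet after SNAT, as the internet sees it
    reply: Tuple5      # the server's reply as it arrives on the WAN side
    fins: set = field(default_factory=set)
    closed: bool = False


class Firewall:
    def __init__(self) -> None:
        self.conntrack = {}   # every tuple an entry can be looked up by -> Entry

    def classify(self, pkt: Packet) -> str:
        # What '-m conntrack --ctstate' would see for this packet.
        ent = self.conntrack.get(pkt.tuple5)
        if ent is not None:
            return "INVALID" if ent.closed else "ESTABLISHED"
        if pkt.proto == "icmp" and pkt.quoted is not None:
            parent = self.conntrack.get(pkt.quoted)
            if parent is not None and not parent.closed:
                return "RELATED"          # ICMP error about a connection we track
        if pkt.proto == "tcp" and pkt.flags != frozenset({"SYN"}):
            return "INVALID"              # an untracked TCP flow may only start with SYN
        return "NEW"

    def _track_new(self, pkt: Packet) -> Entry:
        # Create the conntrack entry; the NAT mapping is part of the same entry.
        nat = (pkt.proto, WAN_IP, pkt.sport, pkt.dst, pkt.dport)
        reply = (pkt.proto, pkt.dst, pkt.dport, WAN_IP, pkt.sport)
        ent = Entry(pkt.tuple5, nat, reply)
        for key in (ent.orig, ent.orig_nat, ent.reply):
            self.conntrack[key] = ent
        return ent

    def _note_tcp_close(self, pkt: Packet, ent: Entry) -> None:
        # RST, or a FIN from each side, tears the connection down.
        if "RST" in pkt.flags:
            ent.closed = True
        elif "FIN" in pkt.flags:
            ent.fins.add(pkt.tuple5 == ent.reply)   # which side sent the FIN
            ent.closed = len(ent.fins) == 2

    def handle(self, pkt: Packet) -> str:
        """Article's policy: LAN may open anything; from the WAN only
        ESTABLISHED/RELATED gets in (no port forwards). Returns a verdict."""
        state = self.classify(pkt)
        if pkt.src.startswith(LAN_PREFIX):                       # outbound
            if state == "NEW":
                ent = self._track_new(pkt)
            elif state == "ESTABLISHED":
                ent = self.conntrack[pkt.tuple5]
            else:
                return f"{state} DROP"
            if pkt.proto == "tcp":
                self._note_tcp_close(pkt, ent)
            return f"{state} ACCEPT snat->{WAN_IP}:{pkt.sport}"
        if state not in ("ESTABLISHED", "RELATED"):              # inbound
            return f"{state} DROP"
        ent = self.conntrack[pkt.tuple5 if state == "ESTABLISHED" else pkt.quoted]
        if pkt.proto == "tcp":
            self._note_tcp_close(pkt, ent)
        return f"{state} ACCEPT dnat->{ent.orig[1]}:{ent.orig[2]}"  # to the originating PC


def scenario() -> list:
    """Replay the packets the article talks about and return each verdict."""
    fw, pc, srv = Firewall(), "192.168.1.10", "93.184.216.34"
    syn, synack, ack, fin = (frozenset(s) for s in
                             ({"SYN"}, {"SYN", "ACK"}, {"ACK"}, {"FIN", "ACK"}))
    return [
        fw.handle(Packet("tcp", pc, 40000, srv, 80, syn)),            # NEW: tracked + SNAT'd
        fw.handle(Packet("tcp", srv, 80, WAN_IP, 40000, synack)),     # reply: ESTABLISHED, de-NAT'd to pc
        fw.handle(Packet("tcp", "198.51.100.7", 5555, WAN_IP, 22, syn)),  # unsolicited SYN: NEW, dropped
        fw.handle(Packet("tcp", "198.51.100.7", 5555, WAN_IP, 22, ack)),  # stray ACK: INVALID, dropped
        fw.handle(Packet("icmp", "198.51.100.1", 0, WAN_IP, 0,            # ICMP error quoting our SYN
                         quoted=("tcp", WAN_IP, 40000, srv, 80))),        # as the internet saw it: RELATED
        fw.handle(Packet("tcp", pc, 40000, srv, 80, fin)),            # PC sends FIN
        fw.handle(Packet("tcp", srv, 80, WAN_IP, 40000, fin)),        # server sends FIN: entry closed
        fw.handle(Packet("tcp", srv, 80, WAN_IP, 40000, ack)),        # late packet: INVALID, dropped
    ]
```

Run scenario() and you get, in order: the SYN accepted as NEW and SNAT'd, the SYN/ACK accepted as ESTABLISHED and translated back to 192.168.1.10, the unsolicited SYN dropped as NEW, the stray ACK dropped as INVALID, the ICMP error accepted as RELATED, the two FINs accepted as ESTABLISHED, and the late ACK dropped as INVALID because the entry is gone. The one design point worth noticing is that the NAT mapping and the state live in the same entry, which is exactly why the ESTABLISHED rule and the "which PC does this go to" question are answered by the same lookup.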

SIDENOTE: you might notice that the iptables module used to keep track is -m conntrack, but there is another module called state, used with -m state. They are practically identical and you can use either. I'd say it's better to use conntrack because it's newer and supersedes state (the state match is obsolete but still widely used; on current kernels it is just a thin wrapper around conntrack). The difference between them is mostly the option name: state takes --state with the same state names (NEW, ESTABLISHED, RELATED, INVALID), while conntrack takes --ctstate and additionally offers matches on other properties of the connection, such as its original source and destination.


  • Most firewalls allow all traffic out; when traffic leaves, conntrack records a state entry and, with NAT, the address translation for it
  • Most firewalls block all inbound traffic
    • they only allow in what is port forwarded or port triggered
    • allow in conntrack ESTABLISHED: return traffic is allowed in
    • allow in conntrack RELATED: traffic belonging to a related connection (FTP data channels, ICMP errors) is allowed in (see above)
  • conntrack keeps track of the states and we only accept ESTABLISHED and RELATED inbound. (The full list of --ctstate values is NEW, ESTABLISHED, RELATED, INVALID, UNTRACKED, SNAT and DNAT; CLOSED is an internal TCP tracking state, not something the rule can match.)
  • When the traffic is returned, it is allowed in by that iptables rule (conntrack ESTABLISHED or RELATED), but how does it know which PC in the network to go to? It uses the NAT mapping in the conntrack entry, which records which local PC the connection came from


 – End of Sandwich
