Could somebody explain to me why this works:

    administrador@ubuntu:~$ sudo iptables -L INPUT
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:www state NEW,ESTABLISHED
    REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

and this doesn't:

    administrador@ubuntu:~$ sudo iptables -L INPUT
    target     prot opt source               destination
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:www
    REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
I'd rather say that the second rule is more restrictive; the firewall has to check the state of every packet, so why, when I want to check web server availability, doesn't the second option work? I mean the machine can't connect to the server.
Best Answer
The former rule employs connection tracking, the latter does not. The connection tracking entries are needed for the reply packets to get through. When the connection tracking system allows a packet in that establishes a connection or logical association, an automatic, temporary reflexive rule is created to allow the reply packets out.
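As an added illustration of the answer (not part of the original post), here is a stateful INPUT chain of the kind it describes: the rule admitting packets that belong to a connection conntrack already knows about goes first, new connections are only accepted for port 80, and the final REJECT mirrors the question's rule set. The function prints the rules by default (dry run) and applies them when called with `sudo`; it assumes the `conntrack` match module is available, which it is on any recent Linux kernel.

```shell
#!/bin/sh
# Stateful INPUT chain for a web server, built from the rules discussed above.
# Usage: web_server_rules echo   -> print the rules (dry run, default)
#        web_server_rules sudo   -> apply them (assumes iptables + conntrack match)
web_server_rules() {
    run=${1:-echo}   # command prefix placed in front of every iptables call
    # 1. Reply and related packets of tracked connections: this is the rule
    #    that lets a server's (or client's) reply traffic back in.
    $run iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # 2. Loopback traffic is always local.
    $run iptables -A INPUT -i lo -j ACCEPT
    # 3. Only genuinely new TCP connections to the web port are admitted;
    #    every other inbound packet must already belong to a tracked flow.
    $run iptables -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
    # 4. Everything else is rejected, as in the question's listing.
    $run iptables -A INPUT -j REJECT --reject-with icmp-port-unreachable
}

web_server_rules "${1:-echo}"
```

After applying, `sudo conntrack -L` (from conntrack-tools) lists the tracked entries that rule 1 relies on, and `sudo iptables -L INPUT -v -n` shows which rule each packet matched.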