The former rule employs connection tracking, the latter does not. The connection tracking entries are needed for the reply packets to get through. When the connection tracking system allows a packet in that establishes a connection or logical association, an automatic, temporary reflexive rule is created to allow the reply packets out.
The first question is what is conntrack. This is the website for conntrack-tools. With that in mind what does state do?
The State Match
The most useful match criterion is supplied by the state' extension,
which interprets the connection-tracking analysis of the
ip_conntrack' module. This is highly recommended.
Specifying -m state' allows an additional--state' option, which is
a comma-separated list of states to match (the `!' flag indicates not
to match those states). These states are:
NEW A packet which creates a new connection.
ESTABLISHED A packet which belongs to an existing connection (i.e., a
reply packet, or outgoing packet on a connection which has seen
replies).
RELATED A packet which is related to, but not part of, an existing
connection, such as an ICMP error, or (with the FTP module inserted),
a packet establishing an ftp data connection.
INVALID A packet which could not be identified for some reason: this
includes running out of memory and ICMP errors which don't correspond
to any known connection. Generally these packets should be dropped.
An example of this powerful match extension would be:
# iptables -A FORWARD -i ppp0 -m state ! --state NEW -j DROP
Firewall questions about state and policy?
So, to answer the question, conntrack is for use with the conntrack toolkit and supersedes state in this regard. It is better than state if you are planning on using the conntrack tool kit.
Connection tracking is on for traffic flows, it constantly tries to match flows to rules.
The answer that follows for question 2 is, yes, use conntrack
To answer question 3, which case? The answer for state is in the definition above.
The answer to 4 is, conntrack is for use with the conntrack toolkit, and state, for not using the toolkit. Yes, you can use conntrack at no penalty over using state with your example.
Best Answer
Both use same kernel internals underneath (connection tracking subsystem).
Header of xt_conntrack.c:
So I would say -- state module is simpler (and maybe less error prone). It's also longer in kernel. Conntrack on the other side has more options and features[1].
My call is to use conntrack if you need it's features, otherwise stick with state module.
Similar question on netfilter maillist.
[1] Quite useful like "-m conntrack --ctstate DNAT -j MASQUERADE" routing/DNAT fixup ;-)