So, iptables basically remembers the port number that was used for the outgoing packet (what else could it remember for a UDP packet?),
I am pretty sure for UDP the source and destination ports and addresses are stored.
If you want to inspect the state tables install conntrack and/or netstat-nat.
(What would happen, if I accidentally tried to start a service on that port within the timeframe - would that attempt be denied/blocked?)
Since you are using OUTPUT and INPUT, you are talking about local services. The port is already used; I don't believe your system will allow you to start up another service, since something is already listening on that port. I guess you could stop the first service and start another if you really wanted to, though; in that case the response would probably get to your service. What the service does with the packet depends on what the contents of the packet are, and what service it is.
The first question is what conntrack is. This is the website for conntrack-tools. With that in mind, what does state do?
The State Match

The most useful match criterion is supplied by the `state' extension, which interprets the connection-tracking analysis of the `ip_conntrack' module. This is highly recommended.

Specifying `-m state' allows an additional `--state' option, which is a comma-separated list of states to match (the `!' flag indicates not to match those states). These states are:

NEW - A packet which creates a new connection.

ESTABLISHED - A packet which belongs to an existing connection (i.e., a reply packet, or outgoing packet on a connection which has seen replies).

RELATED - A packet which is related to, but not part of, an existing connection, such as an ICMP error, or (with the FTP module inserted), a packet establishing an ftp data connection.

INVALID - A packet which could not be identified for some reason: this includes running out of memory and ICMP errors which don't correspond to any known connection. Generally these packets should be dropped.

An example of this powerful match extension would be:

# iptables -A FORWARD -i ppp0 -m state ! --state NEW -j DROP
Firewall questions about state and policy?
So, to answer the question, conntrack is for use with the conntrack toolkit and supersedes state in this regard. It is better than state if you are planning on using the conntrack toolkit.
Connection tracking is on for traffic flows, it constantly tries to match flows to rules.
The answer that follows for question 2 is: yes, use conntrack.
To answer question 3, which case? The answer for state is in the definition above.
The answer to 4 is, conntrack is for use with the conntrack toolkit, and state, for not using the toolkit. Yes, you can use conntrack at no penalty over using state with your example.
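As an added illustration (not code from this thread or from netfilter itself) of the two points made above: conntrack keys a UDP flow on its address/port 4-tuple and recognises the reply by looking up the reversed tuple, and a packet is ESTABLISHED only in the reply direction or once the flow has seen a reply, otherwise it is NEW. The addresses, ports and packet times are constructed; the 30 s unreplied / 120 s replied timeouts mirror the kernel's UDP defaults but are plain parameters here.

```python
from dataclasses import dataclass
from typing import Dict, Tuple

Tuple4 = Tuple[str, int, str, int]  # (src addr, src port, dst addr, dst port)


@dataclass
class Entry:
    last_seen: float
    seen_reply: bool = False  # set once a packet arrives in the reverse direction


class ConntrackTable:
    """Toy model of the conntrack table for UDP (assumed behaviour, not kernel code)."""

    def __init__(self, unreplied_timeout: float = 30.0, replied_timeout: float = 120.0):
        self.unreplied_timeout = unreplied_timeout
        self.replied_timeout = replied_timeout
        self.table: Dict[Tuple4, Entry] = {}  # keyed on the original direction only

    def _expire(self, now: float) -> None:
        # Entries that have not seen traffic within their timeout are forgotten.
        for key, e in list(self.table.items()):
            limit = self.replied_timeout if e.seen_reply else self.unreplied_timeout
            if now - e.last_seen > limit:
                del self.table[key]

    def classify(self, src: str, sport: int, dst: str, dport: int, now: float) -> str:
        """Return the `--state` name this packet would match."""
        self._expire(now)
        orig = (src, sport, dst, dport)
        reply = (dst, dport, src, sport)
        if reply in self.table:  # reverse direction of a known flow: the response
            e = self.table[reply]
            e.last_seen, e.seen_reply = now, True
            return "ESTABLISHED"
        if orig in self.table:  # same direction as the first packet (e.g. a retransmit)
            e = self.table[orig]
            e.last_seen = now
            return "ESTABLISHED" if e.seen_reply else "NEW"
        self.table[orig] = Entry(now)  # first packet of a flow creates the entry
        return "NEW"


def demo() -> Tuple[str, ...]:
    """Constructed DNS-style exchange: query, retransmit, reply, follow-up, late reply."""
    ct = ConntrackTable()
    client, server = ("192.0.2.10", 40000), ("198.51.100.53", 53)
    out = lambda t: ct.classify(*client, *server, t)   # client -> server
    back = lambda t: ct.classify(*server, *client, t)  # server -> client
    return (out(0.0), out(1.0), back(1.5), out(2.0), back(200.0))
```

The final server-to-client packet arrives after the 120 s replied timeout has expired the entry, so it is NEW again rather than ESTABLISHED; that is the "timeframe" the question refers to.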
Best Answer
Connection tracking is an on/off switch; you cannot selectively disable it for some kind of traffic. You should increase the number of connections tracked via the various nf_conntrack_max options under /proc/sys/net. You can also consider enabling syncookies to reduce congestion effects.

Edit: It seems that iptables with -j NOTRACK allows you to disable connection tracking selectively.