Lead Engineer @ Packetware
Understanding Connection States in Networking: NEW, ESTABLISHED, and RELATED in the Context of IPTables, TCP, and FTP
TCP (Transmission Control Protocol) is a fundamental component of internet communication, providing reliable and ordered data delivery between devices. The TCP header carries control flags that describe the connection as each endpoint sees it. Three are particularly relevant here: SYN (Synchronize), ACK (Acknowledgment), and RST (Reset). One thing to keep straight from the start: the NEW, ESTABLISHED, and RELATED states that iptables matches on are not TCP flags. They are assigned by the kernel's connection-tracking subsystem (conntrack), which watches the flags and the traffic in both directions and keeps a table of the connections it has seen. The flags are evidence conntrack uses; the state is its conclusion.
NEW Connection:
A packet is in the "NEW" state when conntrack has no entry for its connection and this packet would create one. For a well-behaved TCP client that is the first packet of the three-way handshake, with the SYN flag set and the ACK flag clear, signalling the client's intent to open a connection. Conntrack does not check the flags for you, though: with the default nf_conntrack_tcp_loose=1, a stray mid-stream packet carrying only ACK, for which no entry exists, is also classed NEW (this lets a firewall pick up connections that were open before it booted). That is why rulesets commonly pair the NEW state match with the --syn flag match and drop NEW packets that are not a bare SYN.
ESTABLISHED Connection:
A connection is "ESTABLISHED" once conntrack has seen traffic in both directions. For TCP that happens at the server's SYN-ACK reply to the client's SYN: the SYN-ACK itself and every later packet of the connection, in either direction, match ESTABLISHED. Note that those later packets do not carry SYN and ACK together; SYN+ACK appears only in the server's second handshake packet, and after the handshake the SYN flag is clear and only ACK (with data, or FIN at teardown) is set. An RST ends the conversation, and conntrack drops a tracked entry shortly after seeing a valid RST.
RELATED Connection:
A "RELATED" connection state is broader and is not derived from TCP flags at all. It is assigned to a packet that starts a new connection which conntrack was told to expect: a protocol helper (for FTP, the nf_conntrack_ftp module) parses an existing tracked connection, learns the addresses and ports of a connection that is about to be opened, and registers an "expectation" for it. When the first packet of that connection arrives, it matches the expectation and is classed RELATED instead of NEW. ICMP error messages that refer to a tracked connection are RELATED as well. FTP needs this because it uses two kinds of connection: a control connection on port 21 and a separate data connection per transfer, whose port is negotiated over the control channel and cannot be known by a static rule in advance.
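To make the expectation mechanism concrete, here is an added example (not code from this post, and not the kernel helper's own code) that does in POSIX shell the parsing step nf_conntrack_ftp performs: it reads a client PORT command or a server 227 reply to PASV from the control channel and prints the address and port the helper would register as the expected data connection. The control-channel lines are constructed samples, not a capture.

```shell
#!/bin/sh
# Added example: the address/port extraction that the FTP conntrack helper
# performs on the control channel to register an "expectation" for the
# data connection. Not the kernel's code; sample lines below are constructed.

# ftp_data_tuple LINE
# LINE is one control-channel line: a client "PORT h1,h2,h3,h4,p1,p2"
# command (active mode) or a server "227 ... (h1,h2,h3,h4,p1,p2)" reply
# to PASV (passive mode). Prints "h1.h2.h3.h4 port" of the data connection
# conntrack should expect, or returns 1 if the line carries no such tuple.
ftp_data_tuple() {
  line=$1
  case $line in
    PORT\ *) nums=${line#PORT } ;;                   # active: client says where the server must connect
    227\ *)  nums=${line#*\(}; nums=${nums%%\)*} ;;  # passive: server says where the client must connect
    *)       return 1 ;;
  esac
  nums=$(printf '%s' "$nums" | tr -d ' \r\n')
  old_ifs=$IFS; IFS=,
  set -- $nums      # split the six decimal fields into $1..$6
  IFS=$old_ifs
  [ $# -eq 6 ] || return 1
  case "$1$2$3$4$5$6" in *[!0-9]*|'') return 1 ;; esac   # every field must be decimal
  for field in "$1" "$2" "$3" "$4" "$5" "$6"; do
    [ "$field" -le 255 ] || return 1                     # each field is one byte
  done
  # FTP encodes the port as two bytes: p1*256 + p2
  printf '%s.%s.%s.%s %d\n' "$1" "$2" "$3" "$4" $(( $5 * 256 + $6 ))
}

# Constructed sample control-channel lines (not from a real capture).
demo() {
  for l in 'PORT 10,0,0,5,4,1' \
           '227 Entering Passive Mode (192,168,1,10,195,80).' \
           'USER alice'; do
    if out=$(ftp_data_tuple "$l"); then
      printf 'expect data connection to %s  (from: %s)\n' "$out" "$l"
    else
      printf 'no expectation                       (from: %s)\n' "$l"
    fi
  done
}
demo
```

The PORT line yields 10.0.0.5 port 1025 (4*256+1) and the 227 reply yields 192.168.1.10 port 50000 (195*256+80); the USER line produces no expectation. The kernel helper does the same arithmetic, then waits for a SYN to exactly that tuple from the peer of the control connection, and classes that SYN RELATED. Two consequences follow directly: the helper can only parse a control channel it can read, so FTP over TLS (FTPS) defeats it, and the helper must validate these fields strictly, since they come from the remote side.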
Integration of Connection States in FTP
IPTables, the classic Linux firewall front end, filters packets statefully by consulting the kernel's connection-tracking subsystem (conntrack). It relies on connection states to make intelligent decisions about packet filtering and forwarding, and a small stateful ruleset replaces the long port lists a stateless filter would need. The integration of connection states becomes especially significant when dealing with complex protocols like FTP.
Consider an FTP session, which involves a control connection for commands and a separate data connection for each file transfer or directory listing, on a port negotiated over the control channel. Here's how IPTables integrates connection states for FTP:
Control Connection (NEW/ESTABLISHED):
- The initial packet from the client to the FTP server (port 21) has the SYN flag set and the ACK flag unset. Conntrack has no entry for it, so IPTables sees it as a "NEW" connection attempt; a rule accepting NEW traffic to port 21 lets it through.
- The server's SYN-ACK is the first packet conntrack sees in the reply direction, so from that packet onward the connection is "ESTABLISHED". The client's final ACK and every later command and response on the control channel match the ESTABLISHED state and are accepted by the usual ESTABLISHED,RELATED rule.
Data Connection (RELATED):
- For each transfer FTP opens a separate TCP data connection: in active mode from the server's port 20 to a client port announced with the PORT command, in passive mode from the client to a server port announced in the 227 reply to PASV. These are ordinary TCP connections with their own three-way handshake. What sets them apart is that their first SYN would be "NEW" as far as the firewall is concerned, on a port no static rule can know in advance.
- The FTP conntrack helper (nf_conntrack_ftp) parses PORT and PASV on the "ESTABLISHED" control connection and registers an expectation for the coming data connection. When its SYN arrives, conntrack matches the expectation and classes the packet "RELATED" instead of "NEW".
- This allows IPTables to permit the data connections with a single rule accepting ESTABLISHED,RELATED traffic, without opening a port range, and only while the control connection they belong to is alive. Two caveats a practitioner should know: automatic helper assignment is disabled by default since Linux 4.7 (and the nf_conntrack_helper sysctl was later removed entirely), so the helper must be attached explicitly with the CT target in the raw table; and the helper can only parse a control channel it can read, so FTPS (FTP over TLS) gets no RELATED data connections and needs a different approach.
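Putting the three states together, here is an added example ruleset for a host that runs an FTP server on port 21 (an assumption; change FTP_PORT). It is not the post's code. It is written as a POSIX shell function that emits iptables-restore input, so the rules can be reviewed as text before being applied, and it assumes the FTP helper is loadable as the nf_conntrack_ftp module and that nothing else on the host needs inbound access.

```shell
#!/bin/sh
# Added example: a minimal stateful iptables ruleset for an FTP server host,
# emitted in iptables-restore format. Assumptions: FTP listens on FTP_PORT
# (default 21), the nf_conntrack_ftp module is available, and no other
# inbound service is needed. Review the output, then apply it with:
#   modprobe nf_conntrack_ftp && gen_ftp_rules | iptables-restore

FTP_PORT=${FTP_PORT:-21}

gen_ftp_rules() {
  cat <<EOF
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Attach the FTP helper explicitly. Since Linux 4.7 conntrack no longer
# auto-assigns helpers by destination port, so without this rule the data
# connection's SYN would arrive as NEW on a random port and be dropped.
-A PREROUTING -p tcp --dport ${FTP_PORT} -j CT --helper ftp
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# Packets of connections conntrack already tracks (ESTABLISHED) and first
# packets of connections a helper expected (RELATED: FTP data, ICMP errors).
# This single rule admits every active- and passive-mode data connection.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# A NEW TCP packet that is not a bare SYN is a stray or a spoof; with the
# default nf_conntrack_tcp_loose=1 conntrack would otherwise adopt it.
-A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
# Packets conntrack cannot classify at all (bad sequence numbers, etc.).
-A INPUT -m conntrack --ctstate INVALID -j DROP
# The only NEW connection this host accepts: the FTP control channel.
-A INPUT -p tcp --dport ${FTP_PORT} -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

gen_ftp_rules
```

Read the filter chain in order: the ESTABLISHED,RELATED rule does almost all the work, including admitting the data connection's SYN that the helper expected; the next two rules refuse packets that would otherwise create a conntrack entry without a proper handshake; and only then is a genuinely new connection allowed, and only to the control port. The CT rule in the raw table is the part most often missing from older tutorials: without it, on kernels since 4.7, passive-mode transfers hang right after the 227 reply because the data connection never becomes RELATED.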
