Re: Samba help

Alexander Dalloz wrote:

Just for the archives: though it is seen so often - just google for
iptables scripts and you will find it - to use rules for protocol type
UDP with -m state makes no sense. UDP is, in opposition to TCP, a
stateless protocol and this way does not know anything about NEW or
ESTABLISHED or what else.

Untrue! Well, untrue that using -m state makes no sense with udp.

It's completely true that UDP is a 'stateless' protocol, but netfilter/iptables tracks your UDP traffic and assigns state to it.

See also the following wonderful reference for much more detail:
http://iptables-tutorial.frozentux.net/iptables-tutorial.html#STATEMACHINE

As a concrete example, I turned off firewall_mods for ntp (a UDP-based protocol) and restarted with an ntp.conf file of only "server servername". The client -does- receive the return UDP packets, which means that they must be considered 'ESTABLISHED' by iptables (no other rule could match them).

17:20:34.273828 wallace.ntp > verdandi.internal.avlsi.com.ntp: [udp sum ok] v4
client strat 0 poll 6 prec -16 dist 0.000000 disp 0.002944 ref (unspec)@0.000000000 orig 3282686371.280867010 rec -0.006823999 xmt +62.992918014 (DF) [tos 0x10] (ttl 64, id 0, len 76)


17:20:34.273992 verdandi.internal.avlsi.com.ntp > wallace.ntp: [udp sum ok] v4
server strat 2 poll 6 prec -17 dist 0.005920 disp 0.057449 ref montpelier.ilan.caltech.edu@xxxxxxxxxxxxxxxxxxxx orig 3282686434.273784995 rec +0.010362999 xmt +0.010373000 (DF) [tos 0x10] (ttl 64, id 0, len 76)
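To make the state-tracking point concrete, here is an added example that is not part of the original mail and not netfilter's own code: a small Python model of the flow-direction logic the kernel's UDP connection tracking applies, fed the two NTP packets from the trace above plus a constructed unsolicited packet. The client-side rule set, the hostname "wallace" as the firewalled client and the third packet are assumptions made for the illustration.

```python
"""Toy model of how netfilter's connection tracking assigns state to UDP.

Added example, not from the original mail and not netfilter's own code: it
re-implements, in a few lines, the flow-direction logic the kernel's UDP
conntrack uses, so the NTP reply from the tcpdump above can be shown to
match -m state --state ESTABLISHED even though UDP itself has no handshake.
"""

# conntrack keys a UDP "connection" by its 4-tuple. The first packet creates
# an entry; packets in the original direction are NEW until a packet arrives
# in the reverse direction, after which both directions are reported as
# ESTABLISHED. (The kernel also expires idle entries: 30 s by default for an
# unreplied UDP entry, longer once a reply has been seen.)
class UdpConntrack:
    def __init__(self):
        self.table = {}  # (src, sport, dst, dport) -> bool "reply seen"

    def classify(self, src, sport, dst, dport):
        orig = (src, sport, dst, dport)
        reply = (dst, dport, src, sport)
        if orig in self.table:                       # same direction as creator
            return "ESTABLISHED" if self.table[orig] else "NEW"
        if reply in self.table:                      # answer to a tracked flow
            self.table[reply] = True
            return "ESTABLISHED"
        self.table[orig] = False                     # first packet of a flow
        return "NEW"


def parse_tcpdump(line):
    """Parse old-style tcpdump 'host.port > host.port:' lines into a 4-tuple."""
    _ts, src, arrow, rest = line.split(None, 3)
    if arrow != ">":
        raise ValueError("unexpected tcpdump format: " + line)
    dst = rest.split(":", 1)[0]
    src_host, sport = src.rsplit(".", 1)
    dst_host, dport = dst.rsplit(".", 1)
    return src_host, sport, dst_host, dport


def firewall_verdict(ct, pkt, client):
    """Apply a minimal client-side rule set (assumed, not from the mail):

        iptables -A OUTPUT -p udp -m state --state NEW,ESTABLISHED -j ACCEPT
        iptables -A INPUT  -p udp -m state --state ESTABLISHED     -j ACCEPT
        iptables -A INPUT  -j DROP
    """
    src_host = pkt[0]
    state = ct.classify(*pkt)
    chain = "OUTPUT" if src_host == client else "INPUT"
    if chain == "OUTPUT":
        verdict = "ACCEPT"
    else:
        verdict = "ACCEPT" if state == "ESTABLISHED" else "DROP"
    return chain, state, verdict


def simulate(lines, client):
    """Run every packet through one shared conntrack table, in order."""
    ct = UdpConntrack()
    return [firewall_verdict(ct, parse_tcpdump(line), client) for line in lines]


# Constructed input: the two NTP packets from the trace in the mail (trimmed),
# plus a made-up unsolicited packet to the same port from another host.
SAMPLE = [
    "17:20:34.273828 wallace.ntp > verdandi.internal.avlsi.com.ntp: [udp sum ok] v4 client",
    "17:20:34.273992 verdandi.internal.avlsi.com.ntp > wallace.ntp: [udp sum ok] v4 server",
    "17:20:35.000000 stranger.example.12345 > wallace.ntp: [udp sum ok] v4 client",
]

if __name__ == "__main__":
    for line, (chain, state, verdict) in zip(SAMPLE, simulate(SAMPLE, "wallace")):
        print(f"{chain:6} {state:11} {verdict:6}  {line[:60]}")
```

Running it shows the outbound NTP request leaving as NEW, the server's answer arriving as ESTABLISHED (it reverses the tracked 4-tuple, so the INPUT ESTABLISHED rule accepts it), and the unsolicited packet from a third host arriving as NEW and hitting the DROP rule. That is exactly the behaviour the trace above demonstrates: the state is bookkeeping done by the firewall, not a property of the UDP packets themselves.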
