## SSH
# Allow ssh outbound.
iptables -A INPUT -i $IFACE -p tcp –dport 22 -m state –state NEW -j ACCEPT #allow ssh in
iptables -A INPUT -i $IFACE -p tcp –sport 22 -m state –state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o $IFACE -p tcp –dport 22 -m state –state NEW,ESTABLISHED -j ACCEPT

Shell script for setting up stateful firewall based on iptables.

Suitable for personal use.
Protects your computer from outside world attacks.
Handling packets based on connection state (ESTABLISHED, RELATED).
OS Linux

Shell script entry:
#!/bin/sh
#…

Make sure you have a double dash in front of state “–”.

You cannot load additional modules unless you have root access. (generally true for a virtual machine, but not a virtual host)

Stateful packet inspection uses more memory than simple flag inspection, but is far more advanced. For example, a spoofed SYN,ACK packet looks like a response to ACK, therefore a stateless firewall considers that as ESTABLISHED (anything w/ACK is), while the stateful firewall correctly determines that it is not part of any existing connection. There is no way to get true state matching without connection tracking.

i am studying the script above, but find that my VPS hosting does not support “state” module ,
i.e. script like
-m state –state ESTABLISHED -j ACCEPT
will not work ( with error : ‘No chain/target/match by that name’ )
i am thinking of 2 solutions, may i have some hint for them?
1. i’ve downloaded latest version of iptables-1.3.7 , but may i know how to config and build so that i can add more modules ? and is it possible? (some said can’t change iptable once Linux was compiled)
2. i guess ,down to a lower level, state(s) are in the form of flags ( like SYN, ACK. )
would you mind telling us the flags pattern which have same meaning with
a: –state NEW
b: –state ESTABLISHED
c: –state RELATED