It altered the conntrack entry to have reply dst=193.157.56.3, and told netfilter "I changed something", that's most of it. Everything else (including the source ip alteration) is handled by conntrack (modules nf_conntrack, nf_conntrack_ipv4) and nat (modules nf_nat, nf_nat_ipv4 and maybe a few more here), not by iptables.

The conntrack-tools are a set of free software tools for GNU/Linux that allow system administrators to interact, from user-space, with the in-kernel Connection Tracking System, which is the module that enables stateful packet inspection for iptables. Probably, you did not hear about this module so far. Hence this is tied to usage - rules referencing conntrack must exist in the namespace's iptables for conntrack to be active inside the container. As a side note, containers triggering the host to load kernel modules is an interesting subject. Aug 10, 2015 · Iptables is the software firewall that is included with most Linux distributions by default. This cheat sheet-style guide provides a quick reference to iptables commands that will create firewall rules that are useful in common, everyday scenarios.

Block Invalid Packets
iptables -t mangle -A PREROUTING -m conntrack --ctstate INVALID -j DROP
This rule drops every packet that conntrack classifies as INVALID, i.e. one that does not belong to any tracked connection and is not a valid start of a new one (out-of-window TCP segments, stray ACKs, malformed headers).

Block New Packets That Are Not SYN
iptables -t mangle -A PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
This rule drops TCP packets that are not SYN packets and yet don't belong to an established connection; a legitimate TCP connection can only begin with a SYN, so anything else in state NEW is bogus.

Conntrack supersedes state, and in modern kernels there is no longer any difference between the two. State is currently aliased and translated to conntrack in iptables if the kernel has it, so the syntax -m state --state is actually translated into -m conntrack --ctstate and handled by the same module.

7.2. The conntrack entries. Let's take a brief look at a conntrack entry and how to read them in /proc/net/ip_conntrack. This file lists all the current entries in your conntrack database. On kernels that use nf_conntrack instead of the old ip_conntrack module the file is /proc/net/nf_conntrack, and each line is prefixed with the layer-3 protocol (ipv4 or ipv6) and its number; the conntrack -L command from conntrack-tools shows the same entries. If you have the ip_conntrack module loaded, a cat of /proc/net/ip_conntrack might look like:
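The following is an added example (not code from the tutorial quoted above, and not from the conntrack-tools project) that parses conntrack entries in both the legacy /proc/net/ip_conntrack layout and the modern /proc/net/nf_conntrack layout. It also ties in the NAT explanation at the top of this page: with no NAT the reply tuple is the exact mirror of the original tuple, so a reply dst that differs from the original src is how a source mapping (SNAT/MASQUERADE, as in the reply dst=193.157.56.3 remark) shows up, and a reply src that differs from the original dst is how a DNAT shows up. The sample lines are constructed for the example, not captured from a real host, and the helper names (parse_entry, nat_kind, summarize) are the example's own.

```python
import re
from dataclasses import dataclass, field

KV = re.compile(r"^(\w+)=(.+)$")
TUPLE_KEYS = ("src", "dst", "sport", "dport")

# Constructed sample lines (not from a real host). Lines 1 and 2 use the
# modern /proc/net/nf_conntrack layout, line 3 the legacy /proc/net/ip_conntrack
# layout. Entry 1 has its source masqueraded behind 193.157.56.3, entry 2 is a
# port-forward (DNAT) to an internal host, entry 3 is plain, un-NATed UDP.
SAMPLE = """\
ipv4     2 tcp      6 431999 ESTABLISHED src=10.0.0.5 dst=93.184.216.34 sport=51234 dport=443 src=93.184.216.34 dst=193.157.56.3 sport=443 dport=51234 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 117 SYN_SENT src=203.0.113.7 dst=193.157.56.3 sport=40000 dport=80 [UNREPLIED] src=10.0.0.8 dst=203.0.113.7 sport=8080 dport=40000 mark=0 zone=0 use=2
udp      17 29 src=10.0.0.5 dst=10.0.0.1 sport=5353 dport=53 src=10.0.0.1 dst=10.0.0.5 sport=53 dport=5353 use=1
"""


@dataclass
class ConntrackEntry:
    proto: str
    timeout: int
    state: str                                  # TCP state, "" for stateless protocols
    orig: dict                                  # tuple as seen in the original direction
    reply: dict                                 # tuple expected in the reply direction
    flags: list = field(default_factory=list)   # ASSURED, UNREPLIED, ...
    extra: dict = field(default_factory=dict)   # mark=, zone=, use=, ...


def parse_entry(line):
    """Parse one conntrack line (TCP/UDP tuples with src/dst/sport/dport)."""
    tokens = line.split()
    if tokens[0] in ("ipv4", "ipv6"):
        proto, rest = tokens[2], tokens[4:]     # nf_conntrack: l3proto l3num l4proto l4num ...
    else:
        proto, rest = tokens[0], tokens[2:]     # ip_conntrack: l4proto l4num ...
    timeout, rest = int(rest[0]), rest[1:]
    state = ""
    if rest and "=" not in rest[0] and not rest[0].startswith("["):
        state, rest = rest[0], rest[1:]         # e.g. ESTABLISHED, SYN_SENT
    orig, reply, flags, extra = {}, {}, [], {}
    for tok in rest:
        if tok.startswith("["):
            flags.append(tok.strip("[]"))
            continue
        m = KV.match(tok)
        if not m:
            continue
        k, v = m.groups()
        if k in TUPLE_KEYS:
            # The first occurrence of each key belongs to the original tuple,
            # the second to the reply tuple.
            (orig if k not in orig else reply)[k] = v
        else:
            extra[k] = v
    return ConntrackEntry(proto, timeout, state, orig, reply, flags, extra)


def nat_kind(e):
    """Classify NAT by comparing the two tuples. Without NAT the reply tuple is
    the mirror of the original: reply dst/dport == original src/sport and
    reply src/sport == original dst/dport. A changed reply dst means the source
    was rewritten (SNAT/MASQUERADE); a changed reply src means the destination
    was rewritten (DNAT). Both can apply at once."""
    kinds = []
    if (e.reply.get("dst"), e.reply.get("dport")) != (e.orig.get("src"), e.orig.get("sport")):
        kinds.append("SNAT")
    if (e.reply.get("src"), e.reply.get("sport")) != (e.orig.get("dst"), e.orig.get("dport")):
        kinds.append("DNAT")
    return "+".join(kinds) or "none"


def summarize(text):
    """One (proto, state, nat, assured) row per non-empty line of conntrack output."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            e = parse_entry(line)
            rows.append((e.proto, e.state or "-", nat_kind(e), "ASSURED" in e.flags))
    return rows


if __name__ == "__main__":
    for row in summarize(SAMPLE):
        print(row)
```

To run it against a live table, feed the contents of /proc/net/nf_conntrack (or /proc/net/ip_conntrack on old kernels) to summarize() instead of SAMPLE; ICMP entries use type=/code=/id= instead of ports and end up in extra, so extend TUPLE_KEYS if you need them.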
