简介

        前面文章我们已经介绍了一些扩展模块，如iprange、string、time、connlimit、limit，还有扩展匹配条件如--tcp-flags、icmp。这篇文章我们介绍state扩展模块

 state

         在 iptables 的上下文中，--state 选项并不是直接关联于一个扩展模块，而是与 iptables 的 state 匹配机制相关，特别是在处理 ICMP（Internet Control Message Protocol）或 TCP（Transmission Control Protocol）和 UDP（User Datagram Protocol）流量的时候。    

        state模块的报文可以分为5种状态，报文状态可以为NEW、ESTABLISHED、RELATED、INVALID、UNTRACKED。

NEW：连接中的第一个包，状态就是NEW，我们可以理解为新连接的第一个包的状态为NEW。The NEW state tells us that the packet is the first packet that we see. This means 
that the first packet that the conntrack module sees, within a specific connection, will 
be matched. For example, if we see a SYN packet and it is the first packet in a 
connection that we see, it will match. However, the packet may as well not be a SYN 
packet and still be considered NEW. This may lead to certain problems in some instances,but it may also be extremely helpful when we need to pick up lost connections from other 
firewalls, or when a connection has already timed out, but in reality is not closed. NEW 状态告诉我们这个数据包是我们看到的第一个数据包。这意味着在特定的连接中，conntrack 模
块看到的第一个数据包将被匹配。例如，如果我们看到一个 SYN 数据包，并且它是我们在连接中看到的第一
个数据包，它就会被匹配。但是，数据包也可能不是 SYN 数据包而仍然被认为是 NEW。这在某些情况下可
能会导致某些问题，但在我们需要从其他防火墙恢复丢失的连接，或者连接已经超时但实际上并未关闭时，
这也可能非常有用。ESTABLISHED：一个已建立的连接（已接收其开始和结束的数据包）表示连接已建立。The ESTABLISHED state has seen traffic in both directions and will then 
continuously match those packets. ESTABLISHED connections are fairly easy to understand. 
The only requirement to get into an ESTABLISHED state is that one host sends a packet, 
and that it later on gets a reply from the other host. The NEW state will upon receipt of 
the reply packet to or through the firewall change to the ESTABLISHED state. ICMP replymessages can also be considered as ESTABLISHED, if we created a packet that in turn 
generated the reply ICMP message. ESTABLISHED 状态表示已经在两个方向上看到了流量，并且之后将持续匹配这些数据包。
ESTABLISHED 连接相对容易理解。进入