
--state state

Where state is a comma-separated list of the connection states to match.


Possible states are:

* INVALID meaning that the packet could not be identified for some reason,
which includes running out of memory and ICMP errors which don't correspond
to any known connection.

* NEW meaning that the packet is the first packet seen for that connection,
i.e. sending a new SYN

* ESTABLISHED meaning that packets have already been seen in both
directions and traffic will continue following the same manner
=> NEW state of packet sent by B to A as a response to a packet sent from
A to B is changed (in A) to ESTABLISHED once received by A

A(Req_1, State=NEW)          --------------> B(Req_1, State=NEW)          (B firewall accepts NEW)
A(Resp_1, State=ESTABLISHED) <-------------- B(Resp_1, State=NEW)         (A firewall accepts ESTABLISHED; A firewall changes state to ESTABLISHED)
A(Resp_2, State=ESTABLISHED) --------------> B(Resp_2, State=ESTABLISHED)

* RELATED meaning that the packet is related to another connection that
is already ESTABLISHED.
=> We need an ESTABLISHED connection to have a RELATED one
=> Packet is seen as starting a new connection, but is associated with an
existing connection, such as an FTP data transfer, or an ICMP error.
=> ICMP replies should always have state RELATED since they are triggered
by other existing connections

* UNTRACKED meaning that the packet is not tracked at all, which happens
if you use the NOTRACK target in the raw table.

http://security.maruhn.com/iptables-tutorial/x6330.html

-m match : explicit match (load a match extension and pass it its options)

e.g. -m state --state RELATED
     -m conntrack --ctstate RELATED
     -m pkttype --pkt-type unicast
     -m comment --comment "A comment"
     -m multiport --source-port 22,53,80,110
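Putting the states and the explicit matches above together, here is a minimal stateful INPUT policy as an added example (not part of the original notes). IPT defaults to "echo iptables" so the rules can be reviewed without root or a live netfilter; the port list 22,80,443 is an assumed set of services.

```shell
#!/bin/sh
# Added example: default-deny INPUT chain driven by conntrack states.
# IPT="echo iptables" prints the commands; set IPT=iptables to apply them.
IPT="${IPT:-echo iptables}"

stateful_input_rules() {
    # Anything not explicitly accepted below is dropped.
    $IPT -P INPUT DROP
    # INVALID: conntrack could not classify the packet (bad flags, stray
    # ICMP errors, memory pressure). Drop it before any ACCEPT rule.
    $IPT -A INPUT -m conntrack --ctstate INVALID -j DROP
    # ESTABLISHED: replies to flows we already saw in both directions.
    # RELATED: flows tied to an ESTABLISHED one (FTP data, ICMP errors).
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Loopback is trusted.
    $IPT -A INPUT -i lo -j ACCEPT
    # NEW (first SYN) is only accepted for the listed services; the
    # explicit multiport and comment matches come from the notes above.
    $IPT -A INPUT -p tcp -m multiport --dports 22,80,443 \
        -m conntrack --ctstate NEW \
        -m comment --comment "inbound services" -j ACCEPT
}

# Returns the 1-based position of the first rule matching a pattern,
# so the ordering of the ruleset can be checked without applying it.
rule_position() {
    stateful_input_rules | grep -n -- "$1" | head -n 1 | cut -d: -f1
}

stateful_input_rules
```

Because the INVALID drop sits before the ESTABLISHED,RELATED accept, a packet conntrack cannot classify never reaches an ACCEPT rule.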
