Manual UDP Connection Tracking

There are times when connection tracking does not track the state of UDP exchanges well. One such case is when the initial outgoing packet is a broadcast and the reply comes back from a particular host. I've found a simple way to allow tracking of such packets using a combination of iptables and ipset.

During a NetBIOS name lookup, a query is broadcast to UDP destination port 137. The reply comes back unicast, and its source address is the address of the host that owns that name. Connection tracking keyed the outgoing flow on the broadcast destination address, so the reply's source address does not match the request's destination address; the reply is therefore treated as a NEW packet rather than part of an ESTABLISHED or RELATED connection, and with a default DROP policy on INPUT it never arrives. (For this specific NetBIOS case the kernel also has the nf_conntrack_netbios_ns helper, which creates an expectation for the reply; the ipset method described here is a general way to handle any broadcast query that is answered unicast.) On a server that also needs to make outbound requests of this kind, the usual stateful rules below are not enough.

iptables -A OUTPUT -m state --state NEW -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Using IP Sets for Manual UDP Tracking

The method I use to overcome the issue is to create an IP set and, for any outgoing broadcast traffic, add the packet's source IP and source port to that set for a limited time. Then for incoming UDP traffic, I check whether the packet's destination IP and destination port are in the set, and if so allow it as if it were related traffic.

ipset create udptracking hash:ip,port family ipv4 timeout 60

iptables -A OUTPUT -p udp -m addrtype --dst-type BROADCAST -j SET --add-set udptracking src,src --exist --timeout 30
iptables -A OUTPUT -m state --state NEW -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p udp -m set --match-set udptracking dst,dst -j ACCEPT

A few notes on how these fit together. The set must be created with the timeout option, otherwise per-entry timeouts are not supported; the 60 there is only the default lifetime, and --timeout 30 on the SET target overrides it for the entries it adds. The src,src flags store the outgoing packet's source address and source port, and dst,dst on the INPUT side matches the reply's destination address and port against the same entries. SET is a non-terminating target, so the broadcast still continues down the OUTPUT chain to the NEW rule and is sent normally. Restricting the SET rule to -p udp keeps entries for other broadcast protocols out of the set. The set can be inspected with ipset list udptracking, which shows each tracked address and port together with the seconds left before it expires.

The caveat to keep in mind is that while an entry exists, any host that can reach the firewall, not only the one that answers the query, may send UDP to that port. The window is short and the port is usually ephemeral, but on a multi-homed host the INPUT rule should be limited with -i to the interface the broadcast went out on.
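The script below is an added example and not code from the original post. It packages the same ipset plus iptables technique so it can be reviewed, applied and inspected, and it tightens it in the ways a practitioner would want: both rules are restricted to UDP and to one interface, they live in their own chains so re-running the script is idempotent, and it also tracks multicast-destined queries, which covers protocols such as SSDP where an M-SEARCH goes to 239.255.255.250:1900 and the answers come back unicast. The set name, timeouts, chain names and the interface eth0 are assumptions for this example.

```shell
#!/bin/sh
# Added example, not from the original post. Usage:
#   sh udptrack.sh rules   print the commands for review (default)
#   sh udptrack.sh apply   run them (needs root, iptables and ipset)
#   sh udptrack.sh show    list the entries currently being tracked
# Set name, timeouts, chain names and the interface are assumed values.

SET_NAME="${SET_NAME:-udptracking}"
SET_TIMEOUT="${SET_TIMEOUT:-60}"     # default lifetime of entries in the set
ENTRY_TIMEOUT="${ENTRY_TIMEOUT:-30}" # lifetime of entries the SET target adds
LAN_IF="${LAN_IF:-eth0}"             # interface carrying the broadcasts (assumed)

# Print the commands one per line, in the order they must run: the set has to
# exist before any iptables rule can reference it, and the chains have to
# exist before jumps to them are inserted.
udptrack_rules() {
cat <<EOF
ipset -exist create $SET_NAME hash:ip,port family inet timeout $SET_TIMEOUT
# dedicated chains: create on first run, flush on later runs
iptables -N UDPTRACK_OUT 2>/dev/null || iptables -F UDPTRACK_OUT
iptables -N UDPTRACK_IN 2>/dev/null || iptables -F UDPTRACK_IN
# remember our source ip/port for UDP sent to a broadcast or multicast address
iptables -A UDPTRACK_OUT -o $LAN_IF -p udp -m addrtype --dst-type BROADCAST -j SET --add-set $SET_NAME src,src --exist --timeout $ENTRY_TIMEOUT
iptables -A UDPTRACK_OUT -o $LAN_IF -p udp -m addrtype --dst-type MULTICAST -j SET --add-set $SET_NAME src,src --exist --timeout $ENTRY_TIMEOUT
# accept a unicast UDP reply addressed to a remembered ip/port, on that interface only
iptables -A UDPTRACK_IN -i $LAN_IF -p udp -m set --match-set $SET_NAME dst,dst -j ACCEPT
# hook the chains in at the top of OUTPUT and INPUT, once
iptables -C OUTPUT -j UDPTRACK_OUT 2>/dev/null || iptables -I OUTPUT 1 -j UDPTRACK_OUT
iptables -C INPUT -j UDPTRACK_IN 2>/dev/null || iptables -I INPUT 1 -j UDPTRACK_IN
EOF
}

# Apply the printed commands, stopping at the first failure.
udptrack_apply() {
    udptrack_rules | sh -e
}

# Show what is being tracked: one "<our ip>,udp:<our sport> timeout N" line
# per entry, where N is the seconds left before it expires.
udptrack_show() {
    ipset list "$SET_NAME"
}

case "${1:-rules}" in
    rules) udptrack_rules ;;
    apply) udptrack_apply ;;
    show)  udptrack_show ;;
    *)     echo "usage: $0 [rules|apply|show]" >&2 ;;
esac
```

The INPUT jump is inserted at position 1 so that a later DROP rule cannot shadow the ACCEPT; the set lookup is a hash probe, so placing it before the ESTABLISHED,RELATED rule costs little. The trade-off described above still applies: for the lifetime of an entry, any host on LAN_IF can send UDP to the remembered port, which is why the match is limited to that interface rather than accepted from anywhere.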