As far as I can tell, ESTABLISHED is only for session-based protocols like TCP. You will not see that for UDP or ICMP, as far as CONNTRACK is concerned. In the ruleset it will fall under the STATE of ESTABLISHED, as IPTABLES understands that this is direct return traffic. However, like UDP, it has no real "IP state" outside of IPTABLES, and my guess is this is why it is not referred to in that state in CONNTRACK.

Best regards
André Paulsberg-Csibi
Senior Network Engineer
IBM Services AS

-----Original Message-----
From: netfilter-owner@xxxxxxxxxxxxxxx [mailto:netfilter-owner@xxxxxxxxxxxxxxx] On Behalf Of Oliver O'Boyle
Sent: Tuesday, January 2, 2018 10:05 PM
To: netfilter@xxxxxxxxxxxxxxx
Subject: conntrack and ICMP echo replies not showing as ESTABLISHED

Hi,

Running on Ubuntu 16.04LTS with a fairly basic iptables config (see below). I'm sure I'm missing something obvious but I am not seeing echo replies showing as ESTABLISHED when running:

    sudo conntrack -E

I see this:

       [NEW] icmp     1 30 src=192.168.144.164 dst=192.168.144.254 type=8 code=0 id=1 [UNREPLIED] src=192.168.144.254 dst=192.168.144.164 type=0 code=0 id=1
    [UPDATE] icmp     1 30 src=192.168.144.164 dst=192.168.144.254 type=8 code=0 id=1 src=192.168.144.254 dst=192.168.144.164 type=0 code=0 id=1

But I expected to see something more like line 3 where it shows the connection is ESTABLISHED:

       [NEW] tcp      6 120 SYN_SENT src=192.168.144.164 dst=52.12.252.111 sport=10032 dport=443 [UNREPLIED] src=52.72.252.111 dst=216.46.2.101 sport=443 dport=10032
    [UPDATE] tcp      6 60 SYN_RECV src=192.168.144.164 dst=52.12.252.111 sport=10032 dport=443 src=52.72.252.111 dst=216.46.2.101 sport=443 dport=10032
    [UPDATE] tcp      6 432000 ESTABLISHED src=192.168.144.164 dst=52.12.252.111 sport=10032 dport=443 src=52.72.252.111 dst=216.46.2.101 sport=443 dport=10032 [ASSURED]

I'm new to netfilter/iptables so I may be missing something or may just be expecting something that doesn't happen. Can someone point me in the right direction, please?
Thanks for the help!

O.

FILTER TABLE:

Chain INPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      162  9900 ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED
2        0     0 ACCEPT     all  --  lo     any     anywhere             anywhere             ctstate NEW
3        2   120 ACCEPT     icmp --  any    any     anywhere             anywhere             ctstate NEW
4        0     0 ACCEPT     tcp  --  ens192 any     anywhere             anywhere             tcp dpt:ssh
5       51  4426 LOG        all  --  any    any     anywhere             anywhere             limit: avg 5/min burst 5 LOG level debug prefix "iptables denied: "
6     1986  226K DROP       all  --  any    any     anywhere             anywhere

Chain FORWARD (policy ACCEPT 2 packets, 80 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     3359 1788K ACCEPT     all  --  ens160 ens192  anywhere             anywhere             ctstate RELATED,ESTABLISHED
2     4887  896K ACCEPT     all  --  ens192 ens160  anywhere             anywhere             ctstate NEW,RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT 214 packets, 41776 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       13   780 ACCEPT     icmp --  any    any     anywhere             anywhere             ctstate NEW,RELATED,ESTABLISHED

NAT TABLE:

Chain PREROUTING (policy ACCEPT 2587 packets, 269K bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 2 packets, 120 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      429 22583 MASQUERADE all  --  any    ens160  anywhere             anywhere

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
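To make the reply's point concrete, here is an added example (not from either poster) that parses the conntrack -E lines quoted in the question and derives the iptables ctstate a connection is in from the [UNREPLIED] flag, not from the protocol state word, which conntrack prints for TCP only. The event lines are copied from the post; parse_event, ctstate, summarize and the Event class are names chosen for this example.

```python
from dataclasses import dataclass
from typing import Optional

# Event lines constructed from the conntrack -E output quoted in the post above.
EVENTS = """\
[NEW] icmp 1 30 src=192.168.144.164 dst=192.168.144.254 type=8 code=0 id=1 [UNREPLIED] src=192.168.144.254 dst=192.168.144.164 type=0 code=0 id=1
[UPDATE] icmp 1 30 src=192.168.144.164 dst=192.168.144.254 type=8 code=0 id=1 src=192.168.144.254 dst=192.168.144.164 type=0 code=0 id=1
[NEW] tcp 6 120 SYN_SENT src=192.168.144.164 dst=52.12.252.111 sport=10032 dport=443 [UNREPLIED] src=52.72.252.111 dst=216.46.2.101 sport=443 dport=10032
[UPDATE] tcp 6 432000 ESTABLISHED src=192.168.144.164 dst=52.12.252.111 sport=10032 dport=443 src=52.72.252.111 dst=216.46.2.101 sport=443 dport=10032 [ASSURED]
"""

TCP_STATES = {"SYN_SENT", "SYN_RECV", "ESTABLISHED", "FIN_WAIT",  # TCP-only words
              "CLOSE_WAIT", "LAST_ACK", "TIME_WAIT", "CLOSE"}

@dataclass
class Event:
    kind: str                   # NEW, UPDATE or DESTROY
    proto: str                  # icmp, tcp, udp, ...
    timeout: int                # seconds left before the entry expires
    proto_state: Optional[str]  # TCP state word; None for icmp/udp
    flags: set                  # UNREPLIED and/or ASSURED
    orig: dict                  # original-direction tuple (the echo request)
    reply: dict                 # reply-direction tuple (the echo reply)

def parse_event(line: str) -> Event:
    tokens = line.split()
    kind, proto, timeout = tokens[0].strip("[]"), tokens[1], int(tokens[3])
    rest = tokens[4:]
    proto_state = rest.pop(0) if rest and rest[0] in TCP_STATES else None
    flags, tuples, current = set(), [], {}
    for tok in rest:
        if tok.startswith("["):           # bracketed flag, not a key=value pair
            flags.add(tok.strip("[]"))
            continue
        key, value = tok.split("=", 1)
        if key in current:                # a second src= opens the reply tuple
            tuples.append(current)
            current = {}
        current[key] = value
    tuples.append(current)
    return Event(kind, proto, timeout, proto_state, flags, tuples[0], tuples[1])

def ctstate(ev: Event) -> str:
    """iptables ctstate: decided by whether a reply was seen, not by the TCP word."""
    return "NEW" if "UNREPLIED" in ev.flags else "ESTABLISHED"

def summarize(text: str) -> list:
    # One (kind, proto, TCP state or "-", ctstate) row per event line.
    return [(e.kind, e.proto, e.proto_state or "-", ctstate(e))
            for e in map(parse_event, text.splitlines())]
```

The second icmp line has no state word but has lost [UNREPLIED], so the echo request's connection already matches the ctstate RELATED,ESTABLISHED rule; the echo reply itself is accepted by that rule because it travels in the reply direction.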