This module, when combined with connection tracking, allows access to
more connection tracking information than the "state" match.
(this module is present only if iptables was compiled under a kernel
supporting this feature)
.TP
.BI "--ctstate " "state"
Where state is a comma separated list of the connection states to
match.  Possible states are
.B INVALID
meaning that the packet is associated with no known connection,
.B ESTABLISHED
meaning that the packet is associated with a connection which has seen
packets in both directions,
.B NEW
meaning that the packet has started a new connection, or otherwise
associated with a connection which has not seen packets in both
directions, and
.B RELATED
meaning that the packet is starting a new connection, but is
associated with an existing connection, such as an FTP data transfer,
or an ICMP error.
.B SNAT
A virtual state, matching if the original source address differs from
the reply destination.
.B DNAT
A virtual state, matching if the original destination differs from the
reply source.
.TP
.BI "--ctproto " "proto"
Protocol to match (by number or name)
.TP
.BI "--ctorigsrc " "[!] \fIaddress\fP[/\fImask\fP]"
Match against original source address
.TP
.BI "--ctorigdst " "[!] \fIaddress\fP[/\fImask\fP]"
Match against original destination address
.TP
.BI "--ctreplsrc " "[!] \fIaddress\fP[/\fImask\fP]"
Match against reply source address
.TP
.BI "--ctrepldst " "[!] \fIaddress\fB[/\fImask\fP]"
Match against reply destination address
.TP
.BI "--ctstatus " "[\fINONE|EXPECTED|SEEN_REPLY|ASSURED\fP][,...]"
Match against internal conntrack states
.TP
.BI "--ctexpire " "\fItime\fP[\fI:time\fP]"
Match remaining lifetime in seconds against given value
or range of values (inclusive)