IP Tables State

Welcome to the IP Tables State homepage. IPTState is a top-like interface to your netfilter connection-tracking table.

Using iptstate you can interactively watch where traffic crossing your netfilter/iptables firewall is going, sort by various criteria, and limit the view by various criteria. But it doesn't stop there: as of version 2.2.0 you can even delete states from the table!

The only requirements are a curses library (usually ncurses), and libnetfilter_conntrack version 0.0.50 or later.

IPTState is now in the Debian, Redhat, Fedora Core, Mandrake, Gentoo, FloppyFW, and many other distributions you can find a list of.

Don't forget to check the wishlist for upcoming features, the Changelog file for new features, and the CONTRIB file for who's helped.


10/16/21 IPTState 2.2.7!
IPTState 2.2.7 is now out. It has some small fixes for compiler warnings.

08/14/16 IPTState 2.2.6!
IPTState 2.2.6 has just been released and includes a fix for a crash many users were seeing. IPTState will also now automatically turn on skipdns mode when lookup mode is turned on to prevent a cycle of adding DNS entries to the state table. Finally this also fixes a bug in -b handling. All users are encouraged to upgrade.

06/01/12 IPTState 2.2.5!
Less than 24 hours after the last release we have another one for you. This time we've improved our support for ICMP6. We now display the type and code, and we also support deleting such state. We've further improved the dynamic column sizing by not wasting a space for a non-existent colon for connections without ports as well as dynamically sizing the "State" column. Finally, if we run into protocols we can't resolve to names, we now print the number instead of "unknown."

06/01/12 IPTState 2.2.4!
With World IPv6 Launch coming next week, it was time to put the final touches on the IPv6 support we added last year. 2.2.4 won't break formatting on long IPv6 addresses. Instead it will truncate them similarly to the way we truncate hostnames. However, we truncate addresses from the opposite side, since network/host data are on opposite ends of hostnames vs. addresses.

04/03/11 IPTState 2.2.3!
It's been a long time... but 2.2.3 is out! We now have IPv6 support! There's also a slew of bugfixes and cleanups, so be sure to upgrade.

09/19/09 IPTState 2.2.2!
IPTState 2.2.2 is now available for download. This is a relatively minor release: the old backwards compatibility code is gone which means libnetfilter_conntrack is always required. There's also some output formatting bugfixes and some compile fixes for newer versions of gcc.

I've set up two mailing lists for IPTState: iptstate-devel for discussion and announcements and iptstate-commit for CVS commit messages. From now on announcements will always go to -devel, it should be low traffic, so join if you want to follow development.

The 2.2.1 CONTRIB file mentions Victor Forsyuk as the Ubuntu packager, but he is instead the Alt Linux packager.

03/18/07 Darnit...
A small formatting bug in 2.2.0 means a 2.2.1. Sorry...

03/18/07 Two notes on the new version
Two quick notes: if you absolutely cannot get libnetfilter_conntrack on your system, see the Makefile comments for an easy way to compile without it. This method is DEPRECATED and will be removed in future versions.

Also - in the current version of libnetfilter_conntrack 0.0.50 there is a bug that prevents iptstate from deleting ICMP states. I wrote a patch which you can find here that fixes it. This patch has already been accepted and applied by the netfilter folks.

03/18/07 IPTState 2.2.0!
IPTState 2.2.0 is out! This new version sees the backend ported to the libnetfilter_conntrack libraries instead of reading out of /proc. This has many advantages including less load on the netfilter kernel subsystem, and not being racy on SMP systems.

In addition it allows for new features such as seeing per-state byte and packet counts and even deleting states from the connection table! That's right, play BOFH by simply hitting 'x'!

Other features include port-name lookup, ICMP IDs being printed, improved scrolling support, 'B' to sort by the previous column, and better support for more than 32767 state-table entries. Check out the Changelog for the full list.

10/07/06 Site Redesign
To go along with the release of our new 2.x branch, I thought a site redesign was in order. It's valid XHTML1.1 and CSS2 (with one small validation error on the xhtml that'll get fixed in the near future).

10/05/06 IPTState 2.1!
Oooops! There was a bug in the option handling and --src-filter was switched with --srcpt-filter and same thing with --dst-filter and --dstpt-filter. This is now fixed.

10/04/06 IPTState 2.0!
I've released iptstate 2.0, and it has a slew of new features including but not limited to:

The code was also almost completely refactored, made more efficient, and lots of bugs were fixed as well. This was originally going to be called 1.5, but so much has changed, I decided to go with 2.0. Enjoy!

04/23/05 Some stats for you
My webserver received 391 download requests for iptstate-1.4.tar.bz2 on the first two days of release (April 17th and 18th) of the new version. As you can see on your right, IPTState is also in increasingly more linux distros, and of course is mirrored across source forge - each of which account for many more downloads. I'd provide SF stats, but their stats appear to be broken. Thanks for all the support!

04/17/05 A note about IPTState
Harald Welte over at the Netfilter project asked me to inform my users that because iptstate reads /proc/net/ip_conntrack, it may be unreliable on SMP systems and can have a big impact on the performance of your firewall. I'll quote him in saying, "Feel free to blame the netfilter/iptables developers, since it's our fault to offer such a broken interface in the first place." The alternative interface, ctnetlink, is not widely available yet, so iptstate has no other options at this time. When it becomes an option, I will explore it. Harald let me know about this a while ago, and it was supposed to go in the documentation for 1.4, but I forgot about it until after I released it, so I'm posting it here.

04/16/05 New screenshots
To go with the new release, there are now new screenshots.

04/16/05 IPTState 1.4 released!
I have released IPTState 1.4! It has lots of new features like filtering on IP address, marking truncated names, add filter of DNS entries to make name-resolution mode cleaner, and various source and documentation cleanups. Check the changelog for details.

05/29/03 Do you use IPTState?
If you use IPTState, I'd like to know. Drop me an email (preferably with "iptstate" somewhere in the subject). I may not respond to everyone, but I'd like to get an idea of how many people use this. Also please include the size of the site you're using it at (home office, small business, major ISP, etc.). Thanks!

05/28/03 IPTState 1.3!
It's here! Enjoy. Be sure to check the changelog!

05/21/03 Oops
The next version is ready but I'm in the process of moving so most of my machines are in boxes, you will see it soon.

04/27/03 Alive and Well
For those that are wondering, and/or worried, iptstate is alive and well. I spent a long time tonight working on version 1.2.2, and there's some very cool things in it. Features are fairly stable at this point, I have a few bug fixes to add, some docs to update, and some testing to do, and then you guys will have it! I do have a new job, so time isn't something I have a ton of right now, but I promise you will have 1.2.2 soon.

10/28/02 Memory Leak - SOLVED!
Check out this page for information on the infamous memory leak...

07/01/02 1.2.1 Released / Screenshot
IPTState 1.2.1 is officially released. Nothing major, just a few small updates. Check the changelog. I also added a screenshot to the website.

05/03/02 Sourceforge
I have opened an account at SourceForge for IPTState. Over the next few months I may migrate this site over there - or I may use both, I haven't decided. In the meantime, the project is listed and downloadable from there so at least SourceForge users can find the project.

05/02/02 See NOTES (below)
See the NOTES section (this page, below) on a common compile problem.

04/20/02 Version 1.2.0 released - UPDATE
There was a small bug in the Makefile, I accidentally erased a line. It may not affect you, if you get 'g not found' or something to that effect, re-download 1.2.0.

04/20/02 Version 1.2.0 released
There is a PLETHORA of new features. Check the Changelog!

04/05/02 Online Wishlist
I've added a wishlist which details what's in the next feature and what I plan and don't plan on adding to IPTState. It's an updated version of the WISHliST file in the latest tarball. It will also let you know what to not bother writing patches for. =)

04/04/02 Stuff not to send patches for
Hey everyone... the following things I've already written (or mostly written) for the next version and so don't waste your time writing patches: proper IP sorting, sorting by port, adding totals/statistics, dns lookups.

03/30/02 Note to those thinking of packaging IPTState
Thinking about/planning to/already package and/or submit IPTState to a particular Linux distribution? PLEASE CONTACT ME FIRST.

03/30/02 Version 1.1.0 released
Lots of new features and bug fixes. Check the Changelog for details. Please check all new documentation as well.

02/27/02 Version 1.0.1 is here
Check the Changelog for all the updates. This should eliminate all compile errors.

02/23/02 Version 1.0 released. Website opens.


This page is © Phil Dibowitz 2001 - 2011