Can someone please explain the difference between the two connection states?
MT states:
NEW - The NEW state tells us that the packet is the first packet that we see. This means that the first packet that the conntrack module sees, within a specific connection, will be matched. For example, if we see an SYN packet and it is the first packet in a connection that we see, it will match;
INVALID - The INVALID state means that the packet can't be identified or that it does not have any state. It is suggested to DROP everything in this state;
If a packet enters from the WAN side to the input chain, how can the router determine/decide whether the packet is INVALID vs. NEW?
For the router, the invalid packet is new at the same time (new, does not belong to an already existing connection, and invalid because it can't be identified -> because it's new).
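
Added example, not part of the original post or of MikroTik's documentation: a simplified Python model of how a strict, Linux netfilter-style connection tracker separates the two states for TCP. The class and function names, the flag table and the sample packets are constructed for illustration, and treating RouterOS as behaving this way is an assumption.

```python
# Simplified model of strict TCP connection tracking. Assumption: Linux
# netfilter-style rules; this is not RouterOS code. Sequence-window and
# checksum checks (which also yield "invalid") and timeouts are left out.

# Flag combinations accepted as well-formed (PSH/URG/ECN bits ignored).
VALID_FLAGS = {frozenset(f) for f in (
    {"SYN"}, {"SYN", "ACK"}, {"ACK"}, {"FIN", "ACK"}, {"RST"}, {"RST", "ACK"},
)}


class ConnTracker:
    def __init__(self):
        # flow key -> {"orig": initiator endpoint, "replied": bool}
        self.table = {}

    def classify(self, src, sport, dst, dport, flags):
        """Return the connection state a firewall rule would match on."""
        flags = frozenset(flags)
        if flags not in VALID_FLAGS:
            return "invalid"              # malformed: cannot be identified
        key = frozenset([(src, sport), (dst, dport)])  # same in both directions
        entry = self.table.get(key)
        if entry is None:
            if flags == {"SYN"}:          # only a bare SYN may open a flow
                self.table[key] = {"orig": (src, sport), "replied": False}
                return "new"
            return "invalid"              # mid-stream packet with no entry
        if (src, sport) != entry["orig"]:
            entry["replied"] = True       # traffic seen in both directions
        return "established" if entry["replied"] else "new"


def demo():
    ct = ConnTracker()
    wan, lan = "203.0.113.5", "192.0.2.1"  # constructed documentation addresses
    return [
        ct.classify(wan, 40000, lan, 22, ["SYN"]),         # first packet of a flow
        ct.classify(lan, 22, wan, 40000, ["SYN", "ACK"]),  # reply from the router
        ct.classify(wan, 40000, lan, 22, ["ACK"]),         # belongs to tracked flow
        ct.classify(wan, 40001, lan, 22, ["ACK"]),         # no SYN was ever seen
        ct.classify(wan, 40002, lan, 22, ["SYN", "FIN"]),  # illegal flag mix
    ]


if __name__ == "__main__":
    print(demo())
```

In this model a packet with no table entry is NEW only if it is a well-formed connection opener; anything else without an entry is INVALID, so the two states do not overlap.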