@@ -422,7 +422,7 @@ func programIngress(gwIP net.IP, ingressPorts []*PortConfig, isDelete bool) erro

 		// Filter table rules to allow a published service to be accessible in the local node from..

 		// 1) service tasks attached to other networks

 		// 2) unmanaged containers on bridge networks

-		rule := []string{addDelOpt, ingressChain, "-m", "state", "-p", protocol, "--sport", publishedPort, "--state", "ESTABLISHED,RELATED", "-j", "ACCEPT"}

+		rule := []string{addDelOpt, ingressChain, "-p", protocol, "--sport", publishedPort, "-m", "conntrack", "--ctstate", "ESTABLISHED,RELATED", "-j", "ACCEPT"}

 		if portErr = iptable.RawCombinedOutput(rule...); portErr != nil {

 			err := fmt.Errorf("set up rule failed, %v: %v", rule, portErr)

 			if !isDelete {

@@ -430,7 +430,7 @@ func programIngress(gwIP net.IP, ingressPorts []*PortConfig, isDelete bool) erro

 			}

 			log.G(context.TODO()).Warn(err)

 		}

-		rollbackRule := []string{rollbackAddDelOpt, ingressChain, "-m", "state", "-p", protocol, "--sport", publishedPort, "--state", "ESTABLISHED,RELATED", "-j", "ACCEPT"}

+		rollbackRule := []string{rollbackAddDelOpt, ingressChain, "-p", protocol, "--sport", publishedPort, "-m", "conntrack", "--ctstate", "ESTABLISHED,RELATED", "-j", "ACCEPT"}

 		rollbackRules = append(rollbackRules, rollbackRule)

 		rule = []string{addDelOpt, ingressChain, "-p", protocol, "--dport", publishedPort, "-j", "ACCEPT"}