I went through several compiles trying to get a kernel to compile with support for iptables that supported the --state argument. I eventually came up with the right combination, which included both the ‘state’ match support and IPv4 connection tracking support.
Here’s where they are in menuconfig:
Networking Support ->
  Networking Options ->
    Network Packet Filtering Framework (Netfilter) ->
      IP: Netfilter Configuration ->
        IPv4 connection tracking support (required for NAT) = M
      Core Netfilter Configuration ->
        “state” Match support = M
(also most everything else on this page is selected as well)
After exiting menuconfig, you can make sure that those two options are correct in your .config by looking for CONFIG_NETFILTER_XT_MATCH_STATE and CONFIG_NF_CONNTRACK_IPV4.
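One way to script that check, as an added example (not from the original post). The function names and the sample .config fragment are made up for illustration; only the two CONFIG_ symbols come from the text above.

```shell
#!/bin/sh
# Added example: report how the two symbols named above are set in a kernel .config.

# kconfig_state FILE SYMBOL
# Prints y (built in), m (module), n (explicitly "is not set") or absent.
kconfig_state() {
    file=$1 sym=$2
    # If a symbol appears more than once, the last assignment is the one reported.
    val=$(sed -n "s/^${sym}=\([ym]\)\$/\1/p" "$file" | tail -n 1)
    if [ -n "$val" ]; then
        echo "$val"
    elif grep -q "^# ${sym} is not set\$" "$file"; then
        echo n
    else
        echo absent
    fi
}

# check_state_match FILE
# Prints the state of both symbols; returns 0 only if both are y or m.
check_state_match() {
    rc=0
    for sym in CONFIG_NETFILTER_XT_MATCH_STATE CONFIG_NF_CONNTRACK_IPV4; do
        st=$(kconfig_state "$1" "$sym")
        echo "$sym: $st"
        case $st in
            y|m) ;;
            *) rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample .config fragment (not from a real build): the match is
# selected as a module but IPv4 connection tracking was left off.
sample=$(mktemp)
cat > "$sample" <<'EOF'
CONFIG_NETFILTER=y
CONFIG_NETFILTER_XT_MATCH_STATE=m
# CONFIG_NF_CONNTRACK_IPV4 is not set
EOF
check_state_match "$sample" || echo "one of the two options is not enabled"
rm -f "$sample"
```

To check a real tree, call check_state_match with the path to that tree's .config before starting the build.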