From: "Walter Dnes"
Date: Wed, 26 Dec 2012 19:47:32 -0500
To: Gentoo Users List
Subject: [gentoo-user] IPTABLES syntax change?
Message-ID: <20121227004732.GB5854@waltdnes.org>

Many years ago, I understood IPCHAINS, and the first versions of IPTABLES. However, IPTABLES has followed the example of Larry Wall's Practical Extraction and Reporting Language and turned into a pseudo-OS that I barely comprehend. Some rules that I added many years ago were designed to reject unsolicited connection attempts (after whitelisting my small LAN)...
    -A ICMP_IN -p icmp -m state -j UNSOLICITED
    -A TCP_IN -p tcp -m state -m tcp -j UNSOLICITED
    -A UDP_IN -p udp -m state -j UNSOLICITED

Now these all give me the error message...

    WARNING: The state match is obsolete. Use conntrack instead.
    iptables-restore v1.4.16.3: state: option "--state" must be specified

"man iptables" suggested "man iptables-extensions". As near as I can tell, the "new and improved" way is...

    -A ICMP_IN -p icmp -m conntrack --ctstate INVALID -j UNSOLICITED
    -A TCP_IN -p tcp -m conntrack --ctstate INVALID -m tcp -j UNSOLICITED
    -A UDP_IN -p udp -m conntrack --ctstate INVALID -j UNSOLICITED

This appears to work, i.e. it doesn't cause iptables to fail. Does this do what I think it does (reject unsolicited connections)? The reason that I'm asking is because I'm simply not sure.

-- 
Walter Dnes
I don't run "desktop environments"; I run useful applications
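An added helper script, not part of the original post, that rewrites the obsolete `-m state --state` form in an iptables-restore dump to `-m conntrack --ctstate`, and flags any rule whose match module lacks its required option, which is exactly the `option "--state" must be specified` failure quoted above. The function names and the sample rules are constructed for illustration.

```sh
#!/bin/sh
# Rewrite one iptables-restore rule line from the obsolete "state" match to
# the "conntrack" match. Only the module/option names change; the state list
# (NEW, INVALID, ESTABLISHED,RELATED ...) and everything else stay as written.
migrate_rule() {
    printf '%s\n' "$1" | sed \
        -e 's/-m state --state /-m conntrack --ctstate /g' \
        -e 's/-m state ! --state /-m conntrack ! --ctstate /g'
}

# Return 0 when every state/conntrack match in the rule carries its option,
# 1 when one is missing (the case iptables-restore rejects at load time).
check_rule() {
    rule=$1
    case $rule in
        *"-m state"*)
            case $rule in *"--state "*) ;; *) return 1 ;; esac ;;
    esac
    case $rule in
        *"-m conntrack"*)
            case $rule in *"--ctstate "*) ;; *) return 1 ;; esac ;;
    esac
    return 0
}

# Filter a whole dump: migrate_ruleset < old.rules > new.rules
# Rules that would fail to load are emitted as comments for manual review
# instead of being silently dropped or guessed at.
migrate_ruleset() {
    while IFS= read -r line; do
        case $line in
            -A*|-I*)
                if check_rule "$line"; then
                    migrate_rule "$line"
                else
                    printf '# NEEDS REVIEW (missing match option): %s\n' "$line"
                fi ;;
            *) printf '%s\n' "$line" ;;
        esac
    done
}

# Constructed sample dump for a stand-alone run.
if [ "${1:-}" = "--demo" ]; then
    migrate_ruleset <<'EOF'
*filter
-A TCP_IN -p tcp -m state --state INVALID -m tcp -j UNSOLICITED
-A UDP_IN -p udp -m state -j UNSOLICITED
COMMIT
EOF
fi
```

Run with `sh migrate.sh --demo` to see one rule rewritten and the option-less UDP rule flagged.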