From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80])
	by finch.gentoo.org (Postfix) with ESMTP id 91C431381FB
	for ; Thu, 27 Dec 2012 01:45:13 +0000 (UTC)
Received: from pigeon.gentoo.org (localhost [127.0.0.1])
	by pigeon.gentoo.org (Postfix) with SMTP id 37F1621C110;
	Thu, 27 Dec 2012 01:44:59 +0000 (UTC)
Received: from mail2.viabit.com (mail2.viabit.com [65.246.80.16])
	(using TLSv1 with cipher AECDH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by pigeon.gentoo.org (Postfix) with ESMTPS id EF4A621C0D4
	for ; Thu, 27 Dec 2012 01:43:45 +0000 (UTC)
Received: from [172.17.29.6] (vpn1.metro-data.com [65.213.236.242])
	(using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by mail2.viabit.com (Postfix) with ESMTPSA id 3YWv3527cBz1hfL
	for ; Wed, 26 Dec 2012 20:43:45 -0500 (EST)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=orlitzky.com; s=mail2;
	t=1356572625; bh=uMk7/koDo7Xlrf7Mt6oxH24kkVjtWQ4khhLQMyy6j7Q=;
	h=Date:From:To:Subject:References:In-Reply-To;
	b=r7UkI+APhZrCAbZC17Y+6jRPYjjUHaeeH+2Avzs6GRpKJHg9bdZQ/GlfxAeaYo1eq
	 /lFMH2YTk6lWRgNFHXnGoOWf21ssa/cfoxsD9n3h6ugYP3xCVOrUBxJj32PVI5OCeI
	 AijCZ8vcpt7Fy95bRE9v09rkgAVGsWW8DjJSSbHg=
Message-ID: <50DBA7D0.4060800@orlitzky.com>
Date: Wed, 26 Dec 2012 20:43:44 -0500
From: Michael Orlitzky
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:10.0.10) Gecko/20121104 Thunderbird/10.0.10
Precedence: bulk
List-Post:
List-Help:
List-Unsubscribe:
List-Subscribe:
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-user@lists.gentoo.org
Reply-to: gentoo-user@lists.gentoo.org
MIME-Version: 1.0
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] IPTABLES syntax change?
References: <20121227004732.GB5854@waltdnes.org>
In-Reply-To: <20121227004732.GB5854@waltdnes.org>
X-Enigmail-Version: 1.3.5
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
X-Archives-Salt: dcd96835-282a-42fd-8d91-1ccad5c8bc94
X-Archives-Hash: ab666c46a8b3a771dd4cf12672653001

On 12/26/2012 07:47 PM, Walter Dnes wrote:
> Many years ago, I understood IPCHAINS, and the first versions of
> IPTABLES. However, IPTABLES has followed the example of Larry Wall's
> Practical Extraction and Reporting Language and turned into a pseudo-OS
> that I barely comprehend. Some rules that I added many years ago were
> designed to reject unsolicited connection attempts (after whitelisting
> my small LAN)...
>
> -A ICMP_IN -p icmp -m state -j UNSOLICITED
> -A TCP_IN -p tcp -m state -m tcp -j UNSOLICITED
> -A UDP_IN -p udp -m state -j UNSOLICITED
>
> Now these all give me the error message...
>
> WARNING: The state match is obsolete. Use conntrack instead.
> iptables-restore v1.4.16.3: state: option "--state" must be specified
>

The 'conntrack' module is supposed to be a superset of 'state', so most
things should be compatible. You really have two warnings there; the
first is for the state -> conntrack switch, and the second is because
you're missing the --state flag in your rules.

In your example, you turn on the state matching,

  iptables -A TCP_IN -p tcp -m state -m tcp -j UNSOLICITED

but you don't specify *which* state(s) you want to match. It wants you to
specify --state SOMETHING. I'd guess that it used to interpret "no state"
as "any state."

You said that you whitelisted your LAN prior to that rule, so you're
probably just rejecting every {ICMP, TCP, UDP} packet with those three
rules. If so, the equivalent rules are just,

  iptables -A ICMP_IN -p icmp -j DROP
  iptables -A TCP_IN -p tcp -j DROP
  iptables -A UDP_IN -p udp -j DROP

In other words, you only really need the connection tracking to /accept/
related connections. You don't want to deny related or established
connections, usually. And once you have accepted those two types, you can
just reject the rest, because they're necessarily new (or in rare cases,
"invalid").

I would be wary of this:

  -A ICMP_IN -p icmp -m conntrack --ctstate INVALID -j UNSOLICITED

since if the old rule works like I think it does (reject everything) the
new one might allow some things that the old one didn't.
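The migration the reply describes (state -> conntrack, plus finding the rules that load -m state without ever saying which state), as an added POSIX shell example that is not part of the thread. The ruleset in SAMPLE_RULES is constructed for the example (the chain names are taken from the thread), and the function names are my own; the script does not call iptables, it only rewrites and inspects rule text in iptables-save syntax.

```shell
#!/bin/sh
# Added example (not from the thread): rewrite rules that use the obsolete
# "state" match into the equivalent "conntrack" match, and flag rules that
# load "-m state" without a "--state" argument, which is exactly the
# "option --state must be specified" error iptables-restore reports.
# SAMPLE_RULES is a constructed ruleset in iptables-save syntax; the
# chain names (ICMP_IN, TCP_IN, UDP_IN, UNSOLICITED) come from the thread.

SAMPLE_RULES='-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A ICMP_IN -p icmp -m state -j UNSOLICITED
-A TCP_IN -p tcp -m state -m tcp -j UNSOLICITED
-A UDP_IN -p udp -p udp -m state --state NEW -j UNSOLICITED'

# Rewrite "-m state --state X" as "-m conntrack --ctstate X". The state
# names NEW, ESTABLISHED, RELATED and INVALID are understood by both
# matches, so a rule that already names its states converts mechanically.
migrate_state_rules() {
    printf '%s\n' "$1" |
        sed -e 's/-m state --state \([A-Za-z,]*\)/-m conntrack --ctstate \1/g'
}

# Print the rules that load the state match but never say which state to
# match. These cannot be converted automatically: as the reply explains,
# the author has to decide whether they meant "drop everything" (then the
# match is unnecessary) or "accept ESTABLISHED,RELATED first, drop the rest".
find_stateless_rules() {
    printf '%s\n' "$1" | grep -e '-m state' | grep -v -e '--state'
}

# Count rules still using the obsolete match. A count of 0 means the
# ruleset will no longer trigger the "state match is obsolete" warning.
# "|| true" keeps grep's exit status 1 (no matches) from aborting callers
# that run under "set -e".
count_legacy_matches() {
    printf '%s\n' "$1" | grep -c -e '-m state' || true
}

# Stand-alone usage: show the migrated ruleset, then the rules that still
# need a human decision.
migrate_state_rules "$SAMPLE_RULES"
echo "--- rules that load -m state but give no --state (need review):"
find_stateless_rules "$SAMPLE_RULES"
```

Run the migrated output through find_stateless_rules before loading it with iptables-restore: the two ICMP_IN/TCP_IN rules above still carry a bare -m state and, as the reply says, should become plain DROP rules (or an ESTABLISHED,RELATED accept followed by a drop) rather than an INVALID-only match.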