package: uruk
tags: confirmed
Thanks for this very nice patch. Wish all donated patches fixed documentation too...
Will apply soonish.
Greetings from Cambridge,
Joost
--- Begin Message ---
The iptables 'state' module has been obsoleted and produces warnings in
current Debian sid. The modern form to express this is with the 'conntrack'
module. Change uruk's iptables commands to make use of the newer syntax.
As, according to the README, uruk already depended on the conntrack module
being present, this introduces no higher minimum iptables version. The
change has been tested against Debian Lenny, Squeeze, Wheezy and Sid.
---
uruk/README | 4 ----
uruk/man/uruk.azm | 6 +++---
uruk/script/uruk | 10 +++++-----
3 files changed, 8 insertions(+), 12 deletions(-)
diff --git a/uruk/README b/uruk/README
index 436561a..ce0bfd6 100644
--- a/uruk/README
+++ b/uruk/README
@@ -18,11 +18,7 @@ settings are
CONFIG_IP_NF_IPTABLES ip_tables.o (``IP tables support'')
CONFIG_IP_NF_TARGET_LOG ipt_LOG.o (``LOG target support'')
- CONFIG_IP_NF_MATCH_STATE ipt_state.o (``Connection state match support'')
CONFIG_IP_NF_TARGET_REJECT ipt_REJECT.o (``REJECT target support'')
-
-for CONFIG_IP_NF_MATCH_STATE, you need
-
CONFIG_IP_NF_CONNTRACK (``Connection tracking'')
. Furthermore, you need the iptables(8) command, as shipped with the iptables
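Review bot: with the ipt_state entry and the "for CONFIG_IP_NF_MATCH_STATE, you need" bridge removed, the README no longer names a kernel option for the match module that the new `-m conntrack` rules load (xt_conntrack, built by CONFIG_NETFILTER_XT_MATCH_CONNTRACK), and CONFIG_IP_NF_CONNTRACK now sits in the list without the sentence that explained why it is required. Suggest adding a line for CONFIG_NETFILTER_XT_MATCH_CONNTRACK (xt_conntrack.o) next to the other options, so a reader building a custom kernel still finds the dependency the script now relies on.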
diff --git a/uruk/man/uruk.azm b/uruk/man/uruk.azm
index 56afb96..3526868 100644
--- a/uruk/man/uruk.azm
+++ b/uruk/man/uruk.azm
@@ -185,7 +185,7 @@ course, take a look at \tt{\sbinpath/uruk} for the final
word on the workings.
files matching $rc_a/*.rc are sourced as shell scripts
\item ESTABLISHED and RELATED packets are ACCEPT-ed:
\verbatim{\
- $iptables -A INPUT -m state --state ESTABLISHED,RELATED \\
+ $iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED \\
-j ACCEPT}
\item $rc_b is sourced
\item $interfaces gets protected against spoofing: we don't allow anyone to
@@ -202,12 +202,12 @@ course, take a look at \tt{\sbinpath/uruk} for the final
word on the workings.
-j DROP}
And we always allow outgoing connections:
\verbatim{\
- $iptables -A OUTPUT -m state --state NEW -o $iface \\
+ $iptables -A OUTPUT -m conntrack --ctstate NEW -o $iface \\
-j ACCEPT}
\item $rc_c is sourced
\item Allow traffic to offered services, from trusted sources:
\verbatim{\
- $iptables -A INPUT -m state --state NEW \\
+ $iptables -A INPUT -m conntrack --ctstate NEW \\
-i $iface --protocol $proto --source "$source" \\
--destination "$ip" --destination-port "$port" \\
-j ACCEPT}
diff --git a/uruk/script/uruk b/uruk/script/uruk
index e811189..32d0043 100644
--- a/uruk/script/uruk
+++ b/uruk/script/uruk
@@ -130,8 +130,8 @@ then
uruk6_log
fi
-$iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-$ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+$iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+$ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# workaround bug(?) in linux kernel, see also
#
http://serverfault.com/questions/309691/why-is-our-firewall-ubuntu-8-04-rejecting-the-final-packet-fin-ack-psh-wit
@@ -235,7 +235,7 @@ do
done
# Always allow outgoing connections
- $iptables -A OUTPUT -m state --state NEW -o $iface -j ACCEPT
+ $iptables -A OUTPUT -m conntrack --ctstate NEW -o $iface -j ACCEPT
done
uruk_hook "$rc_c"
@@ -292,7 +292,7 @@ do
for source in $sources
do
# source is e.g. 10.56.0.10/32
- $iptables -A INPUT -m state --state NEW \
+ $iptables -A INPUT -m conntrack --ctstate
NEW \
-i $iface --protocol $proto \
--source "$source" --destination "$ip" \
--destination-port "$port" -j ACCEPT
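Review bot: as rendered here the added line is split between `--ctstate` and `NEW \`, leaving `--ctstate` without its argument on one line and `NEW \` starting the next; if the patch file really reads that way, rather than having been wrapped in transit, the rule will fail to load because the shell passes `--ctstate` with no value. Confirm the line is intact as `$iptables -A INPUT -m conntrack --ctstate NEW \` before applying.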
@@ -300,7 +300,7 @@ do
fi
for source6 in $sources6
do
- $ip6tables -A INPUT -m state --state NEW \
+ $ip6tables -A INPUT -m conntrack --ctstate NEW
\
-i $iface --protocol $proto \
--source "$source6" --destination "$ip6" \
--destination-port "$port" -j ACCEPT
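Review bot: same concern as the IPv4 rule above, in a different shape: here `--ctstate NEW` ends the line and the continuation `\` sits alone on the following line, so if that is how the file reads, the `$ip6tables` command terminates after `NEW` and `-i $iface --protocol $proto ...` would run as a separate command. Verify the added line is `$ip6tables -A INPUT -m conntrack --ctstate NEW \` with the backslash on the same line when applying.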
--
1.7.10.4
--- End Message ---