On 12/26/2012 07:47 PM, Walter Dnes wrote:
>   Many years ago, I understood IPCHAINS, and the first versions of
> IPTABLES.  However, IPTABLES has followed the example of Larry Wall's
> Practical Extraction and Reporting Language
> and turned into a pseudo-OS that I barely comprehend.  Some rules
> that I added many years ago were designed to reject unsolicited
> connection attempts (after whitelisting my small LAN)...
> 
> -A ICMP_IN -p icmp -m state -j UNSOLICITED
> -A TCP_IN -p tcp -m state -m tcp -j UNSOLICITED
> -A UDP_IN -p udp -m state -j UNSOLICITED
> 
>   Now these all give me the error message...
> 
> WARNING: The state match is obsolete. Use conntrack instead.
> iptables-restore v1.4.16.3: state: option "--state" must be specified
> 

The 'conntrack' module is supposed to be a superset of 'state', so most
things should be compatible. You really have two warnings there; the
first is for the state -> conntrack switch, and the second is because
you're missing the --state flag in your rules.

In your example, you turn on the state matching,

  iptables -A TCP_IN -p tcp -m state -m tcp -j UNSOLICITED

but you don't specify *which* state(s) you want to match. It wants you
to specify --state SOMETHING. I'd guess that it used to interpret "no
state" as "any state."

You said that you whitelisted your LAN prior to that rule, so you're
probably just rejecting every {ICMP, TCP, UDP} packet with those three
rules.

If so, the equivalent rules are just,

  iptables -A ICMP_IN -p icmp -j DROP
  iptables -A TCP_IN  -p tcp  -j DROP
  iptables -A UDP_IN  -p udp  -j DROP

In other words, you only really need the connection tracking to /accept/
related connections. You don't want to deny related or established
connections, usually. And once you have accepted those two types, you
can just reject the rest, because they're necessarily new (or in rare
cases, "invalid").

I would be wary of this:

  -A ICMP_IN -p icmp -m conntrack --ctstate INVALID -j UNSOLICITED

since if the old rule works like I think it does (reject everything) the
new one might allow some things that the old one didn't.
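As an added example, not code from either poster, here is a small Python lint that applies the migration discussed above to iptables-restore lines: it swaps the obsolete state match for conntrack and reports rules that load the module without naming a state, which is the error in the original message.

```python
"""Rewrite iptables-restore rules from the obsolete 'state' match to 'conntrack'.
Constructed example (not from the thread); plain-token rules only, no quoted args."""
VALID_STATES = {"NEW", "ESTABLISHED", "RELATED", "INVALID", "UNTRACKED"}

def migrate_rule(line):
    """Return (rewritten_rule, warnings) for one iptables-restore rule line."""
    tokens = line.split()
    out, warnings = [], []
    saw_module = saw_option = False
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        # '-m state' loads the obsolete module; conntrack is its superset.
        if tok == "-m" and i + 1 < len(tokens) and tokens[i + 1] == "state":
            saw_module = True
            warnings.append("state match is obsolete; rewritten to conntrack")
            out += ["-m", "conntrack"]
            i += 2
        # '--state A,B' becomes '--ctstate A,B'; the state names are the same.
        elif tok == "--state" and saw_module and i + 1 < len(tokens):
            unknown = [s for s in tokens[i + 1].split(",") if s not in VALID_STATES]
            if unknown:
                warnings.append("unknown state(s): " + ",".join(unknown))
            saw_option = True
            out += ["--ctstate", tokens[i + 1]]
            i += 2
        else:
            out.append(tok)
            i += 1
    # Loading the module without naming a state is what aborts the restore.
    if saw_module and not saw_option:
        warnings.append('state: option "--state" must be specified')
    return " ".join(out), warnings

# Constructed ruleset: the thread's three rules plus an accept rule of the
# kind the reply says is the only place connection tracking is really needed.
SAMPLE_RULES = [
    "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
    "-A ICMP_IN -p icmp -m state -j UNSOLICITED",
    "-A TCP_IN -p tcp -m state -m tcp -j UNSOLICITED",
    "-A UDP_IN -p udp -m state -j UNSOLICITED",
    "COMMIT",
]

if __name__ == "__main__":
    for rule in SAMPLE_RULES:
        new_rule, warns = migrate_rule(rule)
        print(new_rule)
        for w in warns:
            print("    # " + w)
```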
