On 12/27/2012 06:11 PM, Walter Dnes wrote:
> On Thu, Dec 27, 2012 at 11:28:15AM +0000, Graham Murray wrote
> 
>> The problem is not really the OP's fault. The problem is that if you
>> have tables with the form "-m state --state XXX" at the point you
>> upgrade, iptables-save (quite possibly called automatically by
>> /etc/init.d/iptables stop) will save it as "-m state --state" - ie
>> 'forgetting' which state(s) the rule applies to.
> 
>   Thanks for pointing that out.  I looked back at an archived version,
> and it had stuff like...
> 
> -A ICMP_IN -p icmp -m state --state NEW -j UNSOLICITED
> -A TCP_IN -p tcp -m state --state NEW -m tcp -j UNSOLICITED
> -A UDP_IN -p udp -m state --state NEW -j UNSOLICITED
> 
>   I.e. new external connection attempts were rejected, except for my
> lan which bypasses this rule so I can scp/ssh etc between my machines.
> No wonder I was puzzled by what I saw.
> 

Ah, yes, the original problem.

Once you've upgraded, you should be able to add all of your old --state
rules normally, albeit with a warning. The new iptables will translate
them to conntrack rules, and you can `/etc/init.d/iptables save` the result.

The upgrade just fails in a horrible way.
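To make the recovery step above concrete, here is an added example (not part of this thread, and not a Gentoo or netfilter tool) that runs over a constructed iptables-save dump: it flags rules whose "-m state --state" lost its state list during the upgrade, and rewrites the intact "-m state --state X" rules into the "-m conntrack --ctstate X" form the newer iptables produces. A broken rule is deliberately left untouched so it shows up in the diff rather than being silently accepted. The sample dump and the chain names in it are constructed; on a real host you would feed it the output of iptables-save instead.

```shell
#!/bin/sh
# Constructed sample of an iptables-save dump after a broken upgrade:
# the first three rules kept their state list, the last one lost it.
SAMPLE_DUMP='*filter
:INPUT DROP [0:0]
:UNSOLICITED - [0:0]
-A ICMP_IN -p icmp -m state --state NEW -j UNSOLICITED
-A TCP_IN -p tcp -m state --state NEW -m tcp -j UNSOLICITED
-A UDP_IN -p udp -m state --state NEW -j UNSOLICITED
-A INPUT -m state --state -j ACCEPT
COMMIT'

# Print every rule whose "--state" is followed by another option or by
# end of line instead of a state list, i.e. the rules the save mangled.
find_broken_state_rules() {
    printf '%s\n' "$1" | grep -E -e '-m state --state( +-|$)' || true
}

# Rewrite intact "-m state --state X" into "-m conntrack --ctstate X".
# Broken rules have no state list, so the pattern does not match them
# and they pass through unchanged for a human to repair.
state_to_conntrack() {
    printf '%s\n' "$1" \
        | sed -E 's/-m state --state ([A-Z,]+)/-m conntrack --ctstate \1/g'
}

# Return 0 if the dump contains no mangled rules, 1 otherwise.
dump_is_clean() {
    [ -z "$(find_broken_state_rules "$1")" ]
}

# Stand-alone run: report mangled rules, then show the translated dump.
echo "Rules that lost their state list:"
find_broken_state_rules "$SAMPLE_DUMP"
echo
echo "Translated dump:"
state_to_conntrack "$SAMPLE_DUMP"
```

Run it against a real dump with `find_broken_state_rules "$(iptables-save)"` before trusting a saved rule set; an empty result from that check is what you want to see before `/etc/init.d/iptables save`.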
