package: uruk
tags: confirmed

Thanks for this very nice patch. Wish all donated patches fixed documentation too...
Will apply soonish.

Greetings from Cambridge, Joost
--- Begin Message ---The iptables 'state' module has been obsoleted and produces warnings in current Debian sid. The modern form to express this is with the 'conntrack' module. Change uruk's iptables commands to make use of the newer syntax. As according to the README uruk already depended on the conntrack module being present, this introduces no higher minimum iptables version. The change has been tested against Debian Lenny, Squeeze, Wheezy and Sid. --- uruk/README | 4 ---- uruk/man/uruk.azm | 6 +++--- uruk/script/uruk | 10 +++++----- 3 files changed, 8 insertions(+), 12 deletions(-) diff --git a/uruk/README b/uruk/README index 436561a..ce0bfd6 100644 --- a/uruk/README +++ b/uruk/README @@ -18,11 +18,7 @@ settings are CONFIG_IP_NF_IPTABLES ip_tables.o (``IP tables support'') CONFIG_IP_NF_TARGET_LOG ipt_LOG.o (``LOG target support'') - CONFIG_IP_NF_MATCH_STATE ipt_state.o (``Connection state match support'') CONFIG_IP_NF_TARGET_REJECT ipt_REJECT.o (``REJECT target support'') - -for CONFIG_IP_NF_MATCH_STATE, you need - CONFIG_IP_NF_CONNTRACK (``Connection tracking'') . Furthermore, you need the iptables(8) command, as shipped with the iptables diff --git a/uruk/man/uruk.azm b/uruk/man/uruk.azm index 56afb96..3526868 100644 --- a/uruk/man/uruk.azm +++ b/uruk/man/uruk.azm @@ -185,7 +185,7 @@ course, take a look at \tt{\sbinpath/uruk} for the final word on the workings. files matching $rc_a/*.rc are sourced as shell scripts \item ESTABLISHED and RELATED packets are ACCEPT-ed: \verbatim{\ - $iptables -A INPUT -m state --state ESTABLISHED,RELATED \\ + $iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED \\ -j ACCEPT} \item $rc_b is sourced \item $interfaces gets protected against spoofing: we don't allow anyone to 
@@ -202,12 +202,12 @@ course, take a look at \tt{\sbinpath/uruk} for the final word on the workings. -j DROP} And we always allow outgoing connections: \verbatim{\ - $iptables -A OUTPUT -m state --state NEW -o $iface \\ + $iptables -A OUTPUT -m conntrack --ctstate NEW -o $iface \\ -j ACCEPT} \item $rc_c is sourced \item Allow traffic to offered services, from trusted sources: \verbatim{\ - $iptables -A INPUT -m state --state NEW \\ + $iptables -A INPUT -m conntrack --ctstate NEW \\ -i $iface --protocol $proto --source "$source" \\ --destination "$ip" --destination-port "$port" \\ -j ACCEPT} diff --git a/uruk/script/uruk b/uruk/script/uruk index e811189..32d0043 100644 --- a/uruk/script/uruk +++ b/uruk/script/uruk @@ -130,8 +130,8 @@ then uruk6_log fi -$iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT -$ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT +$iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT +$ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT # workaround bug(?) in linux kernel, see also # http://serverfault.com/questions/309691/why-is-our-firewall-ubuntu-8-04-rejecting-the-final-packet-fin-ack-psh-wit @@ -235,7 +235,7 @@ do done # Always allow outgoing connections - $iptables -A OUTPUT -m state --state NEW -o $iface -j ACCEPT + $iptables -A OUTPUT -m conntrack --ctstate NEW -o $iface -j ACCEPT done uruk_hook "$rc_c" @@ -292,7 +292,7 @@ do for source in $sources do # source is e.g. 10.56.0.10/32 - $iptables -A INPUT -m state --state NEW \ + $iptables -A INPUT -m conntrack --ctstate NEW \ -i $iface --protocol $proto \ --source "$source" --destination "$ip" \ --destination-port "$port" -j ACCEPT @@ -300,7 +300,7 @@ do fi for source6 in $sources6 do - $ip6tables -A INPUT -m state --state NEW \ + $ip6tables -A INPUT -m conntrack --ctstate NEW \ -i $iface --protocol $proto \ --source "$source6" --destination "$ip6" \ --destination-port "$port" -j ACCEPT -- 1.7.10.4
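Review bot: The README hunk (@@ -18,11 +18,7 @@) deletes the documented connection-tracking requirement instead of updating it: it removes both the CONFIG_IP_NF_MATCH_STATE line and the "for CONFIG_IP_NF_MATCH_STATE, you need CONFIG_IP_NF_CONNTRACK" note, yet every rule in the script hunks now uses `-m conntrack --ctstate`, which still depends on connection tracking being available in the kernel plus the conntrack match module. Suggest replacing the removed lines with an entry for the conntrack match (the counterpart of the old ipt_state.o entry) and keeping the CONFIG_IP_NF_CONNTRACK note, so the kernel-requirements list stays accurate. Note also that the commit message justifies "no higher minimum iptables version" by saying the README already required the conntrack module, but the README lines being removed only name kernel connection tracking, not the iptables-side conntrack match, so that justification should be checked against the iptables versions actually shipped in the releases listed as tested.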
--- End Message ---

