Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
iptables error: The state match is obsolete. Use conntrack i
View unanswered posts
View posts from last 24 hours

Goto page 1, 2  Next  
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
Skippy204
Guru
Guru


Joined: 09 May 2008
Posts: 337
Location: Colorado, USA

PostPosted: Sun Oct 21, 2012 10:56 pm    Post subject: iptables error: The state match is obsolete. Use conntrack i Reply with quote

After upgrading to iptables 1.4.16.2 I started getting this error.

Code:

 root # rc-config start iptables
Starting init script
 * Loading iptables state and starting firewall ...
WARNING: The state match is obsolete. Use conntrack instead.
iptables-restore v1.4.16.2: state: option "--state" must be specified

Error occurred at line: 24
Try `iptables-restore -h' or 'iptables-restore --help' for more informati [ !! ]
 * ERROR: iptables failed to start


I've done some googleing and all I've come up with is this - which seems to indicate this is a bug. But I hardly know enough about iptables to know if it's bug or my mistake.

https://bugs.launchpad.net/ufw/+bug/1065297

Can anyone help me out? Thanks.
Skippy
Back to top
View user's profile Send private message
PaulBredbury
Watchman
Watchman


Joined: 14 Jul 2005
Posts: 7310

PostPosted: Sun Oct 21, 2012 11:09 pm    Post subject: Reply with quote

Instead of e.g.:
Code:
-m state --state RELATED

Use:
Code:
-m conntrack --ctstate RELATED
Back to top
View user's profile Send private message
Skippy204
Guru
Guru


Joined: 09 May 2008
Posts: 337
Location: Colorado, USA

PostPosted: Sat Oct 27, 2012 5:34 pm    Post subject: Reply with quote

Thanks - I'm still having trouble applying this. Please tell me what I'm doing wrong, 'cause I'm flying mostly blind here. :)

In /var/lib/iptables/rules.working I'm changing

Code:

-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT


to

Code:
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT


and then

Code:

 root # rc-config start iptables
Starting init script
 * Caching service dependencies ...                                                                                        [ ok ]
 * Loading iptables state and starting firewall ...
WARNING: The state match is obsolete. Use conntrack instead.
iptables-restore v1.4.16.3: state: option "--state" must be specified

Error occurred at line: 24
Try `iptables-restore -h' or 'iptables-restore --help' for more information.                                               [ !! ]
 * ERROR: iptables failed to start


I'm still wrong about something . . .
Back to top
View user's profile Send private message
Hu
Moderator
Moderator


Joined: 06 Mar 2007
Posts: 21431

PostPosted: Sat Oct 27, 2012 5:39 pm    Post subject: Reply with quote

Unless you have changed your /etc/conf.d/iptables file, that is the wrong filename to edit. The default here is /var/lib/iptables/rules-save.

Did you change all uses of state? Does your kernel have conntrack built? Please post the entire modified rules file.
Back to top
View user's profile Send private message
Skippy204
Guru
Guru


Joined: 09 May 2008
Posts: 337
Location: Colorado, USA

PostPosted: Sat Oct 27, 2012 5:50 pm    Post subject: Reply with quote

Hi, thanks for responding.

Code:

 root # cat /var/lib/iptables/rules-save
# Generated by iptables-save v1.4.16.2 on Thu Oct 11 17:39:04 2012
*nat
:PREROUTING ACCEPT [115774:17577973]
:INPUT ACCEPT [1:28]
:OUTPUT ACCEPT [1429994:98812650]
:POSTROUTING ACCEPT [1429994:98812650]
COMMIT
# Completed on Thu Oct 11 17:39:04 2012
# Generated by iptables-save v1.4.16.2 on Thu Oct 11 17:39:04 2012
*mangle
:PREROUTING ACCEPT [228134025:307554773508]
:INPUT ACCEPT [228133750:307554742848]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [135710476:20656815767]
:POSTROUTING ACCEPT [135931198:20687428864]
COMMIT
# Completed on Thu Oct 11 17:39:04 2012
# Generated by iptables-save v1.4.16.2 on Thu Oct 11 17:39:04 2012
*filter
:INPUT DROP [347589:48808777]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [135631043:20649408445]
[193304:10478848] -A INPUT -i lo -j ACCEPT
[227495532:307389083399] -A INPUT -m state -j ACCEPT
COMMIT
# Completed on Thu Oct 11 17:39:04 2012


Code:

 root # cat /var/lib/iptables/rules.working
# Generated by iptables-save v1.4.12.1 on Fri Oct 28 14:03:14 2011
*nat
:PREROUTING ACCEPT [2:604]
:INPUT ACCEPT [1:28]
:OUTPUT ACCEPT [4507:294969]
:POSTROUTING ACCEPT [4507:294969]
COMMIT
# Completed on Fri Oct 28 14:03:14 2011
# Generated by iptables-save v1.4.12.1 on Fri Oct 28 14:03:14 2011
*mangle
:PREROUTING ACCEPT [102988:113880041]
:INPUT ACCEPT [102987:113879465]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [80124:7497553]
:POSTROUTING ACCEPT [80524:7553153]
COMMIT
# Completed on Fri Oct 28 14:03:14 2011
# Generated by iptables-save v1.4.12.1 on Fri Oct 28 14:03:14 2011
*filter
:INPUT DROP [3:747]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [691:90231]
[0:0] -A INPUT -i lo -j ACCEPT
[5659:7506894] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Fri Oct 28 14:03:14 2011


I have not modified /etc/conf.d/iptables.

Regarding the kernel, if NETFILTER_XT_MATCH_CONNTRACK is the correct module to build, then yes.
Back to top
View user's profile Send private message
Hu
Moderator
Moderator


Joined: 06 Mar 2007
Posts: 21431

PostPosted: Sat Oct 27, 2012 8:41 pm    Post subject: Reply with quote

According to your output, you modified a file that is not used at all. You must modify the file which will be read by the init script. This file defaults to rules-save, which you have not modified.
Back to top
View user's profile Send private message
toralf
Developer
Developer


Joined: 01 Feb 2004
Posts: 3919
Location: Hamburg

PostPosted: Sat Oct 27, 2012 8:51 pm    Post subject: Reply with quote

PaulBredbury wrote:
Instead of e.g.:
Code:
-m state --state RELATED

Use:
Code:
-m conntrack --ctstate RELATED
Hhm, do I have to adapt that change to all of these lines
Code:
tfoerste@n22 ~ $ sudo grep state /etc/kmyfirewall/kmyfirewall.sh
        $MOD ipt_state
        $IPT -t filter -A INPUT -p tcp --destination-port 22 --match state --state NEW         --match recent --name FAILED_SSH_LOGIN --set
        $IPT -t filter -A INPUT -p tcp --destination-port 22 --match state --state ESTABLISHED --match recent --name FAILED_SSH_LOGIN --update --seconds 60 --hitcount 2 -j REJECT --reject-with tcp-reset
        $IPT -t filter -A INPUT --match state --state RELATED,ESTABLISHED -j ACCEPT
        $IPT -t filter -A INPUT --match state --state NEW --match recent --name MAX_CONN_PER_IP --set
        $IPT -t filter -A INPUT --match state --state NEW --match recent --name MAX_CONN_PER_IP --update --seconds 60 --hitcount 11 -j DROP
        $IPT -t filter -A OUTPUT --match state --state RELATED,ESTABLISHED -j ACCEPT
if >=iptables-1.4.16.x becomes stable ?
Back to top
View user's profile Send private message
Skippy204
Guru
Guru


Joined: 09 May 2008
Posts: 337
Location: Colorado, USA

PostPosted: Sat Oct 27, 2012 9:08 pm    Post subject: Reply with quote

Well that works. However it works by totally cutting off all my internet connection.

Definitely secure. :) No so useful.

Code:
 root # cat rules-save
# Generated by iptables-save v1.4.16.3 on Sat Oct 27 15:05:40 2012
*nat
:PREROUTING ACCEPT [115774:17577973]
:INPUT ACCEPT [1:28]
:OUTPUT ACCEPT [1430136:98822605]
:POSTROUTING ACCEPT [1430136:98822605]
COMMIT
# Completed on Sat Oct 27 15:05:40 2012
# Generated by iptables-save v1.4.16.3 on Sat Oct 27 15:05:40 2012
*mangle
:PREROUTING ACCEPT [228134830:307554866638]
:INPUT ACCEPT [228134555:307554835978]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [135710876:20656863052]
:POSTROUTING ACCEPT [135931612:20687478095]
COMMIT
# Completed on Sat Oct 27 15:05:40 2012
# Generated by iptables-save v1.4.16.3 on Sat Oct 27 15:05:40 2012
*filter
:INPUT DROP [348394:48901907]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [135631443:20649455730]
[193304:10478848] -A INPUT -i lo -j ACCEPT
[227495532:307389083399] -A INPUT -m conntrack --ctstate RELATED -j ACCEPT
COMMIT
Back to top
View user's profile Send private message
Ant P.
Watchman
Watchman


Joined: 18 Apr 2009
Posts: 6920

PostPosted: Sat Oct 27, 2012 9:36 pm    Post subject: Reply with quote

Well since you changed it to not allow traffic from established connections, I'm not sure what else you expected to happen...
Back to top
View user's profile Send private message
PaulBredbury
Watchman
Watchman


Joined: 14 Jul 2005
Posts: 7310

PostPosted: Sun Oct 28, 2012 1:03 am    Post subject: Reply with quote

Skippy204 wrote:
-A INPUT -m conntrack --ctstate RELATED -j ACCEPT

Your previous rule was:
Code:
-A INPUT -m state -j ACCEPT

Since it's not actually checking a state, that "-m state" was useless. And the change you've made is totally wrong.

Change it to:
Code:
-A INPUT -j ACCEPT
Back to top
View user's profile Send private message
Hu
Moderator
Moderator


Joined: 06 Mar 2007
Posts: 21431

PostPosted: Sun Oct 28, 2012 4:39 pm    Post subject: Reply with quote

toralf wrote:
Code:
tfoerste@n22 ~ $ sudo grep state /etc/kmyfirewall/kmyfirewall.sh
        $MOD ipt_state
        $IPT -t filter -A INPUT -p tcp --destination-port 22 --match state --state NEW         --match recent --name FAILED_SSH_LOGIN --set
        $IPT -t filter -A INPUT -p tcp --destination-port 22 --match state --state ESTABLISHED --match recent --name FAILED_SSH_LOGIN --update --seconds 60 --hitcount 2 -j REJECT --reject-with tcp-reset
        $IPT -t filter -A INPUT --match state --state RELATED,ESTABLISHED -j ACCEPT
        $IPT -t filter -A INPUT --match state --state NEW --match recent --name MAX_CONN_PER_IP --set
        $IPT -t filter -A INPUT --match state --state NEW --match recent --name MAX_CONN_PER_IP --update --seconds 60 --hitcount 11 -j DROP
        $IPT -t filter -A OUTPUT --match state --state RELATED,ESTABLISHED -j ACCEPT
if >=iptables-1.4.16.x becomes stable ?
Yes, but if that script is generated by some other tool, updating the tool should handle that for you.

OP: PaulBredbury is correct. He also brings up an interesting problem. You have been using a completely open (non-filtering) configuration for some time, since your rules-save specified an open configuration. The rules.working file, which was not used and therefore not working, specified a filtering configuration. The change he suggests is correct to maintain your current behavior of accepting all traffic.
Back to top
View user's profile Send private message
toralf
Developer
Developer


Joined: 01 Feb 2004
Posts: 3919
Location: Hamburg

PostPosted: Sun Oct 28, 2012 4:43 pm    Post subject: Reply with quote

Hu wrote:
Yes, but if that script is generated by some other tool, updating the tool should handle that for you.
Sure - but I used KMyFirewall eons before just for the initial generation and after that I'm using vim to update it :-)
Back to top
View user's profile Send private message
Skippy204
Guru
Guru


Joined: 09 May 2008
Posts: 337
Location: Colorado, USA

PostPosted: Sat Nov 10, 2012 5:12 pm    Post subject: Reply with quote

Howdy, the post from PaulBredbury solved it. Iptablels now starts up.

Regarding the fact that I have no actual filtering rules - thank you for pointing that out. My iptalbes knowledge seriously lacks. Can anyone suggest a good GUI that will help me configure this or a manual that is written for idiots?

Thanks very much for the help.
Back to top
View user's profile Send private message
PaulBredbury
Watchman
Watchman


Joined: 14 Jul 2005
Posts: 7310

PostPosted: Sat Nov 10, 2012 7:45 pm    Post subject: Reply with quote

The Arch wiki seems like a good intro.
Back to top
View user's profile Send private message
Element Dave
Tux's lil' helper
Tux's lil' helper


Joined: 10 Nov 2006
Posts: 82

PostPosted: Sat Nov 10, 2012 8:05 pm    Post subject: Reply with quote

Skippy204 wrote:
Howdy, the post from PaulBredbury solved it. Iptablels now starts up.

Regarding the fact that I have no actual filtering rules - thank you for pointing that out. My iptalbes knowledge seriously lacks. Can anyone suggest a good GUI that will help me configure this or a manual that is written for idiots?

Thanks very much for the help.


The Arch Linux wiki has a page that you might find helpful. From what it looks like you're trying to accomplish, you can probably skip everything after section 2.4 ("The INPUT Chain").

https://wiki.archlinux.org/index.php/Simple_Stateful_Firewall
Back to top
View user's profile Send private message
khayyam
Watchman
Watchman


Joined: 07 Jun 2012
Posts: 6227
Location: Room 101

PostPosted: Sat Nov 10, 2012 9:01 pm    Post subject: Reply with quote

Skippy204 wrote:
Can anyone suggest a good GUI that will help me configure this or a manual that is written for idiots?

Skippy204 ... there is a direct corrolation between tools that shield the user from understanding the internals of a given system, and users not understanding the internals of a given system. Skill and familiarity are aquired by "use", and there is no shortcut that doesn't infact circumvent "use", and so the development of skill.

By far the best tutorial on iptables is Oskar Andreasson's. It doesn't make the assumption of prior knowledege (and so is accessable) but is detailed and broad in scope. That said, the subject is not one that can be grasped in a new-york minute, but as the saying goes, its better to be at the bottom of a ladder you want to climb than half way up one you don't.

best ... khay
Back to top
View user's profile Send private message
Skippy204
Guru
Guru


Joined: 09 May 2008
Posts: 337
Location: Colorado, USA

PostPosted: Thu Nov 15, 2012 3:38 pm    Post subject: Reply with quote

Thank you all for your suggestions.

I will check them out.
Back to top
View user's profile Send private message
toralf
Developer
Developer


Joined: 01 Feb 2004
Posts: 3919
Location: Hamburg

PostPosted: Thu Nov 22, 2012 6:15 pm    Post subject: Reply with quote

Hhm, the proposed change doesn't work here :
Code:
n22 /etc/kmyfirewall # diff kmyfirewall.sh kmyfirewall.sh_old
42,43c42,43                                                                                                                                                           
<       $IPT -t filter -A INPUT -p tcp --destination-port 22 --match conntrack --ctstate NEW         --match recent --name FAILED_SSH_LOGIN --set                     
<       $IPT -t filter -A INPUT -p tcp --destination-port 22 --match conntrack --ctstate ESTABLISHED --match recent --name FAILED_SSH_LOGIN --update --seconds 60 --hitcount 2 -j REJECT --reject-with tcp-reset                                                                                                                           
---                                                                                                                                                                   
>       $IPT -t filter -A INPUT -p tcp --destination-port 22 --match state --state NEW         --match recent --name FAILED_SSH_LOGIN --set                           
>       $IPT -t filter -A INPUT -p tcp --destination-port 22 --match state --state ESTABLISHED --match recent --name FAILED_SSH_LOGIN --update --seconds 60 --hitcount 2 -j REJECT --reject-with tcp-reset                                                                                                                                 
47c47                                                                                                                                                                 
<       $IPT -t filter -A INPUT --match conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT                                                                             
---                                                                                                                                                                   
>       $IPT -t filter -A INPUT --match state --state RELATED,ESTABLISHED -j ACCEPT                                                                                   
51,52c51,52                                                                                                                                                           
<       $IPT -t filter -A INPUT --match conntrack --ctstate NEW --match recent --name MAX_CONN_PER_IP --set                                                           
<       $IPT -t filter -A INPUT --match conntrack --ctstate NEW --match recent --name MAX_CONN_PER_IP --update --seconds 60 --hitcount 11 -j DROP                     
---                                                                                                                                                                   
>       $IPT -t filter -A INPUT --match state --state NEW --match recent --name MAX_CONN_PER_IP --set                                                                 
>       $IPT -t filter -A INPUT --match state --state NEW --match recent --name MAX_CONN_PER_IP --update --seconds 60 --hitcount 11 -j DROP                           
138c138
<       $IPT -t filter -A OUTPUT --match conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
---
>       $IPT -t filter -A OUTPUT --match state --state RELATED,ESTABLISHED -j ACCEPT
The old works :
Code:

n22 /etc/kmyfirewall # ./kmyfirewall.sh_old restart
but the new not
Code:

n22 /etc/kmyfirewall # ./kmyfirewall.sh restart
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
Back to top
View user's profile Send private message
Hu
Moderator
Moderator


Joined: 06 Mar 2007
Posts: 21431

PostPosted: Fri Nov 23, 2012 12:13 am    Post subject: Reply with quote

Do you have the appropriate Netfilter features configured in your kernel? It is possible to build a kernel with state and without conntrack.
Back to top
View user's profile Send private message
toralf
Developer
Developer


Joined: 01 Feb 2004
Posts: 3919
Location: Hamburg

PostPosted: Fri Nov 23, 2012 8:47 am    Post subject: Reply with quote

Hu wrote:
Do you have the appropriate Netfilter features configured in your kernel? It is possible to build a kernel with state and without conntrack.
ah maybe, here I do have a /proc/config.gz : http://bpaste.net/show/59865/ /me now wonders which have to be added too .
Back to top
View user's profile Send private message
aCOSwt
Bodhisattva
Bodhisattva


Joined: 19 Oct 2007
Posts: 2537
Location: Hilbert space

PostPosted: Fri Nov 23, 2012 9:18 am    Post subject: Reply with quote

@toralf : What about this one :
toralf's config wrote:
# CONFIG_NETFILTER_XT_MATCH_CONNTRACK is not set

I'd definitely set it.
_________________
Back to top
View user's profile Send private message
toralf
Developer
Developer


Joined: 01 Feb 2004
Posts: 3919
Location: Hamburg

PostPosted: Fri Nov 23, 2012 9:49 am    Post subject: Reply with quote

aCOSwt wrote:
@toralf : What about this one :
toralf's config wrote:
# CONFIG_NETFILTER_XT_MATCH_CONNTRACK is not set

I'd definitely set it.
ofc - thx
So CONFIG_NETFILTER_XT_MATCH_STATE is gone in favor of CONFIG_NETFILTER_XT_MATCH_CONNTRACK.
Back to top
View user's profile Send private message
Yminus
Apprentice
Apprentice


Joined: 06 Jan 2008
Posts: 184

PostPosted: Mon Dec 10, 2012 10:23 am    Post subject: Reply with quote

I have never touched any iptables configuration assuming it comes with reasonable defaults. And iptables has been installed as dependency of those:

Code:
 * These packages depend on iptables:
app-emulation/libvirt-0.10.2-r3 (virt-network ? >=net-firewall/iptables-1.4.10)
net-misc/connman-1.0-r1 (>=net-firewall/iptables-1.4.8)
sys-apps/iproute2-3.3.0 (iptables ? >=net-firewall/iptables-1.4.5)


But now I learn that an upgrade broke this configuration. Shouldn't the upgrade ensure that the configuration is sane if I never touched it myself?
Back to top
View user's profile Send private message
aCOSwt
Bodhisattva
Bodhisattva


Joined: 19 Oct 2007
Posts: 2537
Location: Hilbert space

PostPosted: Mon Dec 10, 2012 10:57 am    Post subject: Reply with quote

Yminus wrote:
I have never touched any iptables configuration assuming it comes with reasonable defaults... And iptables has been installed as dependency

So this means that you did not write any rules / did not add the program to rc... correct ?
So iptables are neither configured nor running on your system.
For running as a firewall for example I mean.

So the upgrade did not actually break anything in your system.

BTW, just fearing something. I might completely misunderstand what you mean but... do you mean you believed your system protected because supposed to be running some automagic-default-safe firewall ? 8O
_________________
Back to top
View user's profile Send private message
Yminus
Apprentice
Apprentice


Joined: 06 Jan 2008
Posts: 184

PostPosted: Mon Dec 10, 2012 11:40 am    Post subject: Reply with quote

aCOSwt wrote:
So this means that you did not write any rules / did not add the program to rc... correct ?

I did not write any rules. I think that libvirt is shipped with some rules needed for virtual networking. iptables is in runlevel default, but I can't remember adding it (I use this system for more than 4 years now)

aCOSwt wrote:
So iptables are neither configured nor running on your system.
Well,
For running as a firewall for example I mean.

I never set it up to be running as a firewall. I think libvirt needs it for bridging.

aCOSwt wrote:
So the upgrade did not actually break anything in your system.

iptbales fails to start. Maybe I just remove it from all runlevels and see if this breaks something.

aCOSwt wrote:
BTW, just fearing something. I might completely misunderstand what you mean but... do you mean you believed your system protected because supposed to be running some automagic-default-safe firewall ? 8O

I always thought a Linux system does not need a firewall if there are no services listening for external connections? My apache only accepts connections from localhost (I need it for personal dokuwiki), my sshd is only accepting certain ssh-keys and no passwords,... . Do I need a firewall on a Linux laptop?
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Goto page 1, 2  Next
Page 1 of 2

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum