Gentoo Forums
iptables error: The state match is obsolete. Use conntrack i
Hu
Moderator

Joined: 06 Mar 2007
Posts: 21481

Posted: Tue Dec 11, 2012 2:48 am

If you connect to an untrusted network, I recommend running a packet filter. You may not need one, but security is about defense in depth. If the attacker cannot contact your system, then there is no possibility that a bug or mistaken configuration in some server could allow the attacker to advance, because he will never talk to it.
libertytrek
Apprentice

Joined: 18 Jul 2007
Posts: 258

Posted: Sat Dec 15, 2012 2:46 pm

Hu wrote:
Unless you have changed your /etc/conf.d/iptables file, that is the wrong filename to edit. The default here is /var/lib/iptables/rules-save.

Ok, I encountered this, and am having a weird problem...

/etc/conf.d/iptables definitely is configured to save rules-save to /var/lib/iptables, and the date/time of the file changed when I ran iptables-save after making changes to the running config, but it still contained references to --state (content didn't appear to update).

So, I mv'd the old file and reran iptables-save - no file was created. Touched rules-save, reran iptables-save, file was not updated.

The problem I'm having right now is when I try to restart iptables, it gives me:

Well, now I'm really confused... apparently after mving the old file, it now restarts without an error *and* contains the correct modifications...

So, how can I find out where iptables is *really* storing rules-save?

Oh - this is on a Linode hosted VM slice...
Hu
Moderator

Joined: 06 Mar 2007
Posts: 21481

Posted: Sat Dec 15, 2012 5:45 pm

Do you mean the command iptables, the command iptables-save, or the Gentoo initscript iptables? The first produces output unsuitable for use here. The second writes to stdout, so is not saved unless its caller redirects stdout. The third writes to the location specified in /etc/conf.d/iptables.
libertytrek
Apprentice

Joined: 18 Jul 2007
Posts: 258

Posted: Sat Dec 15, 2012 9:30 pm

Hu wrote:
Do you mean the command iptables, the command iptables-save, or the Gentoo initscript iptables? The first produces output unsuitable for use here. The second writes to stdout, so is not saved unless its caller redirects stdout. The third writes to the location specified in /etc/conf.d/iptables.

Ok, I was talking about the command iptables-save. I thought that would save the rules to the rules-current file specified in /etc/conf.d/iptables.

I'm confused as to what good sending output of iptables-save to stdout accomplishes? If it is just doing that then it isn't 'saving' it at all, it is just outputting it to the screen (unless of course it is redirected).

Anyway, you're right, restarting iptables again using the Gentoo init script updated the file as it should.

Thanks!
Hu
Moderator

Joined: 06 Mar 2007
Posts: 21481

Posted: Sat Dec 15, 2012 9:59 pm

It saves an atomic snapshot of the rules to stdout, which you can then post-process in any way you want, whether that is adding/deleting/modifying rules, compressing the rule list, writing it to a file, or streaming it over a network connection.
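One way to use that stdout snapshot, as an added example that is not from the thread or from Gentoo's initscript: a small POSIX sh pipeline that rewrites the obsolete "-m state --state" match (the error in the thread title) to "-m conntrack --ctstate" and then writes the result atomically to rules-save, so the initscript never reads a half-written file. The rules-save path is the default quoted in the thread, and the sample rule set is constructed, not a real capture.

```shell
#!/bin/sh
# Added example (not from the forum thread or Gentoo's initscript):
# post-process an iptables-save snapshot the way Hu describes, then
# store it atomically where the Gentoo initscript reads it.

# Default from the thread; override with RULES_SAVE=... if yours differs.
RULES_SAVE="${RULES_SAVE:-/var/lib/iptables/rules-save}"

# Constructed sample of what `iptables-save` prints on stdout.
SAMPLE_RULES='# Generated by iptables-save (constructed sample)
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
COMMIT'

# Rewrite the obsolete state match on stdin to the conntrack
# equivalent on stdout; every other line passes through untouched.
convert_state_match() {
    sed -e 's/-m state --state /-m conntrack --ctstate /g'
}

# Print the number of stdin lines still using the obsolete match
# (0 means the rule set is clean); never fails, so it is safe under set -e.
count_obsolete_state() {
    grep -c -- '-m state --state' || true
}

# Write stdin to $1 atomically: a temp file in the same directory is
# renamed over the target, so a reader sees either the old or the new
# complete rule set. Rules are root-only (0600) like the original file.
atomic_save() {
    target="$1"
    tmp="$(mktemp "$(dirname "$target")/.rules-save.XXXXXX")" || return 1
    cat > "$tmp" && chmod 600 "$tmp" && mv "$tmp" "$target"
}

# Typical use on a live host (needs root), then check the result:
#   iptables-save | convert_state_match | atomic_save "$RULES_SAVE"
#   count_obsolete_state < "$RULES_SAVE"
```

After the rewrite, "/etc/init.d/iptables reload" (or restart) loads the converted file and the "state match is obsolete" message no longer appears.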