Gentoo Forums
ip_tables wants CT target instead of nf_conntrack
toralf
Developer

Joined: 01 Feb 2004
Posts: 3720
Location: Hamburg

PostPosted: Tue May 14, 2013 5:12 pm    Post subject: ip_tables wants CT target instead of nf_conntrack Reply with quote

kernel 3.10-rc1 gives
Code:
kernel: nf_conntrack: automatic helper assignment is deprecated and it will be removed soon. Use the iptables CT target to attach helpers instead.
which lets me wonder what's wrong with these lines
Code:
        #       block brute force attacks against ssh accounts
        #
        $IPT -t filter -A INPUT -p tcp --destination-port 22 --match conntrack --ctstate NEW         --match recent --name FAILED_SSH_LOGIN --set
        $IPT -t filter -A INPUT -p tcp --destination-port 22 --match conntrack --ctstate ESTABLISHED --match recent --name FAILED_SSH_LOGIN --update --seconds 60 --hitcount 2 -j REJECT --reject-with tcp-reset

        #       trust already established sessions
        #
        $IPT -t filter -A INPUT --match conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

        #       limit connection attempts from the same ip address to 10/min
        #
        $IPT -t filter -A INPUT --match conntrack --ctstate NEW --match recent --name MAX_CONN_PER_IP --set
        $IPT -t filter -A INPUT --match conntrack --ctstate NEW --match recent --name MAX_CONN_PER_IP --update --seconds 60 --hitcount 11 -j DROP
?
lost+found
Guru

Joined: 15 Nov 2004
Posts: 508
Location: North~Sea~Coa~s~~t~~~

PostPosted: Wed May 15, 2013 8:54 am    Post subject: Reply with quote

Hi,

Here's some good reading that helped me update my iptables rules for FTP.
http://home.regit.org/netfilter-en/secure-use-of-helpers/

I think iptables wants you to add extra rules in the INPUT/OUTPUT+PREROUTING chain, defining a helper module. It seems to me though, that your rules do not need a (protocol specific) helper module. Do you happen to have FTP port rules too? I'm using the same elements of your rules, and those didn't need any extra prerouting or a helper, but I'm not using 3.10 yet.

Maybe lsmod gives a clue on what protocol helpers are currently used.


-- Cheers
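The warning in the first post is printed when a loaded helper module (nf_conntrack_ftp and friends) is attached to a flow automatically, which is why the lsmod suggestion above is the right place to start; the conntrack and recent matches themselves never trigger it. The fix the kernel asks for is to turn automatic assignment off and attach helpers explicitly with the CT target in the raw table. The script below is an added example written for this thread, not a rule set posted by either participant or taken from the linked article; it assumes an FTP server on port 21 as a constructed scenario (toralf's ssh rules need no helper at all). IPT and SYSCTL default to echo so the rules are printed instead of loaded; run it as root with IPT=iptables SYSCTL=sysctl to apply them.

```shell
#!/bin/sh
# Added example (not from the thread): explicit helper assignment with the
# iptables CT target, replacing the deprecated automatic assignment that the
# 3.10 warning complains about. Constructed scenario: an FTP server on port 21.
# IPT/SYSCTL default to "echo ..." so the rules are printed, not loaded.
IPT="${IPT:-echo iptables}"
SYSCTL="${SYSCTL:-echo sysctl}"

# Disable automatic helper assignment (sysctl available since kernel 3.5).
# Afterwards a flow only gets a helper if a CT rule attached one explicitly.
disable_auto_helpers() {
    $SYSCTL -w net.netfilter.nf_conntrack_helper=0
}

# Attach the ftp helper only to the FTP control port. The raw table is
# traversed before conntrack picks the flow up, so CT rules must live there.
ftp_helper_rules() {
    $IPT -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp
    # Accept RELATED data connections only when the ftp helper expected them,
    # rather than trusting RELATED flows created by any helper.
    $IPT -t filter -A INPUT -m conntrack --ctstate RELATED -m helper --helper ftp -j ACCEPT
    $IPT -t filter -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
}

# Number of emitted rules that name the ftp helper (lets the output be checked).
count_helper_rules() {
    ftp_helper_rules | grep -c -- '--helper ftp'
}

disable_auto_helpers
ftp_helper_rules
```

Note the split of toralf's single `--ctstate RELATED,ESTABLISHED -j ACCEPT` into two rules: ESTABLISHED is accepted as before, but RELATED is accepted only for flows the ftp helper set up, so a helper that happens to be loaded for some other protocol cannot open the input chain by itself.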
toralf
Developer

Joined: 01 Feb 2004
Posts: 3720
Location: Hamburg

PostPosted: Wed May 15, 2013 1:47 pm    Post subject: Reply with quote

lost+found wrote:
but I'm not using 3.10 yet.
Well, in the past I was already forced to change certain iptables commands, but 3.10 brings this new warning.
All times are GMT