log INFO "Creating Connection Tracking chain..."
iptables_chain_create "${protocol}" CONNTRACK
- iptables "${protocol}" -A CONNTRACK -m state --state ESTABLISHED,RELATED -j ACCEPT
- iptables "${protocol}" -A CONNTRACK -m state --state INVALID -j "$(iptables_LOG "INVALID packet: ")"
- iptables "${protocol}" -A CONNTRACK -m state --state INVALID -j DROP
+ iptables "${protocol}" -A CONNTRACK -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+ iptables "${protocol}" -A CONNTRACK -m conntrack --ctstate INVALID -j "$(iptables_LOG "INVALID packet: ")"
+ iptables "${protocol}" -A CONNTRACK -m conntrack --ctstate INVALID -j DROP
iptables "${protocol}" -A INPUT -j CONNTRACK
iptables "${protocol}" -A OUTPUT -j CONNTRACK
log DEBUG "Creating firewall chains for localhost..."
# Accept everything on lo
- iptables "${protocol}" -A INPUT -i lo -m state --state NEW -j ACCEPT
- iptables "${protocol}" -A OUTPUT -o lo -m state --state NEW -j ACCEPT
+ iptables "${protocol}" -A INPUT -i lo -m conntrack --ctstate NEW -j ACCEPT
+ iptables "${protocol}" -A OUTPUT -o lo -m conntrack --ctstate NEW -j ACCEPT
}
function firewall_zone_create_chains() {
local chain="ZONE_${zone^^}_${other_zone^^}_POLICY"
# Just accept all new connections.
- iptables -A "${chain}" -m state --state NEW -j ACCEPT
+ iptables -A "${chain}" -m conntrack --ctstate NEW -j ACCEPT
}
function policy_zone_deny_all() {
projects / people / stevee / network.git / commitdiff
