The state module is deprecated in recent releases of iptables
and should not be used any more.
Additionally, this patch adds an extra chain for all
connection tracking rules, so we can keep the entire ruleset
more small and clean.
system ("/usr/sbin/firewall-policy");
}elsif($fwdfwsettings{'POLICY'} eq 'MODE2'){
&p2pblock;
system ("/usr/sbin/firewall-policy");
}elsif($fwdfwsettings{'POLICY'} eq 'MODE2'){
&p2pblock;
- system ("iptables -A $CHAIN -m state --state NEW -j ACCEPT");
+ system ("iptables -A $CHAIN -m conntrack --ctstate NEW -j ACCEPT");
system ("/usr/sbin/firewall-policy");
system ("/etc/sysconfig/firewall.local reload");
}
system ("/usr/sbin/firewall-policy");
system ("/etc/sysconfig/firewall.local reload");
}
# SYN/FIN (QueSO or nmap OS probe)
/sbin/iptables -A BADTCP -p tcp --tcp-flags SYN,FIN SYN,FIN -j PSCAN
# NEW TCP without SYN
# SYN/FIN (QueSO or nmap OS probe)
/sbin/iptables -A BADTCP -p tcp --tcp-flags SYN,FIN SYN,FIN -j PSCAN
# NEW TCP without SYN
- /sbin/iptables -A BADTCP -p tcp ! --syn -m state --state NEW -j NEWNOTSYN
+ /sbin/iptables -A BADTCP -p tcp ! --syn -m conntrack --ctstate NEW -j NEWNOTSYN
+
+ # Connection tracking chain
+ /sbin/iptables -N CONNTRACK
+ /sbin/iptables -A CONNTRACK -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A INPUT -j BADTCP
/sbin/iptables -A FORWARD -j BADTCP
/sbin/iptables -A INPUT -j BADTCP
/sbin/iptables -A FORWARD -j BADTCP
/sbin/iptables -A FORWARD -j CUSTOMFORWARD
/sbin/iptables -N CUSTOMOUTPUT
/sbin/iptables -A OUTPUT -j OVPNBLOCK
/sbin/iptables -A FORWARD -j CUSTOMFORWARD
/sbin/iptables -N CUSTOMOUTPUT
/sbin/iptables -A OUTPUT -j OVPNBLOCK
- /sbin/iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A OUTPUT -j CUSTOMOUTPUT
/sbin/iptables -N OUTGOINGFW
/sbin/iptables -A OUTPUT -j OUTGOINGFW
/sbin/iptables -A OUTPUT -j CUSTOMOUTPUT
/sbin/iptables -N OUTGOINGFW
/sbin/iptables -A OUTPUT -j OUTGOINGFW
/sbin/iptables -A GUIINPUT -p icmp --icmp-type 8 -j ACCEPT
# Accept everything connected
/sbin/iptables -A GUIINPUT -p icmp --icmp-type 8 -j ACCEPT
# Accept everything connected
- /sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
- /sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-
+ for i in INPUT FORWARD OUTPUT; do
+ /sbin/iptables -A ${i} -j CONNTRACK
+ done
+
# Accept everything on lo
# Accept everything on lo
- iptables -A INPUT -i lo -m state --state NEW -j ACCEPT
- iptables -A OUTPUT -o lo -m state --state NEW -j ACCEPT
+ iptables -A INPUT -i lo -m conntrack --ctstate NEW -j ACCEPT
+ iptables -A OUTPUT -o lo -m conntrack --ctstate NEW -j ACCEPT
# trafic from ipsecX/TUN/TAP interfaces, before "-i GREEN_DEV" accept everything
/sbin/iptables -N IPSECINPUT
# trafic from ipsecX/TUN/TAP interfaces, before "-i GREEN_DEV" accept everything
/sbin/iptables -N IPSECINPUT
# Input Firewall
/sbin/iptables -N INPUTFW
# Input Firewall
/sbin/iptables -N INPUTFW
- /sbin/iptables -A INPUT -m state --state NEW -j INPUTFW
+ /sbin/iptables -A INPUT -m conntrack --ctstate NEW -j INPUTFW
# localhost and ethernet.
# localhost and ethernet.
- /sbin/iptables -A INPUT -i lo -m state --state NEW -j ACCEPT
- /sbin/iptables -A INPUT -s 127.0.0.0/8 -m state --state NEW -j DROP # Loopback not on lo
- /sbin/iptables -A INPUT -d 127.0.0.0/8 -m state --state NEW -j DROP
- /sbin/iptables -A FORWARD -i lo -m state --state NEW -j ACCEPT
- /sbin/iptables -A FORWARD -s 127.0.0.0/8 -m state --state NEW -j DROP
- /sbin/iptables -A FORWARD -d 127.0.0.0/8 -m state --state NEW -j DROP
- /sbin/iptables -A INPUT -i $GREEN_DEV -m state --state NEW -j ACCEPT ! -p icmp
+ /sbin/iptables -A INPUT -i lo -m conntrack --ctstate NEW -j ACCEPT
+ /sbin/iptables -A INPUT -s 127.0.0.0/8 -m conntrack --ctstate NEW -j DROP # Loopback not on lo
+ /sbin/iptables -A INPUT -d 127.0.0.0/8 -m conntrack --ctstate NEW -j DROP
+ /sbin/iptables -A FORWARD -i lo -m conntrack --ctstate NEW -j ACCEPT
+ /sbin/iptables -A FORWARD -s 127.0.0.0/8 -m conntrack --ctstate NEW -j DROP
+ /sbin/iptables -A FORWARD -d 127.0.0.0/8 -m conntrack --ctstate NEW -j DROP
+ /sbin/iptables -A INPUT -i $GREEN_DEV -m conntrack --ctstate NEW -j ACCEPT ! -p icmp
# allow DHCP on BLUE to be turned on/off
/sbin/iptables -N DHCPBLUEINPUT
# allow DHCP on BLUE to be turned on/off
/sbin/iptables -N DHCPBLUEINPUT
# WIRELESS chains
/sbin/iptables -N WIRELESSINPUT
# WIRELESS chains
/sbin/iptables -N WIRELESSINPUT
- /sbin/iptables -A INPUT -m state --state NEW -j WIRELESSINPUT
+ /sbin/iptables -A INPUT -m conntrack --ctstate NEW -j WIRELESSINPUT
/sbin/iptables -N WIRELESSFORWARD
/sbin/iptables -N WIRELESSFORWARD
- /sbin/iptables -A FORWARD -m state --state NEW -j WIRELESSFORWARD
+ /sbin/iptables -A FORWARD -m conntrack --ctstate NEW -j WIRELESSFORWARD
# Forward Firewall
/sbin/iptables -N FORWARDFW
# Forward Firewall
/sbin/iptables -N FORWARDFW
/sbin/iptables -t nat -N UPNPFW
/sbin/iptables -t nat -A PREROUTING -j UPNPFW
/sbin/iptables -N UPNPFW
/sbin/iptables -t nat -N UPNPFW
/sbin/iptables -t nat -A PREROUTING -j UPNPFW
/sbin/iptables -N UPNPFW
- /sbin/iptables -A FORWARD -m state --state NEW -j UPNPFW
+ /sbin/iptables -A FORWARD -m conntrack --ctstate NEW -j UPNPFW
# Postrouting rules (for port forwarding)
/sbin/iptables -t nat -A POSTROUTING -m mark --mark 1 -j SNAT --to-source $GREEN_ADDRESS
# Postrouting rules (for port forwarding)
/sbin/iptables -t nat -A POSTROUTING -m mark --mark 1 -j SNAT --to-source $GREEN_ADDRESS