From 85b52db62b148355861a835a1cee3670b5758186 Mon Sep 17 00:00:00 2001
From: Michael Tremer
Date: Sat, 27 Apr 2013 15:38:35 +0200
Subject: [PATCH] iptables: Replace state module by conntrack module.

The state module is deprecated in recent releases of iptables.
---
 functions.firewall | 10 +++++-----
 functions.firewall-policy | 2 +-
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/functions.firewall b/functions.firewall
index 610ed54c..3f0d5ff8 100644
--- a/functions.firewall
+++ b/functions.firewall
@@ -235,9 +235,9 @@ function firewall_connection_tracking() {
 log INFO "Creating Connection Tracking chain..."
 iptables_chain_create "${protocol}" CONNTRACK
- iptables "${protocol}" -A CONNTRACK -m state --state ESTABLISHED,RELATED -j ACCEPT
- iptables "${protocol}" -A CONNTRACK -m state --state INVALID -j "$(iptables_LOG "INVALID packet: ")"
- iptables "${protocol}" -A CONNTRACK -m state --state INVALID -j DROP
+ iptables "${protocol}" -A CONNTRACK -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+ iptables "${protocol}" -A CONNTRACK -m conntrack --ctstate INVALID -j "$(iptables_LOG "INVALID packet: ")"
+ iptables "${protocol}" -A CONNTRACK -m conntrack --ctstate INVALID -j DROP
 iptables "${protocol}" -A INPUT -j CONNTRACK
 iptables "${protocol}" -A OUTPUT -j CONNTRACK
@@ -251,8 +251,8 @@ function firewall_localhost_create_chains() {
 log DEBUG "Creating firewall chains for localhost..."
 # Accept everything on lo
- iptables "${protocol}" -A INPUT -i lo -m state --state NEW -j ACCEPT
- iptables "${protocol}" -A OUTPUT -o lo -m state --state NEW -j ACCEPT
+ iptables "${protocol}" -A INPUT -i lo -m conntrack --ctstate NEW -j ACCEPT
+ iptables "${protocol}" -A OUTPUT -o lo -m conntrack --ctstate NEW -j ACCEPT
 }
 function firewall_zone_create_chains() {
diff --git a/functions.firewall-policy b/functions.firewall-policy
index 842fa9fb..e7b0cf1a 100644
--- a/functions.firewall-policy
+++ b/functions.firewall-policy
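Review bot: The INVALID log rule on the new side of the CONNTRACK chain carries no rate limit in this hunk, so any remote host can make the box log once per out-of-state packet it sends; unless `iptables_LOG` adds `-m limit` itself (its definition is not visible here), the rule should read `iptables "${protocol}" -A CONNTRACK -m conntrack --ctstate INVALID -m limit --limit 5/min --limit-burst 10 -j "$(iptables_LOG "INVALID packet: ")"`. The `-m state --state` to `-m conntrack --ctstate` rewrite itself is equivalent for ESTABLISHED, RELATED and INVALID. A comment above the ESTABLISHED,RELATED rule would help the next maintainer: `# RELATED depends on conntrack helpers (ftp, sip, ...); keep automatic helper assignment off and attach helpers explicitly per rule` — whether the target kernel supports disabling auto-assignment is something to confirm, not something this hunk shows. firewall_connection_tracking() starts before the hunk and may continue after it; no FORWARD hook into CONNTRACK is visible in this excerpt.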
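Review bot: The comment `# Accept everything on lo` now sits above two rules that only match `--ctstate NEW`, so it overstates what they do; ESTABLISHED/RELATED loopback traffic is presumably accepted earlier by the CONNTRACK chain that the previous hunk hooks into INPUT and OUTPUT, but that ordering is not visible here. Suggest `# Accept new connections on lo; established/related traffic is handled by the CONNTRACK chain, and INVALID loopback packets are logged and dropped there` once the ordering is confirmed. The function name and its log message say it creates chains, yet the body only appends two rules to INPUT and OUTPUT and creates no chain, which deserves either a one-line doc comment or a rename. The function's opening line and any `local protocol` assignment are outside the hunk.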
@@ -62,7 +62,7 @@ function policy_zone_allow_all() {
 local chain="ZONE_${zone^^}_${other_zone^^}_POLICY"
 # Just accept all new connections.
- iptables -A "${chain}" -m state --state NEW -j ACCEPT
+ iptables -A "${chain}" -m conntrack --ctstate NEW -j ACCEPT
 }
 function policy_zone_deny_all() {
-- 
2.47.2
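Review bot: The `iptables` call on the new line passes `-A` as its first argument, whereas every call in functions.firewall in this same patch passes `"${protocol}"` first (`iptables "${protocol}" -A CONNTRACK ...`); if both files go through the same wrapper, this rule either lands in only one address family or hands `-A` to the wrapper as the protocol. The wrapper's definition is not in view, so confirm which convention it expects; if it takes a protocol, the line should become `iptables "${protocol}" -A "${chain}" -m conntrack --ctstate NEW -j ACCEPT` with `protocol` set for each family the policy applies to. The `-m state` to `-m conntrack` substitution itself is correct and behaviour-preserving. policy_zone_allow_all() begins before the hunk, so whether `zone`, `other_zone` or a protocol variable are in scope cannot be checked here.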