Many years ago, I understood IPCHAINS, and the first versions of IPTABLES. However, IPTABLES has followed the example of Larry Wall's Practical Extraction and Reporting Language and turned into a pseudo-OS that I barely comprehend. Some rules that I added many years ago were designed to reject unsolicited connection attempts (after whitelisting my small LAN)...

-A ICMP_IN -p icmp -m state -j UNSOLICITED
-A TCP_IN -p tcp -m state -m tcp -j UNSOLICITED
-A UDP_IN -p udp -m state -j UNSOLICITED

Now these all give me the error message...

WARNING: The state match is obsolete. Use conntrack instead.
iptables-restore v1.4.16.3: state: option "--state" must be specified

"man iptables" suggested "man iptables-extensions". As near as I can tell, the "new and improved" way is...

-A ICMP_IN -p icmp -m conntrack --ctstate INVALID -j UNSOLICITED
-A TCP_IN -p tcp -m conntrack --ctstate INVALID -m tcp -j UNSOLICITED
-A UDP_IN -p udp -m conntrack --ctstate INVALID -j UNSOLICITED

This appears to work, i.e. it doesn't cause iptables to fail. Does this do what I think it does (reject unsolicited connections)? The reason that I'm asking is because I'm simply not sure.

--
Walter Dnes <waltdnes@××××××××.org>
I don't run "desktop environments"; I run useful applications |
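As an added example (not from the post above), here is a complete conntrack-based INPUT ruleset in iptables-restore format that keeps the post's UNSOLICITED chain name; the LAN prefix 192.168.1.0/24, the DROP default policy and the LOG/limit rules are assumptions. It separates the two ctstate values the question turns on: INVALID matches packets conntrack cannot associate with any connection (malformed or out-of-window), while NEW matches the first packet of a connection this host did not initiate, which is the unsolicited case.

```shell
#!/bin/sh
# Added example, not the original poster's rules. Assumptions: the trusted
# LAN is 192.168.1.0/24 (override with LAN_NET), INPUT defaults to DROP.
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# Emit the ruleset in iptables-restore format (comment lines are ignored
# by iptables-restore).
conntrack_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:UNSOLICITED - [0:0]
# Loopback and the whitelisted LAN are trusted outright.
-A INPUT -i lo -j ACCEPT
-A INPUT -s ${LAN_NET} -j ACCEPT
# Replies to connections this host opened, plus RELATED traffic
# (ICMP errors, helper-tracked data channels).
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# INVALID: conntrack cannot tie the packet to any connection. Noise,
# not a connection attempt; drop silently.
-A INPUT -m conntrack --ctstate INVALID -j DROP
# NEW: first packet of a connection nobody here asked for. This is the
# "unsolicited connection" case the UNSOLICITED chain is meant for.
-A INPUT -m conntrack --ctstate NEW -j UNSOLICITED
# Rate-limited log line, then drop.
-A UNSOLICITED -m limit --limit 5/min -j LOG --log-prefix "UNSOLICITED: "
-A UNSOLICITED -j DROP
COMMIT
EOF
}

# Sanity check on the generated text: exactly one rule should send NEW
# connections to UNSOLICITED.
count_new_rules() {
    conntrack_rules | grep -c -- '--ctstate NEW -j UNSOLICITED'
}

# Load the ruleset only when explicitly asked (needs root).
if [ "${1:-}" = "--apply" ]; then
    conntrack_rules | iptables-restore
fi
```

Run with `--apply` as root to load the rules; without it the script only defines the functions, so `sh -c '. ./rules.sh; conntrack_rules'` shows the generated text for review.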