| 1 |
Many years ago, I understood IPCHAINS, and the first versions of |
| 2 |
IPTABLES. However, IPTABLES has followed the example of Larry Wall's |
| 3 |
Practical Extraction and Reporting Language |
| 4 |
and turned into a pseudo-OS that I barely comprehend. Some rules |
| 5 |
that I added many years ago were designed to reject unsolicited |
| 6 |
connection attempts (after whitelisting my small LAN)... |
| 7 |
|
| 8 |
-A ICMP_IN -p icmp -m state -j UNSOLICITED |
| 9 |
-A TCP_IN -p tcp -m state -m tcp -j UNSOLICITED |
| 10 |
-A UDP_IN -p udp -m state -j UNSOLICITED |
| 11 |
|
| 12 |
Now these all give me the error message... |
| 13 |
|
| 14 |
WARNING: The state match is obsolete. Use conntrack instead. |
| 15 |
iptables-restore v1.4.16.3: state: option "--state" must be specified |
| 16 |
|
| 17 |
"man iptables" suggested "man iptables-extensions". As near as I can |
| 18 |
tell, the "new and improved" way is... |
| 19 |
|
| 20 |
-A ICMP_IN -p icmp -m conntrack --ctstate INVALID -j UNSOLICITED |
| 21 |
-A TCP_IN -p tcp -m conntrack --ctstate INVALID -m tcp -j UNSOLICITED |
| 22 |
-A UDP_IN -p udp -m conntrack --ctstate INVALID -j UNSOLICITED |
| 23 |
|
| 24 |
This appears to work, i.e. it doesn't cause iptables to fail. Does |
| 25 |
this do what I think it does (reject unsolicited connections)? The |
| 26 |
reason that I'm asking is because I'm simply not sure. |
| 27 |
|
| 28 |
-- |
| 29 |
Walter Dnes <waltdnes@××××××××.org> |
| 30 |
I don't run "desktop environments"; I run useful applications |
Archives