nf_conntrack: automatic helper assignment is deprecated and it will be removed soon.

sblantipodi · 11-26-2012, 05:29 PM

Hi,
I'm getting this warning on my CentOS 6.3 box.

Quote:

nf_conntrack: automatic helper assignment is deprecated and it will be removed soon. Use the iptables CT target to attach helpers instead.

What does it want? What can I do for it?
Thanks.

This is my iptables

Code:

# Generated by iptables-save v1.4.7 on Sun Nov 13 14:53:41 2011
*security
:INPUT ACCEPT [18038905:2743115423]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [10817526:32960151203]
COMMIT
# Completed on Sun Nov 13 14:53:41 2011
# Generated by iptables-save v1.4.7 on Sun Nov 13 14:53:41 2011
*raw
:PREROUTING ACCEPT [18196073:2750419524]
:OUTPUT ACCEPT [10822373:32961232354]
COMMIT
# Completed on Sun Nov 13 14:53:41 2011
# Generated by iptables-save v1.4.7 on Sun Nov 13 14:53:41 2011
*nat
:PREROUTING ACCEPT [327277:18343365]
:INPUT ACCEPT [282086:16034919]
:OUTPUT ACCEPT [1010678:73542387]
:POSTROUTING ACCEPT [1009394:72831137]
COMMIT
# Completed on Sun Nov 13 14:53:41 2011
# Generated by iptables-save v1.4.7 on Sun Nov 13 14:53:41 2011
*mangle
:PREROUTING ACCEPT [18196073:2750419524]
:INPUT ACCEPT [18196065:2750417334]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [10822373:32961232354]
:POSTROUTING ACCEPT [10817526:32960151203]
COMMIT
# Completed on Sun Nov 13 14:53:41 2011
# Generated by iptables-save v1.4.7 on Sun Nov 13 14:53:41 2011
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:fail2ban-DOVECOT - [0:0]
:fail2ban-SMTP - [0:0]
:fail2ban-SSH - [0:0]
:fail2ban-apache - [0:0]
:fail2ban-php-url - [0:0]
:fail2ban-squirrelmail - [0:0]
-A INPUT -p tcp -m multiport --dports 80,1080 -j fail2ban-apache
-A INPUT -p tcp -m multiport --dports 443 -j fail2ban-apache
-A INPUT -p tcp -m multiport --dports 80,1080 -j fail2ban-apache
-A INPUT -p tcp -m multiport --dports 443 -j fail2ban-php-url
-A INPUT -p tcp -m multiport --dports 143,993,110,995 -j fail2ban-DOVECOT
-A INPUT -p tcp -m multiport --dports 443,1080 -j fail2ban-apache
-A INPUT -p tcp -m multiport --dports 443 -j fail2ban-apache
-A INPUT -p tcp -m tcp --dport 25 -j fail2ban-SMTP
-A INPUT -p tcp -m tcp --dport 6969 -j fail2ban-SSH
-A INPUT -p tcp -m multiport --dports 80,1080 -j fail2ban-php-url
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW,ESTABLISHED,RELATED -m tcp -p tcp --dport 3128 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 10.0.0.0/8 -j DROP
-A INPUT -s 169.254.0.0/16 -j DROP
-A INPUT -s 172.16.0.0/12 -j DROP
-A INPUT -s 127.0.0.0/8 -j DROP
-A INPUT -s 224.0.0.0/4 -j DROP
-A INPUT -d 224.0.0.0/4 -j DROP
-A INPUT -s 240.0.0.0/5 -j DROP
-A INPUT -d 240.0.0.0/5 -j DROP
-A INPUT -s 0.0.0.0/8 -j DROP
-A INPUT -d 0.0.0.0/8 -j DROP
-A INPUT -d 239.255.255.0/24 -j DROP
-A INPUT -d 255.255.255.255/32 -j DROP
-A INPUT -p icmp -m icmp --icmp-type 17 -j DROP
-A INPUT -p icmp -m icmp --icmp-type 13 -j DROP
-A INPUT -p icmp -m icmp --icmp-type any -m limit --limit 1/sec -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p tcp -m tcp --tcp-flags RST RST -m limit --limit 2/sec --limit-burst 2 -j ACCEPT
-A INPUT -m recent --rcheck --seconds 86400 --name portscan --rsource -j DROP
-A INPUT -m recent --remove --name portscan --rsource
-A INPUT -p tcp -m tcp --dport 139 -m recent --set --name portscan --rsource -j LOG --log-prefix "Portscan:"
-A INPUT -p tcp -m tcp --dport 139 -m recent --set --name portscan --rsource -j DROP
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 465 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 587 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1080 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
-A INPUT -p udp -m udp --dport 123 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 993 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 995 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 6969 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m tcp --dport 465 -j ACCEPT
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -m recent --rcheck --seconds 86400 --name portscan --rsource -j DROP
-A FORWARD -m recent --remove --name portscan --rsource
-A FORWARD -p tcp -m tcp --dport 139 -m recent --set --name portscan --rsource -j LOG --log-prefix "Portscan:"
-A FORWARD -p tcp -m tcp --dport 139 -m recent --set --name portscan --rsource -j DROP
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -m state --state INVALID -j DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 465 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 587 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 67 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 1080 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 110 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 123 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 143 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 993 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 995 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 6969 -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A OUTPUT -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -p tcp -m tcp --dport 465 -j ACCEPT
-A fail2ban-DOVECOT -j RETURN
-A fail2ban-SMTP -j RETURN
-A fail2ban-SSH -j RETURN
-A fail2ban-apache -j RETURN
-A fail2ban-apache -j RETURN
-A fail2ban-apache -j RETURN
-A fail2ban-apache -j RETURN
-A fail2ban-apache -j RETURN
-A fail2ban-apache -j RETURN
-A fail2ban-php-url -j RETURN
-A fail2ban-php-url -j RETURN
-A fail2ban-squirrelmail -j RETURN
COMMIT
# Completed on Sun Nov 13 14:53:41 2011

unSpawn · 11-27-2012, 06:48 AM

Quote:

Originally Posted by sblantipodi

I'm getting this warning on my CentOS 6.3 box.

It's due to

Code:

echo 1 > /proc/sys/net/netfilter/nf_conntrack_helper
echo "options nf_conntrack nf_conntrack_helper=1" >> /etc/modprobe.d/local.conf

(no need to change: it's your default) and http://comments.gmane.org/gmane.linux.network/229974.

Quote:

Originally Posted by sblantipodi

What does it want? What can I do for it?

See the link it mentions about using "-j CT" before doing "--helper ftp".

sblantipodi · 11-27-2012, 03:05 PM

Quote:

Originally Posted by unSpawn

It's due to

Code:

echo 1 > /proc/sys/net/netfilter/nf_conntrack_helper
echo "options nf_conntrack nf_conntrack_helper=1" >> /etc/modprobe.d/local.conf

(no need to change: it's your default) and http://comments.gmane.org/gmane.linux.network/229974.

See the link it mentions about using "-j CT" before doing "--helper ftp".

Many thanks for the reply, I appreciate it.
I'm sorry but where should I find the "--helper ftp" ???
I posted my iptables settings, I have no "--helper ftp" there...

unSpawn · 11-27-2012, 04:22 PM

Quote:

Originally Posted by sblantipodi

where should I find the "--helper ftp" ???

Try 'iptables -m helper --help' ?

sblantipodi · 11-28-2012, 03:28 AM

Quote:

Originally Posted by unSpawn

Try 'iptables -m helper --help' ?

thanks again for the answer.
that command doesn't helped me, it returned the "usual" iptables help...

sblantipodi · 11-29-2012, 04:03 AM

sblantipodi · 12-07-2012, 09:02 AM

Quote:

Originally Posted by sblantipodi

bump

bump.

unSpawn · 12-07-2012, 01:23 PM

Did you read https://home.regit.org/netfilter-en/...se-of-helpers/ ?

sblantipodi · 12-07-2012, 02:03 PM

Quote:

Originally Posted by unSpawn

Did you read https://home.regit.org/netfilter-en/...se-of-helpers/ ?

thanks for the answer.
I have read it but it doesn't helped me.
How can I port my actual settings to the new way of use iptables?

As the guide says:
Since Linux 3.5, it is possible to desactivate the automatic conntrack helper assignment. This can be done when loading the nf_conntrack module
modprobe nf_conntrack nf_conntrack_helper=0
This can also be done after the module is loading by using a /proc entry
echo 0 > /proc/sys/net/netfilter/nf_conntrack_helper

I don't need
ftp
irc
sane
sip
tftp
ports, but I need the SNMP one, if I disable automatica conntrack, what will happen to my actual services like SNMP and the others?
ports so I should not have problems

sblantipodi · 12-09-2012, 07:59 AM

As saied in that guide I have done:
echo 0 > /proc/sys/net/netfilter/nf_conntrack_helper

when I reboot I found a 1 in /proc/sys/net/netfilter/nf_conntrack_helper instead of a 0.
Who put the zero there?

unSpawn · 12-09-2012, 09:30 AM

0. Run 'echo "options nf_conntrack nf_conntrack_helper=0" > /etc/modprobe.d/nf_conntrack.conf;'
1. Run 'grep ^IPTABLES_MODULES= /etc/sysconfig/iptables-config' and remove any modules that are loaded by default that you don't need like for example nf_conntrack_ftp or nf_nat_ftp.
That should be about it. A generic CT rule looks like "-A PREROUTING -p tcp --dport 21 -j CT --helper ftp", or so the doucmentation says, but going over your rules again I don't see specific helper usage anyway so just discard the nf_conntrack message as being of the informational level.

sblantipodi · 12-09-2012, 10:39 AM

Quote:

Originally Posted by unSpawn

0. Run 'echo "options nf_conntrack nf_conntrack_helper=0" > /etc/modprobe.d/nf_conntrack.conf;'
1. Run 'grep ^IPTABLES_MODULES= /etc/sysconfig/iptables-config' and remove any modules that are loaded by default that you don't need like for example nf_conntrack_ftp or nf_nat_ftp.
That should be about it. A generic CT rule looks like "-A PREROUTING -p tcp --dport 21 -j CT --helper ftp", or so the doucmentation says, but going over your rules again I don't see specific helper usage anyway so just discard the nf_conntrack message as being of the informational level.

this commands:
grep ^IPTABLES_MODULES= /etc/sysconfig/iptables-config
returns this:
IPTABLES_MODULES=""

I have runned the command:
echo "options nf_conntrack nf_conntrack_helper=0" > /etc/modprobe.d/nf_conntrack.conf;

but the message still there.

any other idea?

thanks.

unSpawn · 12-09-2012, 01:40 PM

Should no longer be there on reboot AFAIK. Even if it is it's only informational.

sblantipodi · 12-09-2012, 01:41 PM

Quote:

Originally Posted by unSpawn

Should no longer be there on reboot AFAIK. Even if it is it's only informational.

it should but it's still there