LinuxQuestions.org
Old 11-26-2012, 05:29 PM   #1
sblantipodi
nf_conntrack: automatic helper assignment is deprecated and it will be removed soon.


Hi,
I'm getting this warning on my CentOS 6.3 box.
Quote:
nf_conntrack: automatic helper assignment is deprecated and it will be removed soon. Use the iptables CT target to attach helpers instead.
What does it want? What can I do for it?
Thanks.





This is my iptables

Code:
# Generated by iptables-save v1.4.7 on Sun Nov 13 14:53:41 2011
*security
:INPUT ACCEPT [18038905:2743115423]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [10817526:32960151203]
COMMIT
# Completed on Sun Nov 13 14:53:41 2011
# Generated by iptables-save v1.4.7 on Sun Nov 13 14:53:41 2011
*raw
:PREROUTING ACCEPT [18196073:2750419524]
:OUTPUT ACCEPT [10822373:32961232354]
COMMIT
# Completed on Sun Nov 13 14:53:41 2011
# Generated by iptables-save v1.4.7 on Sun Nov 13 14:53:41 2011
*nat
:PREROUTING ACCEPT [327277:18343365]
:INPUT ACCEPT [282086:16034919]
:OUTPUT ACCEPT [1010678:73542387]
:POSTROUTING ACCEPT [1009394:72831137]
COMMIT
# Completed on Sun Nov 13 14:53:41 2011
# Generated by iptables-save v1.4.7 on Sun Nov 13 14:53:41 2011
*mangle
:PREROUTING ACCEPT [18196073:2750419524]
:INPUT ACCEPT [18196065:2750417334]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [10822373:32961232354]
:POSTROUTING ACCEPT [10817526:32960151203]
COMMIT
# Completed on Sun Nov 13 14:53:41 2011
# Generated by iptables-save v1.4.7 on Sun Nov 13 14:53:41 2011
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:fail2ban-DOVECOT - [0:0]
:fail2ban-SMTP - [0:0]
:fail2ban-SSH - [0:0]
:fail2ban-apache - [0:0]
:fail2ban-php-url - [0:0]
:fail2ban-squirrelmail - [0:0]
-A INPUT -p tcp -m multiport --dports 80,1080 -j fail2ban-apache
-A INPUT -p tcp -m multiport --dports 443 -j fail2ban-apache
-A INPUT -p tcp -m multiport --dports 80,1080 -j fail2ban-apache
-A INPUT -p tcp -m multiport --dports 443 -j fail2ban-php-url
-A INPUT -p tcp -m multiport --dports 143,993,110,995 -j fail2ban-DOVECOT
-A INPUT -p tcp -m multiport --dports 443,1080 -j fail2ban-apache
-A INPUT -p tcp -m multiport --dports 443 -j fail2ban-apache
-A INPUT -p tcp -m tcp --dport 25 -j fail2ban-SMTP
-A INPUT -p tcp -m tcp --dport 6969 -j fail2ban-SSH
-A INPUT -p tcp -m multiport --dports 80,1080 -j fail2ban-php-url
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW,ESTABLISHED,RELATED -m tcp -p tcp --dport 3128 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 10.0.0.0/8 -j DROP
-A INPUT -s 169.254.0.0/16 -j DROP
-A INPUT -s 172.16.0.0/12 -j DROP
-A INPUT -s 127.0.0.0/8 -j DROP
-A INPUT -s 224.0.0.0/4 -j DROP
-A INPUT -d 224.0.0.0/4 -j DROP
-A INPUT -s 240.0.0.0/5 -j DROP
-A INPUT -d 240.0.0.0/5 -j DROP
-A INPUT -s 0.0.0.0/8 -j DROP
-A INPUT -d 0.0.0.0/8 -j DROP
-A INPUT -d 239.255.255.0/24 -j DROP
-A INPUT -d 255.255.255.255/32 -j DROP
-A INPUT -p icmp -m icmp --icmp-type 17 -j DROP
-A INPUT -p icmp -m icmp --icmp-type 13 -j DROP
-A INPUT -p icmp -m icmp --icmp-type any -m limit --limit 1/sec -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p tcp -m tcp --tcp-flags RST RST -m limit --limit 2/sec --limit-burst 2 -j ACCEPT
-A INPUT -m recent --rcheck --seconds 86400 --name portscan --rsource -j DROP
-A INPUT -m recent --remove --name portscan --rsource
-A INPUT -p tcp -m tcp --dport 139 -m recent --set --name portscan --rsource -j LOG --log-prefix "Portscan:"
-A INPUT -p tcp -m tcp --dport 139 -m recent --set --name portscan --rsource -j DROP
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 465 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 587 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1080 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
-A INPUT -p udp -m udp --dport 123 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 993 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 995 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 6969 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m tcp --dport 465 -j ACCEPT
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -m recent --rcheck --seconds 86400 --name portscan --rsource -j DROP
-A FORWARD -m recent --remove --name portscan --rsource
-A FORWARD -p tcp -m tcp --dport 139 -m recent --set --name portscan --rsource -j LOG --log-prefix "Portscan:"
-A FORWARD -p tcp -m tcp --dport 139 -m recent --set --name portscan --rsource -j DROP
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -m state --state INVALID -j DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 465 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 587 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 67 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 1080 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 110 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 123 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 143 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 993 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 995 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 6969 -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A OUTPUT -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -p tcp -m tcp --dport 465 -j ACCEPT
-A fail2ban-DOVECOT -j RETURN
-A fail2ban-SMTP -j RETURN
-A fail2ban-SSH -j RETURN
-A fail2ban-apache -j RETURN
-A fail2ban-apache -j RETURN
-A fail2ban-apache -j RETURN
-A fail2ban-apache -j RETURN
-A fail2ban-apache -j RETURN
-A fail2ban-apache -j RETURN
-A fail2ban-php-url -j RETURN
-A fail2ban-php-url -j RETURN
-A fail2ban-squirrelmail -j RETURN
COMMIT
# Completed on Sun Nov 13 14:53:41 2011
 
Old 11-27-2012, 06:48 AM   #2
unSpawn
Quote:
Originally Posted by sblantipodi
I'm getting this warning on my CentOS 6.3 box.
It's due to
Code:
echo 1 > /proc/sys/net/netfilter/nf_conntrack_helper
echo "options nf_conntrack nf_conntrack_helper=1" >> /etc/modprobe.d/local.conf
(no need to change: it's your default) and http://comments.gmane.org/gmane.linux.network/229974.


Quote:
Originally Posted by sblantipodi
What does it want? What can I do for it?
See the link it mentions about using "-j CT" before doing "--helper ftp".
 
1 members found this post helpful.
Old 11-27-2012, 03:05 PM   #3
sblantipodi
Quote:
Originally Posted by unSpawn
It's due to
Code:
echo 1 > /proc/sys/net/netfilter/nf_conntrack_helper
echo "options nf_conntrack nf_conntrack_helper=1" >> /etc/modprobe.d/local.conf
(no need to change: it's your default) and http://comments.gmane.org/gmane.linux.network/229974.

See the link it mentions about using "-j CT" before doing "--helper ftp".
Many thanks for the reply, I appreciate it.
I'm sorry but where should I find the "--helper ftp" ???
I posted my iptables settings, I have no "--helper ftp" there...
 
Old 11-27-2012, 04:22 PM   #4
unSpawn
Quote:
Originally Posted by sblantipodi
where should I find the "--helper ftp" ???
Try 'iptables -m helper --help' ?
 
Old 11-28-2012, 03:28 AM   #5
sblantipodi
Quote:
Originally Posted by unSpawn
Try 'iptables -m helper --help' ?
Thanks again for the answer.
That command didn't help me, it returned the "usual" iptables help...
 
Old 11-29-2012, 04:03 AM   #6
sblantipodi
bump
 
Old 12-07-2012, 09:02 AM   #7
sblantipodi
Quote:
Originally Posted by sblantipodi
bump
bump.
 
Old 12-07-2012, 01:23 PM   #8
unSpawn
Did you read https://home.regit.org/netfilter-en/...se-of-helpers/ ?
 
Old 12-07-2012, 02:03 PM   #9
sblantipodi
Quote:
Originally Posted by unSpawn
Thanks for the answer.
I have read it but it didn't help me.
How can I port my actual settings to the new way of using iptables?

As the guide says:
Since Linux 3.5, it is possible to deactivate the automatic conntrack helper assignment. This can be done when loading the nf_conntrack module
modprobe nf_conntrack nf_conntrack_helper=0
This can also be done after the module is loaded by using a /proc entry
echo 0 > /proc/sys/net/netfilter/nf_conntrack_helper

I don't need
ftp
irc
sane
sip
tftp
ports, but I need the SNMP one, if I disable automatic conntrack, what will happen to my actual services like SNMP and the others?
ports so I should not have problems
 
Old 12-09-2012, 07:59 AM   #10
sblantipodi
As said in that guide I have done:
echo 0 > /proc/sys/net/netfilter/nf_conntrack_helper

When I rebooted I found a 1 in /proc/sys/net/netfilter/nf_conntrack_helper instead of a 0.
Who put the zero there?
 
Old 12-09-2012, 09:30 AM   #11
unSpawn
0. Run 'echo "options nf_conntrack nf_conntrack_helper=0" > /etc/modprobe.d/nf_conntrack.conf;'
1. Run 'grep ^IPTABLES_MODULES= /etc/sysconfig/iptables-config' and remove any modules that are loaded by default that you don't need like for example nf_conntrack_ftp or nf_nat_ftp.
That should be about it. A generic CT rule looks like "-A PREROUTING -p tcp --dport 21 -j CT --helper ftp", or so the documentation says, but going over your rules again I don't see specific helper usage anyway so just discard the nf_conntrack message as being of the informational level.
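
Added example (not part of any poster's reply): a sketch of the check behind the steps above, listing which explicit raw-table CT rules a host would still need for its loaded helper modules before nf_conntrack_helper is set to 0. The function names, the default-port map and both sample inputs are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: list the raw-table CT rules a host still needs before
# nf_conntrack_helper is set to 0. Sample inputs below are constructed.

# Helper name -> "proto port". Module default ports (an assumption: adjust if
# a helper module is loaded with a non-default ports= option).
helper_port() {
    case "$1" in
        ftp)  echo "tcp 21" ;;
        irc)  echo "tcp 6667" ;;
        sane) echo "tcp 6566" ;;
        sip)  echo "udp 5060" ;;
        tftp) echo "udp 69" ;;
        *)    return 1 ;;   # not a helper this example knows about
    esac
}

# ct_rules_needed LSMOD_TEXT RAW_RULES_TEXT
# For every loaded nf_conntrack_<helper> module, print the PREROUTING/OUTPUT
# rules that are absent from the saved raw table.
ct_rules_needed() {
    printf '%s\n' "$1" |
    awk '$1 ~ /^nf_conntrack_/ { sub(/^nf_conntrack_/, "", $1); print $1 }' |
    while read -r helper; do
        spec=$(helper_port "$helper") || continue
        proto=${spec% *} port=${spec#* }
        for chain in PREROUTING OUTPUT; do
            printf '%s\n' "$2" |
                grep -Eq -- "^-A $chain .*-j CT .*--helper $helper( |\$)" ||
                echo "-A $chain -p $proto --dport $port -j CT --helper $helper"
        done
    done
}

# Constructed inputs; on a real host use "$(lsmod)" and "$(iptables-save -t raw)".
SAMPLE_LSMOD='nf_conntrack_ftp 12913 0
nf_conntrack_ipv4 9506 3
nf_conntrack_tftp 4878 0
nf_conntrack 79758 4'
SAMPLE_RAW='*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p udp -m udp --dport 69 -j CT --helper tftp
COMMIT'
ct_rules_needed "$SAMPLE_LSMOD" "$SAMPLE_RAW"
```

An empty result means no loaded helper from the map is missing a rule; any printed lines belong in the *raw section of the saved ruleset.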
 
Old 12-09-2012, 10:39 AM   #12
sblantipodi
Quote:
Originally Posted by unSpawn
0. Run 'echo "options nf_conntrack nf_conntrack_helper=0" > /etc/modprobe.d/nf_conntrack.conf;'
1. Run 'grep ^IPTABLES_MODULES= /etc/sysconfig/iptables-config' and remove any modules that are loaded by default that you don't need like for example nf_conntrack_ftp or nf_nat_ftp.
That should be about it. A generic CT rule looks like "-A PREROUTING -p tcp --dport 21 -j CT --helper ftp", or so the documentation says, but going over your rules again I don't see specific helper usage anyway so just discard the nf_conntrack message as being of the informational level.
This command:
grep ^IPTABLES_MODULES= /etc/sysconfig/iptables-config
returns this:
IPTABLES_MODULES=""

I have run the command:
echo "options nf_conntrack nf_conntrack_helper=0" > /etc/modprobe.d/nf_conntrack.conf;

but the message is still there.

Any other idea?

Thanks.
 
Old 12-09-2012, 01:40 PM   #13
unSpawn
Should no longer be there on reboot AFAIK. Even if it is it's only informational.
 
Old 12-09-2012, 01:41 PM   #14
sblantipodi
Quote:
Originally Posted by unSpawn
Should no longer be there on reboot AFAIK. Even if it is it's only informational.
it should but it's still there
 
  


All times are GMT -5.