I've just upgraded some of my systems to Debian 'stretch' (kernel 4.9.144-3.1 and iptables 1.6.0+snapshot20161117-6) and got in the logs:

  May 7 18:32:48 fouc kernel: [   19.097030] nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based firewall rule not found. Use the iptables CT target to attach helpers instead.

Googling around led me to feel that I'm a bit 'left behind' in my scripts. ;( I need to clarify some points... please help me.

a) It seems that '-m state --state X' is deprecated; better to use '-m conntrack --ctstate X'.

b) As far as I've understood, especially from reading:

  https://home.regit.org/netfilter-en/secure-use-of-helpers/

now the conntrack helpers do not load a predefined set of (implicit) rules (e.g., all traffic to/from TCP/UDP port 5060,5061 is SIP), but you have to explicitly set up some rules. Good. But the provided example:

  iptables -A FORWARD -m conntrack --ctstate RELATED -m helper \
      --helper sip -d $ISP_RTP_SERVER -p udp -j ACCEPT

is a bit unclear to me... this example seems to me like: «match a packet related to some existing traffic, of type SIP». But if it is a 'related' packet, the conntracking already knows that it is a SIP packet! Why add a strict check? Because the new conntrack really needs it? Or for better security (e.g., to prevent matching packets that are related but NOT SIP)?

c) How does all that work with marking (mangle table)? Now I do:

  iptables -t mangle -A mrk-post-fwd -m helper --helper sip \
      -j MARK --set-mark 0x1/0xf

Do I also need to use '-m conntrack --ctstate RELATED -m helper --helper sip' here instead?

Thanks.

-- 
dott. Marco Gaiarin                                    GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
(tax code 00307430132, category ONLUS or RICERCA SANITARIA)
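The following is an added example, not part of the post above and not the poster's own firewall script. It shows the three pieces the post asks about side by side, in iptables-restore format: the CT target in the raw table that attaches the sip helper explicitly (the replacement for the old automatic assignment the kernel message refers to), a FORWARD rule that accepts only packets whose RELATED state was created by the sip helper, and the mangle mark. The helper match on the RELATED rule is not redundant: `--ctstate RELATED` alone also matches ICMP errors and expectations created by any other loaded helper (ftp, h323, ...), so `-m helper --helper sip` restricts the accept to flows that the sip helper on the master connection expected. The same helper match in the mangle chain is sufficient for marking, since it matches packets of the sip signalling connection and of any connection whose master carries the sip helper; adding `--ctstate RELATED` there would only exclude the signalling packets themselves. The SIP server address and the mark value are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not the original poster's script): explicit conntrack helper
# assignment with the CT target, plus RELATED+helper accept and mangle marking.
# Usage:  ./sip-helper.sh          -> print the ruleset
#         ./sip-helper.sh check    -> parse it with iptables-restore --test
#         ./sip-helper.sh apply    -> load it (needs root)

SIP_SERVER="${SIP_SERVER:-203.0.113.10}"   # assumed ITSP address (TEST-NET-3)
SIP_MARK="${SIP_MARK:-0x1/0xf}"            # assumed mark/mask for SIP/RTP traffic

# Emit the complete ruleset in iptables-restore format.
build_ruleset() {
  cat <<EOF
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Attach the sip helper only to signalling traffic we choose, in both directions.
-A PREROUTING -p udp --dport 5060 -d $SIP_SERVER -j CT --helper sip
-A PREROUTING -p udp --sport 5060 -s $SIP_SERVER -j CT --helper sip
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
# New signalling connections towards the provider.
-A FORWARD -p udp --dport 5060 -d $SIP_SERVER -m conntrack --ctstate NEW -j ACCEPT
# RTP: only expectations that the sip helper created on the master connection,
# not ICMP errors or expectations from other helpers.
-A FORWARD -p udp -m conntrack --ctstate RELATED -m helper --helper sip -j ACCEPT
COMMIT
*mangle
:POSTROUTING ACCEPT [0:0]
:mrk-post-fwd - [0:0]
-A POSTROUTING -j mrk-post-fwd
# Mark signalling and the RTP flows whose master carries the sip helper.
-A mrk-post-fwd -m helper --helper sip -j MARK --set-mark $SIP_MARK
COMMIT
EOF
}

# Count of rules that explicitly attach the sip helper (both directions).
count_ct_rules() {
  build_ruleset | grep -c -- '-j CT --helper sip'
}

# Load the ruleset; keep automatic helper assignment disabled explicitly.
apply_ruleset() {
  sysctl -q -w net.netfilter.nf_conntrack_helper=0
  build_ruleset | iptables-restore
}

case "${1:-print}" in
  apply) apply_ruleset ;;
  check) build_ruleset | iptables-restore --test ;;
  *)     build_ruleset ;;
esac
```

Run `check` before `apply` so a typo in a rule is caught by the parser rather than by a half-loaded table; without `nf_conntrack_helper=0` a helper could still be auto-assigned on other hosts, so the script sets it explicitly.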