Linode Community Forums
PostPosted: Fri Nov 23, 2012 3:05 pm 
Senior Member

Joined: Wed May 13, 2009 1:32 pm
Posts: 737
Location: Italy
Hi,
I'm getting this warning on my CentOS 6.3 box.
Quote:
nf_conntrack: automatic helper assignment is deprecated and it will be removed soon. Use the iptables CT target to attach helpers instead.


What does it want? What can I do for it?
Thanks.


PostPosted: Fri Nov 23, 2012 6:07 pm 
Senior Member

Joined: Wed May 13, 2009 1:32 pm
Posts: 737
Location: Italy
This is my iptables:

Code:
# Generated by iptables-save v1.4.7 on Sun Nov 13 14:53:41 2011
*security
:INPUT ACCEPT [18038905:2743115423]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [10817526:32960151203]
COMMIT
# Completed on Sun Nov 13 14:53:41 2011
# Generated by iptables-save v1.4.7 on Sun Nov 13 14:53:41 2011
*raw
:PREROUTING ACCEPT [18196073:2750419524]
:OUTPUT ACCEPT [10822373:32961232354]
COMMIT
# Completed on Sun Nov 13 14:53:41 2011
# Generated by iptables-save v1.4.7 on Sun Nov 13 14:53:41 2011
*nat
:PREROUTING ACCEPT [327277:18343365]
:INPUT ACCEPT [282086:16034919]
:OUTPUT ACCEPT [1010678:73542387]
:POSTROUTING ACCEPT [1009394:72831137]
COMMIT
# Completed on Sun Nov 13 14:53:41 2011
# Generated by iptables-save v1.4.7 on Sun Nov 13 14:53:41 2011
*mangle
:PREROUTING ACCEPT [18196073:2750419524]
:INPUT ACCEPT [18196065:2750417334]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [10822373:32961232354]
:POSTROUTING ACCEPT [10817526:32960151203]
COMMIT
# Completed on Sun Nov 13 14:53:41 2011
# Generated by iptables-save v1.4.7 on Sun Nov 13 14:53:41 2011
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:fail2ban-DOVECOT - [0:0]
:fail2ban-SMTP - [0:0]
:fail2ban-SSH - [0:0]
:fail2ban-apache - [0:0]
:fail2ban-php-url - [0:0]
:fail2ban-squirrelmail - [0:0]
-A INPUT -p tcp -m multiport --dports 80,1080 -j fail2ban-apache
-A INPUT -p tcp -m multiport --dports 443 -j fail2ban-apache
-A INPUT -p tcp -m multiport --dports 80,1080 -j fail2ban-apache
-A INPUT -p tcp -m multiport --dports 443 -j fail2ban-php-url
-A INPUT -p tcp -m multiport --dports 143,993,110,995 -j fail2ban-DOVECOT
-A INPUT -p tcp -m multiport --dports 443,1080 -j fail2ban-apache
-A INPUT -p tcp -m multiport --dports 443 -j fail2ban-apache
-A INPUT -p tcp -m tcp --dport 25 -j fail2ban-SMTP
-A INPUT -p tcp -m tcp --dport 6969 -j fail2ban-SSH
-A INPUT -p tcp -m multiport --dports 80,1080 -j fail2ban-php-url
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW,ESTABLISHED,RELATED -m tcp -p tcp --dport 3128 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 10.0.0.0/8 -j DROP
-A INPUT -s 169.254.0.0/16 -j DROP
-A INPUT -s 172.16.0.0/12 -j DROP
-A INPUT -s 127.0.0.0/8 -j DROP
-A INPUT -s 224.0.0.0/4 -j DROP
-A INPUT -d 224.0.0.0/4 -j DROP
-A INPUT -s 240.0.0.0/5 -j DROP
-A INPUT -d 240.0.0.0/5 -j DROP
-A INPUT -s 0.0.0.0/8 -j DROP
-A INPUT -d 0.0.0.0/8 -j DROP
-A INPUT -d 239.255.255.0/24 -j DROP
-A INPUT -d 255.255.255.255/32 -j DROP
-A INPUT -p icmp -m icmp --icmp-type 17 -j DROP
-A INPUT -p icmp -m icmp --icmp-type 13 -j DROP
-A INPUT -p icmp -m icmp --icmp-type any -m limit --limit 1/sec -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p tcp -m tcp --tcp-flags RST RST -m limit --limit 2/sec --limit-burst 2 -j ACCEPT
-A INPUT -m recent --rcheck --seconds 86400 --name portscan --rsource -j DROP
-A INPUT -m recent --remove --name portscan --rsource
-A INPUT -p tcp -m tcp --dport 139 -m recent --set --name portscan --rsource -j LOG --log-prefix "Portscan:"
-A INPUT -p tcp -m tcp --dport 139 -m recent --set --name portscan --rsource -j DROP
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 465 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 587 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1080 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
-A INPUT -p udp -m udp --dport 123 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 993 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 995 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 6969 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m tcp --dport 465 -j ACCEPT
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -m recent --rcheck --seconds 86400 --name portscan --rsource -j DROP
-A FORWARD -m recent --remove --name portscan --rsource
-A FORWARD -p tcp -m tcp --dport 139 -m recent --set --name portscan --rsource -j LOG --log-prefix "Portscan:"
-A FORWARD -p tcp -m tcp --dport 139 -m recent --set --name portscan --rsource -j DROP
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -m state --state INVALID -j DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 465 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 587 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 67 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 1080 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 110 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 123 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 143 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 993 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 995 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 6969 -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A OUTPUT -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -p tcp -m tcp --dport 465 -j ACCEPT
-A fail2ban-DOVECOT -j RETURN
-A fail2ban-SMTP -j RETURN
-A fail2ban-SSH -j RETURN
-A fail2ban-apache -j RETURN
-A fail2ban-apache -j RETURN
-A fail2ban-apache -j RETURN
-A fail2ban-apache -j RETURN
-A fail2ban-apache -j RETURN
-A fail2ban-apache -j RETURN
-A fail2ban-php-url -j RETURN
-A fail2ban-php-url -j RETURN
-A fail2ban-squirrelmail -j RETURN
COMMIT
# Completed on Sun Nov 13 14:53:41 2011



PostPosted: Mon Nov 26, 2012 5:23 pm 
Senior Member

Joined: Wed May 13, 2009 1:32 pm
Posts: 737
Location: Italy
110 views without a single reply... interesting :)


PostPosted: Mon Nov 26, 2012 6:27 pm 
Senior Member

Joined: Tue May 26, 2009 3:29 pm
Posts: 1691
Location: Montreal, QC
Well, if you must know:

1) I don't use CentOS
2) I don't directly use IPTABLES
3) I don't use fail2ban
4) I don't know anything about helper assignments

I assume most people reading this thread match one or more of those.


PostPosted: Mon Nov 26, 2012 7:20 pm 
Senior Member

Joined: Fri Oct 24, 2003 3:51 pm
Posts: 965
Location: Netherlands
Guspaz wrote:
2) I don't directly use IPTABLES

+1

_________________
/ Peter


PostPosted: Tue Nov 27, 2012 5:48 am 
Senior Member

Joined: Wed May 13, 2009 1:32 pm
Posts: 737
Location: Italy
I'm not interested in people who can't help, I'm interested in people that
have something interesting to say :mrgreen:


PostPosted: Tue Nov 27, 2012 9:19 pm 
Senior Member

Joined: Fri Jan 09, 2009 5:32 pm
Posts: 634
sblantipodi wrote:
I'm not interested in people who can't help, I'm interested in people that
have something interesting to say :mrgreen:


Then don't whine about not getting replies.


PostPosted: Tue Nov 27, 2012 9:32 pm 
Senior Member

Joined: Fri Oct 24, 2003 3:51 pm
Posts: 965
Location: Netherlands
glg wrote:
Then don't whine about not getting replies.

+1

_________________
/ Peter


PostPosted: Sun Dec 09, 2012 9:58 am 
Senior Member

Joined: Wed May 13, 2009 1:32 pm
Posts: 737
Location: Italy
I have done:
echo 0 > /proc/sys/net/netfilter/nf_conntrack_helper

When I reboot, I find a 1 in /proc/sys/net/netfilter/nf_conntrack_helper instead of a 0.
Who put the zero there?


PostPosted: Sun Dec 09, 2012 12:04 pm 
Senior Member

Joined: Sat Aug 30, 2008 1:55 pm
Posts: 1739
Location: Rochester, New York
That is a bit of a philosophical question. However, it is a boolean value and something has to go there on boot, and the kernel has no way to remember what its state was when (and if) it was last booted. So, it picked 1.

Look into /etc/sysctl.conf

_________________
Code:
/* TODO: need to add signature to posts */


PostPosted: Mon Jan 07, 2013 5:34 am 
Junior Member

Joined: Wed Jul 21, 2004 4:45 am
Posts: 21
Website: http://www.percederberg.net
Location: Stockholm, Sweden
You'll get rid of the warning by removing "RELATED" from this line:

Code:
-A INPUT -m state --state NEW,ESTABLISHED,RELATED -m tcp -p tcp --dport 3128 -j ACCEPT


Kernel patch detailed here:
http://comments.gmane.org/gmane.linux.network/229974

Feature change explained at:
https://home.regit.org/netfilter-en/sec ... f-helpers/


PostPosted: Mon Jan 07, 2013 7:05 am 
Junior Member

Joined: Wed Jul 21, 2004 4:45 am
Posts: 21
Website: http://www.percederberg.net
Location: Stockholm, Sweden
Sorry. A bit more reading (and testing) shows that one more thing must be done:

Code:
echo 0 > /proc/sys/net/netfilter/nf_conntrack_helper


To make the above change persistent across reboots, edit /etc/sysctl.conf or create
/etc/sysctl.d/99-localfix.conf (for Ubuntu/Debian):

Code:
# Disable iptables deprecated helpers
# https://home.regit.org/netfilter-en/secure-use-of-helpers/
net.netfilter.nf_conntrack_helper=0


This will shut down the iptables connection tracking helpers totally. This disables support for a bunch of protocols (most of which you probably don't use anyway):
ftp, irc, sane, sip, tftp, amanda, h323, netbios_ns, pptp & snmp

Read the blog post linked above for details.
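As an added example (not code from the thread or from any poster), a small Python audit that applies the recipe above to a saved ruleset: it lists the rules matching the RELATED state, records any explicit CT --helper rules in the raw table (the form the warning message recommends), and says whether, for a given nf_conntrack_helper value, the warning is still to be expected. The sample dump is constructed from a trimmed copy of the ruleset posted earlier in the thread, with the raw-table CT rule added as an assumption.

```python
"""Audit an iptables-save dump for the thread's recipe behind the
'nf_conntrack: automatic helper assignment is deprecated' warning: rules that
match RELATED rely on automatic helper assignment, active while the sysctl is 1."""
import re

STATE_RE = re.compile(r"--(?:ct)?state\s+([A-Z,]+)")          # -m state / -m conntrack
CT_HELPER_RE = re.compile(r"-j CT\b.*--helper\s+(\S+)")       # explicit helper (raw table)

# Constructed sample: trimmed from the posted ruleset, plus one raw-table rule
# (an assumption) in the explicit 'CT --helper' form the warning recommends.
SAMPLE_DUMP = """\
*raw
-A PREROUTING -p tcp -m tcp --dport 21 -j CT --helper ftp
COMMIT
*filter
-A INPUT -m state --state NEW,ESTABLISHED,RELATED -m tcp -p tcp --dport 3128 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
COMMIT
"""

def parse_tables(dump):
    """Map each table name ('raw', 'filter', ...) to its '-A' rule lines."""
    tables, current = {}, None
    for line in dump.splitlines():
        if line.startswith("*"):
            current = line[1:]
            tables[current] = []
        elif line.startswith("-A") and current is not None:
            tables[current].append(line)
    return tables

def audit(dump, nf_conntrack_helper):
    """Report the rules that depend on automatic helper assignment; the warning
    goes away (per the thread) once the sysctl is 0 or no rule matches RELATED."""
    tables = parse_tables(dump)
    related = []
    for rule in (r for rules in tables.values() for r in rules):
        m = STATE_RE.search(rule)
        if m and "RELATED" in m.group(1).split(","):
            related.append(rule)
    explicit = [m.group(1) for m in map(CT_HELPER_RE.search, tables.get("raw", [])) if m]
    return {"related_rules": related, "explicit_helpers": explicit,
            "warning_expected": nf_conntrack_helper == 1 and bool(related)}

if __name__ == "__main__":
    for value in (1, 0):  # kernel default vs. the thread's sysctl fix
        r = audit(SAMPLE_DUMP, value)
        print(value, r["warning_expected"], len(r["related_rules"]), r["explicit_helpers"])
```

On a live box, feed it the output of iptables-save and the current value of /proc/sys/net/netfilter/nf_conntrack_helper.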


PostPosted: Mon Jan 07, 2013 9:22 am 
Senior Member

Joined: Wed May 13, 2009 1:32 pm
Posts: 737
Location: Italy
cederberg wrote:
Sorry. A bit more reading (and testing) shows that one more thing must be done:

Code:
echo 0 > /proc/sys/net/netfilter/nf_conntrack_helper


To make the above change persistent across reboots, edit /etc/sysctl.conf or create
/etc/sysctl.d/99-localfix.conf (for Ubuntu/Debian):

Code:
# Disable iptables deprecated helpers
# https://home.regit.org/netfilter-en/secure-use-of-helpers/
net.netfilter.nf_conntrack_helper=0


This will shut down the iptables connection tracking helpers totally. This disables support for a bunch of protocols (most of which you probably don't use anyway):
ftp, irc, sane, sip, tftp, amanda, h323, netbios_ns, pptp & snmp

Read the blog post linked above for details.


Thanks for the answer. I chose to use the default CentOS kernel with pv-grub to get rid of many errors of this kind. Now it works like a charm, without warnings popping up randomly.


PostPosted: Mon Jan 07, 2013 4:16 pm 
Junior Member

Joined: Wed Jul 21, 2004 4:45 am
Posts: 21
Website: http://www.percederberg.net
Location: Stockholm, Sweden
Ok. But unless CentOS patches their kernels in this regard, it will eventually get there as well.

This is a mainline kernel change, so it should reach everywhere eventually. Some distros might have better defaults, but Ubuntu 12.04 didn't at least.

