Linode Forum
https://forum.linode.com/

nf_conntrack: automatic helper assignment is deprecated and
https://forum.linode.com/viewtopic.php?f=19&t=9564

Author:  sblantipodi [ Fri Nov 23, 2012 3:05 pm ]
Post subject:  nf_conntrack: automatic helper assignment is deprecated and

Hi,
I'm getting this warning on my CentOS 6.3 box.
Quote:
nf_conntrack: automatic helper assignment is deprecated and it will be removed soon. Use the iptables CT target to attach helpers instead.


What does it want? What can I do for it?
Thanks.

Author:  sblantipodi [ Fri Nov 23, 2012 6:07 pm ]
Post subject:  Re: nf_conntrack: automatic helper assignment is deprecated

This is my iptables:

Code:
# Generated by iptables-save v1.4.7 on Sun Nov 13 14:53:41 2011
*security
:INPUT ACCEPT [18038905:2743115423]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [10817526:32960151203]
COMMIT
# Completed on Sun Nov 13 14:53:41 2011
# Generated by iptables-save v1.4.7 on Sun Nov 13 14:53:41 2011
*raw
:PREROUTING ACCEPT [18196073:2750419524]
:OUTPUT ACCEPT [10822373:32961232354]
COMMIT
# Completed on Sun Nov 13 14:53:41 2011
# Generated by iptables-save v1.4.7 on Sun Nov 13 14:53:41 2011
*nat
:PREROUTING ACCEPT [327277:18343365]
:INPUT ACCEPT [282086:16034919]
:OUTPUT ACCEPT [1010678:73542387]
:POSTROUTING ACCEPT [1009394:72831137]
COMMIT
# Completed on Sun Nov 13 14:53:41 2011
# Generated by iptables-save v1.4.7 on Sun Nov 13 14:53:41 2011
*mangle
:PREROUTING ACCEPT [18196073:2750419524]
:INPUT ACCEPT [18196065:2750417334]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [10822373:32961232354]
:POSTROUTING ACCEPT [10817526:32960151203]
COMMIT
# Completed on Sun Nov 13 14:53:41 2011
# Generated by iptables-save v1.4.7 on Sun Nov 13 14:53:41 2011
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:fail2ban-DOVECOT - [0:0]
:fail2ban-SMTP - [0:0]
:fail2ban-SSH - [0:0]
:fail2ban-apache - [0:0]
:fail2ban-php-url - [0:0]
:fail2ban-squirrelmail - [0:0]
-A INPUT -p tcp -m multiport --dports 80,1080 -j fail2ban-apache
-A INPUT -p tcp -m multiport --dports 443 -j fail2ban-apache
-A INPUT -p tcp -m multiport --dports 80,1080 -j fail2ban-apache
-A INPUT -p tcp -m multiport --dports 443 -j fail2ban-php-url
-A INPUT -p tcp -m multiport --dports 143,993,110,995 -j fail2ban-DOVECOT
-A INPUT -p tcp -m multiport --dports 443,1080 -j fail2ban-apache
-A INPUT -p tcp -m multiport --dports 443 -j fail2ban-apache
-A INPUT -p tcp -m tcp --dport 25 -j fail2ban-SMTP
-A INPUT -p tcp -m tcp --dport 6969 -j fail2ban-SSH
-A INPUT -p tcp -m multiport --dports 80,1080 -j fail2ban-php-url
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW,ESTABLISHED,RELATED -m tcp -p tcp --dport 3128 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 10.0.0.0/8 -j DROP
-A INPUT -s 169.254.0.0/16 -j DROP
-A INPUT -s 172.16.0.0/12 -j DROP
-A INPUT -s 127.0.0.0/8 -j DROP
-A INPUT -s 224.0.0.0/4 -j DROP
-A INPUT -d 224.0.0.0/4 -j DROP
-A INPUT -s 240.0.0.0/5 -j DROP
-A INPUT -d 240.0.0.0/5 -j DROP
-A INPUT -s 0.0.0.0/8 -j DROP
-A INPUT -d 0.0.0.0/8 -j DROP
-A INPUT -d 239.255.255.0/24 -j DROP
-A INPUT -d 255.255.255.255/32 -j DROP
-A INPUT -p icmp -m icmp --icmp-type 17 -j DROP
-A INPUT -p icmp -m icmp --icmp-type 13 -j DROP
-A INPUT -p icmp -m icmp --icmp-type any -m limit --limit 1/sec -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p tcp -m tcp --tcp-flags RST RST -m limit --limit 2/sec --limit-burst 2 -j ACCEPT
-A INPUT -m recent --rcheck --seconds 86400 --name portscan --rsource -j DROP
-A INPUT -m recent --remove --name portscan --rsource
-A INPUT -p tcp -m tcp --dport 139 -m recent --set --name portscan --rsource -j LOG --log-prefix "Portscan:"
-A INPUT -p tcp -m tcp --dport 139 -m recent --set --name portscan --rsource -j DROP
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 465 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 587 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1080 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
-A INPUT -p udp -m udp --dport 123 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 993 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 995 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 6969 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m tcp --dport 465 -j ACCEPT
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -m recent --rcheck --seconds 86400 --name portscan --rsource -j DROP
-A FORWARD -m recent --remove --name portscan --rsource
-A FORWARD -p tcp -m tcp --dport 139 -m recent --set --name portscan --rsource -j LOG --log-prefix "Portscan:"
-A FORWARD -p tcp -m tcp --dport 139 -m recent --set --name portscan --rsource -j DROP
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -m state --state INVALID -j DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 465 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 587 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 67 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 1080 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 110 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 123 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 143 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 993 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 995 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 6969 -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A OUTPUT -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -p tcp -m tcp --dport 465 -j ACCEPT
-A fail2ban-DOVECOT -j RETURN
-A fail2ban-SMTP -j RETURN
-A fail2ban-SSH -j RETURN
-A fail2ban-apache -j RETURN
-A fail2ban-apache -j RETURN
-A fail2ban-apache -j RETURN
-A fail2ban-apache -j RETURN
-A fail2ban-apache -j RETURN
-A fail2ban-apache -j RETURN
-A fail2ban-php-url -j RETURN
-A fail2ban-php-url -j RETURN
-A fail2ban-squirrelmail -j RETURN
COMMIT
# Completed on Sun Nov 13 14:53:41 2011


Author:  sblantipodi [ Mon Nov 26, 2012 5:23 pm ]
Post subject:  Re: nf_conntrack: automatic helper assignment is deprecated

110 views without a single reply... interesting :)

Author:  Guspaz [ Mon Nov 26, 2012 6:27 pm ]
Post subject:  Re: nf_conntrack: automatic helper assignment is deprecated

Well, if you must know:

1) I don't use CentOS
2) I don't directly use IPTABLES
3) I don't use fail2ban
4) I don't know anything about helper assignments

I assume most people reading this thread match one or more of those.

Author:  pclissold [ Mon Nov 26, 2012 7:20 pm ]
Post subject:  Re: nf_conntrack: automatic helper assignment is deprecated

Guspaz wrote:
2) I don't directly use IPTABLES

+1

Author:  sblantipodi [ Tue Nov 27, 2012 5:48 am ]
Post subject:  Re: nf_conntrack: automatic helper assignment is deprecated

I'm not interested in people who can't help, I'm interested in people that
have something interesting to say :mrgreen:

Author:  glg [ Tue Nov 27, 2012 9:19 pm ]
Post subject:  Re: nf_conntrack: automatic helper assignment is deprecated

sblantipodi wrote:
I'm not interested in people who can't help, I'm interested in people that
have something interesting to say :mrgreen:


Then don't whine about not getting replies.

Author:  pclissold [ Tue Nov 27, 2012 9:32 pm ]
Post subject:  Re: nf_conntrack: automatic helper assignment is deprecated

glg wrote:
Then don't whine about not getting replies.

+1

Author:  sblantipodi [ Sun Dec 09, 2012 9:58 am ]
Post subject:  Re: nf_conntrack: automatic helper assignment is deprecated

I have done:
echo 0 > /proc/sys/net/netfilter/nf_conntrack_helper

When I reboot, I find a 1 in /proc/sys/net/netfilter/nf_conntrack_helper instead of a 0.
Who put the one there?

Author:  hoopycat [ Sun Dec 09, 2012 12:04 pm ]
Post subject:  Re: nf_conntrack: automatic helper assignment is deprecated

That is a bit of a philosophical question. However, it is a boolean value and something has to go there on boot, and the kernel has no way to remember what its state was when (and if) it was last booted. So, it picked 1.

Look into /etc/sysctl.conf

Author:  cederberg [ Mon Jan 07, 2013 5:34 am ]
Post subject:  Re: nf_conntrack: automatic helper assignment is deprecated

You'll get rid of the warning by removing "RELATED" from this line:

Code:
-A INPUT -m state --state NEW,ESTABLISHED,RELATED -m tcp -p tcp --dport 3128 -j ACCEPT


Kernel patch detailed here:
http://comments.gmane.org/gmane.linux.network/229974

Feature change explained at:
https://home.regit.org/netfilter-en/sec ... f-helpers/

Author:  cederberg [ Mon Jan 07, 2013 7:05 am ]
Post subject:  Re: nf_conntrack: automatic helper assignment is deprecated

Sorry. A bit more reading (and testing) shows that one more thing must be done:

Code:
echo 0 > /proc/sys/net/netfilter/nf_conntrack_helper


To make the above change persistent across reboots, edit /etc/sysctl.conf or create
/etc/sysctl.d/99-localfix.conf (for Ubuntu/Debian):

Code:
# Disable iptables deprecated helpers
# https://home.regit.org/netfilter-en/secure-use-of-helpers/
net.netfilter.nf_conntrack_helper=0


This will shut down the iptables connection tracking helpers totally. This disables support for a bunch of protocols (most of which you probably don't use anyway):
ftp, irc, sane, sip, tftp, amanda, h323, netbios_ns, pptp & snmp

Read the blog post linked above for details.
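The alternative the kernel message itself points at is to keep only the helpers you need and attach them explicitly with the CT target, so that disabling automatic assignment does not break those protocols. The script below is an added example, not code from this thread or from the linked blog post; it assumes an iptables with the CT target and the `helper` match, the nf_conntrack_ftp module, and FTP on port 21 as the one protocol worth keeping.

```shell
#!/bin/sh
# Added example: turn off automatic helper assignment, then attach the ftp helper
# explicitly via the CT target (raw table) and accept only the RELATED connections
# that helper creates. Assumes iptables with the CT target and the helper match.
set -eu

# Print the iptables commands that attach one conntrack helper to one TCP port.
# $1 = helper name (e.g. ftp), $2 = destination port, $3 = iptables binary (optional)
ct_helper_rules() {
    helper="$1"; port="$2"; ipt="${3:-iptables}"
    # The raw table is traversed before conntrack, so helpers are attached here.
    printf '%s -t raw -A PREROUTING -p tcp --dport %s -j CT --helper %s\n' "$ipt" "$port" "$helper"
    printf '%s -t raw -A OUTPUT -p tcp --dport %s -j CT --helper %s\n' "$ipt" "$port" "$helper"
    # Accept RELATED connections only when this specific helper expected them,
    # instead of a blanket "--state RELATED" that trusts every helper.
    printf '%s -A INPUT -m conntrack --ctstate RELATED -m helper --helper %s -j ACCEPT\n' "$ipt" "$helper"
}

# The sysctl file only exists once nf_conntrack is loaded; fail loudly if it is
# missing so the caller can load the module instead of silently keeping the default 1.
helper_sysctl_path() {
    p=/proc/sys/net/netfilter/nf_conntrack_helper
    [ -e "$p" ] || return 1
    printf '%s\n' "$p"
}

# Install everything; needs root. Order matters: disable auto-assignment first.
apply_rules() {
    p=$(helper_sysctl_path) || { echo "nf_conntrack not loaded; run modprobe nf_conntrack first" >&2; return 1; }
    echo 0 > "$p"
    modprobe nf_conntrack_ftp
    ct_helper_rules ftp 21 | sh -e
}

# Dry run by default (prints the rules); pass --apply as root to install them.
if [ "${1:-}" = "--apply" ]; then apply_rules; else ct_helper_rules ftp 21; fi
```

On CentOS 6 the `net.netfilter.*` keys are only present after the conntrack module is loaded, so a value in /etc/sysctl.conf can be rejected as an unknown key at boot if iptables starts later; applying the sysctl from the firewall script itself, as above, avoids that ordering problem.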

Author:  sblantipodi [ Mon Jan 07, 2013 9:22 am ]
Post subject:  Re: nf_conntrack: automatic helper assignment is deprecated

cederberg wrote:
Sorry. A bit more reading (and testing) shows that one more thing must be done:

Code:
echo 0 > /proc/sys/net/netfilter/nf_conntrack_helper


To make the above change persistent across reboots, edit /etc/sysctl.conf or create
/etc/sysctl.d/99-localfix.conf (for Ubuntu/Debian):

Code:
# Disable iptables deprecated helpers
# https://home.regit.org/netfilter-en/secure-use-of-helpers/
net.netfilter.nf_conntrack_helper=0


This will shut down the iptables connection tracking helpers totally. This disables support for a bunch of protocols (most of which you probably don't use anyway):
ftp, irc, sane, sip, tftp, amanda, h323, netbios_ns, pptp & snmp

Read the blog post linked above for details.


Thanks for the answer. I chose to use the default CentOS kernel with pv-grub to get rid of many errors
of this kind. Now it works like a charm, without warnings popping up randomly.

Author:  cederberg [ Mon Jan 07, 2013 4:16 pm ]
Post subject:  Re: nf_conntrack: automatic helper assignment is deprecated

Ok. But unless CentOS patches their kernels in this regard, it will eventually get there as well.

This is a mainline kernel change, so it should reach everywhere eventually. Some distros might have better defaults, but Ubuntu 12.04 didn't at least.
