Replace deprecated state match with conntrack

rules-ipv4.iptables

@@ -1,5 +1,5 @@
 ###############################################################################
-# Copyright 2012 Jakub Jirutka. All rights reserved.
+# Copyright 2012-2014 Jakub Jirutka. All rights reserved.
 #
 # "THE KOFOLA-WARE LICENSE" (Revision 1):
 # Jakub Jirutka originally wrote this file. As long as you retain this notice you
@@ -25,8 +25,8 @@
 # This template is based on http://jdem.cz/v64a3 from University of Leicester
 #
 # @author Jakub Jirutka <jakub@jirutka.cz>
-# @version 1.1
-# @date 2012-10-05
+# @version 1.2
+# @date 2014-01-01
 #
 
 ###############################################################################
@@ -47,10 +47,10 @@
 
 # Continue connections that are already established or related to an established 
 # connection
--A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 
 # Drop non-conforming packets, such as malformed headers, etc.
--A INPUT -m state --state INVALID -j DROP
+-A INPUT -m conntrack --ctstate INVALID -j DROP
 
 # Block remote packets claiming to be from a loopback address
 -A INPUT -s 127.0.0.0/8 ! -i lo -j DROP
@@ -89,8 +89,8 @@
 ###############################################################################
 
 # Accept worldwide access to HTTP and HTTPS
-# -A INPUT -p tcp -m tcp --dport 80 --syn -m state --state NEW -j ACCEPT
-# -A INPUT -p tcp -m tcp --dport 443 --syn -m state --state NEW -j ACCEPT
+# -A INPUT -p tcp -m tcp --dport 80 --syn -m conntrack --ctstate NEW -j ACCEPT
+# -A INPUT -p tcp -m tcp --dport 443 --syn -m conntrack --ctstate NEW -j ACCEPT
 
 
 ###############################################################################
@@ -101,16 +101,16 @@
 
 # Accept worldwide access to SSH and use SSHBRUTE chain for preventing 
 # brute-force attacks.
--A INPUT -p tcp -m tcp --dport 22 --syn -m state --state NEW -j SSHBRUTE
+-A INPUT -p tcp -m tcp --dport 22 --syn -m conntrack --ctstate NEW -j SSHBRUTE
 
 # Permit useful IMCP packet types
 # Note: RFC 792 states that all hosts MUST respond to ICMP ECHO requests.
 # Blocking these can make diagnosing of even simple faults much more tricky.
 # Real security lies in locking down and hardening all services, not by hiding.
--A INPUT -p icmp -m icmp --icmp-type 0  -m state --state NEW -j ACCEPT
--A INPUT -p icmp -m icmp --icmp-type 3  -m state --state NEW -j ACCEPT
--A INPUT -p icmp -m icmp --icmp-type 8  -m state --state NEW -j ICMPFLOOD
--A INPUT -p icmp -m icmp --icmp-type 11 -m state --state NEW -j ACCEPT
+-A INPUT -p icmp -m icmp --icmp-type 0  -m conntrack --ctstate NEW -j ACCEPT
+-A INPUT -p icmp -m icmp --icmp-type 3  -m conntrack --ctstate NEW -j ACCEPT
+-A INPUT -p icmp -m icmp --icmp-type 8  -m conntrack --ctstate NEW -j ICMPFLOOD
+-A INPUT -p icmp -m icmp --icmp-type 11 -m conntrack --ctstate NEW -j ACCEPT
 
 # Do not log packets that are going to ports used by SMB 
 # (Samba / Windows Sharing)
@@ -126,7 +126,7 @@
 -A INPUT -p udp -m udp --sport 53 -j DROP
 
 # Good practise is to explicately reject AUTH traffic so that it fails fast
--A INPUT -p tcp -m tcp --dport 113 --syn -m state --state NEW -j REJECT --reject-with tcp-reset
+-A INPUT -p tcp -m tcp --dport 113 --syn -m conntrack --ctstate NEW -j REJECT --reject-with tcp-reset
 
 # Prevent DOS by filling log files
 -A INPUT -m limit --limit 1/second --limit-burst 100 -j LOG --log-prefix "iptables[DOS]: "

rules-ipv6.ip6tables

@@ -1,5 +1,5 @@
 ###############################################################################
-# Copyright 2012 Jakub Jirutka. All rights reserved.
+# Copyright 2012-2014 Jakub Jirutka. All rights reserved.
 #
 # "THE KOFOLA-WARE LICENSE" (Revision 1):
 # Jakub Jirutka originally wrote this file. As long as you retain this notice you
@@ -25,8 +25,8 @@
 # This template is based on http://jdem.cz/v64a3 from University of Leicester
 #
 # @author Jakub Jirutka <jakub@jirutka.cz>
-# @version 1.1
-# @date 2012-10-05
+# @version 1.2
+# @date 2014-01-01
 #
 
 ###############################################################################
@@ -47,10 +47,10 @@
 
 # Continue connections that are already established or related to an established 
 # connection
--A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 
 # Drop non-conforming packets, such as malformed headers, etc.
--A INPUT -m state --state INVALID -j DROP
+-A INPUT -m conntrack --ctstate INVALID -j DROP
 
 # Block remote packets claiming to be from a loopback address
 -A INPUT -s ::1/128 ! -i lo -j DROP
@@ -82,8 +82,8 @@
 ###############################################################################
 
 # Accept worldwide access to HTTP and HTTPS
-# -A INPUT -p tcp -m tcp --dport 80 --syn -m state --state NEW -j ACCEPT
-# -A INPUT -p tcp -m tcp --dport 443 --syn -m state --state NEW -j ACCEPT
+# -A INPUT -p tcp -m tcp --dport 80 --syn -m conntrack --ctstate NEW -j ACCEPT
+# -A INPUT -p tcp -m tcp --dport 443 --syn -m conntrack --ctstate NEW -j ACCEPT
 
 
 ###############################################################################
@@ -94,7 +94,7 @@
 
 # Accept worldwide access to SSH and use SSHBRUTE chain for preventing 
 # brute-force attacks.
--A INPUT -p tcp -m tcp --dport 22 --syn -m state --state NEW -j SSHBRUTE
+-A INPUT -p tcp -m tcp --dport 22 --syn -m conntrack --ctstate NEW -j SSHBRUTE
 
 # Permit needed ICMP packet types for IPv6 per RFC 4890
 -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 1 -j ACCEPT
@@ -136,7 +136,7 @@
 -A INPUT -p udp -m udp --sport 53 -j DROP
 
 # Good practise is to explicately reject AUTH traffic so that it fails fast
--A INPUT -p tcp -m tcp --dport 113 --syn -m state --state NEW -j REJECT --reject-with tcp-reset
+-A INPUT -p tcp -m tcp --dport 113 --syn -m conntrack --ctstate NEW -j REJECT --reject-with tcp-reset
 
 # Prevent DOS by filling log files
 -A INPUT -m limit --limit 1/second --limit-burst 100 -j LOG --log-prefix "ip6tables[DOS]: "