nf_conntrack: automatic helper assignment is deprecated and
I'm getting this warning on my CentOS 6.3 box.
> nf_conntrack: automatic helper assignment is deprecated and it will be removed soon. Use the iptables CT target to attach helpers instead.
What does it want? What can I do for it?
Thanks.
13 Replies
# Generated by iptables-save v1.4.7 on Sun Nov 13 14:53:41 2011
*security
:INPUT ACCEPT [18038905:2743115423]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [10817526:32960151203]
COMMIT
# Completed on Sun Nov 13 14:53:41 2011
# Generated by iptables-save v1.4.7 on Sun Nov 13 14:53:41 2011
*raw
:PREROUTING ACCEPT [18196073:2750419524]
:OUTPUT ACCEPT [10822373:32961232354]
COMMIT
# Completed on Sun Nov 13 14:53:41 2011
# Generated by iptables-save v1.4.7 on Sun Nov 13 14:53:41 2011
*nat
:PREROUTING ACCEPT [327277:18343365]
:INPUT ACCEPT [282086:16034919]
:OUTPUT ACCEPT [1010678:73542387]
:POSTROUTING ACCEPT [1009394:72831137]
COMMIT
# Completed on Sun Nov 13 14:53:41 2011
# Generated by iptables-save v1.4.7 on Sun Nov 13 14:53:41 2011
*mangle
:PREROUTING ACCEPT [18196073:2750419524]
:INPUT ACCEPT [18196065:2750417334]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [10822373:32961232354]
:POSTROUTING ACCEPT [10817526:32960151203]
COMMIT
# Completed on Sun Nov 13 14:53:41 2011
# Generated by iptables-save v1.4.7 on Sun Nov 13 14:53:41 2011
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:fail2ban-DOVECOT - [0:0]
:fail2ban-SMTP - [0:0]
:fail2ban-SSH - [0:0]
:fail2ban-apache - [0:0]
:fail2ban-php-url - [0:0]
:fail2ban-squirrelmail - [0:0]
-A INPUT -p tcp -m multiport --dports 80,1080 -j fail2ban-apache
-A INPUT -p tcp -m multiport --dports 443 -j fail2ban-apache
-A INPUT -p tcp -m multiport --dports 80,1080 -j fail2ban-apache
-A INPUT -p tcp -m multiport --dports 443 -j fail2ban-php-url
-A INPUT -p tcp -m multiport --dports 143,993,110,995 -j fail2ban-DOVECOT
-A INPUT -p tcp -m multiport --dports 443,1080 -j fail2ban-apache
-A INPUT -p tcp -m multiport --dports 443 -j fail2ban-apache
-A INPUT -p tcp -m tcp --dport 25 -j fail2ban-SMTP
-A INPUT -p tcp -m tcp --dport 6969 -j fail2ban-SSH
-A INPUT -p tcp -m multiport --dports 80,1080 -j fail2ban-php-url
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW,ESTABLISHED,RELATED -m tcp -p tcp --dport 3128 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 10.0.0.0/8 -j DROP
-A INPUT -s 169.254.0.0/16 -j DROP
-A INPUT -s 172.16.0.0/12 -j DROP
-A INPUT -s 127.0.0.0/8 -j DROP
-A INPUT -s 224.0.0.0/4 -j DROP
-A INPUT -d 224.0.0.0/4 -j DROP
-A INPUT -s 240.0.0.0/5 -j DROP
-A INPUT -d 240.0.0.0/5 -j DROP
-A INPUT -s 0.0.0.0/8 -j DROP
-A INPUT -d 0.0.0.0/8 -j DROP
-A INPUT -d 239.255.255.0/24 -j DROP
-A INPUT -d 255.255.255.255/32 -j DROP
-A INPUT -p icmp -m icmp --icmp-type 17 -j DROP
-A INPUT -p icmp -m icmp --icmp-type 13 -j DROP
-A INPUT -p icmp -m icmp --icmp-type any -m limit --limit 1/sec -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p tcp -m tcp --tcp-flags RST RST -m limit --limit 2/sec --limit-burst 2 -j ACCEPT
-A INPUT -m recent --rcheck --seconds 86400 --name portscan --rsource -j DROP
-A INPUT -m recent --remove --name portscan --rsource
-A INPUT -p tcp -m tcp --dport 139 -m recent --set --name portscan --rsource -j LOG --log-prefix "Portscan:"
-A INPUT -p tcp -m tcp --dport 139 -m recent --set --name portscan --rsource -j DROP
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 465 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 587 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1080 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
-A INPUT -p udp -m udp --dport 123 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 993 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 995 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 6969 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m tcp --dport 465 -j ACCEPT
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -m recent --rcheck --seconds 86400 --name portscan --rsource -j DROP
-A FORWARD -m recent --remove --name portscan --rsource
-A FORWARD -p tcp -m tcp --dport 139 -m recent --set --name portscan --rsource -j LOG --log-prefix "Portscan:"
-A FORWARD -p tcp -m tcp --dport 139 -m recent --set --name portscan --rsource -j DROP
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -m state --state INVALID -j DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 465 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 587 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 67 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 1080 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 110 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 123 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 143 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 993 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 995 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 6969 -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A OUTPUT -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -p tcp -m tcp --dport 465 -j ACCEPT
-A fail2ban-DOVECOT -j RETURN
-A fail2ban-SMTP -j RETURN
-A fail2ban-SSH -j RETURN
-A fail2ban-apache -j RETURN
-A fail2ban-apache -j RETURN
-A fail2ban-apache -j RETURN
-A fail2ban-apache -j RETURN
-A fail2ban-apache -j RETURN
-A fail2ban-apache -j RETURN
-A fail2ban-php-url -j RETURN
-A fail2ban-php-url -j RETURN
-A fail2ban-squirrelmail -j RETURN
COMMIT
# Completed on Sun Nov 13 14:53:41 2011
1) I don't use CentOS
2) I don't directly use IPTABLES
3) I don't use fail2ban
4) I don't know anything about helper assignments
I assume most people reading this thread match one or more of those.
@Guspaz:
2) I don't directly use IPTABLES
+1
@sblantipodi:
I'm not interested in people who can't help, I'm interested in people that
have something interesting to say
:mrgreen:
Then don't whine about not getting replies.
@glg:
Then don't whine about not getting replies.
+1
echo 0 > /proc/sys/net/netfilter/nf_conntrack_helper
when I reboot I found a 1 in /proc/sys/net/netfilter/nf_conntrack_helper instead of a 0.
Who put the zero there?
Look into /etc/sysctl.conf
-A INPUT -m state --state NEW,ESTABLISHED,RELATED -m tcp -p tcp --dport 3128 -j ACCEPT
Kernel patch detailed here:
Feature change explained at:
echo 0 > /proc/sys/net/netfilter/nf_conntrack_helper
To make the above change persistent across reboots, edit /etc/sysctl.conf or create
/etc/sysctl.d/99-localfix.conf (for Ubuntu/Debian):
# Disable iptables deprecated helpers
# https://home.regit.org/netfilter-en/secure-use-of-helpers/
net.netfilter.nf_conntrack_helper=0
This will shut down the iptables connection tracking helpers totally. This disables support for a bunch of protocols (most of which you probably don't use anyway):
ftp, irc, sane, sip, tftp, amanda, h323, netbios_ns, pptp & snmp
Read the blog post linked above for details.
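The warning asks for the second half of what the sysctl above does: once automatic assignment is off, any helper the host still needs (FTP is the usual one) has to be attached explicitly with the CT target in the raw table. That is also the security point behind the deprecation: automatic assignment hands the helper to every connection that hits the helper's port on any destination, and the helper then parses payload and opens RELATED expectations; a CT rule pins it to one protocol, port and, if you add -d, one host. The script below is an added example, not code from this thread or from the linked blog post. Its HELPERS list (tcp/21 ftp, udp/69 tftp) is a constructed assumption to be edited per host, and helper_autoassign_enabled takes the sysctl file as an argument only so it can be checked against a test file instead of /proc.

```shell
#!/bin/sh
# Added example (not from the thread): turn off automatic helper assignment
# and attach only the helpers this host really needs, via the CT target.
# Assumption: this host serves FTP on tcp/21 and TFTP on udp/69; edit
# HELPERS to match the services that need a helper (often none at all).
set -eu

SYSCTL_KEY=net.netfilter.nf_conntrack_helper

# Constructed list of "proto port helper" triples. The helper name is the
# one the kernel module registers (ftp, tftp, sip, irc, ...).
HELPERS="tcp 21 ftp
udp 69 tftp"

# Emit iptables-restore syntax for the raw table: one CT rule per helper on
# PREROUTING (incoming) and OUTPUT (locally generated), so the control
# connection gets its helper before conntrack creates the entry.
ct_rules() {
    printf '*raw\n'
    printf '%s\n' "$HELPERS" | while read -r proto port helper; do
        [ -n "$helper" ] || continue
        # Add "-d <server address>" here to narrow the helper to one host;
        # automatic assignment applied it to every destination on that port.
        printf '%s -p %s --dport %s -j CT --helper %s\n' \
            '-A PREROUTING' "$proto" "$port" "$helper"
        printf '%s -p %s --dport %s -j CT --helper %s\n' \
            '-A OUTPUT' "$proto" "$port" "$helper"
    done
    printf 'COMMIT\n'
}

# Kernel module behind each helper (nf_conntrack_<helper>); CT --helper
# is rejected if the module is not loaded.
helper_modules() {
    printf '%s\n' "$HELPERS" | while read -r proto port helper; do
        [ -n "$helper" ] || continue
        printf 'nf_conntrack_%s\n' "$helper"
    done
}

# Returns 0 while automatic helper assignment is still on (the state that
# produces the warning). Takes the sysctl file as an argument so it can be
# pointed at a test file; defaults to the real /proc entry.
helper_autoassign_enabled() {
    f="${1:-/proc/sys/net/netfilter/nf_conntrack_helper}"
    [ -r "$f" ] || return 2
    [ "$(cat "$f")" = 1 ]
}

# Touches the live system only when invoked as: sh ct-helpers.sh apply
if [ "${1:-}" = "apply" ]; then
    for m in $(helper_modules); do modprobe "$m"; done
    # --noflush adds the raw rules without wiping the filter table above.
    ct_rules | iptables-restore --noflush
    sysctl -w "$SYSCTL_KEY=0"
    if helper_autoassign_enabled; then
        echo "automatic helper assignment is still enabled" >&2
        exit 1
    fi
fi
```

Run it with apply as root after the rest of the ruleset is loaded; the sysctl line from the post still belongs in /etc/sysctl.conf (or /etc/sysctl.d/) so the setting survives a reboot. Data connections of the listed protocols then arrive as RELATED and pass the existing --state RELATED,ESTABLISHED rule on INPUT. On a mail/web box that relays none of these protocols, leave HELPERS empty: the script then emits an empty raw table and only the sysctl change matters.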
@cederberg:
Sorry. A bit more reading (and testing) shows that one more thing must be done:
echo 0 > /proc/sys/net/netfilter/nf_conntrack_helper
To make the above change persistent across reboots, edit /etc/sysctl.conf or create
/etc/sysctl.d/99-localfix.conf (for Ubuntu/Debian):
# Disable iptables deprecated helpers
# https://home.regit.org/netfilter-en/secure-use-of-helpers/
net.netfilter.nf_conntrack_helper=0
This will shut down the iptables connection tracking helpers totally. This disables support for a bunch of protocols (most of which you probably don't use anyway):
ftp, irc, sane, sip, tftp, amanda, h323, netbios_ns, pptp & snmp
Read the blog post linked above for details.
Thanks for the answer. I chose to use the default CentOS kernel with pv-grub to get rid of many of these kinds
of errors. Now it works like a charm, without warnings popping up randomly.
This is a mainline kernel change, so it should reach everywhere eventually. Some distros might have better defaults, but Ubuntu 12.04 didn't at least.