[SOLVED] nf_conntrack: automatic helper assignment is deprecated and it will be removed soon.

Support for security such as Firewalls and securing linux
Post Reply
sblantipodi
Posts: 252
Joined: 2009/07/10 09:43:13
Contact:

[SOLVED] nf_conntrack: automatic helper assignment is deprecated and it will be removed soon.

Post by sblantipodi » 2012/12/09 14:07:00

Hi,
I'm getting this warning on my CentOS 6.3 box.
[quote] nf_conntrack: automatic helper assignment is deprecated and it will be removed soon. Use the iptables CT target to attach helpers instead.[/quote]

What does it want? What can I do for it?
Thanks.

this is my iptables

[code]
# Generated by iptables-save v1.4.7 on Sun Nov 13 14:53:41 2011
*security
:INPUT ACCEPT [18038905:2743115423]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [10817526:32960151203]
COMMIT
# Completed on Sun Nov 13 14:53:41 2011
# Generated by iptables-save v1.4.7 on Sun Nov 13 14:53:41 2011
*raw
:PREROUTING ACCEPT [18196073:2750419524]
:OUTPUT ACCEPT [10822373:32961232354]
COMMIT
# Completed on Sun Nov 13 14:53:41 2011
# Generated by iptables-save v1.4.7 on Sun Nov 13 14:53:41 2011
*nat
:PREROUTING ACCEPT [327277:18343365]
:INPUT ACCEPT [282086:16034919]
:OUTPUT ACCEPT [1010678:73542387]
:POSTROUTING ACCEPT [1009394:72831137]
COMMIT
# Completed on Sun Nov 13 14:53:41 2011
# Generated by iptables-save v1.4.7 on Sun Nov 13 14:53:41 2011
*mangle
:PREROUTING ACCEPT [18196073:2750419524]
:INPUT ACCEPT [18196065:2750417334]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [10822373:32961232354]
:POSTROUTING ACCEPT [10817526:32960151203]
COMMIT
# Completed on Sun Nov 13 14:53:41 2011
# Generated by iptables-save v1.4.7 on Sun Nov 13 14:53:41 2011
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:fail2ban-DOVECOT - [0:0]
:fail2ban-SMTP - [0:0]
:fail2ban-SSH - [0:0]
:fail2ban-apache - [0:0]
:fail2ban-php-url - [0:0]
:fail2ban-squirrelmail - [0:0]
-A INPUT -p tcp -m multiport --dports 80,1080 -j fail2ban-apache
-A INPUT -p tcp -m multiport --dports 443 -j fail2ban-apache
-A INPUT -p tcp -m multiport --dports 80,1080 -j fail2ban-apache
-A INPUT -p tcp -m multiport --dports 443 -j fail2ban-php-url
-A INPUT -p tcp -m multiport --dports 143,993,110,995 -j fail2ban-DOVECOT
-A INPUT -p tcp -m multiport --dports 443,1080 -j fail2ban-apache
-A INPUT -p tcp -m multiport --dports 443 -j fail2ban-apache
-A INPUT -p tcp -m tcp --dport 25 -j fail2ban-SMTP
-A INPUT -p tcp -m tcp --dport 6969 -j fail2ban-SSH
-A INPUT -p tcp -m multiport --dports 80,1080 -j fail2ban-php-url
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW,ESTABLISHED,RELATED -m tcp -p tcp --dport 3128 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 10.0.0.0/8 -j DROP
-A INPUT -s 169.254.0.0/16 -j DROP
-A INPUT -s 172.16.0.0/12 -j DROP
-A INPUT -s 127.0.0.0/8 -j DROP
-A INPUT -s 224.0.0.0/4 -j DROP
-A INPUT -d 224.0.0.0/4 -j DROP
-A INPUT -s 240.0.0.0/5 -j DROP
-A INPUT -d 240.0.0.0/5 -j DROP
-A INPUT -s 0.0.0.0/8 -j DROP
-A INPUT -d 0.0.0.0/8 -j DROP
-A INPUT -d 239.255.255.0/24 -j DROP
-A INPUT -d 255.255.255.255/32 -j DROP
-A INPUT -p icmp -m icmp --icmp-type 17 -j DROP
-A INPUT -p icmp -m icmp --icmp-type 13 -j DROP
-A INPUT -p icmp -m icmp --icmp-type any -m limit --limit 1/sec -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p tcp -m tcp --tcp-flags RST RST -m limit --limit 2/sec --limit-burst 2 -j ACCEPT
-A INPUT -m recent --rcheck --seconds 86400 --name portscan --rsource -j DROP
-A INPUT -m recent --remove --name portscan --rsource
-A INPUT -p tcp -m tcp --dport 139 -m recent --set --name portscan --rsource -j LOG --log-prefix "Portscan:"
-A INPUT -p tcp -m tcp --dport 139 -m recent --set --name portscan --rsource -j DROP
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 465 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 587 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1080 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
-A INPUT -p udp -m udp --dport 123 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 993 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 995 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 6969 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m tcp --dport 465 -j ACCEPT
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -m recent --rcheck --seconds 86400 --name portscan --rsource -j DROP
-A FORWARD -m recent --remove --name portscan --rsource
-A FORWARD -p tcp -m tcp --dport 139 -m recent --set --name portscan --rsource -j LOG --log-prefix "Portscan:"
-A FORWARD -p tcp -m tcp --dport 139 -m recent --set --name portscan --rsource -j DROP
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -m state --state INVALID -j DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 465 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 587 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 67 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 1080 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 110 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 123 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 143 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 993 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 995 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 6969 -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A OUTPUT -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -p tcp -m tcp --dport 465 -j ACCEPT
-A fail2ban-DOVECOT -j RETURN
-A fail2ban-SMTP -j RETURN
-A fail2ban-SSH -j RETURN
-A fail2ban-apache -j RETURN
-A fail2ban-apache -j RETURN
-A fail2ban-apache -j RETURN
-A fail2ban-apache -j RETURN
-A fail2ban-apache -j RETURN
-A fail2ban-apache -j RETURN
-A fail2ban-php-url -j RETURN
-A fail2ban-php-url -j RETURN
-A fail2ban-squirrelmail -j RETURN
COMMIT
# Completed on Sun Nov 13 14:53:41 2011

[/code]

sharadchhetri
Posts: 36
Joined: 2012/12/12 18:06:19
Location: India
Contact:

Re: nf_conntrack: automatic helper assignment is deprecated and it will be removed soon. Use the iptable

Post by sharadchhetri » 2012/12/12 21:32:40

What is the kernal version .Give the output of uname -ar command

It seems the module nf_conntrack is not loaded and it is giving problem with iptable.
try below command -
modprobe nf_conntrack

or

Edit in /etc/sysconfig/iptables-config
IPTABLES_MODULES="ip_conntrack nf_conntrack"

Restart the iptable.

Give the feedback.

sblantipodi
Posts: 252
Joined: 2009/07/10 09:43:13
Contact:

Re: nf_conntrack: automatic helper assignment is deprecated and it will be removed soon. Use the iptable

Post by sblantipodi » 2012/12/12 21:36:16

I thanks for the answer, I was using a kernel from my VPS vendor, now I'm using a centos kernel and all is ok,
so problem solved.

thanks!!!

User avatar
AlanBartlett
Forum Moderator
Posts: 9345
Joined: 2007/10/22 11:30:09
Location: ~/Earth/UK/England/Suffolk
Contact:

[SOLVED] nf_conntrack: automatic helper assignment is deprec

Post by AlanBartlett » 2012/12/12 22:11:44

Thank you for reporting back.

On your behalf and for posterity, this thread is now marked [SOLVED].

sblantipodi
Posts: 252
Joined: 2009/07/10 09:43:13
Contact:

Re: [SOLVED] nf_conntrack: automatic helper assignment is deprecated . . .

Post by sblantipodi » 2012/12/12 22:13:28

Thank you for all your good work Alan.

Post Reply