$ sudo genlop -lu | grep iptables | tail -3 Tue May 8 08:51:55 2012 >>> net-firewall/iptables-1.4.13 Mon Nov 26 01:46:33 2012 <<< net-firewall/iptables-1.4.13 Mon Nov 26 01:46:39 2012 >>> net-firewall/iptables-220.127.116.11Yesterday, I noticed there was an error or warning during booting, but I just assumed that's some net device was about to be brought up, didn't read the exact message. Today, I read it:
$ sudo /etc/init.d/iptables start * Loading iptables state and starting firewall ... WARNING: The state match is obsolete. Use conntrack instead. iptables-restore v18.104.22.168: state: option "--state" must be specified Error occurred at line: 26 Try `iptables-restore -h' or 'iptables-restore --help' for more information. [ !! ] * ERROR: iptables failed to startFour days, four boots, should've paid more attention.
The problem line was like:
[52:3148] -A INPUT -s ###.###.###.### -p tcp -m state -m tcp --dport ### -j ACCEPTAfter I remove six lines with
-m state, the rules
/var/lib/iptables/rules-savewere loaded successfully. Don't know why I had those and didn't use to match state actually.
If you used state match, then you need to change it to be
-m conntrack --ctstate [STATELIST]with kernel configuration
man 8 iptables-extensions.