A quick one so as not to lose the rhythm :) it appears that the state match in iptables has been deprecated in favor of conntrack.
A quick sed on your firewall script should suffice:
s/-m state --state/-m conntrack --ctstate/g
