support for iptables in woody 3.0r1

ridertech · 12-30-2003, 11:50 AM

I'm running Debian 'Woody' 3.0r1 and was wondering about its support for iptables. I confirmed that I have the latest version of iptables from apt-get, but..

# iptables -L
modprobe: Can't locate module ip_tables
iptables v1.2.6a: can't initialize iptables table 'filter': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel need to be upgraded.

A related issue was on Debians lists...
http://lists.debian.org/debian-user/.../msg00621.html

Given all this, it still was not clear as to what is the ideal method for making iptables work...
1.) Run insmod as suggested by my error (staying w/ Woody 3.0r1)
2.) Download and compile Debian's latest distribution (Woody 3.0r2)
3.) Get the new 2.6 kernel

2.6 sounds promising, but I'm nervous about my first kernel update.

HappyTux · 12-30-2003, 05:48 PM

Quote:

Originally posted by ridertech
I'm running Debian 'Woody' 3.0r1 and was wondering about its support for iptables. I confirmed that I have the latest version of iptables from apt-get, but..

# iptables -L
modprobe: Can't locate module ip_tables
iptables v1.2.6a: can't initialize iptables table 'filter': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel need to be upgraded.

A related issue was on Debians lists...
http://lists.debian.org/debian-user/.../msg00621.html

Given all this, it still was not clear as to what is the ideal method for making iptables work...
1.) Run insmod as suggested by my error (staying w/ Woody 3.0r1)
2.) Download and compile Debian's latest distribution (Woody 3.0r2)
3.) Get the new 2.6 kernel

2.6 sounds promising, but I'm nervous about my first kernel update.

What kernel do you have running? If you installed the default 2.2.20 IIRC then you would need ip_chains if you are running the 2.4.18-bf2.4 install kernel you should have all the necessary modules already available at least they are there on my firewall machine you may want to grep your config to see if they are there you are looking for the IP_NF ones:

Code:

stephen@SleepyTux:~$ grep IP /boot/config-2.4.18-bf2.4
CONFIG_SYSVIPC=y
CONFIG_MD_MULTIPATH=m
CONFIG_IP_MULTICAST=y
CONFIG_NET_IPIP=m
CONFIG_NET_IPGRE=m
CONFIG_IP_NF_CONNTRACK=m
CONFIG_IP_NF_FTP=m
CONFIG_IP_NF_IRC=m
CONFIG_IP_NF_QUEUE=m
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_MATCH_LIMIT=m
CONFIG_IP_NF_MATCH_MAC=m
CONFIG_IP_NF_MATCH_MARK=m
CONFIG_IP_NF_MATCH_MULTIPORT=m
CONFIG_IP_NF_MATCH_TOS=m
CONFIG_IP_NF_MATCH_LENGTH=m
CONFIG_IP_NF_MATCH_TTL=m
CONFIG_IP_NF_MATCH_TCPMSS=m
CONFIG_IP_NF_MATCH_STATE=m
CONFIG_IP_NF_MATCH_UNCLEAN=m
CONFIG_IP_NF_MATCH_OWNER=m
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_TARGET_REJECT=m
CONFIG_IP_NF_TARGET_MIRROR=m
CONFIG_IP_NF_NAT=m
CONFIG_IP_NF_NAT_NEEDED=y
CONFIG_IP_NF_TARGET_MASQUERADE=m
CONFIG_IP_NF_TARGET_REDIRECT=m
CONFIG_IP_NF_NAT_SNMP_BASIC=m
CONFIG_IP_NF_NAT_IRC=m
CONFIG_IP_NF_NAT_FTP=m
CONFIG_IP_NF_MANGLE=m
CONFIG_IP_NF_TARGET_TOS=m
CONFIG_IP_NF_TARGET_MARK=m
CONFIG_IP_NF_TARGET_LOG=m
CONFIG_IP_NF_TARGET_TCPMSS=m
CONFIG_IP_NF_COMPAT_IPCHAINS=m
CONFIG_IP_NF_NAT_NEEDED=y
CONFIG_IP_NF_COMPAT_IPFWADM=m
CONFIG_IP_NF_NAT_NEEDED=y
CONFIG_IPX=m
CONFIG_IDE_CHIPSETS=y
CONFIG_IPDDP=m
CONFIG_IPDDP_ENCAP=y
CONFIG_TULIP=m
CONFIG_HIPPI=y
CONFIG_PLIP=m
CONFIG_STRIP=m
CONFIG_IPHASE5526=m
CONFIG_WANPIPE_CHDLC=y
CONFIG_WANPIPE_FR=y
CONFIG_WANPIPE_X25=y
CONFIG_WANPIPE_PPP=y
CONFIG_WANPIPE_MULTPPP=y
CONFIG_HISAX_FRITZ_PCIPNP=m
CONFIG_I2C_PHILIPSPAR=m
CONFIG_USB_SERIAL_IPAQ=m

llamakc · 12-30-2003, 06:08 PM

And to correct your confusion: moving to Debian 3.0r2 requires ZERO compiling. Debian packages are binaries. Sounds like you haven't compiled a home-rolled kernel and are using the install kernel. Do uname -a and see if its 2.2.XXX: if so, use ipchains as mentioned above. If bf24, run the command "modconf" as root and insert the iptables module.

ridertech · 12-30-2003, 08:40 PM

# uname -a
Linux ... 2.2.20-idepci ...

I'm aware that iptables wasn't available in the 2.2 kernel, but when I try to list the ipchains it returns an error...

# ipchains -L
ipchains: Incompatible with this kernel

Also, only iptables is listed in /etc/init.d/

ridertech · 12-31-2003, 12:27 PM

I find it hard to believe that firewalling Woody would be such a mess. If ipchains is incompatible and iptables can't be initialized, then there seems to be a major security flaw. The frustrating part is that I continually see related posts, but the solution remains vague and weakly-documented. Woody is popular, so how did everyone get around this?

------------------------------------------------------
Just to confirm...

Debian 'Woody' 3.0r1 (2.2.20-idepci)

# ipchains -L
ipchains: Incompatible with this kernel

# iptables -L
modprobe: Can't locate module ip_tables
iptables v1.2.6a: can't initialize iptales table 'filter': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.

Also, only iptables is listed in /etc/init.d/
------------------------------------------------------

I'd like to avoid messing with the kernel if possible I looked into moving to the 2.6 kernel, but 2.6 is poorly documented for all distributions. There were a ton of posts about specifics and problems updating Woody's kernel to 2.4.22 (or is it 2.4.23).

Basically, I'm concerned about firewalling for security purposes, not sure why it is not working with a clean install of Woody.

Can someone please point me in the right direction, I've racked my brain for keyword combinations through Google.com (and the newly discovered http://www.google.com/linux)

llamakc · 12-31-2003, 12:53 PM

Do this:

apt-cache search kernel-image

You'll get tons back like:

kernel-image-2.4.18-1-386 - Linux kernel image for version 2.4.18 on 386.
kernel-image-2.4.18-1-586tsc - Linux kernel image for version 2.4.18 on Pentium-Classic.
kernel-image-2.4.18-1-686 - Linux kernel image 2.4.18 on PPro/Celeron/PII/PIII/PIV.
kernel-image-2.4.18-1-686-smp - Linux kernel image 2.4.18 on PPro/Celeron/PII/PIII/PIV SMP.
kernel-image-2.4.18-1-k6 - Linux kernel image for version 2.4.18 on AMD K6/K6-II/K6-III
kernel-image-2.4.18-1-k7 - Linux kernel image for version 2.4.18 on AMD K7
kernel-image-2.4.18-bf2.4 - Linux kernel image for version 2.4.18 (bf variant) on 386.
pcmcia-modules-2.4.18-bf2.4 - PCMCIA Modules for Linux (kernel 2.4.18-bf2.4).

Chose the one you want and install it with apt-get. This way you don't have to run through the installer again and choose bf24 at the install prompt (which would have given you a iptables-compatible 2.4 kernel).

You need a different kernel for iptables and it should be 2.4.X. There are many Debian packages that will make this very, very easy to do.

Good luck.

ridertech · 12-31-2003, 01:38 PM

Worked like a charm. Thanks, that was painless.

# apt-cache search kernel-image
# apt-get install kernel-image-2.4.18-686

* Not sure about the exact placement, but I got a message to do this...
# vi /etc/lilo.conf
(Added 'initrd=/initrd.img' after default=Linux and before image=/vmlinuz)

Restarted and now iptables -L works!

Thanks again.

ridertech · 12-31-2003, 06:36 PM

Somehow my Internet connection is no longer working after updating my kernel.

I originally set everything up during the install process, but not sure what to do to get it working again. Only the lo interface is displayed in ifconfig. I did find /etc/network/interfaces and it has all the info. What do I need to do to get this started upon boot?

auto eth0
iface eth0 inet static
address ...
netmask ...
network ...
broadcast ...
gateway ...

llamakc · 12-31-2003, 06:43 PM

Is eth0 seen by ifconfig? What is the output of lspci -v? Most likely you ONLY need to run "modconf" as root and insert the proper module for your NIC. That will let you ifup eth0 just fine.

ridertech · 12-31-2003, 07:20 PM

# lspci -v
(shows my ethernet controller and loopback)

# ifup eth0
ifup: interface eth0 already configured

# ifconfig
(shows only lo)

llamakc · 12-31-2003, 07:26 PM

Have you tried ifdowning it? ifdown eth0

And then ifup eth0

Was there anything in dmesg when you rebooted about eth?

dmesg | grep eth0

Weird that its not working.

ridertech · 12-31-2003, 10:04 PM

Very weird...

# dmesg | grep eth0
(nothing)

# ifdown eth0
SIOCSIFADDR: No such device

# ifup eth0
eth0: ERROR while getting interface flags: No such device
SIOCSIFNETMASK: No such device
SIOCSIFBRDADDR: No such device
eth0: ERROR while getting interface flags: No such device
eth0: ERROR while getting interface flags: No such device

Metroid · 08-15-2004, 08:01 PM

I just had this same problem.

I upgraded kernel for iptables and now eth0 is gone.
It isnt listed in /dev/

lspci finds and reports it as a:
3Com Corperation 3c590 10BaseT [Vortex]

Im guessing that i lost support for my card with the upgrade perhaps...

Any thoughts?

EDIT: Also im going to buy a new card regardless tomorow. Hopefully that will make a difference.

NH.net · 10-10-2004, 09:00 AM

Perhaps you guys have already solved this ...

I could solve the problem above by hitting:

# modprobe 8139too

and after that,

# /etc/init.d/networking restart

Maybe it's just a proper module (in my case, it's 8139too) wasn't used.