iptables modules description

Hammo · 05-18-2012, 02:28 AM

Hi all,

I am looking for a description of the iptables modules (e.g. nf_conntrack_ftp) that can be loaded when iptables starts: IPTABLES_MODULES directive in /etc/sysconfig/iptables-config

I have been trying to search google for this for hours with no luck.

I would really appreciate if someone could direct me to where I can find this information.

Regards

wildwizard · 05-18-2012, 06:34 AM

Probably isn't a list as it isn't needed, the info is right there if you know what the shortened names mean.

nf_conntrack_ftp

nf - netfilter
conntrack - connection tracker
ftp - the protocol this is for

You can also dump the info from the modules themselves with this :-

Code:

cd /lib/modules/$(uname -r)/kernel/net/netfilter/
modinfo *.ko | grep -e "filename:" -e "description:"

Hammo · 05-18-2012, 07:21 AM

this is really useful.. thanks a lot!

one more thing.. in the iptables config file it says that by default no modules are loaded unless specified in the directive.. however connection tracking does work without adding nf_conntrack in there.. are there some modules that are loaded by default? and if yes, how can we find out which ones these are?

cheers!

wildwizard · 05-19-2012, 02:57 AM

2 points there

1 iptables does not have a config file, so whatever your looking at is distro specific
2 kernel module loading allows you to load a module that depends on other not yet loaded modules by on-demand loading of the other modules

so "modprobe nf_conntrack_ftp" will also pull in "nf_conntrack"

Hammo · 05-21-2012, 01:07 AM

so is there a way to find out which modules loads which other modules?

when i run an lsmod I get the following:

[root@rhce log]# lsmod | grep nf
nf_nat_ftp 3473 0
nf_conntrack_ftp 12911 1 nf_nat_ftp
nf_nat 22788 3 nf_nat_ftp,ipt_MASQUERADE,iptable_nat
nf_conntrack_ipv4 9440 6 iptable_nat,nf_nat
nf_defrag_ipv4 1449 1 nf_conntrack_ipv4
nf_conntrack_ipv6 19655 2
nf_conntrack 79643 8 nf_nat_ftp,nf_conntrack_ftp,ipt_MASQUERADE,iptable_nat,nf_nat,nf_conntrack_ipv4,nf_conntrack_ipv6,xt _state
ipv6 321209 30 ip6t_REJECT,nf_conntrack_ipv6

I would expect this means that nf_conntrack loads nf_conntrack_ftp as well, but when I put nf_conntrack only in the iptables-config file the ftp inspection does not work (ls from remote ftp session). Only when I put nf_conntrack_ftp in the iptables-config file than ftp inspection works.

Any comments on that?

wildwizard · 05-23-2012, 04:45 AM

Quote:

Originally Posted by Hammo

I would expect this means that nf_conntrack loads nf_conntrack_ftp as well, but when I put nf_conntrack only in the iptables-config file the ftp inspection does not work (ls from remote ftp session). Only when I put nf_conntrack_ftp in the iptables-config file than ftp inspection works.

Any comments on that?

Your reading it back to front.

The modules on the right depend on the ones on the left, the column header kinda gives a hint.