iptables kernel 2.6.16.19
I compiled a 2.6.16.19 kernel on a Debian Sarge laptop. I'm having some problems with getting any firewall to work. I'm just trying to get a typical client firewall as required by work on all machines on the network.
I've tried fwbuilder and guarddog. When I try to install the rules I set up, I get an error "iptables: No chain/target/match by that name". I assume that I missed something in my kernel compile since it works on the stock 2.6.8-3-686 kernel. I would just use the stock kernel, except that ACPI doesn't seem to work on that kernel with this laptop. Here's the output of lsmod:
Module Size Used by |
Under some circumstances the "iptables" command can be out of sync with the kernel and cause problems. I was getting similar error messages once, and downloading the source for iptables and compiling it solved the problem. When you do this, you point the build script to the actual kernel source/configuration you are using.
Good luck. |
iptables is compiled for a specific kernel. If it happens to work correctly between kernel upgrades, this is pure luck. When compiling the kernel, make sure to enable the netfilter stuff you want. Then, when compiling iptables, make sure to give it the build directory of the kernel for which it is supposed to run.
|
Do I just download the iptables source from the Sarge repository or do I need to download a tar.gz from another source? And does it matter which version I use with this particular kernel (the sarge version appears to be 1.2.11)?
|
If you compiled a very recent vanilla kernel, I suggest you get the most recent iptables source (1.3.5) either from the netfilter site or from debian.
|
Thanks, guys. Everything compiled fine and if I run /usr/local/sbin/iptables -V, then I get version 1.3.5 listed.
Okay, new question directly related. So how do I make guarddog use those iptables instead of the ones in /sbin? The new iptables are in /usr/local/sbin, which is in root's path (I have to enter the root password to use guarddog, so I assume it's running as root). But I keep getting the same errors, which imply to me that the program is using the wrong iptables... Maybe I'll just reinstall fwbuilder; I feel like I remember it having a place to put in the path to the iptables you wanted to use. Oh, another question: should I point the program to use "iptables" or "ip6tables" if there's only one configurable? |
If you have verified that it is using the new version and you are still getting errors, your first thought about not having the right module compiled might be correct. If you have both kernels handy (you did keep the old one, didn't you? :) ) and can easily get each to use the proper copy of iptables, you might, in each case, save the output of lsmod to a file and compare them to see the difference. (The cut, sort and diff utilities can help you compare them.) Alternatively, you could try to see which iptables command(s) are generating the error(s). If the output of guarddog or fwbuilder is a bash script, you can manually add "set -x" to the beginning of the script, which will list each command as it executes so you can see what command(s) are generating the error(s).
|
Thanks. I actually ended up solving this problem a little differently. I went back and just compiled in all the iptables stuff instead of loading modules. Now it all seems to work with whatever firewall I use.
In the end I decided on using firestarter, which is kinda nice to work with because you can modify it easily on the fly and see what types of events are being hit on. I still like fwbuilder for constructing my own, but the examples folder of the fwbuilder-doc is missing the init.d scripts and I'm not sure I would know how to write my own. Thanks for everyone's help! |