06-15-2006, 09:35 PM
#1
Guru
Registered: Dec 2005
Location: Somewhere on the String
Distribution: Debian Squeeze (x86)
Posts: 6,092
iptables kernel 2.6.16.19
I compiled a 2.6.16.19 kernel on a Debian Sarge laptop. I'm having some problems with getting any firewall to work. I'm just trying to get a typical client firewall as required by work on all machines on the network.
I've tried fwbuilder and guarddog. When I try to install the rules I set up, I get an error "iptables: No chain/target/match by that name". I assume that I missed something in my kernel compile since it works on the stock 2.6.8-3-686 kernel. I would just use the stock kernel, except that ACPI doesn't seem to work on that kernel with this laptop. Here's the output of lsmod:
Code:
Module Size Used by
xt_tcpudp 3584 28
ipt_REJECT 4608 4
xt_limit 2304 6
ipt_LOG 6400 6
ip_conntrack_ftp 6384 0
ip_conntrack 41868 1 ip_conntrack_ftp
iptable_filter 2560 1
ip_tables 10840 1 iptable_filter
x_tables 9732 5 xt_tcpudp,ipt_REJECT,xt_limit,ipt_LOG,ip_tables
snd_mixer_oss 16768 0
radeon 107936 1
drm 64148 2 radeon
ipv6 234496 12
parport_pc 25028 1
lp 9156 0
parport 32328 2 parport_pc,lp
snd_intel8x0 28956 0
snd_ac97_codec 91296 1 snd_intel8x0
snd_ac97_bus 2048 1 snd_ac97_codec
snd_pcm 76808 2 snd_intel8x0,snd_ac97_codec
snd_timer 20100 1 snd_pcm
snd 44388 5 snd_mixer_oss,snd_intel8x0,snd_ac97_codec,snd_pcm,snd_timer
snd_page_alloc 8840 2 snd_intel8x0,snd_pcm
i2c_i801 8076 0
i2c_core 17296 1 i2c_i801
generic 4484 0 [permanent]
intel_agp 20252 1
uhci_hcd 29840 0
usbcore 114948 2 uhci_hcd
i810_audio 32660 1
ac97_codec 18060 1 i810_audio
soundcore 7392 3 snd,i810_audio
e100 32132 0
mii 4992 1 e100
ohci1394 31280 0
yenta_socket 24076 0
rsrc_nonstatic 11776 1 yenta_socket
agpgart 28848 2 drm,intel_agp
joydev 8384 0
nls_iso8859_1 4096 1
nls_cp437 5760 1
vfat 10496 1
fat 47388 1 vfat
sr_mod 14244 0
sbp2 20868 0
scsi_mod 126824 2 sr_mod,sbp2
ieee1394 87864 2 ohci1394,sbp2
psmouse 38024 0
ide_generic 1408 0 [permanent]
ide_cd 38532 0
cdrom 37792 2 sr_mod,ide_cd
genrtc 8064 0
Are there any modules pertinent to firewalling that you can see missing???
06-16-2006, 12:27 AM
#2
Senior Member
Registered: Mar 2006
Posts: 1,896
Under some circumstances the "iptables" command can be out of sync with the kernel and cause problems. I was getting similar error messages once, and downloading the source for iptables and compiling it solved the problem. When you do this, you point the build script to the actual kernel source/configuration you are using.
Good luck.
Last edited by blackhole54; 06-16-2006 at 01:08 AM.
06-16-2006, 02:14 PM
#3
HCL Maintainer
Registered: Jan 2006
Distribution: (H)LFS, Gentoo
Posts: 2,450
iptables is compiled for a specific kernel. If it happens to work correctly between kernel upgrades, this is pure luck. When compiling the kernel, make sure to enable the netfilter stuff you want. Then, when compiling iptables, make sure to give it the build directory of the kernel for which it is supposed to run.
06-16-2006, 03:12 PM
#4
Guru
Registered: Dec 2005
Location: Somewhere on the String
Distribution: Debian Squeeze (x86)
Posts: 6,092
Original Poster
Do I just download the iptables source from the Sarge repository or do I need to download a tar.gz from another source? And does it matter which version I use with this particular kernel (the Sarge version appears to be 1.2.11)?
06-16-2006, 03:53 PM
#5
HCL Maintainer
Registered: Jan 2006
Distribution: (H)LFS, Gentoo
Posts: 2,450
If you compiled a very recent vanilla kernel, I suggest you get the most recent iptables source (1.3.5) either from the netfilter site or from Debian.
06-16-2006, 04:29 PM
#6
Guru
Registered: Dec 2005
Location: Somewhere on the String
Distribution: Debian Squeeze (x86)
Posts: 6,092
Original Poster
Thanks, guys. Everything compiled fine and if I run /usr/local/sbin/iptables -V, then I get version 1.3.5 listed.
Okay, new question directly related. So how do I make guarddog use those iptables instead of the ones in /sbin? The new iptables are in /usr/local/sbin, which is in root's path (I have to enter the root password to use guarddog, so I assume it's running as root). But I keep getting the same errors which imply to me that the program is using the wrong iptables...
Maybe I'll just reinstall fwbuilder, I feel like I remember it having a place to put in the path to the iptables you wanted to use.
Oh, another question, should I point the program to use "iptables" or "ip6tables" if there's only one configurable?
Last edited by pljvaldez; 06-16-2006 at 04:30 PM.
06-17-2006, 06:36 AM
#7
Senior Member
Registered: Mar 2006
Posts: 1,896
Quote:
Originally Posted by pljvaldez
So how do I make guarddog use those iptables instead of the ones in /sbin? The new iptables are in /usr/local/sbin, which is in root's path (I have to enter the root password to use guarddog, so I assume it's running as root). But I keep getting the same errors which imply to me that the program is using the wrong iptables...
Which version gets used depends on what guarddog does. If it generates a bash script you can look at the script and see whether it specifies a path to iptables. I.e. do the lines start with "iptables ..." or do they start with "/sbin/iptables ..."? In the first case, if /usr/local/sbin is in $PATH before /sbin, then your new copy will be used. If it specifies the path, you either need to convince it to specify the right path, hand edit the script, or (using your package manager) remove the /sbin/iptables and replace it with a symlink pointing to the new one. (That last option is really ugly!)
If you have verified that it is using the new version and you are still getting errors, your first thought about not having the right module compiled might be correct. If you have both kernels handy (you did keep the old one, didn't you?) and can easily get each to use the proper copy of iptables, you might, in each case, save the output of lsmod to a file and compare them to see the difference. (The cut, sort and diff utilities can help you compare them.)
Alternatively, you could try to see which iptables command(s) is generating the error(s). If the output of guarddog or fwbuilder is a bash script, you can manually add "set -x" to the beginning of the script, which will list each command as it executes so you can see what command(s) is generating the error(s).
Quote:
Originally Posted by pljvaldez
Oh, another question, should I point the program to use "iptables" or "ip6tables" if there's only one configurable?
ip6tables is for IPv6. I have no experience with v6, but unless you feel confident you are using v6, you are probably using IPv4, and iptables will work fine.
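The lsmod comparison suggested in post #7 (cut, sort, diff), worked through as an added example that is not part of the thread: it lists the modules loaded on a working kernel but missing on the other, then narrows the list to the netfilter families. The two listings are constructed, trimmed lsmod-style samples, not output captured from the poster's machine.

```shell
#!/bin/sh
# Added example: compare two lsmod listings to find firewall-related modules
# that are loaded on a working kernel but absent on the broken one.
# Both listings are constructed samples in lsmod's column layout.

STOCK_LSMOD='Module                  Size  Used by
xt_tcpudp               3584  28
ipt_REJECT              4608  4
xt_state                1920  6
ip_conntrack           41868  1 xt_state
iptable_filter          2560  1
ip_tables              10840  1 iptable_filter
x_tables                9732  5 xt_tcpudp,ipt_REJECT,xt_state,ip_tables
snd_pcm                76808  2'

CUSTOM_LSMOD='Module                  Size  Used by
xt_tcpudp               3584  28
ipt_REJECT              4608  4
ip_conntrack           41868  1
iptable_filter          2560  1
ip_tables              10840  1 iptable_filter
x_tables                9732  5 xt_tcpudp,ipt_REJECT,ip_tables'

# Print module names present in the first listing but absent from the second.
# tail drops the header line, cut keeps the name column, sort prepares comm's input.
missing_modules() {
    a=$(mktemp) && b=$(mktemp) || return 1
    printf '%s\n' "$1" | tail -n +2 | cut -d' ' -f1 | sort > "$a"
    printf '%s\n' "$2" | tail -n +2 | cut -d' ' -f1 | sort > "$b"
    comm -23 "$a" "$b"   # -23: drop lines unique to b and lines common to both
    rm -f "$a" "$b"
}

# Same comparison restricted to the netfilter/iptables module families
# (ipt_*, iptable_*, ip6t_*, ip6table_*, ip_conntrack*, xt_*, x_tables, nf_*),
# so sound or video modules do not clutter the diff.
missing_netfilter_modules() {
    missing_modules "$1" "$2" | grep -E '^(ip6?t(able)?_|ip_conntrack|xt_|x_tables|nf_)'
}

# Stand-alone run: report which netfilter modules the custom kernel lacks.
missing_netfilter_modules "$STOCK_LSMOD" "$CUSTOM_LSMOD"
```

On a real machine, save `lsmod` from each kernel to a file and feed the file contents to the functions with `"$(cat stock.txt)"` and `"$(cat custom.txt)"`.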
06-17-2006, 01:12 PM
#8
Guru
Registered: Dec 2005
Location: Somewhere on the String
Distribution: Debian Squeeze (x86)
Posts: 6,092
Original Poster
Thanks. I actually ended up solving this problem a little differently. I went back and just compiled in all the iptables stuff instead of loading modules. Now it all seems to work with whatever firewall I use.
In the end I decided on using firestarter, which is kinda nice to work with because you can modify it easily on the fly and see what types of events are being hit on.
I still like fwbuilder for constructing my own, but the examples folder of the fwbuilder-doc is missing the init.d scripts and I'm not sure I would know how to write my own.
Thanks for everyone's help!