Fedora Core 2 iptables troubles

scardali · 11-09-2004, 04:33 PM

Howdy all. I had setup a fairly simple, three subnet network I need for testing, on a Linux Redhat 7.3, 2.4.20-28 router. I needed to upgrade the router to FC2, and 2.6.8 kernel. Since then, my iptables script no longer works. I currently have iptables v 1.2.9 installed. I can bring up the service fine, but when I try to fire off the script I am getting a some modules it attempts to load cannot be found.

clip from rc.firewall script:
--------------------------------

echo -en "iptable_nat, "
#
#Verify the module isn't loaded. If it is, skip it
#
if [ -z "` $LSMOD | $GREP iptable_nat | $AWK {'print $1'} `" ]; then
$INSMOD iptable_nat
fi

corresponding error:
--------------------------

- Verifying that all kernel modules are ok
Loading kernel modules: ip_tables, ip_conntrack, ip_conntrack_ftp,
insmod: can't read 'ip_conntrack_ftp': No such file or directory
ip_conntrack_irc, insmod: can't read 'ip_conntrack_irc': No such file or directory
iptable_nat, insmod: can't read 'iptable_nat': No such file or directory
ip_nat_ftp
insmod: can't read 'ip_nat_ftp': No such file or directory

Any help would be appreciated!

Sal C.

peter_robb · 11-11-2004, 02:33 PM

Could be several things..

1st. to check is that the iptables rpm is for FC2..
Make sure there is only that iptables rpm installed.. do which -a iptables and rpm -ql iptables to verify the correct iptables prog is being used..

2nd. the modutils program needs to know about kernel v 2.6.8 Make sure it is the latest version available..
It won't be able to load some modules if it's incorrect..

3rd. check in /lib/modules/2.6.8~/kernel/net/ipv4/netfilter/ and see if the modules are there..

scardali · 11-11-2004, 03:17 PM

Peter, thanks so much for your reply.

I was able to answer questions 1 and 3 that you posed, but I get "command not found" for modutils. I searched the entire drive for modutils "find / -name modutils" and came up with nothing. Not sure if I am missing something there, but I suspect this is where the problem lies.

Each of the modules that are reporting errors are in /lib/modules/2.6.8-1.521/kernel/net/ipv4/netfilter/, so that shouldn't be it.

As far as what version of iptables is being used. As far as I can tell, it executes from /sbin/iptables, and I do see that in the list that comes up from your commands.

Thanks so much for your help.

Sal C.

peter_robb · 11-11-2004, 03:43 PM

modutils is the package name..
It provides the modprobe prog amongst others..

Do you only have 1 iptables prog or did you find 2?

scardali · 11-11-2004, 04:04 PM

Heya Peter, only found one. This was my output:

----------------------

[root@jwac-lab-rtr root]# which -a iptables
/sbin/iptables
[root@jwac-lab-rtr root]# rpm -ql iptables
/etc/rc.d/init.d/iptables
/etc/sysconfig/iptables-config
/lib/iptables
/lib/iptables/libipt_CLASSIFY.so
/lib/iptables/libipt_CONNMARK.so
/lib/iptables/libipt_DNAT.so
/lib/iptables/libipt_DSCP.so
/lib/iptables/libipt_ECN.so
/lib/iptables/libipt_LOG.so
/lib/iptables/libipt_MARK.so
/lib/iptables/libipt_MASQUERADE.so
/lib/iptables/libipt_MIRROR.so
/lib/iptables/libipt_NETMAP.so
/lib/iptables/libipt_NOTRACK.so
/lib/iptables/libipt_REDIRECT.so
/lib/iptables/libipt_REJECT.so
/lib/iptables/libipt_SAME.so
/lib/iptables/libipt_SNAT.so
/lib/iptables/libipt_TARPIT.so
/lib/iptables/libipt_TCPMSS.so
/lib/iptables/libipt_TOS.so
/lib/iptables/libipt_TRACE.so
/lib/iptables/libipt_TTL.so
/lib/iptables/libipt_ULOG.so
/lib/iptables/libipt_ah.so
/lib/iptables/libipt_connlimit.so
/lib/iptables/libipt_connmark.so
/lib/iptables/libipt_conntrack.so
/lib/iptables/libipt_dscp.so
/lib/iptables/libipt_ecn.so
/lib/iptables/libipt_esp.so
/lib/iptables/libipt_helper.so
/lib/iptables/libipt_icmp.so
/lib/iptables/libipt_iprange.so
/lib/iptables/libipt_length.so
/lib/iptables/libipt_limit.so
/lib/iptables/libipt_mac.so
/lib/iptables/libipt_mark.so
/lib/iptables/libipt_multiport.so
/lib/iptables/libipt_owner.so
/lib/iptables/libipt_physdev.so
/lib/iptables/libipt_pkttype.so
/lib/iptables/libipt_realm.so
/lib/iptables/libipt_recent.so
/lib/iptables/libipt_rpc.so
/lib/iptables/libipt_standard.so
/lib/iptables/libipt_state.so
/lib/iptables/libipt_tcp.so
/lib/iptables/libipt_tcpmss.so
/lib/iptables/libipt_tos.so
/lib/iptables/libipt_ttl.so
/lib/iptables/libipt_udp.so
/lib/iptables/libipt_unclean.so
/sbin/iptables
/sbin/iptables-restore
/sbin/iptables-save
/usr/share/doc/iptables-1.2.9
/usr/share/doc/iptables-1.2.9/COPYING
/usr/share/doc/iptables-1.2.9/INCOMPATIBILITIES
/usr/share/doc/iptables-1.2.9/INSTALL
/usr/share/man/man8/iptables-restore.8.gz
/usr/share/man/man8/iptables-save.8.gz
/usr/share/man/man8/iptables.8.gz

-----------------------------

Correct me if I am wrong, but there is only v 1.2.9 here... unless I am missing something.

Thanks for your help!

Sal C.

peter_robb · 11-17-2004, 02:29 PM

Ok.. it looks like the correct version is there..
If it was all installed as part of FC2 it should be..

So it looks like the question is how come the modules can't be found..

Do depmod -a and look for module dependency errors..
Also make sure the latest modutils rpm is installed.. rpm -q modutils
should be modutils-2.4.26-16..

Then practise loading the modules manually with modprobe ip_conntrack_ftp etc..

How did you perform the upgrade?
Doing an upgrade, it is always possible old progs are still on the drive and something is calling them either from /etc/rc.d/rc3.d or from /etc/rc.d/rc.local
Have a close look at these init scripts to make sure what they are calling is the FC2 version..
In particular the rc.firewall script.. Make sure the file definitions in the beginning of the script are valid..