LinuxQuestions.org


tarballedtux 03-04-2002 04:02 PM

ipchains?? iptables? whats goin on?
 
I upgraded my RH7 to RH7.2.

When I tried to initiate my ipchains script it said ipchains is not supported in this kernel (2.4.7-10). So I tried to see if RH at least put iptables on the disk. Nope. Well, finally I became crafty for once today and said modprobe ipchains. Well, it worked and the script went through, but my question is how do I get iptables (I hear it's better). Also, is there a script I could use with iptables so I won't have to learn iptables right now? (I plan on learning them, but not until the inet connection is back up.)

Thanks in advance.

bbenz3 03-04-2002 06:33 PM

I have a script that one of the security moderators uploaded. I don't know where it is located anymore, but if you e-mail me I can send it to you. Iptables is installed on RH7.2 by default; at least it was when I did the install. You need to run setup to disable ipchains in order to run iptables. You can also completely remove ipchains; to do this you must do the following.

rpm -e lokkit (default firewall)
rpm -e ipchains

I really like iptables but then again I never played with ipchains. If you need any instructions on setting it up or want any special things let me know and I will try and help.

jimval7 03-05-2002 10:25 AM

iptables
 
Below is the link to get the latest iptables and a small script to get things going. Remember, it's a small script just to get you going:

http://netfilter.samba.org/

#!/bin/sh
#
# rc.firewall - Initial SIMPLE IP Masquerade test for 2.4.x kernels using IPTABLES.
echo -e "\n\nLoading simple rc.firewall \n"
# The location of the 'iptables' program
# (a source build from netfilter.samba.org installs here; the Red Hat RPM puts it in /sbin)
IPTABLES=/usr/local/sbin/iptables
echo -en " loading modules: "
# Need to verify that all modules have all required dependencies
#
echo " - Verifying that all kernel modules are ok"
/sbin/depmod -a
# Core netfilter, connection tracking and NAT support for 2.4.x
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_nat
# Supports the proper masquerading of FTP file transfers using the PORT method
# (ip_masq_ftp is the 2.2/ipchains module; on 2.4 it is ip_conntrack_ftp plus ip_nat_ftp)
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp
#
# CRITICAL: Enable IP forwarding since it is disabled by default.
# Redhat Users: you may try changing the options in
# /etc/sysconfig/network from
# FORWARD_IPV4=false
# to
# FORWARD_IPV4=true
echo " enabling forwarding.."
echo 1 > /proc/sys/net/ipv4/ip_forward
# Dynamic IP users (dialup, DHCP): keep masqueraded connections across address changes
echo 1 > /proc/sys/net/ipv4/ip_dynaddr
# 2.4 kernels defragment automatically once connection tracking is loaded;
# ip_always_defrag is gone, so only write it if the kernel still offers it
[ -f /proc/sys/net/ipv4/ip_always_defrag ] && echo 1 > /proc/sys/net/ipv4/ip_always_defrag
#
# Clearing any previous configuration
#
# Unless specified, the defaults for INPUT and OUTPUT is ACCEPT
# The default for FORWARD is DROP
#
echo " clearing any existing rules and setting default policy.."
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
#$IPTABLES -P FORWARD DROP
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -F FORWARD
$IPTABLES -t nat -F

echo " Enabling SNAT (MASQUERADE) functionality on eth0"
# <- put your public IP address in place of x.x.x.x (this note is a comment, not part of the command)
$IPTABLES -t nat -A POSTROUTING -o eth0 -j SNAT --to x.x.x.x
# With the FORWARD policy left at ACCEPT these two rules are redundant; if you switch to
# the DROP policy above you also need a rule accepting NEW connections from eth1 to eth0
$IPTABLES -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -t nat -L -n
echo -e "\nrc.firewall-2.4 done.\n"

lhoff 03-05-2002 01:27 PM

Pardon me for chiming in, but I have a newbie question to ask:

If I were to run your firewall script, how would I (a) run it at this moment and (b) set it up to be run at boot time? (I'm not yet versed in writing and running UNIX-style scripts...)

Thanks!

bbenz3 03-05-2002 01:38 PM

First you would copy the entire script into a file using a text editor such as pico. Then you would use chmod to add the appropriate executable flags (i.e. chmod +x name_of_file). Once you have done this, the next thing you do is type in
./location/of/file/name_of_file

That will start the file.
To make it run at startup you will need to edit one of your startup scripts and append it in there. I am running Redhat and this is how I did it.

Assume the following:
firewall script is named firewall.txt
located in /root

I edited the file /etc/init.d/network

it should look something like this:
#askdjf
#
#

start)
asdf
sdaf
v
v
v
. /root/firewall.txt
;;
stop)
more stuff continues


I personally like to start mine from this location b/c it is then immediately started after my NIC cards are loaded.


tarballedtux 03-06-2002 07:35 PM

I installed iptables-1.2.4-2.i386.rpm and I found the binary 'iptables' in /sbin. When I tried to run an iptables script it failed and gave me an error message. Here is a chunk of it:

dule: Device or resource busy
Hint: insmod errors can be caused by incorrect module parameters, including invalid IO or IRQ parameters
/lib/modules/2.4.7-10/kernel/net/ipv4/netfilter/ip_tables.o: insmod /lib/modules/2.4.7-10/kernel/net/ipv4/netfilter/ip_tables.o failed
/lib/modules/2.4.7-10/kernel/net/ipv4/netfilter/ip_tables.o: insmod ip_tables failed
iptables v1.2.4: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.

The last line scares me the most because I would think RH7.2 would have an appropriate kernel. The kernel version is 2.4.7-10.

Thanks in advance.

bbenz3 03-08-2002 11:31 AM

Quote:

I installed iptables-1.2.4-2.i386.rpm and I found the binary 'iptables' in /sbin. When I tried to run an iptables script it failed and gave me an error message. Here is a chunk of it:

The way I think it has to be done is you either need to run setup and turn iptables on and make sure ipchains is off. If ipchains is on, iptables won't work. If you don't have iptables started on setup then you need to do an insmod or modprobe at least on iptables to make it work.

An easy way to check if iptables is working is:
iptables -L
This will list what is currently in the main set of tables.

Sylhouette 03-08-2002 05:45 PM

With the command ntsysv you can select or deselect all the things you want to run at startup (if they are installed).

To start the firewall you can also put a line in /etc/rc.d/rc.local
like /root/firewall (if your firewall is called firewall and is located in /root).

The way bbenz3 does it works also and is maybe more secure!!

The second way to start it is to get it going only when an ADSL or cable connection is enabled;
then you can put a file called ip-up.local in /etc/ppp.

In the file ip-up.local add the line
/root/firewall (for example)
and do a chmod 755 ip-up.local

Now when a connection is made the firewall starts up.


tarballedtux 03-10-2002 01:36 PM

I changed the config with ntsysv. I deselected ipchains; ipchains and iptables were both selected. I restarted. I ran my script again and I got the same errors about a busy resource.

Any ideas? I'm stumped.

Sylhouette 03-10-2002 05:02 PM

You could try to compile your kernel again with all the netfilter options on.

I do not know why the modules are not found.

But you could try to install the kernel-source rpm; it takes about 105 Mb on your disk but there are the modules.

And also upgrade the 7.2 OS: run rhn_register and up2date.


Success

bbenz3 03-10-2002 05:32 PM

try this:
insmod iptables
iptables -L
and see what you get.
If that works then try running your script and then do the "iptables -L" again.

tarballedtux 03-11-2002 11:41 AM

OK, I used up2date yesterday, March 10th. There were not any updates except for OpenSSH. I did an insmod on ip_tables; that's the module I see in /usr/src/linux/.../netfilter/ip_tables.o
I get those error messages when I do the iptables -L and also the insmod ip_tables. I will try the kernel source RPMs if it won't hurt my system. If it won't damage my box, where can I get the RPM?

Anyway, I thought that ipchains would not work in kernel 2.4.x. I'm using it right now to MASQ internal traffic?!

Thanks in advance.

bbenz3 03-11-2002 12:33 PM

You can't use both ipchains and iptables. In order for iptables to work, ipchains must be turned off in setup and then do a restart. I found this out the hard way. Try doing that and see if that could be the problem.
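The conflict bbenz3 describes here (ipchains and ip_tables cannot both be loaded on a 2.4 kernel, because both claim the same netfilter hooks) is what produces the "Device or resource busy" errors tarballedtux posted, and it is also why the start-at-boot question from lhoff and Sylhouette's rc.local / ip-up.local suggestions matter: whatever starts the firewall has to run after ipchains is gone. As an added example, not code from this thread, from Red Hat or from the netfilter project, here is a wrapper script that checks /proc/modules for the ipchains (or ipfwadm) compatibility module before loading ip_tables, runs the rule script, and then confirms the filter table answers. The file name, the RULES path (/root/firewall, Sylhouette's example) and the sample /proc/modules contents are assumptions.

```sh
#!/bin/sh
# fw-wrapper.sh (hypothetical name): start an iptables rule script on a
# Red Hat 7.2 / 2.4.x box where the ipchains compatibility module may be loaded.
# On 2.4 kernels ipchains and ip_tables register the same netfilter hooks, so
# "insmod ip_tables" fails with "Device or resource busy" while ipchains is loaded.
#
# Assumptions (not from the thread): the rule script lives at /root/firewall,
# and /proc/modules has the 2.4 layout "<name> <size> <usecount> <flags>" per line.
# Call this from /etc/rc.d/rc.local or /etc/ppp/ip-up.local as "fw-wrapper.sh --apply".

RULES=${RULES:-/root/firewall}

# Print the names of loaded modules that cannot coexist with ip_tables.
# $1 is the modules file to read; it defaults to /proc/modules but can be a sample file.
conflicting_modules() {
    modfile=${1:-/proc/modules}
    awk '$1 == "ipchains" || $1 == "ipfwadm" { print $1 }' "$modfile"
}

# Return 0 if ip_tables is already listed in the modules file, 1 otherwise.
ip_tables_loaded() {
    modfile=${1:-/proc/modules}
    awk '$1 == "ip_tables" { found = 1 } END { exit found ? 0 : 1 }' "$modfile"
}

# Constructed sample of /proc/modules from a box where the RH init scripts
# started ipchains (the state tarballedtux describes); used for the dry run below.
SAMPLE_MODULES=$(mktemp)
cat > "$SAMPLE_MODULES" <<'EOF'
ipchains               36640   6 (autoclean)
ip_conntrack_ftp        3936   0 (unused)
ip_conntrack           15072   1 [ip_conntrack_ftp]
3c59x                  26112   1 (autoclean)
EOF

echo "Dry run against a constructed /proc/modules sample:"
for m in $(conflicting_modules "$SAMPLE_MODULES"); do
    echo "  $m is loaded: modprobe ip_tables would fail with 'Device or resource busy'"
done
rm -f "$SAMPLE_MODULES"

# The real thing only when explicitly requested and running as root.
if [ "$1" = "--apply" ]; then
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
    for m in $(conflicting_modules); do
        echo "unloading $m so ip_tables can claim the netfilter hooks"
        # rmmod fails while ipchains rules are still loaded: stop the ipchains
        # service (and deselect it in ntsysv, as the thread says) and rerun.
        /sbin/rmmod "$m" || exit 1
    done
    ip_tables_loaded || /sbin/modprobe ip_tables || exit 1
    # confirm the filter table answers before applying any rules
    iptables -L -n >/dev/null || exit 1
    sh "$RULES" || exit 1
    iptables -L -n
fi
```

Run without arguments it only performs the dry run on the embedded sample, which is how to see what the check does before pointing it at a live box; with --apply as root it inspects the real /proc/modules and refuses to apply the rules if ip_tables still cannot be loaded, so a failed start never leaves the machine forwarding with no rules at all.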

