LinuxQuestions.org - Linux - Security - iptables (trustix) error
https://www.linuxquestions.org/questions/linux-security-4/iptables-trustix-error-121842/

joseph_1970 12-01-2003 11:12 PM

iptables (trustix) error
 
After installing trustix, I took a firewall config and placed it in /etc/sysconfig/iptables. I received the following error:

#service iptables restart

Flushing current rules and chains [ OK ]
Clearing current rules and chains [ OK ]
Resetting default rules to ACCEPT:
[ OK ]
Unloading iptables modules: .................................................
Loading iptables modules: .................................................
Flushing current rules and chains [ OK ]
Clearing current rules and chains [ OK ]
Loading new rulesiptables-restore v1.2.8: iptables-restore: unable to initializetable 'mangle
'

Error occured at line: 1
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
[FAILED]


errrrrrrrrr LOL

Any ideas on how to fix this? I tried iptables-restore with/out the different options, but it just hangs.

This same config file works just fine on a buddy of mine's trustix install. I can play the default config back in and it works, but that's basically blank. I could try to command-line every one, but then it doesn't save to the iptables file.

Any ideas (please)? Google didn't help me one bit on this one. :(

TIA,

-joseph

DavidPhillips 12-02-2003 12:27 AM

If you can create the rules you want from the command line or from a script file then you can create a new iptables file in /etc/sysconfig/

First clear the rules.

service iptables stop

Setup the rules manually as you want them.


Now save it to the config file like this..

iptables-save > /etc/sysconfig/iptables


that's it
service iptables start
service iptables restart

joseph_1970 12-02-2003 12:55 AM

So, my problem really is: one cannot just drop in an iptables file with the configuration from another system and restart iptables?

I have a buddy who supposedly did that and his works fine. I don't know...

So, what I need to do is create an install script or enter each rule from the command line to get things working, and then do what you said to do?

Thanks for your help, as I have a few books open and going nutz here. :D

-joseph

joseph_1970 12-02-2003 01:09 AM

I just checked with my friend and he said all he did was drop it in and restart service.

I installed with two nics and one is a little wacky. Do you think this could have something to do with this problem?

Thanks again,

-joseph

DavidPhillips 12-02-2003 02:44 AM

The difference could be that you need to load some modules, or maybe you are trying to do something that your kernel is not configured to support.

By entering rules manually it is easier to see what's failing and what to do next. Since you said you could enter it manually it sounded like the easiest route to take at the moment. Then when you find the bad rule you can fix the problem. It is almost certainly a module that needs to be built or loaded.

DavidPhillips 12-02-2003 02:47 AM

Just from your post I would say it's this module..
iptable_mangle.o

if that's your only error.

you can try this..

depmod -ae
modprobe iptable_mangle

If that fails to find a module then that's your first problem. You will need to build the module from the kernel-source

joseph_1970 12-02-2003 03:05 AM

Thanks for your response.

I did what you said, and there was no output whatsoever. I am guessing that means things are ok?

The crazy thing is, this is the same EXACT script my buddy used on his system (trustix 2.0) and it worked like a charm. That's wacky, man!

I am going to hit the hay right now, as it is 3:00 am where I am. I will go through the configuration by hand tomorrow and see what happens.

Also, so you know, I took out the wacky NIC and reinstalled. Only takes 10 minutes with Trustix, eh. Still the same error message. I have no clue here!

Thanks again, and if you or anyone else have any comments or suggestions, it would be greatly appreciated.

-joseph

joseph_1970 12-02-2003 04:15 AM

#lsmod |grep ip
iptable_filter 1644 0 (autoclean) (unused)
ip_tables 12512 1 [iptable_filter]

Maybe this will help get us (well you guys) get a little further.

Thanks...and I am really going to bed this time! 4:00 am!

;)

-joseph

Ps. See you in a few hours!
:scratch:

DavidPhillips 12-02-2003 10:00 AM

When a new rule is entered the required module should be loaded. It depends on the rules as to which modules you will need.

joseph_1970 12-02-2003 11:19 AM

Yes, I read that right after I posted and actually took out a huge file I put into the post. You know a little sleep can be good for the brain. Sometimes sitting too close to the computer for too many hours straight keeps the forest from being seen and lowers the IQ, eh. ;) I should have turned in a long time before I did last night. I still went to bed with two books and was up for another 2 hours. Little tired right now, eh.

I will be putting together a more appropriate firewall into a file in the next few hours and giving it a shot. I will load it from the shell this time and then iptables-save. Then I will debug it, if I have to. I will post back later tonight (my time, and if the evening pans out like it should) with what happens.

Throwing the file in alone didn't work, and I really would like to know if anyone else has had success by doing this. And, I simply mean just dropping in a file without running any other commands other than restarting iptables. If others can do that, I would like to know why I cannot do it. Of course, taking 10 days to figure it out or more probably learning all the prerequisite knowledge is something I cannot do right now, so it will have to be something I come to understand further down the road in all likelihood.

Thanks for your help.

-joseph

joseph_1970 12-02-2003 07:46 PM

Man, that was crazy. If my friend hadn't told me he just dropped the iptables file in and it worked, then it would have never taken me that long. But, I learned a lot in the process and I am pleased with that.

To configure new chains/config, you make your own file: e.g. test_firewall

#>vi test_firewall

Add your iptables commands and options you want: Easier than it might seem at first, like most stuff, eh. :)

Example:
# Policy setup to drop all incoming by default
iptables -P INPUT DROP

# Accept www requests
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT

:wq

#>service iptables stop

#>iptables -F
(flush/clear current iptable chains - you can put it in your test_firewall file as well, as that is what I have done.)

#>sh test_firewall

take a peek:
#>iptables -L

#>iptables-save > /etc/sysconfig/iptables

#>service iptables restart

And, you are done!

That is way too easy now that I know what to do. Drop the file in and go....that didn't work! I have no idea how that worked for my friend.

Anyway, thanks for the feedback, and the due diligence paid off. I am very pleased with my understanding now. :O)

-joseph


:p
Ps. IMPORTANT NOTE: The above is only an example and there is a lot more that needs to be done to get your system safe and secure in regard to configuring iptables. I say this because I don't assume someone reading this will know that. :) Hope this helps someone down the road. Everyone starts somewhere, so don't get discouraged.
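An added example, not code from the thread or from Trustix, that ties the two diagnoses above together (DavidPhillips's "it's probably the iptable_mangle module" and the script-then-iptables-save routine in the last post): it reads an iptables-save style rules file, lists the tables its *table headers declare, and reports for each one whether the kernel already provides the table or whether the iptable_<name> module is loaded, on disk, or missing. The sample rules file is constructed for the example; the table-to-module mapping (iptable_filter, iptable_nat, iptable_mangle, iptable_raw) and the /proc/net/ip_tables_names and /proc/modules paths are assumptions about a 2.4/2.6-era Linux box, not something the thread states.

```shell
#!/bin/sh
# Added example, not from the thread: check which tables a saved rules file
# needs before handing it to "service iptables restart".
# iptables-restore fails with "unable to initialize table 'mangle'" when the
# kernel cannot provide that table, e.g. because iptable_mangle is not loaded.

# Constructed sample in iptables-save format (not the poster's real file).
SAMPLE_RULES=$(mktemp)
cat > "$SAMPLE_RULES" <<'EOF'
# Generated by iptables-save (constructed sample)
*mangle
:PREROUTING ACCEPT [0:0]
COMMIT
*filter
:INPUT DROP [0:0]
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
EOF

# Print one table name per line for every "*table" header in the file.
tables_in_rules() {
    sed -n 's/^\*\([a-z]*\).*/\1/p' "$1"
}

# Map a table name to the kernel module that provides it (assumed mapping).
module_for_table() {
    case "$1" in
        filter) echo iptable_filter ;;
        nat)    echo iptable_nat ;;
        mangle) echo iptable_mangle ;;
        raw)    echo iptable_raw ;;
        *)      echo unknown ;;
    esac
}

# Report the state of one table/module pair:
#   registered - the kernel already provides the table (built in or loaded)
#   loaded     - the module is in /proc/modules
#   available  - modinfo can find the module on disk, so modprobe should work
#   missing    - neither loaded nor on disk: build it from the kernel source
#   unknown    - no /proc support here, so nothing can be said
table_state() {
    t="$1"; m="$2"
    if [ -r /proc/net/ip_tables_names ] && grep -qx "$t" /proc/net/ip_tables_names; then
        echo registered
    elif [ -r /proc/modules ] && grep -q "^$m " /proc/modules; then
        echo loaded
    elif command -v modinfo >/dev/null 2>&1 && modinfo "$m" >/dev/null 2>&1; then
        echo available
    elif [ -r /proc/modules ]; then
        echo missing
    else
        echo unknown
    fi
}

# Walk the rules file and print "table module state" for each section.
check_rules_file() {
    for t in $(tables_in_rules "$1"); do
        m=$(module_for_table "$t")
        echo "$t $m $(table_state "$t" "$m")"
    done
}

check_rules_file "$SAMPLE_RULES"
```

Run it against /etc/sysconfig/iptables (or the file a friend sent you) before restarting the service. The point for a defender is visible in the first post's output: the init script resets the default policies to ACCEPT and flushes the chains before it loads the new rules, so a file that fails in iptables-restore leaves the box with an open firewall, not the old one. A "missing" line for mangle or nat means the kernel on this machine is not the kernel the file was written for, which is exactly the difference between two Trustix installs that the thread never pins down.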