LinuxQuestions.org
Old 07-17-2008, 04:58 PM   #1
s.naing
LQ Newbie
 
Registered: Jul 2008
Posts: 3

Rep: Reputation: 0
Installing iptables on DS-106j from Synology


I've been searching for a solution to be able to tweak iptables that I installed on the NAS DS-106j from Synology www.synology.com. It is (as far as I know) running on BusyBox Linux. This NAS has OpenSSH pre-installed and I just want to install iptables or pam abl to protect against SSH brute force. I did the same thing with Ubuntu OpenSSH and there was no problem installing them. But this time, I am using ipkg to install iptables and when I try to set the firewall to my needs, it gave out errors. Please see the following.

SynoBox> ipkg install iptables
Installing iptables (1.2.11-2) to /opt/...
Downloading http://ipkg.nslu2-linux.org/feeds/optwa ... owerpc.ipk
Configuring iptables
Successfully terminated.

Then I run the following just to see if there is an update already available for iptables
SynoBox> ipkg install update

When I try to configure iptables on the box with the same script I used for my openssh running on Ubuntu, it spits out the error message.

-------------------------------------------------------------------------
SynoBox> iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH

iptables v1.2.11: Couldn't load match `recent':/opt/lib/iptables/libipt_recent.so: cannot open shared object file: No such file or directory
Try `iptables -h' or 'iptables --help' for more information.
-------------------------------------------------------------------------

So I tried again with a small step just to create a new rule.

SynoBox>iptables -N recent_rule
iptables v1.2.11: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.

I tried the following to see if any rule already exists and it gave out the same error message as before:
---------------------------------------------------------------------
SynoBox>iptables -L
iptables v1.2.11: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
---------------------------------------------------------------------
Any idea how to proceed?

Thanks.

Last edited by s.naing; 07-17-2008 at 05:02 PM.
 
Old 07-17-2008, 05:57 PM   #2
jomen
Senior Member
 
Registered: May 2004
Location: Leipzig/Germany
Distribution: Arch
Posts: 1,687

Rep: Reputation: 55
just some commands - you will get the meaning:
ipkg update (update the database of available packages)
ipkg list (what is available)
ipkg status (what is installed)
ls -al /lib/modules/`uname -r`/ | grep recent
lsmod | grep recent
(is this module loaded?)
insmod ipt_recent (load it)
or
modprobe ipt_recent
should you have "modprobe" available
 
Old 07-19-2008, 03:23 AM   #3
s.naing
LQ Newbie
 
Registered: Jul 2008
Posts: 3

Original Poster
Rep: Reputation: 0
I got the following very long list (I had to cut list by 3/4 to post it on this forum) when I run ipkg list:

GhostDrive> ipkg list
ipac-ng - 1.31-3 - iptables/ipchains based IP accounting package for Linux.
ipcalc - 0.41-1 - Calculator for IPv4 addresses.
iperf - 2.0.4-1 - A tool for measuring TCP and UDP bandwidth performance.
ipkg-opt - 0.99.163-10 - The Itsy Package Manager
ipkg-web - 7-7 - A web frontend for ipkg
iptables - 1.2.11-2 - Userland utilities for controlling firewalling rules
iptraf - 3.0.0-1 - IPTraf is a console-based network statistics utility for Linux.
iputils-arping - 20070202-1 - The arping command acts like the standard ping command except it pings a machine by its ARP address instead of its IP address.
ipython-common - 0.8.4-1 - An enhanced interactive Python shell
ircd-hybrid - 7.2.2-1 - IRCD Hybrid
irssi - 0.8.12-3 - A terminal based IRC client for UNIX systems.
ivorbis-tools - 1.0-6 - Tools to allow you to play, encode, and manage Ogg Vorbis files. This version is hacked to use the Tremor integer decoder.
jabberd - 1.6.1.1-1 - Jabber is an open-source IM platform designed to be open, fast, and easy to use and extend.
jamvm - 1.5.1-1 - VM spec version 2 conformant. Extremely small with stripped executable
jed - 0.99.18-1 - A powerful yet friendly text editor.
jikes - 1.22-1 - IBM java compiler
joe - 3.5-1 - Joe's own editor. A text editor with wordstar-like and emacs-like keybindings.
jove - 4.16.0.70-2 - A tiny, fast editor with emacs keybindings
kernel-module-audio - 2.4.22-6 - DS-101G+ kernel module audio
kernel-module-cdrom - 2.4.22-6 - DS-101G+ kernel module cdrom
kernel-module-dss1-divert - 2.4.22-6 - DS-101G+ kernel module dss1_divert
kernel-module-ethertap - 2.4.22-6 - DS-101G+ kernel module ethertap
kernel-module-fuse - 2.5.3-3 - With FUSE it is possible to implement a fully functional filesystem in a userspace program
kernel-module-hfc-usb - 2.4.22-6 - DS-101G+ kernel module hfc_usb
kernel-module-hisax - 2.4.22-6 - DS-101G+ kernel module hisax
kernel-module-isdn - 2.4.22-6 - DS-101G+ kernel module isdn
kernel-module-isdn-bsdcomp - 2.4.22-6 - DS-101G+ kernel module isdn_bsdcomp
kernel-module-isofs - 2.4.22-6 - DS-101G+ kernel module isofs
kernel-module-loop - 2.4.22-6 - DS-101G+ kernel module loop
kernel-module-nfsd - 2.4.22-6 - DS-101G+ kernel module nfsd
kernel-module-pwc - 2.4.22-6 - DS-101G+ kernel module pwc
kernel-module-rtl8150 - 2.4.22-6 - DS-101G+ kernel module rtl8150
kernel-module-slhc - 2.4.22-6 - DS-101G+ kernel module slhc
kernel-module-soundcore - 2.4.22-6 - DS-101G+ kernel module soundcore
kernel-module-sr-mod - 2.4.22-6 - DS-101G+ kernel module sr_mod
kernel-module-tun - 2.4.22-6 - DS-101G+ kernel module tun
kernel-module-videodev - 2.4.22-6 - DS-101G+ kernel module videodev
keychain - 2.6.8-1 - Key manager for OpenSSH.
kismet - 2007-01-R1b-2 - An 802.11 layer2 wireless network detector, sniffer, and intrusion detection system.
kissdx - 0.13-10a-2 - kissdx is a PC-Link clone for KiSS media players with added features for DVD, video and picture playback.
knock - 0.5-2 - knockd is a port-knock server. It listens to all traffic on an ethernet (or PPP) interface, looking for special knock sequences
lame - 3.97-1 - LAME is an LGPL MP3 encoder.


I got the following when I run ipkg status:
Package: iptables
Version: 1.2.11-2
Status: install user installed
Architecture: powerpc
Installed-Time: 1215903227

Package: openssl
Version: 0.9.7m-4
Status: install user installed
Architecture: powerpc

Package: wget-ssl
Version: 1.11.4-1
Depends: openssl
Conflicts: wget
Status: install user installed
Architecture: powerpc

Successfully terminated.

I did not get anything when I run lsmod |grep recent.

But I got this when I enter lsmod grep recent:
Module Size Used by Tainted: P
hid 18308 0
printer 8048 0
usb-storage 29828 1
usb-ohci 20020 0 (unused)
ehci-hcd 19716 0 (unused)
synobios 8176 4
sk98lin 148944 1
snd-pcm-oss 45532 0 (unused)
snd-mixer-oss 15256 0 [snd-pcm-oss]
snd-usb-audio 51048 0 (unused)
snd-pcm 63700 0 [snd-pcm-oss snd-usb-audio]
snd-timer 17480 0 [snd-pcm]
snd-hwdep 5768 0 [snd-usb-audio]
snd-usb-lib 11092 0 [snd-usb-audio]
snd-rawmidi 16308 0 [snd-usb-lib]
snd-seq-device 4664 0 [snd-rawmidi]
snd 38488 0 [snd-pcm-oss snd-mixer-oss snd-usb-audio snd-pcm snd-timer snd-hwdep snd-usb-lib snd-rawmidi snd-seq-device]
snd-page-alloc 5488 0 [snd-mixer-oss snd-usb-audio snd-pcm snd-timer snd-hwdep snd-rawmidi snd-seq-device snd]
soundcore 3952 0 [snd]
nfsd 71248 0 (unused)
ppp_async 8204 0 (unused)
ppp_generic 20316 0 [ppp_async]
slhc 4224 0 [ppp_generic]
quota_v2 8160 2
usbcore 69520 1 [hid printer usb-storage usb-ohci ehci-hcd snd-usb-audio snd-usb-lib]
sg 33804 0 (unused)
sd_mod 16212 2 [printer usb-storage]
scsi_mod 90016 3 [usb-storage sg sd_mod]
ntfs 94080 0 (unused)
vfat 11308 0 (unused)
reiserfs 243776 0 (unused)
netlink_dev 2016 0 (unused)
fat 40176 0 [vfat]
appletalk 23440 12

I got an error message when I enter ls -al /lib/modules/'uname -r' / | grep recent:

ls: /lib/modules/uname -r: No such file or directory

I got this when I run insmod ipt_recent:
insmod: /lib/modules/2.4.22-uc0: No such file or directory
insmod: ipt_recent.o: no module by that name found

I got this when I run modprobe ipt_recent:
modprobe: could not parse modules.dep

I have no idea what's going on.
 
Old 07-19-2008, 04:18 AM   #4
jomen
Senior Member
 
Registered: May 2004
Location: Leipzig/Germany
Distribution: Arch
Posts: 1,687

Rep: Reputation: 55
You want to use an iptables rule which makes use of the "recent" match.
This is not part of your installation - not yet.

The commands I posted were to:
- show what software is available to you,
- show what software is already installed,
- show what modules are available to you,
- show what modules are already loaded,
- try to load the module - had it been available to you

Quote:
I got an error message when I enter ls -al /lib/modules/'uname -r' / | grep recent:
ls: /lib/modules/uname -r: No such file or directory
There is a difference between:
Code:
ls -al /lib/modules/'uname -r' / | grep recent
and
ls -al /lib/modules/`uname -r`/ | grep recent
the latter is what I wrote - and which will work.

It lists the contents of the directory named after your kernel-version, where all modules are stored - and filters the list for the module you want.
Code:
ls -al /lib/modules/2.4.22-uc0/ | grep recent
will also do.
Or look at:
ls -al /lib/modules/2.4.22-uc0/
for all installed modules.

You will need to install some software to get support for the "recent" match.
I don't know exactly which and if it is even called the same name for you.
I can only tell you what I have installed here ("recent" match is working):

Code:
root@112-2:~# ls -al /lib/modules/`uname -r`/ | grep recent
-rw-rw-r--    1 root     root        14292 Feb 26 20:52 ipt_recent.o
Kernel is 2.4.30

ipkg install iptables-mod-filter
ipkg install tc
ipkg install iptables-mod-conntrack
ipkg install iptables-mod-ipopt
ipkg install iptables-extra
ipkg install freifunk-openwrt-compat
The last one is most definitely not available to you - the second one (tc) is one you will not need.
In one of the others is the module and library you need to use the "recent" match.

I'm talking about an example here - the example is OpenWRT on a MIPS based system - and the software available to it.

Again: I don't know your system or what software is available for it - you will need to read through the package descriptions - or go to the manufacturer's website and look there for descriptions.

Last edited by jomen; 07-19-2008 at 04:22 AM.
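
The two errors in this thread come from different layers: the missing libipt_recent.so is the userland extension, while "can't initialize iptables table `filter'" typically points at the kernel side. As an added example (not part of either poster's messages), this POSIX sh function checks each layer separately; the function names, argument order and use of /proc/modules are assumptions of the example, and the /opt/lib/iptables path is taken from the error message quoted in post #1.

```shell
#!/bin/sh
# Added example. An iptables match such as "recent" needs three pieces:
#   1. the netfilter core (ip_tables) in the running kernel
#   2. the kernel match module (ipt_<match>.o on 2.4 kernels, .ko on 2.6+)
#   3. the userland extension libipt_<match>.so in the iptables lib directory

# has_module NAME MODDIR LOADED_FILE: true if loaded now or present as a file.
has_module() {
    grep -q "^$1[[:space:]]" "$3" 2>/dev/null && return 0
    find "$2" \( -name "$1.o" -o -name "$1.ko" \) 2>/dev/null | grep -q .
}

# check_match MATCH MODDIR LIBDIR LOADED_FILE
# LOADED_FILE is /proc/modules or saved lsmod output (module name in column 1).
# Prints one line per piece and returns the number of missing pieces (0-3).
check_match() {
    match=$1; moddir=$2; libdir=$3; loaded=$4
    missing=0
    if has_module ip_tables "$moddir" "$loaded"; then
        echo "ok       kernel core    ip_tables"
    else
        # Goes with "can't initialize iptables table `filter'". A kernel with
        # netfilter compiled in is also reported here, so confirm by hand.
        echo "MISSING  kernel core    ip_tables"
        missing=$((missing + 1))
    fi
    if has_module "ipt_$match" "$moddir" "$loaded"; then
        echo "ok       kernel match   ipt_$match"
    else
        echo "MISSING  kernel match   ipt_$match"
        missing=$((missing + 1))
    fi
    if [ -f "$libdir/libipt_$match.so" ]; then
        echo "ok       userland lib   $libdir/libipt_$match.so"
    else
        # Goes with "Couldn't load match ...: cannot open shared object file".
        echo "MISSING  userland lib   $libdir/libipt_$match.so"
        missing=$((missing + 1))
    fi
    return "$missing"
}

# Live use: sh check_match.sh recent   (script name is hypothetical)
if [ $# -ge 1 ]; then
    check_match "$1" "/lib/modules/$(uname -r)" /opt/lib/iptables /proc/modules
fi
```

A "MISSING" on either kernel line means no ipkg userland package alone will make the rule load; the firmware's kernel has to provide the module.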
 
  

