Linux - NetworkingThis forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
I get the following error when running arno's firewall script using a 2.6.20 kernel:
Code:
00:08:25 root@gbnet:/usr/src/linux-2.6.20# /etc/rc.d/rc.firewall start
Arno's Iptables Firewall Script v1.8.8h
-------------------------------------------------------------------------------
Sanity checks passed...OK
Checking/probing Iptables modules:
NOTE: Module "ip_conntrack" not found. Assuming it is compiled in the kernel
NOTE: Module "iptable_nat" not found. Assuming it is compiled in the kernel
Module check done...
Setting the kernel ring buffer to only log panic messages to the console
Configuring /proc/.... settings:
Enabling anti-spoof with rp_filter
Enabling SYN-flood protection via SYN-cookies
Disabling the logging of martians
Disabling the acception of ICMP-redirect messages
WARNING: /proc/../ip_conntrack_max was NOT found. This may be a problem!
Enabling protection against source routed packets
Setting default conntrack timeouts
/etc/rc.d/rc.firewall: line 605: /proc/sys/net/ipv4/netfilter/ip_conntrack_udp_timeout: No such file or directory
/etc/rc.d/rc.firewall: line 606: /proc/sys/net/ipv4/netfilter/ip_conntrack_udp_timeout_stream: No such file or directory
Enabling reduction of the DoS'ing ability
Setting Default TTL=64
Disabling ECN (Explicit Congestion Notification)
Flushing route table
/proc/ setup done...
Flushing rules in the filter table
Setting default (secure) policies
Using loglevel "debug" for syslogd
Setting up firewall rules:
-------------------------------------------------------------------------------
Accepting packets from the local loopback device
Enabling setting the maximum packet size via MSS
Enabling mangling TOS
iptables: Unknown error 4294967295
iptables: Unknown error 4294967295
iptables: Unknown error 4294967295
iptables: Unknown error 4294967295
iptables: Unknown error 4294967295
iptables: Unknown error 4294967295
iptables: Unknown error 4294967295
iptables: Unknown error 4294967295
iptables: Unknown error 4294967295
Logging of stealth scans (nmap probes etc.) enabled
Logging of packets with bad TCP-flags enabled
Logging of INVALID TCP packets disabled
Logging of INVALID UDP packets disabled
Logging of INVALID ICMP packets disabled
iptables: Unknown error 4294967295
Logging of fragmented packets enabled
Logging of access from reserved addresses enabled
Setting up anti-spoof rules
Reading custom rules from /etc/arno-iptables-firewall/custom-rules
/etc/arno-iptables-firewall/custom-rules: line 3: [: too many arguments
Setting up INPUT policy for the external net (INET):
Logging of explicitly blocked hosts enabled
Logging of denied local output connections enabled
Packets will NOT be checked for private source addresses
Denying the whole world to send ICMP-requests(ping)
Logging of dropped ICMP-request(ping) packets enabled
Logging of dropped other ICMP packets enabled
Logging of possible stealth scans enabled
Logging of (other) connection attempts to PRIVILEGED TCP ports enabled
Logging of (other) connection attempts to PRIVILEGED UDP ports enabled
Logging of (other) connection attempts to UNPRIVILEGED TCP ports enabled
Logging of (other) connection attempts to UNPRIVILEGED UDP ports enabled
Logging of other IP protocols (non TCP/UDP/ICMP) connection attempts enabled
Logging of ICMP flooding enabled
Setting up OUTPUT policy for the external net (INET):
Allowing all (other) ports/protocols
Applying INET policy to external interface: eth0 (without an external subnet specified)
iptables: Unknown error 4294967295
iptables: Unknown error 4294967295
iptables: Unknown error 4294967295
Security is ENFORCED for external interface(s) in the FORWARD chain
Feb 08 0:08:31 All firewall rules applied.
It seems it can't find the ip_conntrack and iptable_nat kernel modules.
Is there something I need to enable to get these two kernel modules?
Here is the networking part of my 2.6.20 .config file:
Code:
#
# Networking
#
CONFIG_NET=y
#
# Networking options
#
# CONFIG_NETDEBUG is not set
CONFIG_PACKET=y
CONFIG_PACKET_MMAP=y
CONFIG_UNIX=y
CONFIG_XFRM=y
CONFIG_XFRM_USER=y
# CONFIG_XFRM_SUB_POLICY is not set
CONFIG_NET_KEY=m
CONFIG_INET=y
CONFIG_IP_MULTICAST=y
CONFIG_IP_ADVANCED_ROUTER=y
CONFIG_ASK_IP_FIB_HASH=y
# CONFIG_IP_FIB_TRIE is not set
CONFIG_IP_FIB_HASH=y
CONFIG_IP_MULTIPLE_TABLES=y
CONFIG_IP_ROUTE_MULTIPATH=y
# CONFIG_IP_ROUTE_MULTIPATH_CACHED is not set
CONFIG_IP_ROUTE_VERBOSE=y
# CONFIG_IP_PNP is not set
CONFIG_NET_IPIP=m
CONFIG_NET_IPGRE=m
CONFIG_NET_IPGRE_BROADCAST=y
CONFIG_IP_MROUTE=y
CONFIG_IP_PIMSM_V1=y
CONFIG_IP_PIMSM_V2=y
# CONFIG_ARPD is not set
CONFIG_SYN_COOKIES=y
CONFIG_INET_AH=m
CONFIG_INET_ESP=m
CONFIG_INET_IPCOMP=m
CONFIG_INET_XFRM_TUNNEL=m
CONFIG_INET_TUNNEL=m
CONFIG_INET_XFRM_MODE_TRANSPORT=y
CONFIG_INET_XFRM_MODE_TUNNEL=y
CONFIG_INET_XFRM_MODE_BEET=y
CONFIG_INET_DIAG=m
CONFIG_INET_TCP_DIAG=m
# CONFIG_TCP_CONG_ADVANCED is not set
CONFIG_TCP_CONG_CUBIC=y
CONFIG_DEFAULT_TCP_CONG="cubic"
# CONFIG_TCP_MD5SIG is not set
Distribution: Xubuntu, Mythbuntu, Lubuntu, Picuntu, Mint 18.1, Debian Jessie
Posts: 1,207
Rep:
Quote:
Originally Posted by gbowden
It seems because I enabled this option:
< > Netfilter connection tracking support
It no longer created the ip_conntrack module and created a nf_conntrack module instead.
I'm recompiling the kernel to see if that fixes the problem.
Update:
I've just restared with my new kernel and everything is working fine. I accidently added some experimental kernel modules.
I've also finally got dazuko to compile for on-access anti virus scanning.
Regards,
Gregory Bowden
I also run Slack 11 and have just recompiled the kernel but am getting iptable errors now that I didn't get with 2.6.19.2. Would you post your entire .config or just indicate which experimental modules got included by mistake?
Distribution: Xubuntu, Mythbuntu, Lubuntu, Picuntu, Mint 18.1, Debian Jessie
Posts: 1,207
Rep:
looked at that post and tried a make oldconfig but never got any prompts about NAT. I get these errors when I do a make menuconfig:
.config:189:warning: trying to assign nonexistent symbol REGPARM
.config:326:warning: trying to assign nonexistent symbol IP_ROUTE_FWMARK
.config:471:warning: trying to assign nonexistent symbol IP_NF_MATCH_HASHLIMIT
.config:1362:warning: trying to assign nonexistent symbol FTAPE
.config:1363:warning: trying to assign nonexistent symbol ZFTAPE
.config:1364:warning: trying to assign nonexistent symbol ZFT_DFLT_BLK_SZ
.config:1369:warning: trying to assign nonexistent symbol ZFT_COMPRESSOR
.config:1370:warning: trying to assign nonexistent symbol FT_NR_BUFFERS
.config:1371:warning: trying to assign nonexistent symbol FT_PROC_FS
.config:1372:warning: trying to assign nonexistent symbol FT_NORMAL_DEBUG
.config:1373:warning: trying to assign nonexistent symbol FT_FULL_DEBUG
.config:1374:warning: trying to assign nonexistent symbol FT_NO_TRACE
.config:1375:warning: trying to assign nonexistent symbol FT_NO_TRACE_AT_ALL
.config:1380:warning: trying to assign nonexistent symbol FT_STD_FDC
.config:1381:warning: trying to assign nonexistent symbol FT_MACH2
.config:1382:warning: trying to assign nonexistent symbol FT_PROBE_FC10
.config:1383:warning: trying to assign nonexistent symbol FT_ALT_FDC
.config:1384:warning: trying to assign nonexistent symbol FT_FDC_THR
.config:1385:warning: trying to assign nonexistent symbol FT_FDC_MAX_RATE
.config:1386:warning: trying to assign nonexistent symbol FT_ALPHA_CLOCK
.config:1842:warning: trying to assign nonexistent symbol USB_HIDINPUT
.config:2264:warning: trying to assign nonexistent symbol UNWIND_INFO
I'm running a server with no X session and soundcard support on a 10 year old Pentium 1-how do I fix these errors in my .config?
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
arno firewall and 2.6.20 kernel?
