LinuxQuestions.org

Linux - Kernel: enabling iptables support (https://www.linuxquestions.org/questions/linux-kernel-70/enabling-iptables-support-547925/)

RedEyez 04-21-2007 04:31 PM

enabling iptables support
 
What options do I need to compile into the kernel to get iptables to work with Guarddog on Slackware 11? The kernel I'm trying to compile is 2.6.20.6. I've tried a couple of times now to get it working but I've had no luck. I have netfilter compiled in with it; am I missing something else?

blackhole54 04-22-2007 01:37 AM

Maybe your problem isn't the kernel itself? Iptables itself is supposed to compile against the kernel you are using. Are you getting error messages, or what?

jschiwal 04-22-2007 02:00 AM

The iptables command is a userland command that configures the rules for the netfilter module in the kernel. There are several netfilter related modules.
Here are some Netfilter related settings in my running kernel:
Code:

zcat /proc/config.gz | grep -in netfilter
420:CONFIG_NETFILTER=y
421:# CONFIG_NETFILTER_DEBUG is not set
422:CONFIG_BRIDGE_NETFILTER=y
425:# Core Netfilter Configuration
427:CONFIG_NETFILTER_NETLINK=m
428:CONFIG_NETFILTER_NETLINK_QUEUE=m
429:CONFIG_NETFILTER_NETLINK_LOG=m
430:CONFIG_NETFILTER_XTABLES=m
431:CONFIG_NETFILTER_XT_TARGET_CLASSIFY=m
432:CONFIG_NETFILTER_XT_TARGET_CONNMARK=m
433:CONFIG_NETFILTER_XT_TARGET_MARK=m
434:CONFIG_NETFILTER_XT_TARGET_NFQUEUE=m
435:CONFIG_NETFILTER_XT_TARGET_NOTRACK=m
436:CONFIG_NETFILTER_XT_TARGET_SECMARK=m
437:CONFIG_NETFILTER_XT_TARGET_CONNSECMARK=m
438:CONFIG_NETFILTER_XT_MATCH_COMMENT=m
439:CONFIG_NETFILTER_XT_MATCH_CONNMARK=m
440:CONFIG_NETFILTER_XT_MATCH_CONNTRACK=m
441:CONFIG_NETFILTER_XT_MATCH_DCCP=m
442:CONFIG_NETFILTER_XT_MATCH_ESP=m
443:CONFIG_NETFILTER_XT_MATCH_HELPER=m
444:CONFIG_NETFILTER_XT_MATCH_LENGTH=m
445:CONFIG_NETFILTER_XT_MATCH_LIMIT=m
446:CONFIG_NETFILTER_XT_MATCH_MAC=m
447:CONFIG_NETFILTER_XT_MATCH_MARK=m
448:CONFIG_NETFILTER_XT_MATCH_POLICY=m
449:CONFIG_NETFILTER_XT_MATCH_MULTIPORT=m
450:CONFIG_NETFILTER_XT_MATCH_PHYSDEV=m
451:CONFIG_NETFILTER_XT_MATCH_PKTTYPE=m
452:CONFIG_NETFILTER_XT_MATCH_QUOTA=m
453:CONFIG_NETFILTER_XT_MATCH_REALM=m
454:CONFIG_NETFILTER_XT_MATCH_SCTP=m
455:CONFIG_NETFILTER_XT_MATCH_STATE=m
456:CONFIG_NETFILTER_XT_MATCH_STATISTIC=m
457:CONFIG_NETFILTER_XT_MATCH_STRING=m
458:CONFIG_NETFILTER_XT_MATCH_TCPMSS=m
461:# IP: Netfilter Configuration
521:# IPv6: Netfilter Configuration (EXPERIMENTAL)
541:# DECnet: Netfilter Configuration
546:# Bridge: Netfilter Configuration


RedEyez 04-22-2007 02:25 PM

Yes, I do get an error when I try to apply settings in Guarddog:
Quote:

FATAL: Module ip_tables not found.
iptables v1.3.5: can't initialize iptables table `filter': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
Finished.

blackhole54 04-23-2007 12:43 AM

See if the ip_tables module is actually loaded with

lsmod | grep ip_tables

If not, try to load it manually with (running as root)

modprobe ip_tables

If you can't load it, then you didn't compile it into your kernel. (See jschiwal's post).

If it is loaded and you still get the error, then you probably need to recompile iptables:

http://www.cae.wisc.edu/site/public/?title=lincompile

I think the info linked above will work, but you might want to do some more checking on your own. (I have compiled iptables but I no longer remember the details.) In particular, make sure you are happy with where the binary will be installed. And realize this must be compiled referencing the kernel it is to be used with. Again, I have forgotten the details.
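The two checks above (jschiwal's: which netfilter options the kernel was built with; blackhole54's: whether the ones built as modules are actually loaded) as a single script. This is an added example, not code from the thread. The option-to-module names (x_tables, ip_tables, iptable_filter) and the constructed config text are my assumptions about a 2.6.20-era kernel; with `--live` it reads the running kernel's config and /proc/modules instead of the sample.

```sh
#!/bin/sh
# Added example (not from the thread): report, for each kernel option the
# iptables 'filter' table depends on, whether it is built in (y), a module (m)
# or missing (n), and for modules whether they are currently loaded. The config
# text is constructed for offline use; run with --live to read the running
# kernel's config (/proc/config.gz or /boot/config-$(uname -r)) and /proc/modules.

# Core options behind jschiwal's grep. Extra matches and targets a front-end
# uses have their own CONFIG_NETFILTER_XT_MATCH_* / CONFIG_IP_NF_TARGET_*
# entries and are checked the same way.
REQUIRED="CONFIG_NETFILTER CONFIG_NETFILTER_XTABLES CONFIG_IP_NF_IPTABLES CONFIG_IP_NF_FILTER"

# Module each option produces when set to m (assumed names, as in the thread's lsmod).
module_for() {
    case $1 in
        CONFIG_NETFILTER_XTABLES) echo x_tables ;;
        CONFIG_IP_NF_IPTABLES)    echo ip_tables ;;
        CONFIG_IP_NF_FILTER)      echo iptable_filter ;;
        *)                        echo "" ;;
    esac
}

# Constructed sample: xtables is a module, IP_NF_IPTABLES was left out, which
# is the kind of config that yields "FATAL: Module ip_tables not found".
write_sample_config() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
CONFIG_NETFILTER=y
# CONFIG_NETFILTER_DEBUG is not set
CONFIG_NETFILTER_XTABLES=m
# CONFIG_IP_NF_IPTABLES is not set
CONFIG_IP_NF_FILTER=m
EOF
    echo "$f"
}

# live_config -> writes the running kernel's config to stdout
live_config() {
    if [ -r /proc/config.gz ]; then zcat /proc/config.gz
    elif [ -r "/boot/config-$(uname -r)" ]; then cat "/boot/config-$(uname -r)"
    else cat /boot/config
    fi
}

# config_state FILE OPTION -> prints y, m or n
config_state() {
    if grep -q "^$2=y\$" "$1"; then echo y
    elif grep -q "^$2=m\$" "$1"; then echo m
    else echo n
    fi
}

# module_loaded NAME MODULES_FILE -> 0 if NAME appears in the lsmod-style file
module_loaded() {
    grep -q "^$1 " "$2" 2>/dev/null
}

# check_required CONFIG_FILE [MODULES_FILE] -> one line per option, status 1 if
# any option is missing (the kernel must be reconfigured and rebuilt).
check_required() {
    rc=0
    for opt in $REQUIRED; do
        case $(config_state "$1" "$opt") in
            y) echo "$opt: built in" ;;
            m) mod=$(module_for "$opt")
               if [ -n "$2" ] && module_loaded "$mod" "$2"; then
                   echo "$opt: module $mod (loaded)"
               else
                   echo "$opt: module $mod (load with: modprobe $mod)"
               fi ;;
            n) echo "$opt: MISSING, enable it and rebuild the kernel"; rc=1 ;;
        esac
    done
    return $rc
}

if [ "${1:-}" = "--live" ]; then
    cfg=$(mktemp); live_config >"$cfg"
    check_required "$cfg" /proc/modules; rm -f "$cfg"
else
    cfg=$(write_sample_config); check_required "$cfg"; rm -f "$cfg"
fi
```

A non-zero exit from `check_required` means no amount of rebuilding iptables will help: the kernel itself lacks the table, which is what the "Table does not exist (do you need to insmod?)" message is reporting.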

RedEyez 04-23-2007 10:31 AM

OK, I'm still getting the same error even after compiling iptables 1.3.7. iptables is compiled into my kernel as well; lsmod | grep ip_tables outputs:
Code:

ip_tables               9688  0
x_tables               11140  1 ip_tables


blackhole54 04-24-2007 12:16 AM

I dunno. It sounds to me like it should work. There's one more thing I can think of before I am out of ideas:

When you compiled iptables, did the resulting binary replace the original binary, or was it put someplace else? (When I compiled iptables, the resulting binary ended up in /usr/local/sbin. The original binary remained in /sbin.) If you now have two copies of iptables, make sure guarddog is using the one you just compiled.

Beyond that, all I can do is wish you good luck.

EDIT: If you have two copies, you can see which one Guarddog is using by checking the access times on the two binaries.

jayjwa 04-26-2007 09:13 AM

Yes, I've seen this before.

Quote:

FATAL: Module ip_tables not found.
iptables v1.3.5: can't initialize iptables table `filter': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
I think it may be a sort of a bug that happens when you make certain parts of the netfilter/iptables system compiled in and some others modules. I had it once and it drove me nuts on one machine; I think I let something be a module instead of compiling it in (or vice versa).

A few things to consider:
  • For recent kernels, like 2.6.20.6 or .7, you should use the snapshot iptables. The old stuff that comes with most distros won't cut it, especially if it shipped with an older kernel. I use snapshots all the time with no problems.
  • Config the kernel and compile it. The iptables user-land tool should be built against that kernel source afterwards.
  • When you install a new iptables/netfilter system, whack the old one and install into /usr as a base. That puts the .so files in /usr/lib/iptables. Set your makefile command correctly.
  • Maybe Guard Dog is being a naughty puppy? Check by hand that iptables works first, then use it with firewall apps if you want.

2.6.20.7 was out last I checked. I used these sources off ftp.kernel.org and ftp.netfilter.org. Note that the iptables I'm using with kernels as new as ours is much more recent than 1.3.5, which was probably a production version anyway.

Code:

ipset-20070414.tar.bz2                  linux-2.6.20.7.tar.bz2
patch-o-matic-ng-20070414.tar.bz2
iptables-1.3.7-20070414.tar.bz2          netfilter-2.6.20-ip_output.patch.gz
IPV4OPTSSTRIP-2.6-skb-writable.patch.gz

You can obviously skip ipset and patch-o-matic-ng if you don't use them. Same with the patches.

Be careful of some of the recent snapshot files on ftp.netfilter.org. Their auto-tarballer seems to be spitting out broken tarballs that are only 40-something bytes in length.

Code:

egrep -n 'PTABLE|NETFILT' /boot/config

320:CONFIG_NETFILTER=y
321:# CONFIG_NETFILTER_DEBUG is not set
322:CONFIG_BRIDGE_NETFILTER=y
327:CONFIG_NETFILTER_NETLINK=m
328:CONFIG_NETFILTER_NETLINK_QUEUE=m
329:CONFIG_NETFILTER_NETLINK_LOG=m
348:CONFIG_NETFILTER_XTABLES=y
349:CONFIG_NETFILTER_XT_TARGET_CLASSIFY=m
350:CONFIG_NETFILTER_XT_TARGET_DSCP=m
351:CONFIG_NETFILTER_XT_TARGET_MARK=m
352:CONFIG_NETFILTER_XT_TARGET_NFQUEUE=m
353:CONFIG_NETFILTER_XT_TARGET_NFLOG=m
354:CONFIG_NETFILTER_XT_TARGET_NOTRACK=m
355:CONFIG_NETFILTER_XT_MATCH_COMMENT=m
356:CONFIG_NETFILTER_XT_MATCH_CONNTRACK=m
357:CONFIG_NETFILTER_XT_MATCH_DCCP=m
358:CONFIG_NETFILTER_XT_MATCH_DSCP=m
359:CONFIG_NETFILTER_XT_MATCH_ESP=m
360:CONFIG_NETFILTER_XT_MATCH_HELPER=m
361:CONFIG_NETFILTER_XT_MATCH_LENGTH=m
362:CONFIG_NETFILTER_XT_MATCH_LIMIT=m
363:CONFIG_NETFILTER_XT_MATCH_MAC=m
364:CONFIG_NETFILTER_XT_MATCH_MARK=m
365:CONFIG_NETFILTER_XT_MATCH_POLICY=m
366:CONFIG_NETFILTER_XT_MATCH_MULTIPORT=m
367:CONFIG_NETFILTER_XT_MATCH_PHYSDEV=m
368:CONFIG_NETFILTER_XT_MATCH_PKTTYPE=m
369:CONFIG_NETFILTER_XT_MATCH_QUOTA=m
370:CONFIG_NETFILTER_XT_MATCH_REALM=m
371:CONFIG_NETFILTER_XT_MATCH_SCTP=m
372:CONFIG_NETFILTER_XT_MATCH_STATE=m
373:CONFIG_NETFILTER_XT_MATCH_STATISTIC=m
374:CONFIG_NETFILTER_XT_MATCH_STRING=m
375:CONFIG_NETFILTER_XT_MATCH_TCPMSS=m
376:CONFIG_NETFILTER_XT_MATCH_HASHLIMIT=m
384:CONFIG_IP_NF_IPTABLES=y
418:CONFIG_IP_NF_ARPTABLES=m

There's actually no module called ip_tables in my setup. I compile in the main pieces, leaving the add-ons like the matches and separate tables as modules.

Code:


# modprobe -l | grep ip_table

The module for the 'filter' table, I think, is iptable_filter.ko.gz...

Code:


modprobe -l | grep iptable

/lib/modules/2.6.20.7/kernel/net/ipv4/netfilter/iptable_raw.ko.gz
/lib/modules/2.6.20.7/kernel/net/ipv4/netfilter/iptable_nat.ko.gz
/lib/modules/2.6.20.7/kernel/net/ipv4/netfilter/iptable_mangle.ko.gz
/lib/modules/2.6.20.7/kernel/net/ipv4/netfilter/iptable_filter.ko.gz

# ls /lib/modules/2.6.20.7/kernel/net/ipv4/netfilter/

arptable_filter.ko.gz
arp_tables.ko.gz
arpt_mangle.ko.gz
ip_queue.ko.gz
ip_set_iphash.ko.gz
ip_set_ipmap.ko.gz
ip_set_ipporthash.ko.gz
ip_set_iptree.ko.gz
ip_set.ko.gz
ip_set_macipmap.ko.gz
ip_set_nethash.ko.gz
ip_set_portmap.ko.gz
iptable_filter.ko.gz
iptable_mangle.ko.gz
iptable_nat.ko.gz
iptable_raw.ko.gz
ipt_addrtype.ko.gz
ipt_ecn.ko.gz
ipt_ECN.ko.gz
ipt_iprange.ko.gz
ipt_ipv4options.ko.gz
ipt_IPV4OPTSSTRIP.ko.gz
ipt_LOG.ko.gz
ipt_MASQUERADE.ko.gz
ipt_NETMAP.ko.gz
ipt_owner.ko.gz
ipt_recent.ko.gz
ipt_REDIRECT.ko.gz
ipt_REJECT.ko.gz
ipt_ROUTE.ko.gz
ipt_SAME.ko.gz
ipt_set.ko.gz
ipt_SET.ko.gz
ipt_TARPIT.ko.gz
ipt_TCPMSS.ko.gz
ipt_tos.ko.gz
ipt_TOS.ko.gz
ipt_ttl.ko.gz
ipt_TTL.ko.gz
ipt_u32.ko.gz
ipt_ULOG.ko.gz
nf_conntrack_ipv4.ko.gz
nf_nat_ftp.ko.gz
nf_nat_irc.ko.gz
nf_nat.ko.gz
nf_nat_pptp.ko.gz
nf_nat_proto_gre.ko.gz
nf_nat_snmp_basic.ko.gz
nf_nat_tftp.ko.gz

After you think you have it fixed, see if something like this works before using Guarddog:

Code:


# append a harmless LOG rule, then list the chain to confirm the filter table accepts rules
iptables -A INPUT -p tcp --dport 80 -j LOG --log-level 7 --log-prefix "IPT Test: "

iptables -L INPUT -n -v --line-numbers

The patches, if you need them (it depends):

Code:

--- net/ipv4/ip_output.c.orig        2007-02-09 23:24:57.000000000 -0500
+++ net/ipv4/ip_output.c        2007-02-09 23:25:07.000000000 -0500
@@ -1396,0 +1397 @@ void __init ip_init(void)
+EXPORT_SYMBOL(sysctl_ip_default_ttl);
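Review bot: the hunk header `@@ -1396,0 +1397 @@` carries zero lines of context, so `patch` can only place `EXPORT_SYMBOL(sysctl_ip_default_ttl);` by absolute line number and will silently put it somewhere else on any ip_output.c that differs from the one the diff was cut from (a later 2.6.20.x point release is enough); regenerate it with `diff -u` so there are context lines to match against. Style point: the kernel keeps `EXPORT_SYMBOL()` directly after the definition of the symbol it exports, not after an unrelated function, and the `void __init ip_init(void)` hint in the header says this one lands after `ip_init()`.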


--- net/ipv4/netfilter/ipt_IPV4OPTSSTRIP.c.old        2006-01-23 03:29:26.000000000 -0500
+++ net/ipv4/netfilter/ipt_IPV4OPTSSTRIP.c        2006-01-23 03:30:11.000000000 -0500
@@ -30,7 +30,7 @@
        unsigned char *optiph;
        int l;
       
-        if (!skb_ip_make_writable(pskb, (*pskb)->len))
+        if (!skb_make_writable(pskb, (*pskb)->len))
                return NF_DROP;
 
        skb = (*pskb);
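Review bot: the one-line rename from `skb_ip_make_writable` to `skb_make_writable` keeps the `(pskb, (*pskb)->len)` arguments, which is right for a 2.6.20 tree where the function still takes `struct sk_buff **`, and the unchanged `skb = (*pskb);` after it stays necessary because the call can replace the buffer behind `*pskb`. Two things to check before applying: `net/ipv4/netfilter/ipt_IPV4OPTSSTRIP.c` is not in the mainline 2.6.20 tree but comes from the patch-o-matic-ng tarball listed above, so this hunk only applies after that extension has been added, and the `.old` header date (2006-01-23) shows the diff was cut against an older copy of the file, so expect fuzz or an offset against the 20070414 snapshot.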

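The "check by hand before trusting Guarddog" step above, carried through to the cleanup. This is an added example, not code from the thread: it appends the LOG rule jayjwa suggests, locates it in the `--line-numbers` listing by its log prefix, and deletes it by number so the test leaves nothing in the INPUT chain. The sample listing embedded below is constructed in the iptables 1.3.x output format (my assumption about the exact columns) so the parser can be run without root; `--live` runs the real sequence.

```sh
#!/bin/sh
# Added example (not from the thread): prove the 'filter' table works before
# handing it to a GUI front-end. It appends the LOG rule jayjwa suggests, lists
# INPUT with --line-numbers, finds the rule by its log prefix and deletes it by
# number so the test leaves no rule behind. The listing text below is
# constructed in the iptables 1.3.x output format so the parser runs without root.

PREFIX="IPT Test: "

# rule_line_number LISTING_FILE PREFIX -> prints the num column of the first
# rule whose LOG prefix equals PREFIX (iptables shows it as prefix `...'),
# status 1 and no output if there is none.
rule_line_number() {
    awk -v pfx="$2" -v q="'" '
        BEGIN { missing = 1 }
        /^[0-9]+[ \t]/ && index($0, "prefix `" pfx q) { print $1; missing = 0; exit }
        END { exit missing }
    ' "$1"
}

# Constructed sample of iptables -L INPUT -n -v --line-numbers with the test
# rule sitting at line 2 behind an unrelated loopback rule.
write_sample_listing() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
Chain INPUT (policy ACCEPT 12 packets, 960 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       40  2400 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
2        0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80 LOG flags 0 level 7 prefix `IPT Test: '
EOF
    echo "$f"
}

# filter_selftest -> 0 when a rule can be added, listed and removed again.
# Needs root and an iptables built against the running kernel; invoke with --live.
filter_selftest() {
    # Listing alone reproduces the thread's "Table does not exist" when
    # ip_tables/iptable_filter are neither built in nor loadable.
    if ! iptables -L INPUT -n >/dev/null 2>&1; then
        echo "filter table unusable: fix the kernel/module side first"; return 1
    fi
    iptables -A INPUT -p tcp --dport 80 -j LOG --log-level 7 --log-prefix "$PREFIX" || return 1
    listing=$(mktemp)
    iptables -L INPUT -n -v --line-numbers >"$listing"
    n=$(rule_line_number "$listing" "$PREFIX")
    rm -f "$listing"
    if [ -z "$n" ]; then echo "rule accepted but not listed"; return 1; fi
    # Deleting by number is the cleanup a bare -A test would leave undone.
    iptables -D INPUT "$n" && echo "filter table OK: test rule $n added and removed"
}

case ${1:-} in
    --live) filter_selftest ;;
    *) f=$(write_sample_listing)
       echo "sample listing: the LOG test rule is line $(rule_line_number "$f" "$PREFIX")"
       rm -f "$f" ;;
esac
```

Deleting by line number rather than by re-specifying the rule is deliberate: if the listing format or the match modules differ between the iptables binary and the kernel, `-D` with the full rule text fails the same way `-A` would, while the number always refers to what the kernel actually holds.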

RedEyez 04-27-2007 05:32 PM

Thanks for the help, guys. I now have it working. jayjwa, you were right about some things having to be compiled in while others are made as modules; I also left a couple of things out of the compile the first few times, and I'm also using iptables 1.3.7 from packages.slackware.it.

