Old 04-21-2007, 04:31 PM   #1
RedEyez
Member
 
Registered: Nov 2006
Location: Wenatchee, Washington
Distribution: ubuntu, Slackware, Sabayon
Posts: 63

Rep: Reputation: 15
enabling iptables support


What options do I need to compile into the kernel to get iptables to work with guarddog on Slackware 11? The kernel I'm trying to compile is 2.6.20.6. I've tried a couple of times now to get it working but I've had no luck. I have netfilter compiled in with it; am I missing something else?
 
Old 04-22-2007, 01:37 AM   #2
blackhole54
Senior Member
 
Registered: Mar 2006
Posts: 1,896

Rep: Reputation: 61
Maybe your problem isn't the kernel itself? Iptables itself is supposed to compile against the kernel you are using. Are you getting error messages, or what?
 
Old 04-22-2007, 02:00 AM   #3
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 677
The iptables command is a userland command that configures the rules for the netfilter module in the kernel. There are several netfilter related modules.
Here are some Netfilter related settings in my running kernel:
Code:
zcat /proc/config.gz | grep -in netfilter
420:CONFIG_NETFILTER=y
421:# CONFIG_NETFILTER_DEBUG is not set
422:CONFIG_BRIDGE_NETFILTER=y
425:# Core Netfilter Configuration
427:CONFIG_NETFILTER_NETLINK=m
428:CONFIG_NETFILTER_NETLINK_QUEUE=m
429:CONFIG_NETFILTER_NETLINK_LOG=m
430:CONFIG_NETFILTER_XTABLES=m
431:CONFIG_NETFILTER_XT_TARGET_CLASSIFY=m
432:CONFIG_NETFILTER_XT_TARGET_CONNMARK=m
433:CONFIG_NETFILTER_XT_TARGET_MARK=m
434:CONFIG_NETFILTER_XT_TARGET_NFQUEUE=m
435:CONFIG_NETFILTER_XT_TARGET_NOTRACK=m
436:CONFIG_NETFILTER_XT_TARGET_SECMARK=m
437:CONFIG_NETFILTER_XT_TARGET_CONNSECMARK=m
438:CONFIG_NETFILTER_XT_MATCH_COMMENT=m
439:CONFIG_NETFILTER_XT_MATCH_CONNMARK=m
440:CONFIG_NETFILTER_XT_MATCH_CONNTRACK=m
441:CONFIG_NETFILTER_XT_MATCH_DCCP=m
442:CONFIG_NETFILTER_XT_MATCH_ESP=m
443:CONFIG_NETFILTER_XT_MATCH_HELPER=m
444:CONFIG_NETFILTER_XT_MATCH_LENGTH=m
445:CONFIG_NETFILTER_XT_MATCH_LIMIT=m
446:CONFIG_NETFILTER_XT_MATCH_MAC=m
447:CONFIG_NETFILTER_XT_MATCH_MARK=m
448:CONFIG_NETFILTER_XT_MATCH_POLICY=m
449:CONFIG_NETFILTER_XT_MATCH_MULTIPORT=m
450:CONFIG_NETFILTER_XT_MATCH_PHYSDEV=m
451:CONFIG_NETFILTER_XT_MATCH_PKTTYPE=m
452:CONFIG_NETFILTER_XT_MATCH_QUOTA=m
453:CONFIG_NETFILTER_XT_MATCH_REALM=m
454:CONFIG_NETFILTER_XT_MATCH_SCTP=m
455:CONFIG_NETFILTER_XT_MATCH_STATE=m
456:CONFIG_NETFILTER_XT_MATCH_STATISTIC=m
457:CONFIG_NETFILTER_XT_MATCH_STRING=m
458:CONFIG_NETFILTER_XT_MATCH_TCPMSS=m
461:# IP: Netfilter Configuration
521:# IPv6: Netfilter Configuration (EXPERIMENTAL)
541:# DECnet: Netfilter Configuration
546:# Bridge: Netfilter Configuration
 
Old 04-22-2007, 02:25 PM   #4
RedEyez
Member
 
Registered: Nov 2006
Location: Wenatchee, Washington
Distribution: ubuntu, Slackware, Sabayon
Posts: 63

Original Poster
Rep: Reputation: 15
Yes, I do get an error when I try to apply settings in guarddog:
Quote:
FATAL: Module ip_tables not found.
iptables v1.3.5: can't initialize iptables table `filter': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
Finished.
 
Old 04-23-2007, 12:43 AM   #5
blackhole54
Senior Member
 
Registered: Mar 2006
Posts: 1,896

Rep: Reputation: 61
See if the ip_tables module is actually loaded with

lsmod | grep ip_tables

If not, try to load it manually with (running as root)

modprobe ip_tables

If you can't load it, then you didn't compile it into your kernel. (See jschiwal's post).

If it is loaded and you still get the error, then you probably need to recompile iptables:

http://www.cae.wisc.edu/site/public/?title=lincompile

I think the info linked above will work, but you might want to do some more checking on your own. (I have compiled iptables but I no longer remember the details.) In particular, make sure you are happy with where the binary will be installed. And realize this must be compiled referencing the kernel it is to be used with. Again, I have forgotten the details.
 
Old 04-23-2007, 10:31 AM   #6
RedEyez
Member
 
Registered: Nov 2006
Location: Wenatchee, Washington
Distribution: ubuntu, Slackware, Sabayon
Posts: 63

Original Poster
Rep: Reputation: 15
OK, I'm still getting the same error even after compiling iptables 1.3.7. iptables is compiled into my kernel as well. lsmod | grep ip_tables outputs:
Code:
ip_tables  9688 0
X_tables   11140 1 ip_tables
 
Old 04-24-2007, 12:16 AM   #7
blackhole54
Senior Member
 
Registered: Mar 2006
Posts: 1,896

Rep: Reputation: 61
I dunno. It sounds to me like it should work. There's one more thing I can think of before I am out of ideas:

When you compiled iptables, did the resulting binary replace the original binary, or was it put someplace else? (When I compiled iptables, the resulting binary ended up in /usr/local/sbin. The original binary remained in /sbin.) If you now have two copies of iptables, make sure guarddog is using the one you just compiled.

Beyond that, all I can do is wish you good luck.

EDIT: If you have two copies, you can see which one guarddog is using by checking the access times on the two binaries.

Last edited by blackhole54; 04-24-2007 at 12:18 AM.
 
Old 04-26-2007, 09:13 AM   #8
jayjwa
Member
 
Registered: Jul 2003
Location: NY
Distribution: Slackware64, LFS
Posts: 312

Rep: Reputation: 53
Yes, I've seen this before.

Quote:
FATAL: Module ip_tables not found.
iptables v1.3.5: can't initialize iptables table `filter': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
I think it may be a sort of bug that happens when you make certain parts of the netfilter/iptables system compiled in and others modules. I had it once and it drove me nuts on one machine; I think I let something be a module instead of compiling it in (or vice versa).

A few things to consider:
  • For recent kernels, like 2.6.20.6 or .7 you should use the snapshot iptables. The old stuff that comes with most distros won't cut it, especially if it shipped with an older kernel. I use snapshots all the time with no problems.
  • Config the kernel and compile it. The iptables user-land tool should be built against that kernel source afterwards.
  • When you install a new iptables/netfilter system, whack the old one and install into /usr as a base. That puts the .so files in /usr/lib/iptables. Set your makefile command correctly.
  • Maybe Guard Dog is being a naughty puppy? Check by hand iptables works first, then use it with firewall apps if you want.

2.6.20.7 was out last I checked. I used these sources off ftp.kernel.org and ftp.netfilter.org. Note that the iptables I'm using with kernels as new as ours is much more recent than 1.3.5, which was probably a production version anyway.

Code:
ipset-20070414.tar.bz2                   linux-2.6.20.7.tar.bz2
patch-o-matic-ng-20070414.tar.bz2
iptables-1.3.7-20070414.tar.bz2          netfilter-2.6.20-ip_output.patch.gz
IPV4OPTSSTRIP-2.6-skb-writable.patch.gz
You can obviously skip ipset and patch-o-matic-ng if you don't use them. Same with the patches.

Be careful of some of the recent snapshot files on ftp.netfilter.org. Their auto-tarballer seems to be spitting out broken tarballs that are only 40-something bytes in length.

Code:
egrep -n 'PTABLE|NETFILT' /boot/config

320:CONFIG_NETFILTER=y
321:# CONFIG_NETFILTER_DEBUG is not set
322:CONFIG_BRIDGE_NETFILTER=y
327:CONFIG_NETFILTER_NETLINK=m
328:CONFIG_NETFILTER_NETLINK_QUEUE=m
329:CONFIG_NETFILTER_NETLINK_LOG=m
348:CONFIG_NETFILTER_XTABLES=y
349:CONFIG_NETFILTER_XT_TARGET_CLASSIFY=m
350:CONFIG_NETFILTER_XT_TARGET_DSCP=m
351:CONFIG_NETFILTER_XT_TARGET_MARK=m
352:CONFIG_NETFILTER_XT_TARGET_NFQUEUE=m
353:CONFIG_NETFILTER_XT_TARGET_NFLOG=m
354:CONFIG_NETFILTER_XT_TARGET_NOTRACK=m
355:CONFIG_NETFILTER_XT_MATCH_COMMENT=m
356:CONFIG_NETFILTER_XT_MATCH_CONNTRACK=m
357:CONFIG_NETFILTER_XT_MATCH_DCCP=m
358:CONFIG_NETFILTER_XT_MATCH_DSCP=m
359:CONFIG_NETFILTER_XT_MATCH_ESP=m
360:CONFIG_NETFILTER_XT_MATCH_HELPER=m
361:CONFIG_NETFILTER_XT_MATCH_LENGTH=m
362:CONFIG_NETFILTER_XT_MATCH_LIMIT=m
363:CONFIG_NETFILTER_XT_MATCH_MAC=m
364:CONFIG_NETFILTER_XT_MATCH_MARK=m
365:CONFIG_NETFILTER_XT_MATCH_POLICY=m
366:CONFIG_NETFILTER_XT_MATCH_MULTIPORT=m
367:CONFIG_NETFILTER_XT_MATCH_PHYSDEV=m
368:CONFIG_NETFILTER_XT_MATCH_PKTTYPE=m
369:CONFIG_NETFILTER_XT_MATCH_QUOTA=m
370:CONFIG_NETFILTER_XT_MATCH_REALM=m
371:CONFIG_NETFILTER_XT_MATCH_SCTP=m
372:CONFIG_NETFILTER_XT_MATCH_STATE=m
373:CONFIG_NETFILTER_XT_MATCH_STATISTIC=m
374:CONFIG_NETFILTER_XT_MATCH_STRING=m
375:CONFIG_NETFILTER_XT_MATCH_TCPMSS=m
376:CONFIG_NETFILTER_XT_MATCH_HASHLIMIT=m
384:CONFIG_IP_NF_IPTABLES=y
418:CONFIG_IP_NF_ARPTABLES=m
There's actually no module called ip_tables in my setup. I compile in the main pieces, leaving the add-ons like the matches and separate tables as modules.

Code:
# modprobe -l | grep ip_table
The module for the 'filter' tables I think is iptable_filter.ko.gz...

Code:
modprobe -l | grep iptable

/lib/modules/2.6.20.7/kernel/net/ipv4/netfilter/iptable_raw.ko.gz
/lib/modules/2.6.20.7/kernel/net/ipv4/netfilter/iptable_nat.ko.gz
/lib/modules/2.6.20.7/kernel/net/ipv4/netfilter/iptable_mangle.ko.gz
/lib/modules/2.6.20.7/kernel/net/ipv4/netfilter/iptable_filter.ko.gz

# ls /lib/modules/2.6.20.7/kernel/net/ipv4/netfilter/

arptable_filter.ko.gz    ip_set_nethash.ko.gz  ipt_ipv4options.ko.gz    ipt_SAME.ko.gz    ipt_ULOG.ko.gz
arp_tables.ko.gz         ip_set_portmap.ko.gz  ipt_IPV4OPTSSTRIP.ko.gz  ipt_set.ko.gz     nf_conntrack_ipv4.ko.gz
arpt_mangle.ko.gz        iptable_filter.ko.gz  ipt_LOG.ko.gz            ipt_SET.ko.gz     nf_nat_ftp.ko.gz
ip_queue.ko.gz           iptable_mangle.ko.gz  ipt_MASQUERADE.ko.gz     ipt_TARPIT.ko.gz  nf_nat_irc.ko.gz
ip_set_iphash.ko.gz      iptable_nat.ko.gz     ipt_NETMAP.ko.gz         ipt_TCPMSS.ko.gz  nf_nat.ko.gz
ip_set_ipmap.ko.gz       iptable_raw.ko.gz     ipt_owner.ko.gz          ipt_tos.ko.gz     nf_nat_pptp.ko.gz
ip_set_ipporthash.ko.gz  ipt_addrtype.ko.gz    ipt_recent.ko.gz         ipt_TOS.ko.gz     nf_nat_proto_gre.ko.gz
ip_set_iptree.ko.gz      ipt_ecn.ko.gz         ipt_REDIRECT.ko.gz       ipt_ttl.ko.gz     nf_nat_snmp_basic.ko.gz
ip_set.ko.gz             ipt_ECN.ko.gz         ipt_REJECT.ko.gz         ipt_TTL.ko.gz     nf_nat_tftp.ko.gz
ip_set_macipmap.ko.gz    ipt_iprange.ko.gz     ipt_ROUTE.ko.gz          ipt_u32.ko.gz
After you think you have it fixed, see if something like this works before using Guarddog:

Code:
iptables -A INPUT -p tcp --dport 80 -j LOG --log-level 7 --log-prefix "IPT Test: "

iptables -L INPUT -n -v --line-numbers
The patches, if you need them; it depends.

Code:
--- net/ipv4/ip_output.c.orig	2007-02-09 23:24:57.000000000 -0500
+++ net/ipv4/ip_output.c	2007-02-09 23:25:07.000000000 -0500
@@ -1396,0 +1397 @@ void __init ip_init(void)
+EXPORT_SYMBOL(sysctl_ip_default_ttl);
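Review bot: the hunk carries no context lines at all (@@ -1396,0 +1397 @@), so patch(1) can only place it by line number; against any ip_output.c other than the one it was cut from it may apply silently at the wrong spot, so confirm that the EXPORT_SYMBOL really lands right after ip_init() in the patched file. The hunk also gives no reason for the export; the patch description should say which out-of-tree netfilter module needs sysctl_ip_default_ttl exposed, since every module can then read that sysctl value.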


--- net/ipv4/netfilter/ipt_IPV4OPTSSTRIP.c.old	2006-01-23 03:29:26.000000000 -0500
+++ net/ipv4/netfilter/ipt_IPV4OPTSSTRIP.c	2006-01-23 03:30:11.000000000 -0500
@@ -30,7 +30,7 @@
 	unsigned char *optiph;
 	int l;
 	
-	if (!skb_ip_make_writable(pskb, (*pskb)->len))
+	if (!skb_make_writable(pskb, (*pskb)->len))
 		return NF_DROP;
  
 	skb = (*pskb);
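Review bot: the change keeps the `return NF_DROP;` when the packet cannot be made writable, which is the right fail-closed choice for a target that rewrites the header in place. Before relying on it, check that skb_make_writable in the 2.6.20 tree takes the same (struct sk_buff **, unsigned int) arguments as the removed skb_ip_make_writable, because pskb is still passed as a double pointer on the `+` line; a mismatch will show up as a build error rather than a silent one, and it is worth a note in the patch that the rename only follows the kernel's helper rename and changes no behaviour.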

Last edited by jayjwa; 04-26-2007 at 09:20 AM.
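The checks from jschiwal's, blackhole54's and jayjwa's posts combined into one script, as an added example that is not from the thread: it reads an uncompressed kernel config (assumed path, e.g. /boot/config or the output of zcat /proc/config.gz saved to a file) and reports whether each netfilter option the error depends on is built in, a module, or missing, consulting lsmod for modules. The option-to-module mapping is taken from the module names shown in the posts above; CONFIG_IP_NF_FILTER, the option that builds iptable_filter (the `filter' table the error names), is the one neither grep above happened to show.

```shell
#!/bin/sh
# Added example, not code from the thread: classify the netfilter options the
# posts above grep for as built-in (y), module (m) or absent (n) and, for a
# module, say whether lsmod currently shows it loaded. Input is an uncompressed
# kernel config such as /boot/config (or: zcat /proc/config.gz > /tmp/config).
# Options the "Table does not exist" error depends on, paired with the module
# each builds when set to m (the names the thread's lsmod / modprobe -l show);
# CONFIG_IP_NF_FILTER is the one that builds the filter table itself.
OPTIONS="CONFIG_NETFILTER:- CONFIG_NETFILTER_XTABLES:x_tables \
CONFIG_IP_NF_IPTABLES:ip_tables CONFIG_IP_NF_FILTER:iptable_filter \
CONFIG_NF_CONNTRACK_IPV4:nf_conntrack_ipv4"

# Print y, m or n for one CONFIG_ symbol ($2) in a config file ($1).
cfg_state() {
    if grep -q "^$2=y" "$1"; then echo y
    elif grep -q "^$2=m" "$1"; then echo m
    else echo n
    fi
}

# Print, one per line, the options in OPTIONS that the config does not enable.
missing_options() {
    for entry in $OPTIONS; do
        opt=${entry%%:*}
        [ "$(cfg_state "$1" "$opt")" = n ] && echo "$opt"
    done
    return 0
}

# Report every option; for a module, also check lsmod when it is available.
report() {
    for entry in $OPTIONS; do
        opt=${entry%%:*}; mod=${entry#*:}; state=$(cfg_state "$1" "$opt"); note=""
        if [ "$state" = m ] && [ "$mod" != - ] && command -v lsmod >/dev/null 2>&1; then
            if lsmod | grep -q "^$mod "; then note=" (loaded)"
            else note=" (not loaded: try modprobe $mod)"; fi
        fi
        echo "$opt=$state$note"
    done
}

# Constructed sample config: everything present except the filter table, the
# situation that produces "can't initialize iptables table filter".
sample_config() {
    f=$(mktemp)
    printf '%s\n' CONFIG_NETFILTER=y CONFIG_NETFILTER_XTABLES=m CONFIG_IP_NF_IPTABLES=m \
        '# CONFIG_IP_NF_FILTER is not set' CONFIG_NF_CONNTRACK_IPV4=m > "$f"
    echo "$f"
}

report "${1:-$(sample_config)}"
```

Run it as `sh check_nf.sh /boot/config` on the real config; without an argument it reports on the constructed sample, where only CONFIG_IP_NF_FILTER comes back as n.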
 
Old 04-27-2007, 05:32 PM   #9
RedEyez
Member
 
Registered: Nov 2006
Location: Wenatchee, Washington
Distribution: ubuntu, Slackware, Sabayon
Posts: 63

Original Poster
Rep: Reputation: 15
Thanks for the help guys, I now have it working. jayjwa, you were right about some things having to be compiled in while others are made as modules. I also left a couple of things out of the compile the first few times, and I'm also using iptables 1.3.7 from packages.slackware.it.
 