LinuxQuestions.org (/questions/)
-   Linux - Kernel (https://www.linuxquestions.org/questions/linux-kernel-70/)
-   -   iptables kernel 2.6.16.19 (https://www.linuxquestions.org/questions/linux-kernel-70/iptables-kernel-2-6-16-19-a-455239/)

pljvaldez 06-15-2006 09:35 PM

iptables kernel 2.6.16.19
 
I compiled a 2.6.16.19 kernel on a Debian Sarge laptop. I'm having some problems with getting any firewall to work. I'm just trying to get a typical client firewall as required by work on all machines on the network.

I've tried fwbuilder and guarddog. When I try to install the rules I setup, I get an error "iptables: No chain/target/match by that name". I assume that I missed something in my kernel compile since it works on the stock 2.6.8-3-686 kernel. I would just use the stock kernel, except that ACPI doesn't seem to work on that kernel with this laptop. Here's the output of lsmod:
Code:

Module                  Size  Used by
xt_tcpudp              3584  28
ipt_REJECT              4608  4
xt_limit                2304  6
ipt_LOG                6400  6
ip_conntrack_ftp        6384  0
ip_conntrack          41868  1 ip_conntrack_ftp
iptable_filter          2560  1
ip_tables              10840  1 iptable_filter
x_tables                9732  5 xt_tcpudp,ipt_REJECT,xt_limit,ipt_LOG,ip_tables
snd_mixer_oss          16768  0
radeon                107936  1
drm                    64148  2 radeon
ipv6                  234496  12
parport_pc            25028  1
lp                      9156  0
parport                32328  2 parport_pc,lp
snd_intel8x0          28956  0
snd_ac97_codec        91296  1 snd_intel8x0
snd_ac97_bus            2048  1 snd_ac97_codec
snd_pcm                76808  2 snd_intel8x0,snd_ac97_codec
snd_timer              20100  1 snd_pcm
snd                    44388  5 snd_mixer_oss,snd_intel8x0,snd_ac97_codec,snd_pcm,snd_timer
snd_page_alloc          8840  2 snd_intel8x0,snd_pcm
i2c_i801                8076  0
i2c_core              17296  1 i2c_i801
generic                4484  0 [permanent]
intel_agp              20252  1
uhci_hcd              29840  0
usbcore              114948  2 uhci_hcd
i810_audio            32660  1
ac97_codec            18060  1 i810_audio
soundcore              7392  3 snd,i810_audio
e100                  32132  0
mii                    4992  1 e100
ohci1394              31280  0
yenta_socket          24076  0
rsrc_nonstatic        11776  1 yenta_socket
agpgart                28848  2 drm,intel_agp
joydev                  8384  0
nls_iso8859_1          4096  1
nls_cp437              5760  1
vfat                  10496  1
fat                    47388  1 vfat
sr_mod                14244  0
sbp2                  20868  0
scsi_mod              126824  2 sr_mod,sbp2
ieee1394              87864  2 ohci1394,sbp2
psmouse                38024  0
ide_generic            1408  0 [permanent]
ide_cd                38532  0
cdrom                  37792  2 sr_mod,ide_cd
genrtc                  8064  0

Are there any modules pertinent to firewalling that you can see missing???

blackhole54 06-16-2006 12:27 AM

Under some circumstances the "iptables" command can be out of sync with the kernel and cause problems. I was getting similar error messages once, and downloading the source for iptables and compiling it solved the problem. When you do this, you point the build script to the actual kernel source/configuration you are using.


Good luck.

osor 06-16-2006 02:14 PM

iptables is compiled for a specific kernel. If it happens to work correctly between kernel upgrades, this is pure luck. When compiling the kernel, make sure to enable the netfilter stuff you want. Then, when compiling iptables, make sure to give it the build directory of the kernel for which it is supposed to run.

pljvaldez 06-16-2006 03:12 PM

Do I just download the iptables source from the Sarge repository or do I need to download a tar.gz from another source? And does it matter which version I use with this particular kernel (the sarge version appears to be 1.2.11)?

osor 06-16-2006 03:53 PM

If you compiled a very recent vanilla kernel, I suggest you get the most recent iptables source (1.3.5) either from the netfilter site or from debian.

pljvaldez 06-16-2006 04:29 PM

Thanks, guys. Everything compiled fine and if I run /usr/local/sbin/iptables -V, then I get version 1.3.5 listed.

Okay, new question directly related. So how do I make guarddog use those iptables instead of the ones in /sbin? The new iptables are in /usr/local/sbin, which is in root's path (I have to enter the root password to use guarddog, so I assume it's running as root). But I keep getting the same errors which imply to me that the program is using the wrong iptables...

Maybe I'll just reinstall fwbuilder, I feel like I remember it having a place to put in the path to the iptables you wanted to use.

Oh, another question, should I point the program to use "iptables" or "ip6tables" if there's only one configurable?

blackhole54 06-17-2006 06:36 AM

Quote:

Originally Posted by pljvaldez
So how do I make guarddog use those iptables instead of the ones in /sbin? The new iptables are in /usr/local/sbin, which is in root's path (I have to enter the root password to use guarddog, so I assume it's running as root). But I keep getting the same errors which imply to me that the program is using the wrong iptables...

Which version gets used depends on what guarddog does. If it generates a bash script you can look at the script and see whether it specifies a path to iptables. I.e. do the lines start with "iptables ..." or do they start with "/sbin/iptables ..."? In the first case, if /usr/local/sbin is in $PATH before /sbin, then your new copy will be used. If it specifies the path, you either need to convince it to specify the right path, hand edit the script, or (using your package manager) remove the /sbin/iptables and replace it with a symlink pointing to the new one. (That last option is really ugly!)

If you have verified that it is using the new version and you are still getting errors, your first thought about not having the right module compiled might be correct. If you have both kernels handy (you did keep the old one, didn't you? :) ) and can easily get each to use the proper copy of iptables, you might, in each case, save the output of lsmod to a file and compare them to see the difference. (The cut, sort and diff utilities can help you compare them.)

Alternatively, you could try to see which iptables command(s) is generating the error(s). If the output of guarddog or fwbuilder is a bash script, you can manually add "set -x" to the beginning of the script, which will list each command as it executes so you can see what command(s) is generating the error(s).


Quote:

Originally Posted by pljvaldez
Oh, another question, should I point the program to use "iptables" or "ip6tables" if there's only one configurable?

ip6tables is for IPv6. I have no experience with v6, but unless you feel confident you are using v6, you are probably using IPv4, and iptables will work fine.
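The "No chain/target/match by that name" error means the kernel has no extension registered under the name the iptables binary asked for, so the quickest way to narrow it down is to compare the -m matches and -j targets the firewall script uses against what lsmod shows loaded. The script below is an added example written for this thread, not code from the original posts or from guarddog/fwbuilder. Both the rule lines and the lsmod text are constructed sample input (the lsmod lines are a subset of the output posted above), and it assumes the 2.6.16 naming convention where a match or target "foo" lives in a module called xt_foo or ipt_foo.

```shell
#!/bin/sh
# Added example: list the iptables matches (-m) and targets (-j) a rule
# script uses whose netfilter module does not appear in lsmod output.
# Assumption: extension "foo" is provided by module xt_foo or ipt_foo.

# Constructed sample lsmod output (subset of what the original post shows).
SAMPLE_LSMOD='Module                  Size  Used by
xt_tcpudp              3584  28
ipt_REJECT              4608  4
xt_limit                2304  6
ipt_LOG                6400  6
ip_conntrack          41868  1 ip_conntrack_ftp
iptable_filter          2560  1
ip_tables              10840  1 iptable_filter
x_tables                9732  5 xt_tcpudp,ipt_REJECT,xt_limit,ipt_LOG,ip_tables'

# Constructed sample rules, typical of what a client-firewall generator emits.
SAMPLE_RULES='iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -m limit --limit 3/min -j LOG
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -j REJECT'

# loaded_modules <lsmod text>: print the module-name column, one per line,
# skipping the header row.
loaded_modules() {
    printf '%s\n' "$1" | awk 'NR > 1 { print $1 }'
}

# rule_extensions <rules text>: print each distinct name that follows
# -m (match) or -j (target), one per line.
rule_extensions() {
    printf '%s\n' "$1" \
        | awk '{ for (i = 1; i < NF; i++) if ($i == "-m" || $i == "-j") print $(i + 1) }' \
        | sort -u
}

# Targets that are built into ip_tables itself and never show up as modules.
# A user-defined chain name used with -j would also be reported; treat those
# as false positives when reading the output.
is_builtin_target() {
    case "$1" in
        ACCEPT|DROP|RETURN|QUEUE) return 0 ;;
    esac
    return 1
}

# missing_extensions <rules text> <lsmod text>: print every extension the
# rules need for which neither xt_<name> nor ipt_<name> is loaded.
missing_extensions() {
    loaded=$(loaded_modules "$2")
    rule_extensions "$1" | while read -r ext; do
        is_builtin_target "$ext" && continue
        if printf '%s\n' "$loaded" | grep -qx -e "xt_$ext" -e "ipt_$ext"; then
            continue
        fi
        printf '%s\n' "$ext"
    done
}

# On a real machine: missing_extensions "$(cat /etc/firewall.sh)" "$(lsmod)"
missing_extensions "$SAMPLE_RULES" "$SAMPLE_LSMOD"
```

With the sample input the only line printed is "state": the sample rules use the state match, and nothing named xt_state or ipt_state is loaded, which is exactly the kind of gap that produces "No chain/target/match by that name". Two caveats: extensions compiled into the kernel (=y rather than =m) never appear in lsmod, so on such a kernel an empty or short lsmod is not evidence of a problem; and the check only tells you what the kernel side lacks. To confirm which iptables binary the generated script actually runs, check `type -a iptables` as root before adding blackhole54's `set -x` to the script.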

pljvaldez 06-17-2006 01:12 PM

Thanks. I actually ended up solving this problem a little differently. I went back and just compiled in all the iptables stuff instead of loading modules. Now it all seems to work with whatever firewall I use.

In the end I decided on using firestarter, which is kinda nice to work with because you can modify it easily on the fly and see what types of events are being hit on.

I still like fwbuilder for constructing my own, but the examples folder of the fwbuilder-doc is missing the init.d scripts and I'm not sure I would know how to write my own.

Thanks for everyone's help!

