Linux - Kernel: This forum is for all discussion relating to the Linux kernel.
I compiled a 2.6.16.19 kernel on a Debian Sarge laptop. I'm having some problems with getting any firewall to work. I'm just trying to get a typical client firewall as required by work on all machines on the network.
I've tried fwbuilder and guarddog. When I try to install the rules I set up, I get an error "iptables: No chain/target/match by that name". I assume that I missed something in my kernel compile since it works on the stock 2.6.8-3-686 kernel. I would just use the stock kernel, except that ACPI doesn't seem to work on that kernel with this laptop. Here's the output of lsmod:
Under some circumstances the "iptables" command can be out of sync with the kernel and cause problems. I was getting similar error messages once, and downloading the source for iptables and compiling it solved the problem. When you do this, you point the build script to the actual kernel source/configuration you are using.
Good luck.
Last edited by blackhole54; 06-16-2006 at 01:08 AM.
iptables is compiled for a specific kernel. If it happens to work correctly between kernel upgrades, this is pure luck. When compiling the kernel, make sure to enable the netfilter stuff you want. Then, when compiling iptables, make sure to give it the build directory of the kernel for which it is supposed to run.
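The two replies above come down to a pair of checks: is the netfilter support the generated rules need actually present in the kernel tree you compiled, and was iptables built against that same tree. The script below is an added example, not code from the thread or from the iptables project. It inspects a kernel build tree's .config for the 2.6.16-era options a stateful client firewall relies on (CONFIG_NETFILTER, CONFIG_IP_NF_IPTABLES, CONFIG_IP_NF_FILTER, CONFIG_IP_NF_CONNTRACK, CONFIG_IP_NF_MATCH_STATE, CONFIG_IP_NF_TARGET_REJECT, CONFIG_IP_NF_TARGET_LOG), separates options built as modules from built-in ones, and prints the iptables 1.3.x build invocation, which takes the kernel tree through the KERNEL_DIR make variable. The .config fragment and the kernel path /usr/src/linux-2.6.16.19 are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): check a kernel tree's .config for the
# netfilter options a typical client firewall needs, then show how to point the
# iptables 1.3.x build at that tree. The sample .config and the kernel path are
# constructed assumptions.

# 2.6.16-era options a stateful client firewall (guarddog/fwbuilder style) uses.
NEEDED_OPTS="CONFIG_NETFILTER CONFIG_IP_NF_IPTABLES CONFIG_IP_NF_FILTER CONFIG_IP_NF_CONNTRACK CONFIG_IP_NF_MATCH_STATE CONFIG_IP_NF_TARGET_REJECT CONFIG_IP_NF_TARGET_LOG"

# Print every needed option that is neither built in (=y) nor a module (=m).
# Returns 0 when nothing is missing, 1 otherwise.
missing_netfilter_opts() {
    config="$1"
    rc=0
    for opt in $NEEDED_OPTS; do
        if ! grep -q "^${opt}=[ym]$" "$config"; then
            echo "$opt"
            rc=1
        fi
    done
    return $rc
}

# Netfilter options compiled as modules (=m). These only work once the module
# is loaded, so they are the ones to look for in lsmod; building them in (=y)
# removes that dependency, which is what the thread's final fix did.
module_netfilter_opts() {
    grep -E '^CONFIG_(NETFILTER|IP_NF_[A-Z_]*)=m$' "$1" | cut -d= -f1
}

# The iptables 1.3.x Makefile takes the kernel tree via KERNEL_DIR.
iptables_build_cmd() {
    echo "make KERNEL_DIR=$1 && make install KERNEL_DIR=$1"
}

# --- constructed sample .config fragment -----------------------------------
SAMPLE_CONFIG=$(mktemp)
cat > "$SAMPLE_CONFIG" <<'EOF'
CONFIG_NETFILTER=y
CONFIG_IP_NF_CONNTRACK=m
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_MATCH_STATE=m
CONFIG_IP_NF_FILTER=m
# CONFIG_IP_NF_TARGET_REJECT is not set
CONFIG_IP_NF_TARGET_LOG=m
EOF

echo "Options missing from the kernel config:"
missing_netfilter_opts "$SAMPLE_CONFIG" || true
echo "Options built as modules (must appear in lsmod when the rules load):"
module_netfilter_opts "$SAMPLE_CONFIG"
echo "Build iptables against this tree with:"
iptables_build_cmd /usr/src/linux-2.6.16.19
```

Run it against a real tree by replacing the constructed fragment with the path to that tree's .config; a rule that uses `-j REJECT` against the sample above is exactly the kind that fails with "No chain/target/match by that name".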
Do I just download the iptables source from the Sarge repository or do I need to download a tar.gz from another source? And does it matter which version I use with this particular kernel (the sarge version appears to be 1.2.11)?
Thanks, guys. Everything compiled fine and if I run /usr/local/sbin/iptables -V, then I get version 1.3.5 listed.
Okay, new question directly related. So how do I make guarddog use those iptables instead of the ones in /sbin? The new iptables are in /usr/local/sbin, which is in root's path (I have to enter the root password to use guarddog, so I assume it's running as root). But I keep getting the same errors which imply to me that the program is using the wrong iptables...
Maybe I'll just reinstall fwbuilder, I feel like I remember it having a place to put in the path to the iptables you wanted to use.
Oh, another question, should I point the program to use "iptables" or "ip6tables" if there's only one configurable?
So how do I make guarddog use those iptables instead of the ones in /sbin? The new iptables are in /usr/local/sbin, which is in root's path (I have to enter the root password to use guarddog, so I assume it's running as root). But I keep getting the same errors which imply to me that the program is using the wrong iptables...
Which version gets used depends on what guarddog does. If it generates a bash script you can look at the script and see whether it specifies a path to iptables. I.e. do the lines start with "iptables ..." or do they start with "/sbin/iptables ..."? In the first case, if /usr/local/sbin is in $PATH before /sbin, then your new copy will be used. If it specifies the path, you either need to convince it to specify the right path, hand edit the script, or (using your package manager) remove the /sbin/iptables and replace it with a symlink pointing to the new one. (That last option is really ugly!)
If you have verified that it is using the new version and you are still getting errors, your first thought about not having the right module compiled might be correct. If you have both kernels handy (you did keep the old one, didn't you?) and can easily get each to use the proper copy of iptables, you might, in each case, save the output of lsmod to a file and compare them to see the difference. (The cut, sort and diff utilities can help you compare them.)
Alternatively, you could try to see which iptables command(s) is generating the error(s). If the output of guarddog or fwbuilder is a bash script, you can manually add "set -x" to the beginning of the script, which will list each command as it executes so you can see what command(s) is generating the error(s).
Quote:
Originally Posted by pljvaldez
Oh, another question, should I point the program to use "iptables" or "ip6tables" if there's only one configurable?
ip6tables is for IPv6. I have no experience with v6, but unless you feel confident you are using v6, you are probably using IPv4, and iptables will work fine.
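The reply above suggests two diagnostics: look at whether the generated firewall script calls a bare "iptables" (resolved through $PATH) or a hard-coded /sbin/iptables, and save lsmod output under each kernel and compare the two listings with cut, sort and diff. The script below is an added example, not code from the thread or from guarddog/fwbuilder. It classifies a firewall script's iptables calls, reports which binary a bare "iptables" resolves to in the current $PATH, and lists modules loaded under one kernel but not the other using cut, sort and comm. The firewall script and both lsmod listings are constructed samples.

```shell
#!/bin/sh
# Added example, not code from the thread or from guarddog/fwbuilder.
# Two checks for the situation in the reply above:
#   1) how a generated firewall script invokes iptables (bare name resolved via
#      $PATH, or a hard-coded absolute path), and
#   2) which modules are loaded under the stock kernel but not the custom one,
#      computed from two saved lsmod listings with cut/sort/comm.
# The script and lsmod listings below are constructed samples.
export LC_ALL=C   # fixed collation so sort and comm agree on ordering

# Print "path", "bare", "mixed" or "none" for how the script calls iptables.
iptables_call_style() {
    abs=$(grep -c '^[[:space:]]*/[^[:space:]]*/iptables[[:space:]]' "$1" || true)
    bare=$(grep -c '^[[:space:]]*iptables[[:space:]]' "$1" || true)
    if [ "$abs" -gt 0 ] && [ "$bare" -gt 0 ]; then echo mixed
    elif [ "$abs" -gt 0 ]; then echo path
    elif [ "$bare" -gt 0 ]; then echo bare
    else echo none
    fi
}

# Which binary a bare "iptables" resolves to in the caller's $PATH.
resolve_iptables() {
    command -v iptables 2>/dev/null || echo "iptables not found in PATH=$PATH"
}

# First column of an lsmod listing (module names), header dropped, sorted.
module_names() {
    tail -n +2 "$1" | cut -d' ' -f1 | sort
}

# Modules present in listing 1 but absent from listing 2, one per line.
modules_only_in_first() {
    a=$(mktemp); b=$(mktemp)
    module_names "$1" > "$a"
    module_names "$2" > "$b"
    comm -23 "$a" "$b"
    rm -f "$a" "$b"
}

# --- constructed samples -----------------------------------------------------
FW_SCRIPT=$(mktemp)
cat > "$FW_SCRIPT" <<'EOF'
#!/bin/sh
iptables -F
iptables -P INPUT DROP
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF

LSMOD_STOCK=$(mktemp)     # lsmod saved under the working stock kernel
cat > "$LSMOD_STOCK" <<'EOF'
Module                  Size  Used by
ipt_state                2048  4
ipt_REJECT               5120  1
ipt_LOG                  6144  2
iptable_filter           3072  1
ip_conntrack            40960  1 ipt_state
ip_tables               20480  4 ipt_state,ipt_REJECT,ipt_LOG,iptable_filter
snd_intel8x0            30720  0
EOF

LSMOD_CUSTOM=$(mktemp)    # lsmod saved under the custom kernel
cat > "$LSMOD_CUSTOM" <<'EOF'
Module                  Size  Used by
ip_tables               20480  0
snd_intel8x0            30720  0
EOF

echo "firewall script calls iptables as: $(iptables_call_style "$FW_SCRIPT")"
echo "bare iptables resolves to: $(resolve_iptables)"
echo "modules loaded on the stock kernel but not on the custom kernel:"
modules_only_in_first "$LSMOD_STOCK" "$LSMOD_CUSTOM"
```

A "mixed" or "path" result means changing root's $PATH will not redirect every call, which matches the reply's warning about hard-coded paths. To find the exact failing command, run the generated script as `sh -x script` (or add `set -x` at its top, as the reply says) and read the trace line printed just before the "No chain/target/match by that name" error.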
Thanks. I actually ended up solving this problem a little differently. I went back and just compiled in all the iptables stuff instead of loading modules. Now it all seems to work with whatever firewall I use.
In the end I decided on using firestarter, which is kinda nice to work with because you can modify it easily on the fly and see what types of events are being hit on.
I still like fwbuilder for constructing my own, but the examples folder of the fwbuilder-doc is missing the init.d scripts and I'm not sure I would know how to write my own.