iptables kernel 2.6.16.19

pljvaldez · 06-15-2006, 09:35 PM

I compiled a 2.6.16.19 kernel on a Debian Sarge laptop. I'm having some problems with getting any firewall to work. I'm just trying to get a typical client firewall as required by work on all machines on the network.

I've tried fwbuilder and guarddog. When I try to install the rules I setup, I get an error "iptables: No chain/target/match by that name". I assume that I missed something in my kernel compile since it works on the stock 2.6.8-3-686 kernel. I would just use the stock kernel, except that ACPI doesn't seem to work on that kernel with this laptop. Here's the output of lsmod:

Code:

Module                  Size  Used by
xt_tcpudp               3584  28 
ipt_REJECT              4608  4 
xt_limit                2304  6 
ipt_LOG                 6400  6 
ip_conntrack_ftp        6384  0 
ip_conntrack           41868  1 ip_conntrack_ftp
iptable_filter          2560  1 
ip_tables              10840  1 iptable_filter
x_tables                9732  5 xt_tcpudp,ipt_REJECT,xt_limit,ipt_LOG,ip_tables
snd_mixer_oss          16768  0 
radeon                107936  1 
drm                    64148  2 radeon
ipv6                  234496  12 
parport_pc             25028  1 
lp                      9156  0 
parport                32328  2 parport_pc,lp
snd_intel8x0           28956  0 
snd_ac97_codec         91296  1 snd_intel8x0
snd_ac97_bus            2048  1 snd_ac97_codec
snd_pcm                76808  2 snd_intel8x0,snd_ac97_codec
snd_timer              20100  1 snd_pcm
snd                    44388  5 snd_mixer_oss,snd_intel8x0,snd_ac97_codec,snd_pcm,snd_timer
snd_page_alloc          8840  2 snd_intel8x0,snd_pcm
i2c_i801                8076  0 
i2c_core               17296  1 i2c_i801
generic                 4484  0 [permanent]
intel_agp              20252  1 
uhci_hcd               29840  0 
usbcore               114948  2 uhci_hcd
i810_audio             32660  1 
ac97_codec             18060  1 i810_audio
soundcore               7392  3 snd,i810_audio
e100                   32132  0 
mii                     4992  1 e100
ohci1394               31280  0 
yenta_socket           24076  0 
rsrc_nonstatic         11776  1 yenta_socket
agpgart                28848  2 drm,intel_agp
joydev                  8384  0 
nls_iso8859_1           4096  1 
nls_cp437               5760  1 
vfat                   10496  1 
fat                    47388  1 vfat
sr_mod                 14244  0 
sbp2                   20868  0 
scsi_mod              126824  2 sr_mod,sbp2
ieee1394               87864  2 ohci1394,sbp2
psmouse                38024  0 
ide_generic             1408  0 [permanent]
ide_cd                 38532  0 
cdrom                  37792  2 sr_mod,ide_cd
genrtc                  8064  0

Are there any modules pertinent to firewalling that you can see missing???

blackhole54 · 06-16-2006, 12:27 AM

Under some circumstances the "iptables" command can be out of sync with the kernel and cause problems. I was getting similar error messages once, and downloading the source for iptables and compiling it solved the problem. When you do this, you point the build script to the actual kernel source/configuration you are using.

Good luck.

osor · 06-16-2006, 02:14 PM

iptables is compiled for a specific kernel. If it happens to work correctly between kernel upgrades, this is pure luck. When compiling the kernel, make sure to enable the netfilter stuff you want. Then, when compiling iptables, make sure to give it the build directory of the kernel for which it is supposed to run.

pljvaldez · 06-16-2006, 03:12 PM

Do I just download the iptables source from the Sarge repository or do I need to download a tar.gz from another source? And does it matter which version I use with this particular kernel (the sarge version appears to be 1.2.11)?

osor · 06-16-2006, 03:53 PM

If you compiled a very recent vanilla kernel, I suggest you get the most recent iptables source (1.3.5) either from the netfilter site or from debian.

pljvaldez · 06-16-2006, 04:29 PM

Thanks, guys. Everything compiled fine and if I run /usr/local/sbin/iptables -V, then I get version 1.3.5 listed.

Okay, new question directly related. So how do I make guarddog use those iptables instead of the ones in /sbin? The new iptables are in /usr/local/sbin, which is in root's path (I have to enter the root password to use guarddog, so I assume it's running as root). But I keep getting the same errors which imply to me that the program is using the wrong iptables...

Maybe I'll just reinstall fwbuilder, I feel like I remember it having a place to put in the path to the iptables you wanted to use.

Oh, another question, should I point the program to use "iptables" or "ip6tables" if there's only one configurable?

blackhole54 · 06-17-2006, 06:36 AM

Quote:

Originally Posted by pljvaldez

So how do I make guarddog use those iptables instead of the ones in /sbin? The new iptables are in /usr/local/sbin, which is in root's path (I have to enter the root password to use guarddog, so I assume it's running as root). But I keep getting the same errors which imply to me that the program is using the wrong iptables...

Which version gets used depends on what guarddog does. If it generates a bash script you can look at the script and see whether it specifies a path to iptables. I.e. do the lines start with "iptables ..." or dothey start with /sbin/iptables ..." In the first case, if /usr/local/sbin is in $PATH before /sbin, then your new copy will be used. If it specifies the path, you either need to convince it to specify the right path, hand edit the script, or (using your package manager) remove the /sbin/iptables and replace it with a symlink pointing to the new one. (that last option is really ugly!)

If you have have verified that it is using the new version and you are still getting errors, your first thought about not having the right module compiled might be correct. If you have both kernels handy (you did keep the old one, didn't you?

) and can easily get each to use the proper copy of iptables, you might , in each case, save the output of lsmod to a file and compare them to see the difference. (The cut, sort and diff utitlities can help you compare them.)

Alternatively, you could try to see which iptable command(s) is generating the error(s). If the output of guarddog or fwbuilder is a bash script, you can manully add "set -x" to the beginning of the script, which will list each command as it executes so you can see what command(s) is generating the error(s).

.

Quote:

Originally Posted by pljvaldez

Oh, another question, should I point the program to use "iptables" or "ip6tables" if there's only one configurable?

ip6tables is for IPv6. I have no experience with v6, but unless you feel confident your are using v6, you are probably using IPv4, and iptables will work fine.

pljvaldez · 06-17-2006, 01:12 PM

Thanks. I actually ended up solving this problem a little differently. I went back and just compiled in all the iptables stuff instead of loading modules. Now it all seems to work with whatever firewall I use.

In the end I decided on using firestarter, which is kinda nice to work with because you can modify it easily on the fly and see what types of events are being hit on.

I still like fwbuilder for constructing my own, but the examples folder of the fwbuilder-doc is missing the init.d scripts and I'm not sure I would know how to write my own.

Thanks for everyone's help!