LinuxQuestions.org
Old 10-12-2006, 08:04 AM   #1
alfista
LQ Newbie
 
Registered: Oct 2006
Posts: 24

Rep: Reputation: 15
HELP! Iptables problem after kernel upgrade


Hi All,

Fairly new to linux - probably know just enough to be dangerous.

I've been fighting with a CentOS Server 4.4 install that had really bad IO performance and recently compiled my own kernel to remedy the problem. I'm now running a 2.6.18 kernel and thankfully the IO problems appear to have gone away.

However, in doing so, I appear to have broken iptables. I get these messages when starting the service:

Code:
Flushing firewall rules:                                   [  OK  ]
Setting chains to policy ACCEPT: raw nat mangle filter     [FAILED]
Unloading iptables modules:                                [  OK  ]
Applying iptables firewall rules: iptables-restore: line 33 failed
                                                           [FAILED]
my /etc/sysconfig/iptables file looks like this and was working before. Even a config file copied from a Fedora Core 4 2.6.17 kernel gives this error:

Code:
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -o eth0 -j LOG  --log-level 7 --log-prefix BANDWIDTH_OUT:
-A FORWARD -i eth0 -j LOG  --log-level 7 --log-prefix BANDWIDTH_IN:
-A OUTPUT -o eth0 -j LOG  --log-level 7 --log-prefix BANDWIDTH_OUT:
-A INPUT -i eth0 -j LOG  --log-level 7 --log-prefix BANDWIDTH_IN:
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -d 224.0.0.251 --dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state -m tcp --dport 22 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state --dport 80 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state --dport 21 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state --dport 10000 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state --dport 8080 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state --dport 25 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state --dport 143 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state --dport 5729 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state --dport 389 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state --dport 110 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state --dport 443 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Generated by webmin
*mangle
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed
# Generated by webmin
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed
Any help would be seriously appreciated. I've spent too much time fighting with this but don't want to return to Windows, which was working great as a VMware host prior to this conversion.

Thanks in advance!

Jason
 
Old 10-12-2006, 08:53 AM   #2
Lenard
Senior Member
 
Registered: Dec 2005
Location: Indiana
Distribution: RHEL/CentOS/SL 5 i386 and x86_64 pata for IDE in use
Posts: 4,790

Rep: Reputation: 57
So, it looks like you forgot to configure the Netfilter section when you built your kernel, try again.

Maybe this will help;

#
# Core Netfilter Configuration
#
# CONFIG_NETFILTER_NETLINK is not set
CONFIG_NETFILTER_XTABLES=m
CONFIG_NETFILTER_XT_TARGET_CLASSIFY=m
CONFIG_NETFILTER_XT_TARGET_MARK=m
CONFIG_NETFILTER_XT_TARGET_NFQUEUE=m
CONFIG_NETFILTER_XT_TARGET_NOTRACK=m
CONFIG_NETFILTER_XT_MATCH_COMMENT=m
CONFIG_NETFILTER_XT_MATCH_CONNBYTES=m
CONFIG_NETFILTER_XT_MATCH_CONNTRACK=m
CONFIG_NETFILTER_XT_MATCH_DCCP=m
# CONFIG_NETFILTER_XT_MATCH_ESP is not set
CONFIG_NETFILTER_XT_MATCH_HELPER=m
CONFIG_NETFILTER_XT_MATCH_LENGTH=m
CONFIG_NETFILTER_XT_MATCH_LIMIT=m
CONFIG_NETFILTER_XT_MATCH_MAC=m
CONFIG_NETFILTER_XT_MATCH_MARK=m
# CONFIG_NETFILTER_XT_MATCH_POLICY is not set
# CONFIG_NETFILTER_XT_MATCH_MULTIPORT is not set
CONFIG_NETFILTER_XT_MATCH_PHYSDEV=m
CONFIG_NETFILTER_XT_MATCH_PKTTYPE=m
# CONFIG_NETFILTER_XT_MATCH_QUOTA is not set
CONFIG_NETFILTER_XT_MATCH_REALM=m
CONFIG_NETFILTER_XT_MATCH_SCTP=m
CONFIG_NETFILTER_XT_MATCH_STATE=m
# CONFIG_NETFILTER_XT_MATCH_STATISTIC is not set
CONFIG_NETFILTER_XT_MATCH_STRING=m
CONFIG_NETFILTER_XT_MATCH_TCPMSS=m

#
# IP: Netfilter Configuration
#
CONFIG_IP_NF_CONNTRACK=m
CONFIG_IP_NF_CT_ACCT=y
# CONFIG_IP_NF_CONNTRACK_MARK is not set
# CONFIG_IP_NF_CONNTRACK_EVENTS is not set
CONFIG_IP_NF_CT_PROTO_SCTP=m
CONFIG_IP_NF_FTP=m
CONFIG_IP_NF_IRC=m
# CONFIG_IP_NF_NETBIOS_NS is not set
CONFIG_IP_NF_TFTP=m
CONFIG_IP_NF_AMANDA=m
# CONFIG_IP_NF_PPTP is not set
# CONFIG_IP_NF_H323 is not set
# CONFIG_IP_NF_SIP is not set
CONFIG_IP_NF_QUEUE=m
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_MATCH_IPRANGE=m
CONFIG_IP_NF_MATCH_TOS=m
CONFIG_IP_NF_MATCH_RECENT=m
CONFIG_IP_NF_MATCH_ECN=m
# CONFIG_IP_NF_MATCH_DSCP is not set
# CONFIG_IP_NF_MATCH_AH is not set
CONFIG_IP_NF_MATCH_TTL=m
CONFIG_IP_NF_MATCH_OWNER=m
CONFIG_IP_NF_MATCH_ADDRTYPE=m
CONFIG_IP_NF_MATCH_HASHLIMIT=m
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_TARGET_REJECT=m
CONFIG_IP_NF_TARGET_LOG=m
CONFIG_IP_NF_TARGET_ULOG=m
# CONFIG_IP_NF_TARGET_TCPMSS is not set
CONFIG_IP_NF_NAT=m
CONFIG_IP_NF_NAT_NEEDED=y
CONFIG_IP_NF_TARGET_MASQUERADE=m
CONFIG_IP_NF_TARGET_REDIRECT=m
CONFIG_IP_NF_TARGET_NETMAP=m
CONFIG_IP_NF_TARGET_SAME=m
CONFIG_IP_NF_NAT_SNMP_BASIC=m
CONFIG_IP_NF_NAT_IRC=m
CONFIG_IP_NF_NAT_FTP=m
CONFIG_IP_NF_NAT_TFTP=m
CONFIG_IP_NF_NAT_AMANDA=m
CONFIG_IP_NF_MANGLE=m
CONFIG_IP_NF_TARGET_TOS=m
CONFIG_IP_NF_TARGET_ECN=m
CONFIG_IP_NF_TARGET_DSCP=m
CONFIG_IP_NF_TARGET_TTL=m
CONFIG_IP_NF_RAW=m
CONFIG_IP_NF_ARPTABLES=m
CONFIG_IP_NF_ARPFILTER=m
CONFIG_IP_NF_ARP_MANGLE=m

FYI: you should know that there may be a bug with the 2.6.18 kernel source and ext3, maybe you should use the 2.6.19-rc1-git9 kernel instead;

http://lwn.net/Articles/203536/ ; follow the Dave Jones blog link.

.
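An added check, not part of Lenard's post or of anything CentOS ships: the two errors in this thread come from different stages of iptables-restore. It opens a table when it reads the `*filter` line and pushes all of that table's rules to the kernel in one go at `COMMIT`, so "line 33 failed" (line 33 of the posted file is the filter table's COMMIT) means the table exists but one of its rules needs a match or target module the kernel could not supply, while "unable to initialize table 'filter'" at line 3 means the filter table itself is missing (CONFIG_IP_NF_IPTABLES / CONFIG_IP_NF_FILTER). The script below maps what a rules file uses onto the CONFIG_ symbols from the list above and reports which ones a .config leaves unset. The feature-to-symbol table is mine, written against the 2.6.18 names (newer kernels renamed several, e.g. nf_conntrack), and the sample rules and .config are constructed. Keep in mind that `=m` also needs the module installed (make modules_install, depmod) so the kernel can autoload it at COMMIT; `=y` removes that dependency.

```shell
#!/bin/sh
# Added example, not from the thread: map the tables, targets and matches an
# iptables-save style rules file uses onto the 2.6.18-era kernel CONFIG_ symbols
# that provide them, then report the ones a kernel .config leaves unset.
# The mapping is ours and covers the features in the posted rules plus a few
# common ones; extend the awk table for anything else your rules use.

# One CONFIG_ symbol per line for every feature the rules file needs.
needed_options() {
    awk '
        function need(sym) { if (!(sym in seen)) { seen[sym] = 1; print sym } }
        /^#/ || /^[ \t]*$/ { next }
        { need("CONFIG_IP_NF_IPTABLES") }              # ip_tables itself
        /^\*filter/ { need("CONFIG_IP_NF_FILTER") }
        /^\*nat/    { need("CONFIG_IP_NF_NAT") }
        /^\*mangle/ { need("CONFIG_IP_NF_MANGLE") }
        /^\*raw/    { need("CONFIG_IP_NF_RAW") }
        {
            for (i = 1; i < NF; i++) {
                if ($i == "-j") {                      # targets
                    t = $(i + 1)
                    if (t == "LOG")        need("CONFIG_IP_NF_TARGET_LOG")
                    if (t == "REJECT")     need("CONFIG_IP_NF_TARGET_REJECT")
                    if (t == "MASQUERADE") need("CONFIG_IP_NF_TARGET_MASQUERADE")
                    if (t == "REDIRECT")   need("CONFIG_IP_NF_TARGET_REDIRECT")
                    if (t == "SNAT" || t == "DNAT") need("CONFIG_IP_NF_NAT")
                }
                if ($i == "-m") {                      # match extensions
                    m = $(i + 1)
                    if (m == "state") { need("CONFIG_NETFILTER_XT_MATCH_STATE"); need("CONFIG_IP_NF_CONNTRACK") }
                    if (m == "limit")     need("CONFIG_NETFILTER_XT_MATCH_LIMIT")
                    if (m == "multiport") need("CONFIG_NETFILTER_XT_MATCH_MULTIPORT")
                    if (m == "mac")       need("CONFIG_NETFILTER_XT_MATCH_MAC")
                    if (m == "tcp" || m == "udp") need("CONFIG_NETFILTER_XTABLES")
                }
            }
        }
    ' "$1"
}

# True if CONFIG_FOO=y or CONFIG_FOO=m appears in the kernel .config ($1).
option_enabled() {
    grep -q "^$2=[ym]" "$1"
}

# Print the options the rules file ($1) needs that the .config ($2) leaves unset.
missing_options() {
    needed_options "$1" | while read -r sym; do
        option_enabled "$2" "$sym" || echo "$sym"
    done
}

# Constructed sample inputs: the posted rules, shortened, and a .config in which
# the LOG and REJECT targets were left unset. Prints the directory they live in.
sample_files() {
    d=$(mktemp -d) || exit 1
    printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' ':RH-Firewall-1-INPUT - [0:0]' \
        '-A INPUT -i eth0 -j LOG --log-level 7 --log-prefix BANDWIDTH_IN:' \
        '-A INPUT -j RH-Firewall-1-INPUT' \
        '-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT' \
        '-A RH-Firewall-1-INPUT -p tcp -m state -m tcp --dport 22 --state NEW -j ACCEPT' \
        '-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited' \
        'COMMIT' > "$d/rules"
    printf '%s\n' 'CONFIG_NETFILTER_XTABLES=m' 'CONFIG_NETFILTER_XT_MATCH_STATE=m' \
        'CONFIG_IP_NF_CONNTRACK=m' 'CONFIG_IP_NF_IPTABLES=m' 'CONFIG_IP_NF_FILTER=m' \
        '# CONFIG_IP_NF_TARGET_LOG is not set' \
        '# CONFIG_IP_NF_TARGET_REJECT is not set' > "$d/config"
    echo "$d"
}

# Usage: sh check.sh /etc/sysconfig/iptables /usr/src/linux-2.6.18/.config
# (use "zcat /proc/config.gz > /tmp/config" for the running kernel if it has
# CONFIG_IKCONFIG_PROC). With no arguments, run against the constructed sample.
if [ $# -eq 2 ]; then
    missing_options "$1" "$2"
elif [ $# -eq 0 ]; then
    d=$(sample_files)
    missing_options "$d/rules" "$d/config"
    rm -rf "$d"
fi
```

Against the constructed sample it prints CONFIG_IP_NF_TARGET_LOG and CONFIG_IP_NF_TARGET_REJECT, which is exactly the pair that would make the posted filter table fail at COMMIT.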
 
Old 10-12-2006, 09:36 AM   #3
alfista
LQ Newbie
 
Registered: Oct 2006
Posts: 24

Original Poster
Rep: Reputation: 15
Thanks Lenard, I'll try that other kernel. I was fairly certain I activated all the netfilters stuff, but what do I know?

Just so I'm sure I understand properly, I copy this text into the .config file that is generated from my running of the command 'make oldconfig'

Thanks again!

Cheers!

jason
 
Old 10-12-2006, 10:03 AM   #4
alfista
LQ Newbie
 
Registered: Oct 2006
Posts: 24

Original Poster
Rep: Reputation: 15
One other question... when I do the 'make install' step, it complains about both of my onboard controllers:

WARNING: No module sata_sil found for kernel 2.6.18, continuing anyway
WARNING: No module 3w-9xxx found for kernel 2.6.18, continuing anyway

the machine boots ok though. What did I miss?
 
Old 10-12-2006, 10:13 AM   #5
alfista
LQ Newbie
 
Registered: Oct 2006
Posts: 24

Original Poster
Rep: Reputation: 15
new error after recompiling and rebooting:

Code:
[root@vmware ~]# service iptables start
Applying iptables firewall rules: iptables-restore v1.2.11: iptables-restore: unable to initializetable 'filter'

Error occurred at line: 3
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
                                                           [FAILED]
the 'iptables' file is the same as before.
 
Old 10-12-2006, 12:16 PM   #6
Lenard
Senior Member
 
Registered: Dec 2005
Location: Indiana
Distribution: RHEL/CentOS/SL 5 i386 and x86_64 pata for IDE in use
Posts: 4,790

Rep: Reputation: 57
The steps in order to build a kernel on a Red Hat based system;

make mrproper (to start clean)
make clean (keep the current config file but clean everything else basically)
make menuconfig
make (this is a little different from the rebuild guide, get used to it)
make modules_install
make install

Using a Red Hat supplied kernel configuration may not work even by using the 'make oldconfig' command, since the Red Hat supplied kernels (source and binary) are not one-to-one compatible with the vanilla kernel sources.

Please check your current kernel .config file with the section I provided earlier.


$ uname -a
Linux Aspire5000 2.6.19-rc1-git5 #1 Mon Oct 9 15:07:42 EDT 2006 x86_64 x86_64 x86_64 GNU/Linux

$ cat /etc/*release
CentOS release 4.4 (Final)
 
Old 10-12-2006, 12:34 PM   #7
alfista
LQ Newbie
 
Registered: Oct 2006
Posts: 24

Original Poster
Rep: Reputation: 15
Thanks Lenard...I'm learning a lot as I fumble through this.

I can't successfully run make menuconfig as I get these errors:

Code:
[root@vmware linux-2.6.18]# make menuconfig
  HOSTCC  scripts/basic/fixdep
  HOSTCC  scripts/basic/docproc
  HOSTCC  scripts/kconfig/conf.o
  HOSTCC  scripts/kconfig/kxgettext.o
  HOSTCC  scripts/kconfig/mconf.o
  SHIPPED scripts/kconfig/zconf.tab.c
  SHIPPED scripts/kconfig/lex.zconf.c
  SHIPPED scripts/kconfig/zconf.hash.c
  HOSTCC  scripts/kconfig/zconf.tab.o
  HOSTLD  scripts/kconfig/mconf
  HOSTCC  scripts/kconfig/lxdialog/checklist.o
In file included from scripts/kconfig/lxdialog/checklist.c:24:
scripts/kconfig/lxdialog/dialog.h:31:20: curses.h: No such file or directory
In file included from scripts/kconfig/lxdialog/checklist.c:24:
scripts/kconfig/lxdialog/dialog.h:128: error: syntax error before "use_colors"
scripts/kconfig/lxdialog/dialog.h:128: warning: type defaults to `int' in declaration of `use_colors'
scripts/kconfig/lxdialog/dialog.h:128: warning: data definition has no type or storage class
meanwhile the other two commands you specified generate this output:

Code:
[root@vmware ~]# uname -a
Linux vmware.lunawire.com 2.6.18 #4 SMP Thu Oct 12 11:02:38 EDT 2006 x86_64 x86_64 x86_64 GNU/Linux
[root@vmware ~]# cat /etc/*release
CentOS release 4.4 (Final)
 
Old 10-22-2006, 03:20 AM   #8
savvas
LQ Newbie
 
Registered: Oct 2006
Posts: 1

Rep: Reputation: 0
I seem to be having the same problem here. I noticed it when trying to run APF on a new box, but the kernel update seems to have screwed something up with iptables, which makes it hard to function properly.

This is my output:

-------------
[root@** init.d]# service iptables restart
Applying iptables firewall rules: iptables-restore v1.2.11: iptables-restore: unable to initializetable 'filter'

Error occurred at line: 3
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
[FAILED]
-------------

I've used yum to update the kernel before, as I've done that in the past with success I saw no harm in doing that again, however iptables stopped functioning properly which of course is not good.

Any ideas? Thanks!
 
Old 10-30-2006, 09:03 AM   #9
peterk1966
LQ Newbie
 
Registered: Oct 2006
Posts: 1

Rep: Reputation: 0
Lightbulb Applying iptables firewall rules: iptables-restore: line 19 failed

After upgrading my kernel from 2.6.14.3 to 2.6.18.1, I got the error: "Applying iptables firewall rules: iptables-restore: line 19 failed"

It failed on the REJECT statement:
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 0:1023 --syn -j REJECT

(I used the .config from 2.6.14.3 kernel build, to build the 2.6.18.1)

After changing:

CONFIG_IP_NF_TARGET_REJECT=m

to

CONFIG_IP_NF_TARGET_REJECT=y

in the kernel .config file, the problem was solved.
 
Old 07-06-2007, 07:58 AM   #10
belengher
LQ Newbie
 
Registered: Jul 2007
Posts: 1

Rep: Reputation: 0
Quote:
Originally Posted by savvas
I seem to be having the same problem here. I noticed it when trying to run APF on a new box, but the kernel update seems to have screwed something up with iptables, which makes it hard to function properly.

This is my output:

-------------
[root@** init.d]# service iptables restart
Applying iptables firewall rules: iptables-restore v1.2.11: iptables-restore: unable to initializetable 'filter'

Error occurred at line: 3
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
[FAILED]
-------------

I've used yum to update the kernel before, as I've done that in the past with success I saw no harm in doing that again, however iptables stopped functioning properly which of course is not good.

Any ideas? Thanks!
I had this problem because I used a text editor on the file. Use iptables-save to write a file, then use iptables-restore with it; if that works, your rules file is no longer compatible with iptables. I think you might find a repair utility for it, but I can't remember its name.
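A lint pass for the problem belengher describes, added here as an example and not code from the thread or from the iptables project: before handing a hand-edited /etc/sysconfig/iptables to iptables-restore, check it for the damage a text editor typically leaves behind (CRLF line endings from a Windows editor, a table without COMMIT, a rule outside any `*table` section, a rule or jump naming a chain the table never declares). Line numbers in its output count every line of the file, comments included, the same way iptables-restore's "line N failed" does. The two sample files are constructed; the list of builtin targets it knows is a short one of my own, so a jump to an extension target it does not list is reported for you to check rather than being a proven error.

```shell
#!/bin/sh
# Added example, not from the thread: lint an iptables-save style file for the
# structural damage a text editor leaves behind, before iptables-restore sees it.
# Output is "line N: problem" with N counted as iptables-restore counts lines
# (comments and blanks included); exit status is 1 if anything was found.

lint_rules() {
    awk '
        function problem_at(line, msg) { printf "line %d: %s\n", line, msg; bad = 1 }
        function problem(msg)          { problem_at(NR, msg) }
        # Jumps that named neither a declared chain nor a known target, checked
        # once the table is complete so forward references are not flagged.
        function flush(   t) {
            for (t in pending)
                if (!(t in chains))
                    problem_at(pending[t], "jump to " t ": not a declared chain or a target this lint knows")
            split("", pending)
        }
        BEGIN {
            bad = 0
            split("ACCEPT DROP REJECT LOG ULOG RETURN QUEUE MASQUERADE SNAT DNAT REDIRECT MARK TOS", k, " ")
            for (i in k) known[k[i]] = 1
        }
        index($0, "\r")      { problem("carriage return (CRLF line ending)"); sub(/\r$/, "") }
        /^[ \t]*$/ || /^#/   { next }
        /^\*/ {                                   # start of a table
            if (table != "") { problem("table *" table " not closed by COMMIT"); flush() }
            table = substr($1, 2)
            split("INPUT OUTPUT FORWARD PREROUTING POSTROUTING", b, " ")
            split("", chains); for (i in b) chains[b[i]] = 1   # builtins always exist
            next
        }
        /^COMMIT/ {
            if (table == "") problem("COMMIT outside any table")
            flush(); table = ""; next
        }
        table == ""          { problem("statement outside any *table section"); next }
        /^:/ {                                    # chain declaration
            if (NF < 2) problem("chain line needs a name and a policy")
            chains[substr($1, 2)] = 1; next
        }
        /^-[AID] / {                              # rule
            if (!($2 in chains)) problem("chain " $2 " not declared in *" table)
            for (i = 3; i < NF; i++)
                if ($i == "-j" && !($(i+1) in chains) && !($(i+1) in known) && !($(i+1) in pending))
                    pending[$(i+1)] = NR
            next
        }
        { problem("unrecognised line: " $0) }
        END {
            if (table != "") { problem_at(NR, "table *" table " not closed by COMMIT (end of file)"); flush() }
            exit bad
        }
    ' "$1"
}

# Constructed sample: a clean file in the system-config-securitylevel layout.
clean_sample() {
    f=$(mktemp) || exit 1
    printf '%s\n' '# Firewall configuration written by system-config-securitylevel' \
        '*filter' ':INPUT ACCEPT [0:0]' ':FORWARD ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]' \
        ':RH-Firewall-1-INPUT - [0:0]' '-A INPUT -j RH-Firewall-1-INPUT' \
        '-A RH-Firewall-1-INPUT -i lo -j ACCEPT' \
        '-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT' \
        '-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited' 'COMMIT' > "$f"
    echo "$f"
}

# Constructed sample: the same file after a careless edit (one CRLF line, a chain
# name typo, a lost COMMIT, and a rule pasted after the last table).
damaged_sample() {
    f=$(mktemp) || exit 1
    {
        printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' ':RH-Firewall-1-INPUT - [0:0]' \
            '-A INPUT -j RH-Firewall-1-INPUT'
        printf '%s\r\n' '-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
        printf '%s\n' '-A RH-Firewall-INPUT -p tcp -m tcp --dport 22 -j ACCEPT' \
            '-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited' \
            '*nat' ':PREROUTING ACCEPT [0:0]' 'COMMIT' '-A INPUT -j LOG'
    } > "$f"
    echo "$f"
}

# Usage: sh lint.sh /etc/sysconfig/iptables
# With no argument, lint the two constructed samples (the clean one prints nothing).
if [ $# -eq 1 ]; then
    lint_rules "$1"
else
    for f in $(clean_sample) $(damaged_sample); do
        echo "== $f"; lint_rules "$f" || echo "   -> problems found"; rm -f "$f"
    done
fi
```

If the lint is clean and iptables-restore still fails, the file is not the problem; go back to the kernel modules. If the lint finds something, fix that line and re-run before touching the kernel at all.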
 
  

