LinuxQuestions.org > Slackware > kernel upgrade and no iptables module found on 2.6.17.3
https://www.linuxquestions.org/questions/slackware-14/kernel-upgrade-and-no-iptables-module-found-on-2-6-17-3-a-460025/

linuxhippy 07-01-2006 09:30 AM

kernel upgrade and no iptables module found on 2.6.17.3
 
I upgraded my kernel to 2.6.17.3 from 2.6.13 and get a couple of boot errors. The first is for my wireless card, which needs linuxant's driverloader to work...I have to first uninstall the 2.6.13 driver and then recompile a new wireless driver for my new kernel. I can do this, but don't want to uninstall my NIC driver until I'm certain that my new kernel works. The second error I don't understand:

Code:

FATAL: Module ip_tables not found.
iptables-restore v1.3.5: iptables-restore: unable to initialize table 'filter'

Error occurred at line: 2
Try `iptables-restore -h' or 'iptables-restore --help' for more information.

I don't see an option for iptables in the .config file for 2.6.17.3. Does 2.6.17.3 still use a firewall?

Lenard 07-01-2006 03:17 PM

The layout of the kernel changed a bit ago (when 2.6.15 came out, if I remember correctly); this means you need to manually add your netfilters back.

Some other layout changes were made when the 2.6.17 kernel was released also. I would suggest that you take the time and configure the new kernel again, making sure you do not miss anything as far as your hardware is concerned.

linuxhippy 07-01-2006 08:55 PM

So are ip-tables deprecated (love that word) since kernel 2.6.15? It sounds like all the filtering is done with the kernel itself now. What's that called and where could I read about that?

katayamma 07-01-2006 09:17 PM

After you built & installed the kernel, did you do a 'make modules_install' to actually put the modules in /lib/modules/?

linuxhippy 07-02-2006 07:45 AM

Yes I did, overnight (it took no more than 10 hours on a 200 MHz box). Here's what I did with the 2.6.17.3 kernel after untarring it, moving it to /usr/src and making a symlink to /usr/src/linux:

make mrproper
copy old .config from 2.6.13 kernel directory to 2.6.17.3 directory
make menuconfig
make clean
make bzImage modules && make modules_install
go to bed

A /lib/modules/2.6.17.3 directory was built. I also had to use initrd to get it to boot, and added the needed entry to /etc/lilo and then did lilo.

Lenard 07-02-2006 07:20 PM

No, ip-tables are not deprecated; the kernel layout has changed. The .config file from 2.6.13 does not configure the netfilter and other parts of 2.6.17.X. When using make menuconfig you must set these by hand yourself.

Let's make it simple: no netfilters means ip-tables does not work. Here, check your current .config file for 2.6.17.X, which is:

Code:

#
# Core Netfilter Configuration
#
# CONFIG_NETFILTER_NETLINK is not set
CONFIG_NETFILTER_XTABLES=m
CONFIG_NETFILTER_XT_TARGET_CLASSIFY=m
CONFIG_NETFILTER_XT_TARGET_MARK=m
CONFIG_NETFILTER_XT_TARGET_NFQUEUE=m
CONFIG_NETFILTER_XT_TARGET_NOTRACK=m
CONFIG_NETFILTER_XT_MATCH_COMMENT=m
CONFIG_NETFILTER_XT_MATCH_CONNBYTES=m
CONFIG_NETFILTER_XT_MATCH_CONNTRACK=m
CONFIG_NETFILTER_XT_MATCH_DCCP=m
# CONFIG_NETFILTER_XT_MATCH_ESP is not set
CONFIG_NETFILTER_XT_MATCH_HELPER=m
CONFIG_NETFILTER_XT_MATCH_LENGTH=m
CONFIG_NETFILTER_XT_MATCH_LIMIT=m
CONFIG_NETFILTER_XT_MATCH_MAC=m
CONFIG_NETFILTER_XT_MATCH_MARK=m
# CONFIG_NETFILTER_XT_MATCH_POLICY is not set
# CONFIG_NETFILTER_XT_MATCH_MULTIPORT is not set
CONFIG_NETFILTER_XT_MATCH_PHYSDEV=m
CONFIG_NETFILTER_XT_MATCH_PKTTYPE=m
CONFIG_NETFILTER_XT_MATCH_REALM=m
CONFIG_NETFILTER_XT_MATCH_SCTP=m
CONFIG_NETFILTER_XT_MATCH_STATE=m
CONFIG_NETFILTER_XT_MATCH_STRING=m
CONFIG_NETFILTER_XT_MATCH_TCPMSS=m

#
# IP: Netfilter Configuration
#
CONFIG_IP_NF_CONNTRACK=m
CONFIG_IP_NF_CT_ACCT=y
# CONFIG_IP_NF_CONNTRACK_MARK is not set
# CONFIG_IP_NF_CONNTRACK_EVENTS is not set
CONFIG_IP_NF_CT_PROTO_SCTP=m
CONFIG_IP_NF_FTP=m
CONFIG_IP_NF_IRC=m
# CONFIG_IP_NF_NETBIOS_NS is not set
CONFIG_IP_NF_TFTP=m
CONFIG_IP_NF_AMANDA=m
# CONFIG_IP_NF_PPTP is not set
# CONFIG_IP_NF_H323 is not set
CONFIG_IP_NF_QUEUE=m
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_MATCH_IPRANGE=m
CONFIG_IP_NF_MATCH_TOS=m
CONFIG_IP_NF_MATCH_RECENT=m
CONFIG_IP_NF_MATCH_ECN=m
# CONFIG_IP_NF_MATCH_DSCP is not set
# CONFIG_IP_NF_MATCH_AH is not set
CONFIG_IP_NF_MATCH_TTL=m
CONFIG_IP_NF_MATCH_OWNER=m
CONFIG_IP_NF_MATCH_ADDRTYPE=m
CONFIG_IP_NF_MATCH_HASHLIMIT=m
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_TARGET_REJECT=m
CONFIG_IP_NF_TARGET_LOG=m
CONFIG_IP_NF_TARGET_ULOG=m
# CONFIG_IP_NF_TARGET_TCPMSS is not set
CONFIG_IP_NF_NAT=m
CONFIG_IP_NF_NAT_NEEDED=y
CONFIG_IP_NF_TARGET_MASQUERADE=m
CONFIG_IP_NF_TARGET_REDIRECT=m
CONFIG_IP_NF_TARGET_NETMAP=m
CONFIG_IP_NF_TARGET_SAME=m
CONFIG_IP_NF_NAT_SNMP_BASIC=m
CONFIG_IP_NF_NAT_IRC=m
CONFIG_IP_NF_NAT_FTP=m
CONFIG_IP_NF_NAT_TFTP=m
CONFIG_IP_NF_NAT_AMANDA=m
CONFIG_IP_NF_MANGLE=m
CONFIG_IP_NF_TARGET_TOS=m
CONFIG_IP_NF_TARGET_ECN=m
CONFIG_IP_NF_TARGET_DSCP=m
CONFIG_IP_NF_TARGET_TTL=m
CONFIG_IP_NF_RAW=m
CONFIG_IP_NF_ARPTABLES=m
CONFIG_IP_NF_ARPFILTER=m
CONFIG_IP_NF_ARP_MANGLE=m

Should get you started in the right direction.

linuxhippy 07-02-2006 07:33 PM

This is confusing. I run a server 24/7 and want a good firewall with kernel 2.6.17.3. I was using iptables with some simple rules I found here, and understood that a bit. Now the firewall is in the kernel? I need 2 ports to be open for my network to work, and I like having ssh and ftp capability. How do I specify that I need certain ports open?

I need to read. What's this new filtering scheme called, or do you have a good link?

Lenard 07-02-2006 08:59 PM

You're reading much more into this than what is needed...

The layout has changed, nothing else. This means netfilters are in your older 2.6.13 kernel .config file and are still in the newer than 2.6.15 kernels.

Please see; http://www.linuxquestions.org/questi...d.php?t=428770

zetabill 07-03-2006 12:20 AM

I just compiled a 2.6.17.3 kernel last night and am happy to report that it was a flawless compile. I can attest that the layout has changed, but I was able to compile the iptables modules just fine. Everything works just the way it used to. From what I understand, iptables has been "in" the kernel for quite some time, they're just usually modules. I successfully compiled these last night, I'll let you know how I did it.

I don't edit the config file manually anymore, but I use menuconfig exclusively. I would suggest running menuconfig before editing the .config file. For the sake of being thorough, I briefly went over Lenard's post and found it to be what you're looking for.
Quote:

Originally Posted by Lenard
The .config file from 2.6.13 does not configure the netfilter and other parts of 2.6.17.X. when using make menuconfig you must set these by hand yourself.

He doesn't mean that the firewall settings are configured in the kernel, he means that the old kernel config files are not backward compatible, and will not enable iptables unless you know what the config is supposed to look like. Use make oldconfig and then make menuconfig to make sure the old settings actually moved over. (which is why I don't even bother anymore... make menuconfig exclusively for me...) Then check the .config file as Lenard posted.

When you use {menu,g,x}config for the 2.6.17.3 kernel, the options for iptables from the main menu are:
Code:

Networking-->
Networking Options-->
Enable: Network packet filtering (replaces ip_chains)-->
IP: Netfilter Configuration-->
Enable: IP Tables support... and enable whatever you want

I usually enable everything with M because I'm not a network security guru... and I just don't want to take the chance in not compiling something and have the firewall need it later.

Once the kernel modules are up and running you use iptables just like you always used to... nothing new. :)

Good luck... I hope I was able to help.
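The advice in the two posts above (Lenard's option list and zetabill's menuconfig path) comes down to one check: every table, match and target that your iptables-restore file uses has to be enabled, as y or m, in the new kernel's .config, or the corresponding module is not built and you get "FATAL: Module ip_tables not found" at boot. The script below is an added example written for this page; it is not code from the thread or from the iptables project. It parses an iptables-save style rules file, maps each table, `-m` match and `-j` target to the 2.6.17-era option names shown in Lenard's list, reports which ones a .config lacks, and confirms that `make modules_install` actually put ip_tables.ko under the modules directory. The rules file, the .config, the module tree and the opt_for_token mapping are all constructed here for the demonstration and cover only the handful of matches and targets they list.

```shell
#!/bin/sh
# Added example, not from the thread: find the netfilter options an
# iptables-restore rule set needs and check a kernel .config for them before
# rebooting. Option names follow the 2.6.17-era list in the thread; the rule
# set, .config and module tree below are constructed sample input.

# Map a table name, '-m' match or '-j' target to the option providing it
# (constructed, partial mapping; ACCEPT, DROP and chain names need nothing).
opt_for_token() {
    case "$1" in
        filter)     echo CONFIG_IP_NF_FILTER ;;
        nat)        echo CONFIG_IP_NF_NAT ;;
        state)      echo CONFIG_NETFILTER_XT_MATCH_STATE; echo CONFIG_IP_NF_CONNTRACK ;;
        limit)      echo CONFIG_NETFILTER_XT_MATCH_LIMIT ;;
        multiport)  echo CONFIG_NETFILTER_XT_MATCH_MULTIPORT ;;
        REJECT)     echo CONFIG_IP_NF_TARGET_REJECT ;;
        LOG)        echo CONFIG_IP_NF_TARGET_LOG ;;
        MASQUERADE) echo CONFIG_IP_NF_TARGET_MASQUERADE ;;
    esac
}

# Print the options a rules file needs, sorted and de-duplicated. The core
# options are always needed; '*name' opens a table, the word after '-m' is a
# match module and the word after '-j' is a target.
required_options() {
    {
        echo CONFIG_NETFILTER
        echo CONFIG_NETFILTER_XTABLES
        echo CONFIG_IP_NF_IPTABLES
        tr -s ' \t' '\n\n' < "$1" | {
            prev=""
            while read -r tok; do
                case "$prev" in -m|-j) opt_for_token "$tok" ;; esac
                case "$tok" in \**) opt_for_token "${tok#\*}" ;; esac
                prev="$tok"
            done
        }
    } | sort -u
}

# Report each required option as ok (=y or =m) or MISSING in a .config;
# returns 0 only if nothing is missing.
check_config() {
    rc=0
    for opt in $(required_options "$1"); do
        if grep -q "^${opt}=[ym]$" "$2"; then
            echo "ok      $opt"
        else
            echo "MISSING $opt"
            rc=1
        fi
    done
    return $rc
}

# After 'make modules_install' the 2.6.x tree must contain ip_tables.ko;
# $1 is the modules root, e.g. /lib/modules/2.6.17.3.
ip_tables_module_installed() {
    [ -f "$1/kernel/net/ipv4/netfilter/ip_tables.ko" ]
}

WORK=$(mktemp -d)

# Constructed iptables-save file: established traffic, ftp, ssh and two
# application ports in; everything else is rate-limited logged and rejected.
cat > "$WORK/rules" <<'EOF'
*filter
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT
-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m multiport --dports 8080,8443 -m state --state NEW -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables drop: "
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF

# Constructed .config after menuconfig, with the multiport match still unset
# (as in the list posted in the thread).
cat > "$WORK/new.config" <<'EOF'
CONFIG_NETFILTER=y
CONFIG_NETFILTER_XTABLES=m
CONFIG_NETFILTER_XT_MATCH_LIMIT=m
# CONFIG_NETFILTER_XT_MATCH_MULTIPORT is not set
CONFIG_NETFILTER_XT_MATCH_STATE=m
CONFIG_IP_NF_CONNTRACK=m
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_TARGET_REJECT=m
CONFIG_IP_NF_TARGET_LOG=m
EOF

# Constructed module tree standing in for /lib/modules/2.6.17.3.
mkdir -p "$WORK/lib/modules/2.6.17.3/kernel/net/ipv4/netfilter"
: > "$WORK/lib/modules/2.6.17.3/kernel/net/ipv4/netfilter/ip_tables.ko"

echo "== .config with no netfilter at all (the thread's FATAL case)"
check_config "$WORK/rules" /dev/null || true
echo "== new.config (only multiport missing)"
check_config "$WORK/rules" "$WORK/new.config" || echo "fix .config and rebuild before rebooting"
ip_tables_module_installed "$WORK/lib/modules/2.6.17.3" && echo "ip_tables.ko is installed"
```

To check a real box, point check_config at the file you feed to iptables-restore and at /usr/src/linux/.config, and ip_tables_module_installed at /lib/modules/<new version>. Extend opt_for_token for any other match or target your rules use; in the list above, matches live under either CONFIG_NETFILTER_XT_MATCH_* or CONFIG_IP_NF_MATCH_*, and targets under CONFIG_NETFILTER_XT_TARGET_* or CONFIG_IP_NF_TARGET_*. Passing /dev/null as the .config reproduces the carried-over-from-2.6.13 situation in the thread, where every option comes back MISSING.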

linuxhippy 07-03-2006 02:12 PM

I see...my iptables configuration is still good, I just need to enable all the filtering capabilities in the kernel. That's also an informative post.

Thanks for all the help!

Yalla-One 07-19-2006 03:23 AM

What's the best way to tell which MATCH rules/modules should be included and which should be left out?

Or can I just compile all of them as modules, as the kernel will only load those it needs anyway, and thus I have absolutely no performance penalty? Is this a correct assumption?

Any guides available outlining this to give a better understanding?

-Y1
