Slackware This Forum is for the discussion of Slackware Linux.
07-01-2006, 10:30 AM
|
#1
|
Senior Member
Registered: Sep 2004
Location: Philadelphia, PA
Distribution: Xubuntu, Mythbuntu, Lubuntu, Picuntu, Mint 18.1, Debian Jessie
Posts: 1,207
Rep:
|
kernel upgrade and no iptables module found on 2.6.17.3
I upgraded my kernel to 2.6.17.3 from 2.6.13 and get a couple of boot errors. The first is for my wireless card, which needs linuxant's driverloader to work... I have to first uninstall the 2.6.13 driver and then recompile a new wireless driver for my new kernel. I can do this, but don't want to uninstall my NIC driver until I'm certain that my new kernel works. The second error I don't understand:
FATAL: Module ip_tables not found.
iptables-restore v1.3.5: iptables-restore: unable to initializetable 'filter'
Error occurred at line: 2
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
I don't see an option for iptables in the .config file for 2.6.17.3 - does 2.6.17.3 still use a firewall?
|
|
|
07-01-2006, 04:17 PM
|
#2
|
Senior Member
Registered: Dec 2005
Location: Indiana
Distribution: RHEL/CentOS/SL 5 i386 and x86_64 pata for IDE in use
Posts: 4,790
Rep:
|
The layout of the kernel changed a bit ago (when 2.6.15 came out, if I remember correctly); this means you need to manually add your netfilters back.
Some other layout changes were made when the 2.6.17 kernel was released also. I would suggest that you take the time and configure the new kernel again, making sure you do not miss anything as far as your hardware is concerned.
|
|
|
07-01-2006, 09:55 PM
|
#3
|
Senior Member
Registered: Sep 2004
Location: Philadelphia, PA
Distribution: Xubuntu, Mythbuntu, Lubuntu, Picuntu, Mint 18.1, Debian Jessie
Posts: 1,207
Original Poster
Rep:
|
So are ip-tables deprecated (love that word) since kernel 2.6.15? It sounds like all the filtering is done with the kernel itself now - what's that called and where could I read about that?
|
|
|
07-01-2006, 10:17 PM
|
#4
|
Member
Registered: Jan 2006
Posts: 37
Rep:
|
After you built & installed the kernel, did you do a 'make modules_install' to actually put the modules in /lib/modules/?
|
|
|
07-02-2006, 08:45 AM
|
#5
|
Senior Member
Registered: Sep 2004
Location: Philadelphia, PA
Distribution: Xubuntu, Mythbuntu, Lubuntu, Picuntu, Mint 18.1, Debian Jessie
Posts: 1,207
Original Poster
Rep:
|
Yes I did, overnight (it took no more than 10 hours on a 200 MHz box). Here's what I did with the 2.6.17.3 kernel after untarring and moving to /usr/src and making a symlink to /usr/src/linux:
make mrproper
copy old .config from 2.6.13 kernel directory to 2.6.17.3 directory
make menuconfig
make clean
make bzImage modules && make modules_install
go to bed
A /lib/modules/2.6.17.3 directory was built. I also had to use initrd to get it to boot and added the needed entry to /etc/lilo and then did lilo.
|
|
|
07-02-2006, 08:20 PM
|
#6
|
Senior Member
Registered: Dec 2005
Location: Indiana
Distribution: RHEL/CentOS/SL 5 i386 and x86_64 pata for IDE in use
Posts: 4,790
Rep:
|
No, ip-tables are not deprecated; the kernel layout has changed. The .config file from 2.6.13 does not configure the netfilter and other parts of 2.6.17.X. When using make menuconfig you must set these by hand yourself.
Let's make it simple: no netfilters means ip-tables does not work. Here, check your current .config file for 2.6.17.X with this:
Code:
#
# Core Netfilter Configuration
#
# CONFIG_NETFILTER_NETLINK is not set
CONFIG_NETFILTER_XTABLES=m
CONFIG_NETFILTER_XT_TARGET_CLASSIFY=m
CONFIG_NETFILTER_XT_TARGET_MARK=m
CONFIG_NETFILTER_XT_TARGET_NFQUEUE=m
CONFIG_NETFILTER_XT_TARGET_NOTRACK=m
CONFIG_NETFILTER_XT_MATCH_COMMENT=m
CONFIG_NETFILTER_XT_MATCH_CONNBYTES=m
CONFIG_NETFILTER_XT_MATCH_CONNTRACK=m
CONFIG_NETFILTER_XT_MATCH_DCCP=m
# CONFIG_NETFILTER_XT_MATCH_ESP is not set
CONFIG_NETFILTER_XT_MATCH_HELPER=m
CONFIG_NETFILTER_XT_MATCH_LENGTH=m
CONFIG_NETFILTER_XT_MATCH_LIMIT=m
CONFIG_NETFILTER_XT_MATCH_MAC=m
CONFIG_NETFILTER_XT_MATCH_MARK=m
# CONFIG_NETFILTER_XT_MATCH_POLICY is not set
# CONFIG_NETFILTER_XT_MATCH_MULTIPORT is not set
CONFIG_NETFILTER_XT_MATCH_PHYSDEV=m
CONFIG_NETFILTER_XT_MATCH_PKTTYPE=m
CONFIG_NETFILTER_XT_MATCH_REALM=m
CONFIG_NETFILTER_XT_MATCH_SCTP=m
CONFIG_NETFILTER_XT_MATCH_STATE=m
CONFIG_NETFILTER_XT_MATCH_STRING=m
CONFIG_NETFILTER_XT_MATCH_TCPMSS=m
#
# IP: Netfilter Configuration
#
CONFIG_IP_NF_CONNTRACK=m
CONFIG_IP_NF_CT_ACCT=y
# CONFIG_IP_NF_CONNTRACK_MARK is not set
# CONFIG_IP_NF_CONNTRACK_EVENTS is not set
CONFIG_IP_NF_CT_PROTO_SCTP=m
CONFIG_IP_NF_FTP=m
CONFIG_IP_NF_IRC=m
# CONFIG_IP_NF_NETBIOS_NS is not set
CONFIG_IP_NF_TFTP=m
CONFIG_IP_NF_AMANDA=m
# CONFIG_IP_NF_PPTP is not set
# CONFIG_IP_NF_H323 is not set
CONFIG_IP_NF_QUEUE=m
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_MATCH_IPRANGE=m
CONFIG_IP_NF_MATCH_TOS=m
CONFIG_IP_NF_MATCH_RECENT=m
CONFIG_IP_NF_MATCH_ECN=m
# CONFIG_IP_NF_MATCH_DSCP is not set
# CONFIG_IP_NF_MATCH_AH is not set
CONFIG_IP_NF_MATCH_TTL=m
CONFIG_IP_NF_MATCH_OWNER=m
CONFIG_IP_NF_MATCH_ADDRTYPE=m
CONFIG_IP_NF_MATCH_HASHLIMIT=m
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_TARGET_REJECT=m
CONFIG_IP_NF_TARGET_LOG=m
CONFIG_IP_NF_TARGET_ULOG=m
# CONFIG_IP_NF_TARGET_TCPMSS is not set
CONFIG_IP_NF_NAT=m
CONFIG_IP_NF_NAT_NEEDED=y
CONFIG_IP_NF_TARGET_MASQUERADE=m
CONFIG_IP_NF_TARGET_REDIRECT=m
CONFIG_IP_NF_TARGET_NETMAP=m
CONFIG_IP_NF_TARGET_SAME=m
CONFIG_IP_NF_NAT_SNMP_BASIC=m
CONFIG_IP_NF_NAT_IRC=m
CONFIG_IP_NF_NAT_FTP=m
CONFIG_IP_NF_NAT_TFTP=m
CONFIG_IP_NF_NAT_AMANDA=m
CONFIG_IP_NF_MANGLE=m
CONFIG_IP_NF_TARGET_TOS=m
CONFIG_IP_NF_TARGET_ECN=m
CONFIG_IP_NF_TARGET_DSCP=m
CONFIG_IP_NF_TARGET_TTL=m
CONFIG_IP_NF_RAW=m
CONFIG_IP_NF_ARPTABLES=m
CONFIG_IP_NF_ARPFILTER=m
CONFIG_IP_NF_ARP_MANGLE=m
Should get you started in the right direction.
|
|
|
07-02-2006, 08:33 PM
|
#7
|
Senior Member
Registered: Sep 2004
Location: Philadelphia, PA
Distribution: Xubuntu, Mythbuntu, Lubuntu, Picuntu, Mint 18.1, Debian Jessie
Posts: 1,207
Original Poster
Rep:
|
This is confusing. I run a server 24/7 and want a good firewall with kernel 2.6.17.3. I was using iptables with some simple rules I found here and understood that a bit. Now the firewall is in the kernel? I need 2 ports to be open for my network to work and I like having ssh and ftp capability. How do I specify that I need certain ports open?
I need to read - what's this new filtering scheme called, or do you have a good link?
|
|
|
07-02-2006, 09:59 PM
|
#8
|
Senior Member
Registered: Dec 2005
Location: Indiana
Distribution: RHEL/CentOS/SL 5 i386 and x86_64 pata for IDE in use
Posts: 4,790
Rep:
|
You're reading much more into this than what is needed...
The layout has changed, nothing else; this means netfilters are in your older 2.6.13 kernel .config file and are still in the newer than 2.6.15 kernels.
Please see; http://www.linuxquestions.org/questi...d.php?t=428770
|
|
|
07-03-2006, 01:20 AM
|
#9
|
Member
Registered: Oct 2005
Location: Rhode Island, USA
Distribution: Slackware, Xubuntu
Posts: 348
Rep:
|
I just compiled a 2.6.17.3 kernel last night and am happy to report that it was a flawless compile. I can attest that the layout has changed, but I was able to compile the iptables modules just fine. Everything works just the way it used to. From what I understand, iptables has been "in" the kernel for quite some time, they're just usually modules. I successfully compiled these last night, I'll let you know how I did it.
I don't edit the config file manually anymore, but I use menuconfig exclusively. I would suggest running menuconfig before editing the .config file. For the sake of being thorough, I briefly went over Lenard's post and found it to be what you're looking for.
Quote:
Originally Posted by Lenard
The .config file from 2.6.13 does not configure the netfilter and other parts of 2.6.17.X. when using make menuconfig you must set these by hand yourself.
|
He doesn't mean that the firewall settings are configured in the kernel, he means that the old kernel config files are not backward compatible, and will not enable iptables unless you know what the config is supposed to look like. Use make oldconfig and then make menuconfig to make sure the old settings actually moved over. (which is why I don't even bother anymore... make menuconfig exclusively for me...) Then check the .config file as Lenard posted.
When you use {menu,g,x}config for the 2.6.17.3 kernel, the options for iptables from the main menu are:
Code:
Networking-->
Networking Options-->
Enable: Network packet filtering (replaces ip_chains)-->
IP: Netfilter Configuration-->
Enable: IP Tables support... and enable whatever you want
I usually enable everything with M because I'm not a network security guru... and I just don't want to take the chance in not compiling something and have the firewall need it later.
Once the kernel modules are up and running you use iptables just like you always used to... nothing new.
Good luck... I hope I was able to help.
|
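Added example, not part of any post in this thread: a shell check that separates the two causes raised above for "Module ip_tables not found", namely options missing from the new .config versus modules never installed under /lib/modules. The function names are hypothetical; the option names come from the listing in post #6 plus CONFIG_NETFILTER, and treating these four as the minimum set for the `filter` table is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread): diagnose "Module ip_tables not found"
# after a kernel upgrade. Option names come from the listing in post #6,
# plus CONFIG_NETFILTER ("Network packet filtering" in menuconfig).
# Assumption: these four are the minimum needed for the 'filter' table.
REQUIRED_OPTS="CONFIG_NETFILTER CONFIG_NETFILTER_XTABLES CONFIG_IP_NF_IPTABLES CONFIG_IP_NF_FILTER"

# opt_state FILE OPTION -> prints y, m, or unset
opt_state() {
    val=$(sed -n "s/^$2=\([ym]\)\$/\1/p" "$1" | head -n 1)
    echo "${val:-unset}"
}

# missing_opts FILE -> space-separated required options that are not y or m
missing_opts() {
    missing=""
    for opt in $REQUIRED_OPTS; do
        if [ "$(opt_state "$1" "$opt")" = "unset" ]; then
            missing="$missing $opt"
        fi
    done
    echo "${missing# }"
}

# module_installed MODDIR NAME -> true if NAME.ko (or a compressed
# NAME.ko.*) exists anywhere under MODDIR
module_installed() {
    [ -n "$(find "$1" -name "$2.ko*" 2>/dev/null | head -n 1)" ]
}

# diagnose CONFIG MODDIR -> prints one line naming the likely cause
diagnose() {
    miss=$(missing_opts "$1")
    if [ -n "$miss" ]; then
        echo "not configured: $miss"
    elif [ "$(opt_state "$1" CONFIG_IP_NF_IPTABLES)" = "m" ] &&
         ! module_installed "$2" ip_tables; then
        echo "configured but ip_tables.ko not installed under $2"
    else
        echo "ok"
    fi
}

# Constructed sample: a .config where only the top-level option survived.
demo=$(mktemp -d)
printf '%s\n' 'CONFIG_NETFILTER=y' \
    '# CONFIG_NETFILTER_XTABLES is not set' > "$demo/.config"
diagnose "$demo/.config" "$demo/modules"
rm -rf "$demo"
```

On the system from this thread the call would be `diagnose /usr/src/linux/.config /lib/modules/2.6.17.3`.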
|
|
07-03-2006, 03:12 PM
|
#10
|
Senior Member
Registered: Sep 2004
Location: Philadelphia, PA
Distribution: Xubuntu, Mythbuntu, Lubuntu, Picuntu, Mint 18.1, Debian Jessie
Posts: 1,207
Original Poster
Rep:
|
I see...my iptables configuration is still good, I just need to enable all the filtering capabilities in the kernel. That's also an informative post.
Thanks for all the help!
|
|
|
07-19-2006, 04:23 AM
|
#11
|
Member
Registered: Oct 2004
Location: Norway
Distribution: Slackware, CentOS
Posts: 641
Rep:
|
What's the best way to tell which MATCH rules/modules should be included and which should be left out?
Or can I just compile all of them as modules, as the kernel will only load those it needs anyway, and thus I have absolutely no performance penalty? Is this a correct assumption?
Any guides available outlining this to give a better understanding?
-Y1
|
|
|
All times are GMT -5. The time now is 09:02 AM.