dwC24 n00b
Joined: 08 Feb 2006 Posts: 3
Posted: Wed Feb 08, 2006 9:01 am Post subject: iptables error
Hi everyone,
I am totally new to Gentoo so bear with me here.
I installed iptables included as a kernel module and I am receiving the following error:
Code:
dwc2 ~ # /sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables: Unknown error 4294967295
Ultimately I am trying to use shorewall here but this error is being reported by iptables. I am not sure what I am missing but I am sure I have all of the appropriate modules loaded.
Code:
Module Size Used by
ipt_pkttype 928 0
ipt_CLASSIFY 1344 0
ipt_owner 1280 0
ipt_recent 7596 0
ipt_iprange 1024 0
ipt_multiport 1536 0
iptable_mangle 1696 0
ip_nat_irc 1536 0
ip_nat_tftp 992 0
ip_nat_ftp 1952 0
iptable_nat 5220 0
ip_nat 11788 4 ip_nat_
ip_conntrack_irc 4272 1 ip_nat_
ip_conntrack_tftp 2552 1 ip_nat_
ip_conntrack_ftp 4976 1 ip_nat_
ip_conntrack 30328 8 ip_nat_ ,ip_conntrack_irc,ip_conntrack_tftp,ip_
iptable_filter 1696 1
usbcore 83748 1
iptable_raw 1184 0
ip_tables 17184 10 ipt_pk prange,ipt_multiport,iptable_mangle,ipt
s2io 50960 0
via_rhine 17796 0
8139too 20096 0
mii 3008 2 via_rhi
Code:
dwc2 ~ # uname -a
Linux dwc2.scanbc.com 2.6.15-gentoo-r1 #4 SMP PREEMPT Tue Feb 7 23:21:31 PST 2006 i686 Pentium III (Coppermine) GenuineIntel GNU/Linux
Code:
dwc2 ~ # zgrep -i netfilter /proc/config.gz
CONFIG_NETFILTER=y
dwc2 ~ # zgrep -i ipt /proc/config.gz
CONFIG_IP_NF_IPTABLES=m
I followed the directions as per this howto http://gentoo-wiki.com/HOWTO_Iptables_for_newbies
What's my next step here?
Thanks,
dwC
Last edited by dwC24 on Wed Feb 08, 2006 10:31 am; edited 1 time in total
dwC24 n00b
Joined: 08 Feb 2006 Posts: 3
Posted: Wed Feb 08, 2006 10:23 am
With iptables 1.3.4 I get this error:
Code:
dwc2 etc # iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
iptables: No chain/target/match by that name
dwc2 etc #
With iptables 1.3.5 I get this error:
Code:
dwc2 etc # iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
iptables: Unknown error 4294967295
dwc2 etc #
dwC
magic919 Advocate
Joined: 17 Jun 2005 Posts: 2182 Location: Berkshire, UK
Posted: Wed Feb 08, 2006 8:42 pm
Could you run
Code:
grep _NF_ /usr/src/linux/.config
to show all kernel options for this, and paste the output here.
dwC24 n00b
Joined: 08 Feb 2006 Posts: 3
Posted: Thu Feb 09, 2006 6:59 am
Here we go:
Code:
dwc2 ~ # grep _NF_ /usr/src/linux/.config
CONFIG_IP_NF_CONNTRACK=m
CONFIG_IP_NF_CT_ACCT=y
CONFIG_IP_NF_CONNTRACK_MARK=y
# CONFIG_IP_NF_CONNTRACK_EVENTS is not set
# CONFIG_IP_NF_CT_PROTO_SCTP is not set
CONFIG_IP_NF_FTP=m
CONFIG_IP_NF_IRC=m
# CONFIG_IP_NF_NETBIOS_NS is not set
CONFIG_IP_NF_TFTP=m
CONFIG_IP_NF_AMANDA=m
CONFIG_IP_NF_PPTP=m
# CONFIG_IP_NF_QUEUE is not set
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_MATCH_LIMIT=m
CONFIG_IP_NF_MATCH_IPRANGE=m
CONFIG_IP_NF_MATCH_MAC=m
CONFIG_IP_NF_MATCH_PKTTYPE=m
CONFIG_IP_NF_MATCH_MARK=m
CONFIG_IP_NF_MATCH_MULTIPORT=m
CONFIG_IP_NF_MATCH_TOS=m
CONFIG_IP_NF_MATCH_RECENT=m
CONFIG_IP_NF_MATCH_ECN=m
CONFIG_IP_NF_MATCH_DSCP=m
CONFIG_IP_NF_MATCH_AH_ESP=m
CONFIG_IP_NF_MATCH_LENGTH=m
CONFIG_IP_NF_MATCH_TTL=m
CONFIG_IP_NF_MATCH_TCPMSS=m
# CONFIG_IP_NF_MATCH_HELPER is not set
# CONFIG_IP_NF_MATCH_STATE is not set
# CONFIG_IP_NF_MATCH_CONNTRACK is not set
CONFIG_IP_NF_MATCH_OWNER=m
CONFIG_IP_NF_MATCH_ADDRTYPE=m
CONFIG_IP_NF_MATCH_REALM=m
CONFIG_IP_NF_MATCH_SCTP=m
CONFIG_IP_NF_MATCH_DCCP=m
CONFIG_IP_NF_MATCH_COMMENT=m
# CONFIG_IP_NF_MATCH_CONNMARK is not set
# CONFIG_IP_NF_MATCH_CONNBYTES is not set
CONFIG_IP_NF_MATCH_HASHLIMIT=m
CONFIG_IP_NF_MATCH_STRING=m
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_TARGET_REJECT=m
CONFIG_IP_NF_TARGET_LOG=m
# CONFIG_IP_NF_TARGET_ULOG is not set
CONFIG_IP_NF_TARGET_TCPMSS=m
CONFIG_IP_NF_TARGET_NFQUEUE=m
CONFIG_IP_NF_NAT=m
CONFIG_IP_NF_NAT_NEEDED=y
CONFIG_IP_NF_TARGET_MASQUERADE=m
CONFIG_IP_NF_TARGET_REDIRECT=m
CONFIG_IP_NF_TARGET_NETMAP=m
CONFIG_IP_NF_TARGET_SAME=m
# CONFIG_IP_NF_NAT_SNMP_BASIC is not set
CONFIG_IP_NF_NAT_IRC=m
CONFIG_IP_NF_NAT_FTP=m
CONFIG_IP_NF_NAT_TFTP=m
CONFIG_IP_NF_NAT_AMANDA=m
CONFIG_IP_NF_NAT_PPTP=m
CONFIG_IP_NF_MANGLE=m
CONFIG_IP_NF_TARGET_TOS=m
CONFIG_IP_NF_TARGET_ECN=m
CONFIG_IP_NF_TARGET_DSCP=m
CONFIG_IP_NF_TARGET_MARK=m
CONFIG_IP_NF_TARGET_CLASSIFY=m
CONFIG_IP_NF_TARGET_TTL=m
# CONFIG_IP_NF_TARGET_CONNMARK is not set
# CONFIG_IP_NF_TARGET_CLUSTERIP is not set
CONFIG_IP_NF_RAW=m
# CONFIG_IP_NF_TARGET_NOTRACK is not set
# CONFIG_IP_NF_ARPTABLES is not set
dwc2 ~ #
magic919 Advocate
Joined: 17 Jun 2005 Posts: 2182 Location: Berkshire, UK
Posted: Thu Feb 09, 2006 8:23 am
Code:
# CONFIG_IP_NF_MATCH_STATE is not set
freegianghu n00b
Joined: 08 Feb 2005 Posts: 12
mauricev Apprentice
Joined: 22 Mar 2004 Posts: 203
Posted: Sat Apr 08, 2006 10:38 pm
I am seeing the identical problem with 2.6.16.1. Looks like a bug in iptables.
Quote:
CONFIG_IP_NF_MATCH_STATE is not set
It no longer exists. The iptables authors decided to complicate iptables by adding a separate set of modules under _XT_, so that one is there now, and to make things difficult by not documenting any of the changes.
outspoken Guru
Joined: 14 Feb 2004 Posts: 464 Location: orlando, fl
Posted: Tue Apr 25, 2006 9:25 pm
You have to set CONFIG_NETFILTER_XTABLES in the kernel. Many of the iptables config options have been moved there, like match, state, conntrack, etc.
mauricev Apprentice
Joined: 22 Mar 2004 Posts: 203
Posted: Tue Apr 25, 2006 9:33 pm
It turns out there is another module, xt_tcpudp, that doesn't have any corresponding config option. It gets built when turning on xtables, which itself is the module called x_tables; xt_tcpudp wasn't loading. Turning on automatic module loading in the kernel fixes this, or it can be loaded manually.
afabco Guru
Joined: 24 Feb 2004 Posts: 380
Posted: Fri May 05, 2006 12:51 am
I'm getting a similar error:
Code:
green linux # /etc/init.d/shorewall restart
 * Restarting firewall ...
iptables: No chain/target/match by that name
ERROR: Command "/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT" Failed
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
/etc/init.d/shorewall: line 26: 22032 Terminated /sbin/shorewall restart >/dev/ [ !! ]
The two modules mentioned are loaded
Code:
green linux # lsmod|grep x_tables
x_tables 10244 14 xt_tcpudp,ipt_TOS,ipt_SAME,ipt_REJECT,ipt_REDIRECT,ipt_NETMAP,ipt_MASQUERADE,ipt_LOG,ipt_esp,ipt_ECN,ipt_DSCP,ipt_ah,iptable_nat,ip_tables
Code:
green linux # lsmod|grep xt_tcpudp
xt_tcpudp 3968 0
x_tables 10244 14 xt_tcpudp,ipt_TOS,ipt_SAME,ipt_REJECT,ipt_REDIRECT,ipt_NETMAP,ipt_MASQUERADE,ipt_LOG,ipt_esp,ipt_ECN,ipt_DSCP,ipt_ah,iptable_nat,ip_tables
There's nothing in the .config that obviously says "NF_FORWARD":
Code:
green linux # grep _NF_ /usr/src/linux/.config
CONFIG_IP_NF_CONNTRACK=y
# CONFIG_IP_NF_CT_ACCT is not set
# CONFIG_IP_NF_CONNTRACK_MARK is not set
# CONFIG_IP_NF_CONNTRACK_EVENTS is not set
# CONFIG_IP_NF_CT_PROTO_SCTP is not set
# CONFIG_IP_NF_FTP is not set
# CONFIG_IP_NF_IRC is not set
# CONFIG_IP_NF_NETBIOS_NS is not set
# CONFIG_IP_NF_TFTP is not set
# CONFIG_IP_NF_AMANDA is not set
CONFIG_IP_NF_PPTP=m
# CONFIG_IP_NF_QUEUE is not set
CONFIG_IP_NF_IPTABLES=m
# CONFIG_IP_NF_MATCH_IPRANGE is not set
# CONFIG_IP_NF_MATCH_MULTIPORT is not set
# CONFIG_IP_NF_MATCH_TOS is not set
# CONFIG_IP_NF_MATCH_RECENT is not set
# CONFIG_IP_NF_MATCH_ECN is not set
# CONFIG_IP_NF_MATCH_DSCP is not set
CONFIG_IP_NF_MATCH_AH_ESP=m
# CONFIG_IP_NF_MATCH_TTL is not set
# CONFIG_IP_NF_MATCH_OWNER is not set
# CONFIG_IP_NF_MATCH_ADDRTYPE is not set
# CONFIG_IP_NF_MATCH_HASHLIMIT is not set
# CONFIG_IP_NF_MATCH_POLICY is not set
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_TARGET_REJECT=m
CONFIG_IP_NF_TARGET_LOG=m
# CONFIG_IP_NF_TARGET_ULOG is not set
# CONFIG_IP_NF_TARGET_TCPMSS is not set
CONFIG_IP_NF_NAT=m
CONFIG_IP_NF_NAT_NEEDED=y
CONFIG_IP_NF_TARGET_MASQUERADE=m
CONFIG_IP_NF_TARGET_REDIRECT=m
CONFIG_IP_NF_TARGET_NETMAP=m
CONFIG_IP_NF_TARGET_SAME=m
CONFIG_IP_NF_NAT_SNMP_BASIC=m
CONFIG_IP_NF_NAT_PPTP=m
CONFIG_IP_NF_MANGLE=m
CONFIG_IP_NF_TARGET_TOS=m
CONFIG_IP_NF_TARGET_ECN=m
CONFIG_IP_NF_TARGET_DSCP=m
# CONFIG_IP_NF_TARGET_TTL is not set
# CONFIG_IP_NF_RAW is not set
# CONFIG_IP_NF_ARPTABLES is not set
in the loaded modules, I'd expect to see an ipt_FORWARD, but don't see one, and couldn't find one in .config:
Code:
lsmod|grep ip
iptable_mangle 3072 0
ipt_TOS 2816 0
ipt_SAME 2944 0
ipt_REJECT 4864 0
ipt_REDIRECT 2688 0
ipt_NETMAP 2688 0
ipt_MASQUERADE 3456 0
ipt_LOG 6272 0
ipt_esp 2560 0
ipt_ECN 3456 0
ipt_DSCP 2816 0
ipt_ah 2560 0
iptable_nat 7300 0
ip_nat 13868 5 ipt_SAME,ipt_REDIRECT,ipt_NETMAP,ipt_MASQUERADE,iptable_nat
iptable_filter 3200 0
ip_tables 11508 3 iptable_mangle,iptable_nat,iptable_filter
x_tables 10244 14 xt_tcpudp,ipt_TOS,ipt_SAME,ipt_REJECT,ipt_REDIRECT,ipt_NETMAP,ipt_MASQUERADE,ipt_LOG,ipt_esp,ipt_ECN,ipt_DSCP,ipt_ah,iptable_nat,ip_tables
tulip 43296 0
What next?
Thanks!
_________________
Anyone who puts a small gloss on a fundamental technology, calls it proprietary, and then tries to keep others from building on it, is a thief.
-Tim O'Reilly
jpnag Tux's lil' helper
Joined: 04 Apr 2005 Posts: 113 Location: Portugal/Oporto
Posted: Sat May 06, 2006 12:29 am
In /etc/sysctl.conf set
Code:
net.ipv4.ip_forward = 1
_________________
Never argue with an idiot, we will drag you down to his level and beat you up with experience!
afabco Guru
Joined: 24 Feb 2004 Posts: 380
Posted: Wed May 10, 2006 4:59 pm
Hi
Sorry for the delay.
Made no difference.
Code:
# Disables packet forwarding
net.ipv4.ip_forward = 1
# Disables IP dynaddr
#net.ipv4.ip_dynaddr = 0
# Disable ECN
#net.ipv4.tcp_ecn = 0
# Enables source route verification
net.ipv4.conf.default.rp_filter = 1
# Enable reverse path
net.ipv4.conf.all.rp_filter = 1
I did un-rem and change the net.ipv4.ip_forward to 1. "net.ipv4.conf.default.rp_filter = 1" and "net.ipv4.conf.all.rp_filter = 1" remain as they were.
sysctl in the kernel is enabled.
Here's the result:
Code:
green linux # /etc/init.d/shorewall restart
 * Restarting firewall ...
iptables: No chain/target/match by that name
ERROR: Command "/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT" Failed
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
/etc/init.d/shorewall: line 26: 30833 Terminated /sbin/shorewall restart >/dev/ [ !! ]
green linux #
What next?
Thanks!
homry Tux's lil' helper
Joined: 01 Apr 2005 Posts: 146 Location: Karlsruhe, Germany
Posted: Sun May 14, 2006 8:12 am
Got the same problem here.
The new iptables options are well hidden in the config menu. But even though I have everything I need in my kernel now, shorewall won't start correctly. I am using 2.6.16-r7.
homry
_________________
IBM ThinkPad R51
homry Tux's lil' helper
Joined: 01 Apr 2005 Posts: 146 Location: Karlsruhe, Germany
Posted: Wed May 17, 2006 8:09 pm
Nobody else got this problem? Before that I ran a 2.6.15-r1 kernel and everything was fine. Anyone run into problems with iptables after updating to a 2.6.16 kernel?
homry
basement n00b
Joined: 21 May 2006 Posts: 19
Posted: Sun May 21, 2006 10:14 pm
afabco wrote:
Here's the result:
Code:
green linux # /etc/init.d/shorewall restart
 * Restarting firewall ...
iptables: No chain/target/match by that name
ERROR: Command "/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT" Failed
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
/etc/init.d/shorewall: line 26: 30833 Terminated /sbin/shorewall restart >/dev/ [ !! ]
green linux #
What next?
Thanks!
I had this exact problem after initially following Sith_Happens' shorewall guide, and adding a few things necessary. I'm using kernel 2.6.16-r7, shorewall version 3.0.4, iptables version 1.3.4. In the kernel, I had enabled Xtables support and IP tables support. I added everything under IP tables support as modules. When I then tried starting shorewall, I got the same error as you. After playing around a bit, I found one option solving my problem. In menuconfig, under Xtables support, I added "state" match support (compiled it into the kernel). That made the problem go away.
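The checks the posters above apply by hand (magic919 spotting the unset CONFIG_IP_NF_MATCH_STATE, outspoken and mauricev pointing at CONFIG_NETFILTER_XTABLES and the symbol-less xt_tcpudp module, basement enabling CONFIG_NETFILTER_XT_MATCH_STATE) can be done in one script. The following is an added example, not code from this thread, from iptables or from shorewall. For a given rule it lists the kernel symbols and modules the 2.6.16 layout needs, then checks them against a saved .config and an lsmod listing, separating "not built at all" (which dwC24's second post shows iptables 1.3.4 reporting as "No chain/target/match by that name" and 1.3.5 as "Unknown error 4294967295") from "built as a module but not loaded". The requirement table covers only the matches and targets used in this thread, and the two input files are constructed here, not captured from any poster's machine.

```shell
#!/bin/bash
# Added diagnostic (not from the thread, iptables or shorewall). For an iptables
# rule, list what the kernel must provide in the 2.6.16 layout: matches under
# CONFIG_NETFILTER_XT_*, xt_tcpudp built by CONFIG_NETFILTER_XTABLES alone.
# A symbol =y needs no module, =m needs its module loaded, unset means the
# match/target does not exist in this kernel. Assumption: only the matches and
# targets listed in requirements_for_rule are recognised.

# requirements_for_rule RULE -> lines of "feature:SYMBOL[|ALT]:MODULE[|ALT]"
requirements_for_rule() {
    # Every rule needs the xtables core, ip_tables and (default table) iptable_filter.
    echo "xtables core:CONFIG_NETFILTER_XTABLES:x_tables"
    echo "ip_tables:CONFIG_IP_NF_IPTABLES:ip_tables"
    echo "filter table:CONFIG_IP_NF_FILTER:iptable_filter"
    set -- $1
    while [ $# -gt 0 ]; do
        case "$1 $2" in
            "-t nat")    echo "nat table:CONFIG_IP_NF_NAT:iptable_nat" ;;
            "-t mangle") echo "mangle table:CONFIG_IP_NF_MANGLE:iptable_mangle" ;;
            "-p tcp"|"-p udp"|"-m tcp"|"-m udp")
                # xt_tcpudp has no symbol of its own; it is built with the xtables core.
                echo "tcp/udp match:CONFIG_NETFILTER_XTABLES:xt_tcpudp" ;;
            "-m state")
                echo "state match:CONFIG_NETFILTER_XT_MATCH_STATE:xt_state"
                echo "conntrack core:CONFIG_IP_NF_CONNTRACK|CONFIG_NF_CONNTRACK:ip_conntrack|nf_conntrack" ;;
            "-m conntrack")
                echo "conntrack match:CONFIG_NETFILTER_XT_MATCH_CONNTRACK:xt_conntrack"
                echo "conntrack core:CONFIG_IP_NF_CONNTRACK|CONFIG_NF_CONNTRACK:ip_conntrack|nf_conntrack" ;;
            "-j REJECT")     echo "REJECT target:CONFIG_IP_NF_TARGET_REJECT:ipt_REJECT" ;;
            "-j LOG")        echo "LOG target:CONFIG_IP_NF_TARGET_LOG:ipt_LOG" ;;
            "-j MASQUERADE") echo "MASQUERADE target:CONFIG_IP_NF_TARGET_MASQUERADE:ipt_MASQUERADE"
                             echo "nat table:CONFIG_IP_NF_NAT:iptable_nat" ;;
        esac
        shift
    done
}

# check_rule CONFIG_FILE LSMOD_FILE RULE -> one line per problem; no output
# means every requirement is built in or loaded.
check_rule() {
    cfg=$1; loaded=$2
    requirements_for_rule "$3" | sort -u | while IFS=: read -r feature syms mods; do
        status=unset; i=1
        for sym in $(printf '%s' "$syms" | tr '|' ' '); do
            mod=$(printf '%s' "$mods" | cut -d'|' -f"$i"); i=$((i + 1))
            if grep -q "^$sym=y$" "$cfg"; then
                status=ok
            elif grep -q "^$sym=m$" "$cfg"; then
                if grep -q "^$mod[[:space:]]" "$loaded"; then
                    status=ok
                elif [ "$status" = unset ]; then
                    status="module $mod built but not loaded (try: modprobe $mod)"
                fi
            fi
        done
        if [ "$status" = unset ]; then
            status="$(printf '%s' "$syms" | sed 's/|/ or /g') not set in the kernel config"
        fi
        if [ "$status" != ok ]; then echo "$feature: $status"; fi
    done
}

# rule_loadable CONFIG_FILE LSMOD_FILE RULE -> true if nothing is missing
rule_loadable() { [ -z "$(check_rule "$1" "$2" "$3")" ]; }

# Constructed inputs (not captured from a real machine), shaped like the thread's
# 2.6.16 reports: state match left unset, xt_tcpudp present only as a module.
CFG=$(mktemp); LSMOD_ALL=$(mktemp); LSMOD_NO_TCPUDP=$(mktemp)
cat >"$CFG" <<'EOF'
CONFIG_NETFILTER=y
CONFIG_NETFILTER_XTABLES=m
# CONFIG_NETFILTER_XT_MATCH_STATE is not set
CONFIG_IP_NF_CONNTRACK=y
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_TARGET_REJECT=m
EOF
cat >"$LSMOD_ALL" <<'EOF'
Module                  Size  Used by
xt_tcpudp               3968  0
ipt_REJECT              4864  0
iptable_filter          3200  0
ip_tables              11508  1 iptable_filter
x_tables               10244  3 xt_tcpudp,ipt_REJECT,ip_tables
EOF
grep -v '^xt_tcpudp' "$LSMOD_ALL" >"$LSMOD_NO_TCPUDP"

STATE_RULE='-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT'
TCP_RULE='-A INPUT -p tcp -m tcp --dport 80 -j REJECT'
echo "== $STATE_RULE"; check_rule "$CFG" "$LSMOD_ALL" "$STATE_RULE"
echo "== $TCP_RULE (xt_tcpudp loaded)"; check_rule "$CFG" "$LSMOD_ALL" "$TCP_RULE"
echo "== $TCP_RULE (xt_tcpudp not loaded)"; check_rule "$CFG" "$LSMOD_NO_TCPUDP" "$TCP_RULE"
```

On a live box the inputs are the real ones: `zcat /proc/config.gz >/tmp/cfg; lsmod >/tmp/mods; check_rule /tmp/cfg /tmp/mods "$STATE_RULE"`. Anything built in with =y never appears in lsmod, which is why the script only demands a loaded module for symbols set to =m; an unset symbol cannot be fixed by modprobe and needs the kernel option enabled and the kernel rebuilt.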
homry Tux's lil' helper
Joined: 01 Apr 2005 Posts: 146 Location: Karlsruhe, Germany
Posted: Mon May 22, 2006 6:40 pm
basement wrote:
I had this exact problem after initially following Sith_Happens' shorewall guide, and adding a few things necessary. I'm using kernel 2.6.16-r7, shorewall version 3.0.4, iptables version 1.3.4. In the kernel, I had enabled Xtables support and IP tables support. I added everything under IP tables support as modules. When I then tried starting shorewall, I got the same error as you. After playing around a bit, I found one option solving my problem. In menuconfig, under Xtables support, I added "state" match support (compiled it into the kernel). That made the problem go away.
Perfect! That helped! Thanks a lot.
homry
afabco Guru
Joined: 24 Feb 2004 Posts: 380
Posted: Thu May 25, 2006 9:07 pm
That did the trick. Thanks!
Quote:
I added "state" match support (compiled it into the kernel)
F.Ultra Apprentice
Joined: 17 Mar 2004 Posts: 169 Location: Sweden
Posted: Fri May 26, 2006 4:40 pm
OMG, what have the iptables team done? There are now way too many options and several of them seem to do the same thing. I hope there is some decent documentation coming out soon!
darcon n00b
Joined: 26 Jun 2004 Posts: 46
Posted: Mon May 29, 2006 1:09 am
Can someone please post their working kernel config? I've enabled everything I can find and I still can't get it to work.
JanisB n00b
Joined: 30 May 2005 Posts: 15
Posted: Mon Jun 12, 2006 11:37 pm
Code:
GentooBox / # grep STATE /usr/src/linux/.config
CONFIG_NETFILTER_XT_MATCH_STATE=y
So, I have enabled this stuff in the kernel, but still have the same as the 1st post. What's wrong?
P.S. Offtopic detected :)
loux.thefuture Tux's lil' helper
Joined: 15 Nov 2005 Posts: 135
Posted: Mon Jun 19, 2006 8:30 am
Hello,
I had the same error 4294967295 when I switched to hardened sources, but now everything works.
Below is my config:
uname -a:
Linux barton 2.6.14-hardened-r8 #1 PREEMPT Mon Jun 19 10:16:21 CEST 2006 i686 AMD Athlon(tm) XP 2600+ GNU/Linux
cat .config:
...
#
# IP: Netfilter Configuration
#
CONFIG_IP_NF_CONNTRACK=m
CONFIG_IP_NF_CT_ACCT=y
CONFIG_IP_NF_CONNTRACK_MARK=y
CONFIG_IP_NF_CONNTRACK_EVENTS=y
# CONFIG_IP_NF_CT_PROTO_SCTP is not set
CONFIG_IP_NF_FTP=m
CONFIG_IP_NF_IRC=m
# CONFIG_IP_NF_NETBIOS_NS is not set
CONFIG_IP_NF_TFTP=m
CONFIG_IP_NF_AMANDA=m
CONFIG_IP_NF_PPTP=m
# CONFIG_IP_NF_QUEUE is not set
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_MATCH_LIMIT=m
CONFIG_IP_NF_MATCH_IPRANGE=m
CONFIG_IP_NF_MATCH_MAC=m
CONFIG_IP_NF_MATCH_PKTTYPE=m
CONFIG_IP_NF_MATCH_MARK=m
CONFIG_IP_NF_MATCH_MULTIPORT=m
CONFIG_IP_NF_MATCH_TOS=m
CONFIG_IP_NF_MATCH_RECENT=m
CONFIG_IP_NF_MATCH_ECN=m
CONFIG_IP_NF_MATCH_DSCP=m
CONFIG_IP_NF_MATCH_AH_ESP=m
CONFIG_IP_NF_MATCH_LENGTH=m
CONFIG_IP_NF_MATCH_TTL=m
CONFIG_IP_NF_MATCH_TCPMSS=m
CONFIG_IP_NF_MATCH_STEALTH=m
CONFIG_IP_NF_MATCH_HELPER=m
CONFIG_IP_NF_MATCH_STATE=m
CONFIG_IP_NF_MATCH_CONNTRACK=m
CONFIG_IP_NF_MATCH_OWNER=m
CONFIG_IP_NF_MATCH_ADDRTYPE=m
CONFIG_IP_NF_MATCH_REALM=m
CONFIG_IP_NF_MATCH_SCTP=m
CONFIG_IP_NF_MATCH_DCCP=m
CONFIG_IP_NF_MATCH_COMMENT=m
CONFIG_IP_NF_MATCH_CONNMARK=m
CONFIG_IP_NF_MATCH_CONNBYTES=m
CONFIG_IP_NF_MATCH_HASHLIMIT=m
CONFIG_IP_NF_MATCH_STRING=m
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_TARGET_REJECT=m
CONFIG_IP_NF_TARGET_LOG=m
# CONFIG_IP_NF_TARGET_ULOG is not set
CONFIG_IP_NF_TARGET_TCPMSS=m
CONFIG_IP_NF_TARGET_NFQUEUE=m
CONFIG_IP_NF_NAT=m
CONFIG_IP_NF_NAT_NEEDED=y
CONFIG_IP_NF_TARGET_MASQUERADE=m
CONFIG_IP_NF_TARGET_REDIRECT=m
CONFIG_IP_NF_TARGET_NETMAP=m
CONFIG_IP_NF_TARGET_SAME=m
# CONFIG_IP_NF_NAT_SNMP_BASIC is not set
CONFIG_IP_NF_NAT_IRC=m
CONFIG_IP_NF_NAT_FTP=m
CONFIG_IP_NF_NAT_TFTP=m
CONFIG_IP_NF_NAT_AMANDA=m
CONFIG_IP_NF_NAT_PPTP=m
CONFIG_IP_NF_MANGLE=m
CONFIG_IP_NF_TARGET_TOS=m
CONFIG_IP_NF_TARGET_ECN=m
CONFIG_IP_NF_TARGET_DSCP=m
CONFIG_IP_NF_TARGET_MARK=m
CONFIG_IP_NF_TARGET_CLASSIFY=m
CONFIG_IP_NF_TARGET_TTL=m
CONFIG_IP_NF_TARGET_CONNMARK=m
# CONFIG_IP_NF_TARGET_CLUSTERIP is not set
CONFIG_IP_NF_RAW=m
CONFIG_IP_NF_TARGET_NOTRACK=m
CONFIG_IP_NF_ARPTABLES=m
CONFIG_IP_NF_ARPFILTER=m
CONFIG_IP_NF_ARP_MANGLE=m
...
Hope it will help you.
bye
loux
_________________
"So long and thanks for all the fish!"
nofff n00b
Joined: 26 Nov 2004 Posts: 27
Posted: Sat Jun 24, 2006 1:47 am
Works for me with -m conntrack --ctstate RELATED,ESTABLISHED
saepia n00b
Joined: 12 Sep 2004 Posts: 42 Location: Krakow or Szczecin @ Poland (Europe)
Posted: Fri Jun 30, 2006 7:58 pm
Suggestion: If you can't find the "state match support" option, select Layer 3 Independent Connection tracking (EXPERIMENTAL) in Core Netfilter Configuration.
_________________
marcin.lewandowski
doggizback n00b
Joined: 04 Dec 2004 Posts: 57
Posted: Mon Oct 30, 2006 11:45 am
Same troubles here. I appear to have every option under the sun enabled in the netfilter portion of the kernel config. No love just yet; wondering if it's something possibly as simple as updating iptables? I'm on 1.3.5-r1 currently; the latest out appears to be 1.3.5-r4.
Code:
gentoob0x linux # iptables -A INPUT -p udp -m udp --dport 1434 -j TARPIT
iptables: Unknown error 4294967295
and of course, the .config
Code:
gentoob0x linux # grep IP_NF_ .config
CONFIG_IP_NF_CONNTRACK=y
CONFIG_IP_NF_CT_ACCT=y
CONFIG_IP_NF_CONNTRACK_MARK=y
CONFIG_IP_NF_CONNTRACK_EVENTS=y
CONFIG_IP_NF_CONNTRACK_NETLINK=y
CONFIG_IP_NF_CT_PROTO_SCTP=y
CONFIG_IP_NF_FTP=y
CONFIG_IP_NF_IRC=y
CONFIG_IP_NF_NETBIOS_NS=y
CONFIG_IP_NF_TFTP=y
CONFIG_IP_NF_AMANDA=y
CONFIG_IP_NF_PPTP=y
# CONFIG_IP_NF_H323 is not set
# CONFIG_IP_NF_QUEUE is not set
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_MATCH_IPRANGE=y
CONFIG_IP_NF_MATCH_TOS=y
CONFIG_IP_NF_MATCH_RECENT=y
CONFIG_IP_NF_MATCH_ECN=y
CONFIG_IP_NF_MATCH_DSCP=y
CONFIG_IP_NF_MATCH_AH=y
CONFIG_IP_NF_MATCH_TTL=y
CONFIG_IP_NF_MATCH_OWNER=y
CONFIG_IP_NF_MATCH_ADDRTYPE=y
CONFIG_IP_NF_MATCH_HASHLIMIT=y
CONFIG_IP_NF_FILTER=y
CONFIG_IP_NF_TARGET_REJECT=y
CONFIG_IP_NF_TARGET_LOG=y
CONFIG_IP_NF_TARGET_ULOG=y
CONFIG_IP_NF_TARGET_TCPMSS=y
CONFIG_IP_NF_NAT=y
CONFIG_IP_NF_NAT_NEEDED=y
CONFIG_IP_NF_TARGET_MASQUERADE=y
CONFIG_IP_NF_TARGET_REDIRECT=y
CONFIG_IP_NF_TARGET_NETMAP=y
CONFIG_IP_NF_TARGET_SAME=y
CONFIG_IP_NF_NAT_SNMP_BASIC=y
CONFIG_IP_NF_NAT_IRC=y
CONFIG_IP_NF_NAT_FTP=y
CONFIG_IP_NF_NAT_TFTP=y
CONFIG_IP_NF_NAT_AMANDA=y
CONFIG_IP_NF_NAT_PPTP=y
CONFIG_IP_NF_MANGLE=y
CONFIG_IP_NF_TARGET_TOS=y
CONFIG_IP_NF_TARGET_ECN=y
CONFIG_IP_NF_TARGET_DSCP=y
CONFIG_IP_NF_TARGET_TTL=y
CONFIG_IP_NF_TARGET_CLUSTERIP=y
CONFIG_IP_NF_RAW=y
CONFIG_IP_NF_ARPTABLES=y
CONFIG_IP_NF_ARPFILTER=y
CONFIG_IP_NF_ARP_MANGLE=y
and
Code:
gentoob0x linux # grep NETFILTER .config
CONFIG_NETFILTER=y
CONFIG_NETFILTER_DEBUG=y
CONFIG_BRIDGE_NETFILTER=y
CONFIG_NETFILTER_NETLINK=y
CONFIG_NETFILTER_NETLINK_QUEUE=y
CONFIG_NETFILTER_NETLINK_LOG=y
CONFIG_NETFILTER_XTABLES=y
CONFIG_NETFILTER_XT_TARGET_CLASSIFY=y
CONFIG_NETFILTER_XT_TARGET_CONNMARK=y
CONFIG_NETFILTER_XT_TARGET_MARK=y
CONFIG_NETFILTER_XT_TARGET_NFQUEUE=y
CONFIG_NETFILTER_XT_TARGET_NOTRACK=y
CONFIG_NETFILTER_XT_MATCH_COMMENT=y
CONFIG_NETFILTER_XT_MATCH_CONNBYTES=y
CONFIG_NETFILTER_XT_MATCH_CONNMARK=y
CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y
CONFIG_NETFILTER_XT_MATCH_DCCP=y
CONFIG_NETFILTER_XT_MATCH_ESP=y
CONFIG_NETFILTER_XT_MATCH_HELPER=y
CONFIG_NETFILTER_XT_MATCH_LENGTH=y
CONFIG_NETFILTER_XT_MATCH_LIMIT=y
CONFIG_NETFILTER_XT_MATCH_MAC=y
CONFIG_NETFILTER_XT_MATCH_MARK=y
CONFIG_NETFILTER_XT_MATCH_POLICY=y
CONFIG_NETFILTER_XT_MATCH_MULTIPORT=y
CONFIG_NETFILTER_XT_MATCH_PHYSDEV=y
CONFIG_NETFILTER_XT_MATCH_PKTTYPE=y
CONFIG_NETFILTER_XT_MATCH_REALM=y
CONFIG_NETFILTER_XT_MATCH_SCTP=y
CONFIG_NETFILTER_XT_MATCH_STATE=y
CONFIG_NETFILTER_XT_MATCH_STRING=y
CONFIG_NETFILTER_XT_MATCH_TCPMSS=y
Now, as seen above, these are compiled into the kernel rather than modular. Is this typically a problem?
I have never been able to get TARPIT to work. Any ideas, anything specifically that I could post that would be of any use that I've omitted? Many thanks in advance.
DeathAndTaxes Tux's lil' helper
Joined: 27 Mar 2003 Posts: 124
Posted: Wed Nov 22, 2006 9:48 pm
Does this error just spontaneously occur? I've only run gentoo-sources 2.6.17-gentoo-r4 and iptables 1.3.5-r1 EVER, and suddenly this error is coming up with -m state --state ESTABLISHED,RELATED.
It *was* working for the past 60 days (60 days' uptime), so what could have happened?!?