Kenji Miyamoto (Veteran)
Joined: 28 May 2005 Posts: 1452 Location: Looking over your shoulder.

Posted: Fri Mar 02, 2007 6:38 pm Post subject: Kernel Upgrade to 2.6.20 "Broke" Iptables (SOLVED)
When I upgraded to suspend2-sources 2.6.20 (and rebuilt everything against its headers), iptables broke. The following set of rules, which worked previously, now fails to load at the COMMIT line:

```
# Generated by iptables-save v1.3.7 on Fri Jan 12 23:18:19 2007
*raw
:PREROUTING ACCEPT [836:729609]
:OUTPUT ACCEPT [855:75020]
COMMIT
# Completed on Fri Jan 12 23:18:19 2007
# Generated by iptables-save v1.3.7 on Fri Jan 12 23:18:19 2007
*mangle
:PREROUTING ACCEPT [836:729609]
:INPUT ACCEPT [834:728953]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [855:75020]
:POSTROUTING ACCEPT [855:75020]
COMMIT
# Completed on Fri Jan 12 23:18:19 2007
# Generated by iptables-save v1.3.7 on Fri Jan 12 23:18:19 2007
*filter
:INPUT ACCEPT [834:728953]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [855:75020]
# NTP
#-A OUTPUT -p udp -m state --state NEW,RELATED,ESTABLISHED --dport 123 -j ACCEPT
#-A INPUT -p udp -m state --state RELATED,ESTABLISHED --sport 123 -j ACCEPT
# CUPS
#-A OUTPUT -p udp -m state --state NEW,RELATED,ESTABLISHED --sport 631 -j ACCEPT
#-A OUTPUT -p udp -m state --state NEW,RELATED,ESTABLISHED --dport 631 -j ACCEPT
#-A OUTPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED --dport 631 -j ACCEPT
#-A INPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED --sport 631 -j ACCEPT
#-A INPUT -p udp -m state --state NEW,RELATED,ESTABLISHED --sport 631 -j ACCEPT
#-A INPUT -p udp -m state --state NEW,RELATED,ESTABLISHED --dport 631 -j ACCEPT
# BITTORRENT
#-A OUTPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED --dport 6969 -j ACCEPT
#-A OUTPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED --dport 6881:6889 -j ACCEPT
#-A INPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED --sport 6969 -j ACCEPT
#-A INPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED --sport 6881:6889 -j ACCEPT
# FTP
#-A OUTPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED --dport 20:21 -j ACCEPT
#-A OUTPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED --dport 1024:65535 -j ACCEPT
#-A INPUT -p tcp -m state --state RELATED,ESTABLISHED --sport 20:21 -j ACCEPT
#-A INPUT -p tcp -m state --state RELATED,ESTABLISHED --sport 1024:65535 -j ACCEPT
# SSH
#-A OUTPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED --sport 5132 -j ACCEPT
#-A INPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED --dport 5132 -j ACCEPT
#-A OUTPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED --dport 5132 -j ACCEPT
#-A INPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED --sport 5132 -j ACCEPT
#-A OUTPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED --dport 22 -j ACCEPT
#-A INPUT -p tcp -m state --state RELATED,ESTABLISHED --sport 22 -j ACCEPT
# DHCP
#-A INPUT -p icmp -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
#-A OUTPUT -p icmp -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
#-A INPUT -p udp -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
#-A OUTPUT -p udp -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
# IMPORTANT
#-A OUTPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED --dport 8001 -j ACCEPT
#-A OUTPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED --dport 5921 -j ACCEPT
#-A OUTPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED --dport 80 -j ACCEPT
#-A OUTPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED --dport 443 -j ACCEPT
#-A OUTPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED --dport 873 -j ACCEPT
#-A INPUT -p tcp -m state --state RELATED,ESTABLISHED --sport 8001 -j ACCEPT
#-A INPUT -p tcp -m state --state RELATED,ESTABLISHED --sport 5921 -j ACCEPT
#-A INPUT -p tcp -m state --state RELATED,ESTABLISHED --sport 80 -j ACCEPT
#-A INPUT -p tcp -m state --state RELATED,ESTABLISHED --sport 443 -j ACCEPT
#-A INPUT -p tcp -m state --state RELATED,ESTABLISHED --sport 873 -j ACCEPT
# MESSENGERS
#-A OUTPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED --dport 1863 -j ACCEPT
#-A OUTPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED --dport 6891 -j ACCEPT
#-A OUTPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED --dport 5050 -j ACCEPT
#-A OUTPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED --dport 5190 -j ACCEPT
#-A OUTPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED --dport 5222:5223 -j ACCEPT
#-A OUTPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED --sport 8010 -j ACCEPT
#-A OUTPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED --dport 8010 -j ACCEPT
#-A INPUT -p tcp -m state --state RELATED,ESTABLISHED --sport 1863 -j ACCEPT
#-A INPUT -p tcp -m state --state RELATED,ESTABLISHED --sport 6891 -j ACCEPT
#-A INPUT -p tcp -m state --state RELATED,ESTABLISHED --sport 5050 -j ACCEPT
#-A INPUT -p tcp -m state --state RELATED,ESTABLISHED --sport 5190 -j ACCEPT
#-A INPUT -p tcp -m state --state RELATED,ESTABLISHED --sport 5222:5223 -j ACCEPT
#-A INPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED --dport 8010 -j ACCEPT
#-A INPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED --sport 8010 -j ACCEPT
# NFS
#-A OUTPUT -p udp -m state --state NEW,RELATED,ESTABLISHED --sport 111 -j ACCEPT
#-A OUTPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED --sport 111 -j ACCEPT
#-A OUTPUT -p udp -m state --state NEW,RELATED,ESTABLISHED --dport 111 -j ACCEPT
#-A OUTPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED --dport 111 -j ACCEPT
#-A INPUT -p udp -m state --state NEW,RELATED,ESTABLISHED --sport 111 -j ACCEPT
#-A INPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED --sport 111 -j ACCEPT
#-A INPUT -p udp -m state --state NEW,RELATED,ESTABLISHED --dport 111 -j ACCEPT
#-A INPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED --dport 111 -j ACCEPT
#-A OUTPUT -p udp -m state --state NEW,RELATED,ESTABLISHED --dport 2049 -j ACCEPT
#-A INPUT -p udp -m state --state NEW,RELATED,ESTABLISHED --sport 2049 -j ACCEPT
#-A OUTPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED --sport 4000:4005 -j ACCEPT
#-A INPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED --dport 4000:4005 -j ACCEPT
#-A OUTPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED --dport 4000:4005 -j ACCEPT
#-A INPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED --sport 4000:4005 -j ACCEPT
#-A OUTPUT -p udp -m state --state NEW,RELATED,ESTABLISHED --sport 4000:4005 -j ACCEPT
#-A INPUT -p udp -m state --state NEW,RELATED,ESTABLISHED --dport 4000:4005 -j ACCEPT
#-A OUTPUT -p udp -m state --state NEW,RELATED,ESTABLISHED --dport 4000:4005 -j ACCEPT
#-A INPUT -p udp -m state --state NEW,RELATED,ESTABLISHED --sport 4000:4005 -j ACCEPT
#-A OUTPUT -p udp -m state --state NEW,RELATED,ESTABLISHED --dport 1009 -j ACCEPT
#-A INPUT -p udp -m state --state NEW,RELATED,ESTABLISHED --sport 1009 -j ACCEPT
# MYSQL 3306
#-A OUTPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED --dport 3306 -j ACCEPT
#-A INPUT -p tcp -m state --state RELATED,ESTABLISHED --sport 3306 -j ACCEPT
# ARBITRARY
#-A OUTPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED --sport 10024 -j ACCEPT
#-A INPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED --dport 10024 -j ACCEPT
# DNS
#-A OUTPUT -p tcp -m state --state NEW,ESTABLISHED --dport 53 -j ACCEPT
#-A OUTPUT -p udp -m state --state NEW,ESTABLISHED --dport 53 -j ACCEPT
#-A OUTPUT -p tcp -m state --state NEW,ESTABLISHED --sport 53 -j ACCEPT
#-A OUTPUT -p udp -m state --state NEW,ESTABLISHED --sport 53 -j ACCEPT
#-A INPUT -p tcp -m state --state ESTABLISHED --dport 53 -j ACCEPT
#-A INPUT -p udp -m state --state ESTABLISHED --dport 53 -j ACCEPT
#-A INPUT -p tcp -m state --state ESTABLISHED --sport 53 -j ACCEPT
#-A INPUT -p udp -m state --state ESTABLISHED --sport 53 -j ACCEPT
# LO
-A INPUT -i tun0 -j ACCEPT
-A INPUT -i br0 -j ACCEPT
-A OUTPUT -o tun0 -j ACCEPT
-A OUTPUT -o br0 -j ACCEPT
-A OUTPUT -o lo -s 127.0.0.1/8 -d 127.0.0.1/8 -j ACCEPT
-A INPUT -i lo -s 127.0.0.1/8 -d 127.0.0.1/8 -j ACCEPT
# REJECT
-A OUTPUT -j LOG --log-prefix "OUTPUT_DROP: "
-A INPUT -j LOG --log-prefix "INPUT_DROP: "
-A OUTPUT -j DROP
-A INPUT -j DROP
COMMIT
# Completed on Fri Jan 12 23:18:19 2007
```

I've narrowed it down to the "state" match support vanishing. Even though the search finds the state match support under the xtables support, it actually doesn't exist there. What happened to menuconfig? Where has the option gone?

_________________
[ Kawa-kun, new and improved!! ]
Alex Libman seems to be more of an anarchist than a libertarian.
Alex Libman seems to be more of an anarchist than a libertarian.
Last edited by Kenji Miyamoto on Sat Mar 03, 2007 6:13 am; edited 3 times in total
Dan (Veteran)
Joined: 25 Oct 2005 Posts: 1302

Posted: Fri Mar 02, 2007 7:47 pm
I'm using gentoo-sources 2.6.20 without issues, with iptables 1.3.7.
Double-check your kernel .config and make sure you didn't leave anything out.
2.6.20 had quite a few NET changes.

_________________
- Failure is not an option. It's bundled with your software.
Kenji Miyamoto (Veteran)
Joined: 28 May 2005 Posts: 1452 Location: Looking over your shoulder.

Posted: Fri Mar 02, 2007 10:18 pm
Then please explain where the configuration option for "state" is:

```
<*> Netfilter netlink interface
<*> Netfilter NFQUEUE over NFNETLINK interface
<*> Netfilter LOG over NFNETLINK interface
< > Netfilter connection tracking support
<*> Netfilter Xtables support (required for ip_tables)
<*> "CLASSIFY" target support
< > "DSCP" target support
<*> "MARK" target support
<*> "NFQUEUE" target Support
< > "NFLOG" target support
<*> "comment" match support
<*> "DCCP" protocol match support
<*> "DSCP" match support
<*> "ESP" match support
<*> "length" match support
<*> "limit" match support
<*> "mac" address match support
<*> "mark" match support
<*> IPsec "policy" match support
<*> Multiple port match support
< > "physdev" match support
<*> "pkttype" packet type match support
<*> "quota" match support
<*> "realm" match support
<*> "sctp" protocol match support (EXPERIMENTAL)
<*> "statistic" match support
<*> "string" match support
<*> "tcpmss" match support
< > "hashlimit" match support
```

```
Symbol: NETFILTER_XT_MATCH_STATE [=n]
Prompt: "state" match support
Defined at net/netfilter/Kconfig:586
Depends on: NET && INET && NETFILTER && NETFILTER_XTABLES && (IP_NF_CONNTRACK || NF_CONNTRACK)
Location:
  -> Networking
    -> Networking support (NET [=y])
      -> Networking options
        -> Network packet filtering framework (Netfilter) (NETFILTER [=y])
          -> Core Netfilter Configuration
            -> Netfilter Xtables support (required for ip_tables) (NETFILTER_XTABLES [=y])
```

Also, after adding "NETFILTER_XT_MATCH_STATE=y" in .config, nothing new was compiled with make, and the line was removed in doing so.

```
#
# Core Netfilter Configuration
#
CONFIG_NETFILTER_NETLINK=y
CONFIG_NETFILTER_NETLINK_QUEUE=y
CONFIG_NETFILTER_NETLINK_LOG=y
# CONFIG_NF_CONNTRACK_ENABLED is not set
CONFIG_NETFILTER_XTABLES=y
CONFIG_NETFILTER_XT_TARGET_CLASSIFY=y
# CONFIG_NETFILTER_XT_TARGET_DSCP is not set
CONFIG_NETFILTER_XT_TARGET_MARK=y
CONFIG_NETFILTER_XT_TARGET_NFQUEUE=y
# CONFIG_NETFILTER_XT_TARGET_NFLOG is not set
CONFIG_NETFILTER_XT_MATCH_COMMENT=y
CONFIG_NETFILTER_XT_MATCH_DCCP=y
CONFIG_NETFILTER_XT_MATCH_DSCP=y
CONFIG_NETFILTER_XT_MATCH_ESP=y
CONFIG_NETFILTER_XT_MATCH_LENGTH=y
CONFIG_NETFILTER_XT_MATCH_LIMIT=y
CONFIG_NETFILTER_XT_MATCH_MAC=y
CONFIG_NETFILTER_XT_MATCH_MARK=y
CONFIG_NETFILTER_XT_MATCH_POLICY=y
CONFIG_NETFILTER_XT_MATCH_MULTIPORT=y
# CONFIG_NETFILTER_XT_MATCH_PHYSDEV is not set
CONFIG_NETFILTER_XT_MATCH_PKTTYPE=y
CONFIG_NETFILTER_XT_MATCH_QUOTA=y
CONFIG_NETFILTER_XT_MATCH_REALM=y
CONFIG_NETFILTER_XT_MATCH_SCTP=y
CONFIG_NETFILTER_XT_MATCH_STATISTIC=y
CONFIG_NETFILTER_XT_MATCH_STRING=y
CONFIG_NETFILTER_XT_MATCH_TCPMSS=y
# CONFIG_NETFILTER_XT_MATCH_HASHLIMIT is not set
```
impulze (Tux's lil' helper)
Joined: 23 Sep 2006 Posts: 82 Location: Taunusstein, Germany

Posted: Fri Mar 02, 2007 10:37 pm
Kenji Miyamoto wrote:
> Then please explain where the configuration option for "state" is:

CONFIG_NETFILTER_XT_MATCH_STATE=y/m

```
Symbol: NETFILTER_XT_MATCH_STATE [=n]
Prompt: "state" match support
Defined at net/netfilter/Kconfig:399
Depends on: NET && NETFILTER && NETFILTER_XTABLES && (IP_NF_CONNTRACK || NF_CONNTRACK)
Location:
  -> Networking
    -> Networking support (NET [=y])
      -> Networking options
        -> Network packet filtering (replaces ipchains) (NETFILTER [=y])
          -> Core Netfilter Configuration
            -> Netfilter Xtables support (required for ip_tables) (NETFILTER_XTABLES [=y])
```

{edit}
Oops, you already stated that.
Well, did you try a new configuration? Same issue there?

_________________
Please add [SOLVED] to your thread title when the issue no longer exists or has been solved for you. Thank you.
PaulBredbury (Watchman)
Joined: 14 Jul 2005 Posts: 7310

Posted: Fri Mar 02, 2007 10:51 pm
Kenji Miyamoto wrote:
> after adding a "NETFILTER_XT_MATCH_STATE=y" in .config

Use make menuconfig instead. From /usr/src/linux/.config:

> # Automatically generated make config: don't edit
Kenji Miyamoto (Veteran)
Joined: 28 May 2005 Posts: 1452 Location: Looking over your shoulder.

Posted: Sat Mar 03, 2007 5:12 am
The problem was that "connection tracking" wasn't enabled, and it wasn't required for previous versions of the kernel.
Kenji Miyamoto (Veteran)
Joined: 28 May 2005 Posts: 1452 Location: Looking over your shoulder.

Posted: Sat Mar 03, 2007 5:38 am
It still doesn't work:

```
# zcat /proc/config.gz | grep STATE
CONFIG_NETFILTER_XT_MATCH_STATE=y
```

```
# iptables -A OUTPUT -p udp -m state --state NEW,ESTABLISHED --sport 53 -j ACCEPT
iptables: Invalid argument
```

So, now what's wrong?

EDIT: Never mind, IPv4 connection tracking needed to be enabled in addition to the "core" tracking.
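Editor's note with an added example (this script is not from the thread and not part of any Gentoo or netfilter tooling). The thread shows two distinct failures of the same rule: first Kconfig silently drops NETFILTER_XT_MATCH_STATE because its conntrack dependency is unmet (hand-editing .config does nothing, as PaulBredbury points out), then, with only the core NF_CONNTRACK enabled, the kernel still rejects `-m state` on an IPv4 table with "Invalid argument" until NF_CONNTRACK_IPV4 is built too. Because iptables-restore applies each table atomically at COMMIT, a rejected table leaves the kernel with whatever was there before, which at boot is the ACCEPT default policy on every chain: the box fails open. The script below walks an iptables-save ruleset, works out which CONFIG_ symbols the active rules need, and checks a .config (for a live system, `zcat /proc/config.gz`) against them, so the gap is found before the firewall is supposed to be up. Symbol names, the ruleset and the three .config fragments are constructed to mirror the 2.6.20-era thread and are assumptions: on that kernel conntrack is either the old IP_NF_CONNTRACK or NF_CONNTRACK plus NF_CONNTRACK_IPV4, and LOG is still IP_NF_TARGET_LOG; later kernels renamed several of these.

```shell
#!/bin/sh
# Added example (editor's, not from the thread): derive the kernel CONFIG_
# symbols an iptables-save ruleset needs and check a .config for them before
# iptables-restore is run. Symbol names are 2.6.20-era: conntrack is either
# the old IP_NF_CONNTRACK or the new NF_CONNTRACK core plus NF_CONNTRACK_IPV4;
# later kernels drop IP_NF_CONNTRACK and move LOG to NETFILTER_XT_TARGET_LOG.

# Print the symbols a ruleset needs, one per line; "A|B" means either one
# satisfies the requirement. Only uncommented lines count: commented-out
# rules (most of the poster's file) never reach the kernel.
required_symbols() {
    active=$(grep -v '^[[:space:]]*#' "$1" || true)
    uses() { printf '%s\n' "$active" | grep -Eq -- "$1"; }
    {
        if uses '^\*';         then echo CONFIG_IP_NF_IPTABLES; echo CONFIG_NETFILTER_XTABLES; fi
        if uses '^\*raw$';     then echo CONFIG_IP_NF_RAW;    fi
        if uses '^\*mangle$';  then echo CONFIG_IP_NF_MANGLE; fi
        if uses '^\*filter$';  then echo CONFIG_IP_NF_FILTER; fi
        if uses '-j LOG( |$)'; then echo CONFIG_IP_NF_TARGET_LOG; fi
        if uses '-m limit ';   then echo CONFIG_NETFILTER_XT_MATCH_LIMIT; fi
        if uses '-m state '; then
            # xt_state is a thin wrapper over conntrack: inserting it into an
            # IPv4 table also needs the AF_INET layer-3 handler, or the kernel
            # rejects the rule with EINVAL ("iptables: Invalid argument").
            echo CONFIG_NETFILTER_XT_MATCH_STATE
            echo 'CONFIG_IP_NF_CONNTRACK|CONFIG_NF_CONNTRACK'
            echo 'CONFIG_IP_NF_CONNTRACK|CONFIG_NF_CONNTRACK_IPV4'
        fi
    } | sort -u
}

# Print the required symbols that CONFIG_FILE ($1) does not set to y or m for
# RULESET ($2). Returns 1 if anything is missing, 0 if the ruleset should load.
missing_symbols() {
    config="$1"
    rc=0
    for req in $(required_symbols "$2"); do
        ok=0
        for alt in $(printf '%s\n' "$req" | tr '|' ' '); do
            if grep -Eq "^${alt}=[ym]$" "$config"; then ok=1; fi
        done
        if [ "$ok" -eq 0 ]; then
            echo "$req"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample inputs (not the poster's real files) in directory $1: a
# trimmed filter table that really uses -m state and -j LOG, plus .config
# fragments for the three states the thread went through.
write_samples() {
    dir="$1"
    cat > "$dir/rules" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
#-A INPUT -m limit --limit 1/s -j LOG --log-prefix "RATE: "
-A INPUT -p udp -m state --state RELATED,ESTABLISHED --sport 123 -j ACCEPT
-A INPUT -j LOG --log-prefix "INPUT_DROP: "
-A INPUT -j DROP
COMMIT
EOF
    common='CONFIG_NETFILTER_XTABLES=y
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_FILTER=y
CONFIG_IP_NF_TARGET_LOG=y'
    # Step 0: conntrack never enabled, so Kconfig silently dropped XT_MATCH_STATE.
    printf '%s\n# CONFIG_NF_CONNTRACK_ENABLED is not set\n' "$common" > "$dir/step0.config"
    # Step 1: core conntrack on, state match built, IPv4 layer-3 part still off.
    printf '%s\nCONFIG_NF_CONNTRACK=y\nCONFIG_NETFILTER_XT_MATCH_STATE=y\n' "$common" > "$dir/step1.config"
    # Step 2: IPv4 conntrack added; this is the configuration that finally worked.
    printf '%s\nCONFIG_NF_CONNTRACK=y\nCONFIG_NF_CONNTRACK_IPV4=y\nCONFIG_NETFILTER_XT_MATCH_STATE=y\n' "$common" > "$dir/step2.config"
}

# Walk the three steps. Against a live box use the running kernel's config:
#   zcat /proc/config.gz > /tmp/cfg && missing_symbols /tmp/cfg /var/lib/iptables/rules-save
dir=$(mktemp -d)
write_samples "$dir"
for step in step0 step1 step2; do
    if missing=$(missing_symbols "$dir/$step.config" "$dir/rules"); then
        echo "$step: all required symbols present, ruleset should load"
    else
        echo "$step: missing $(printf '%s' "$missing" | tr '\n' ' ')"
    fi
done
rm -rf "$dir"
```

The check is deliberately conservative: an "A|B" line is satisfied by either conntrack stack, but for the new stack both NF_CONNTRACK and NF_CONNTRACK_IPV4 must be present, which is exactly the second failure in the thread. Requiring the layer-3 part separately is what `iptables -m state -h` cannot tell you, since the userspace extension loads fine either way.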