Iptables

[josiah47]

Im trying to follow this guide

http://gentoo-wiki.com/HOWTO_Iptables_for_newbies#Kernel_Support

But when i get to this command

iptables-save > /etc/iptables.bak

i get this error

getsockopt failed strangely: No such file or directory

i have compiled support directly into the kernel, have double checked it, and even recompiled and tried again.
Do i have to compile them as modules?

Also anytime i try to do something with iptables it give the command, like start it, or trying to run ipkungfu.

Can anyone help me out?

Thanks
_________________
Josiah

[ecks]

loading them as modules would be alot easier to debug, id suggest you do that, and then manually try to load the modules into the kernel using modprobe and lsmod. if it gives you any errors at least you will know which module failed. you can also try looking at this guide too for the kernel options you have to enable. good luck and if youre still having trouble, please post your .config file.

[Hu]

Building it into the kernel is fine. Please post the output of emerge --info; emerge -pv iptables; zgrep -E '^[^#]' /proc/config.gz. Also, when posting error messages, please include the exact error text. Ideally, use the [code] (see Forum help: Outputting code or fixed width data) tag and include both the command you typed and the output it produced.

[josiah47]

[Hu]

There is nothing obviously wrong with your configuration, but you are missing quite a few options I normally use with firewall machines. You do not have automatic module loading turned on, which is recommended by the HOWTO (though it should not be required since you built in all the iptables functionality that you built at all).

The only options I use that you do not, which I expect could matter, are CONFIG_NETFILTER_NETLINK=y and CONFIG_IP_NF_MANGLE=y. I have a good many more differences due to richer tracking and mangling support. I should emphasize that I am not certain those two options are the cause of your problem, but they are the most obvious differences between my working configuration and your non-working one.

If changing those does not help, build various iptables options as modules and modprobe them until you find the culprit. I have never seen this particular error message occur, and would like to know which option is relevant, so please post back when you find it.

Based on inspection of the iptables code, you may be able to derive more information by emerging dev-util/strace and running strace iptables-save > /dev/null to show the system calls it makes. If you post that output, we may be able to isolate which getsockopt call is failing. However, knowing which call is failing may not enable us to immediately identify the correct kernel configuration option.

[josiah47]

bogie ~ # strace iptables-save >/dev/null
execve("/sbin/iptables-save", ["iptables-save"], [/* 28 vars */]) = 0
uname({sys="Linux", node="bogie", ...}) = 0
brk(0) = 0x80ec000
brk(0x80eccb0) = 0x80eccb0
set_thread_area({entry_number:-1 -> 6, base_addr:0x80ec830, limit:1048575, seg_3 2bit:1, contents:0, read_exec_only:0, limit_in_pages:1, seg_not_present:0, useab le:1}) = 0
brk(0x810dcb0) = 0x810dcb0
brk(0x810e000) = 0x810e000
socket(PF_INET, SOCK_RAW, IPPROTO_RAW) = 3
getsockopt(3, SOL_IP, 0x42 /* IP_??? */, 0xbfeca63a, 0xbfeca658) = -1 ENOENT (No such file or directory)
write(2, "getsockopt failed strangely: No "..., 55getsockopt failed strangely: N o such file or directory
) = 55
exit_group(1) = ?
Process 5738 detached
_________________
Josiah

[DavidMCS]

Are you using multiport rules by any chance?

Seems to me I remember some issue with iptables and multiport rules
generating that error.

--

[jakomo]

Hi!

I'll take the risk of, perhaps, saying something inapropiate but just a small question

Do you want to learn iptables or do you just want to setup your firewall?

Because if you're just looking for a way to setup your firewall, guarddog is waaaaay easier It's a nice graphical application that blocks everything by default and then lets you allow your traffic on a per protocol basis. It's really easy to use. Its companion, guidedog, easily lets you setup masquerading and port forwarding.

But if you need/want to learn iptables, just forget about this

Have fun,

jakomo

[Hu]

jakomo: right now, the iptables commands do not work for him. As far as I know, all the "firewall builder" tools are just wrappers around iptables, so fixing iptables is a requirement to make progress on this.

Josiah: based on that strace, I think getsockopt is returning -ENOENT for a call of IPT_SO_GET_REVISION_MATCH. The Netfilter code returns this if it does not find an entry in the match list in x_tables.c. It appears that this list will be empty with your kernel configuration. Add support for the IPv4 conntrack match and your problem should go away. If this works, it would be worth reporting to the Netfilter developers. It is possible to build a decent firewall without any of the matches that are placed in that list, so requiring those options to be enabled in order to use iptables seems a bit odd.

[josiah47]

Hello,
Thanks for all your responses.
i figured it out, i have static as a USE flag in make.conf for something else maybe DHCP.
anyways took it out remerged and bam works like a beaut, now just have to figure out how to route my one network eth1 to eth0 two different subnets
192.168.210.0 on eth1, kiosk network
192.168.201.0 on eth0 , servers

and i want eth1 to talk to eth0 servers
_________________
Josiah