ip_tables for the 1000th time [solved] (I am soothed]

kamagurka · Last edited by kamagurka on Thu Apr 21, 2005 12:52 pm; edited 1 time in total

Ok, so I'm trying to get iptables running for what seems to be the 1000th time (this time with shorewall), and it just isn't happening. At first, I compiled ip_tables as a module, but that didn't work. So I just compiled it into the kernel itself, reemerged iptables, and tried starting shorewall, but guess what? For some reason, iptables complains that it can't find the module ip_tables:

mekong · Posted: Tue Apr 19, 2005 4:17 pm Post subject:

Did you forget to mount /boot after compile the new kernel? It's a common mistake. You can check the support for iptables of the current running kernel by doing this:

"zcat /proc/config.gz | grep _NF_"

kamagurka · Posted: Tue Apr 19, 2005 4:35 pm Post subject:

mekong · Posted: Tue Apr 19, 2005 4:53 pm Post subject:

Do you use lilo or grub? Do you forget to change the config of grub or lilo to point to the new kernel? You can add config.gz option on menuconfig: General Setup -> Enable access to .config through /proc/config.gz It helps me a lot when I'm lacking of coffee and making those common mistakes. Good luck. :wink:

kamagurka · Posted: Tue Apr 19, 2005 5:34 pm Post subject:

thanks for the pointer to the config.gz thing. I am however *positive* that I am running on the kernel I compiled. It's really some other problem.
BTW: I recompiled ip_tables as a module, (it also shows up in lsmod), reemerged iptables repea#tedly, but still no go. The errormessage has changed a bit, tho:

mekong · Posted: Tue Apr 19, 2005 5:50 pm Post subject:

Could you post your .config file?
Table filter support should be this line "CONFIG_IP_NF_FILTER=y"

On Menuconfig:
Device Drivers -> Networking support -> Networking options -> Network packet filtering -> IP: Netfilter Configuration -> Packet filtering [x]

kamagurka · Posted: Tue Apr 19, 2005 6:02 pm Post subject:

mekong · Posted: Tue Apr 19, 2005 6:35 pm Post subject:

Just select all options under IP: Netfilter Configuration, I'm sure you forget something shorewall need :twisted:

I can't get much info from the last error report. I don't know much about shorwall, can you generate the iptables rules with it then instead to run them all at once you run the iptables rule one by one? I can't guess which one kernel module shorewall need.

kamagurka · Posted: Tue Apr 19, 2005 6:55 pm Post subject:

Nope, that didn't help at all; I enabled everything (and I mean everything) in there, and nothing changes.
_________________
If you loved me, you'd all kill yourselves today.
--Spider Jerusalem, the Word

mekong · Posted: Tue Apr 19, 2005 7:07 pm Post subject:

Iptables could be very tricky, it needs support on both kernel- and userland, so maybe you've enabled all the support in the kernel but not in the iptables program itself. Try to recompile iptables with this USE flag "extensions"

kamagurka · Posted: Tue Apr 19, 2005 7:32 pm Post subject:

mekong · Posted: Tue Apr 19, 2005 7:55 pm Post subject:

Shorewall is sure complicated for a bash script which generate iptables rules :lol:

I think you better type those iptables rules directly which may cost less time reading dozen of shorewall config files.

From shorewall website

http://www.shorewall.net/ErrorMessages.html :lol:

kamagurka · Posted: Tue Apr 19, 2005 10:59 pm Post subject:

Alright, this was really helpful. The first thing I did was to upgrade to the ~x86 version of shorewall, since it seems to serve up much better output. Then I ran a "shorewall check". Here's the interesting bits:

splooge · l33t Joined: 30 Aug 2002 Posts: 636

<*> Connection state match support CONFIG_IP_NF_MATCH_STATE
<*> Connection tracking match support CONFIG_IP_NF_MATCH_CONNTRACK

Make sure those are enabled in your kernel or compiled as modules:
Device Drivers -> Networking Support -> Networking Options -> Network packet filtering (replaces ipchains) -> IP Netfilter Configuration
_________________
http://get.a.clue.de