Gentoo Forums
shorewall doesn't start (iptables complains) [solved]
Forum: Networking & Security
Pajarico
Guru

Joined: 01 May 2004
Posts: 493
Location: Madrid, España.

Posted: Sun Feb 05, 2006 12:17 am    Post subject: shorewall doesn't start (iptables complains) [solved]

Hi,

I have followed this howto. But when I try to start shorewall I get the following:
Code:
hal2000 lxuser # /etc/init.d/shorewall start
 * Re-caching dependency info (mtimes differ)...
 * Starting firewall ...
iptables: Unknown error 18446744073709551615
   ERROR: Command "/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT" Failed
iptables: Unknown error 18446744073709551615
iptables: Unknown error 18446744073709551615
/etc/init.d/shorewall: line 14: 11163 Terminated             /sbin/shorewall start >/dev/null
[ !! ]
hal2000 lxuser #


Any ideas?

shorewall 2.4.2
iproute2 2.6.11.20050310-r1
iptables 1.3.5
kernel 2.6.14-r5
_________________
Gentoo: the only software worth paying that is free.


Last edited by Pajarico on Sun Feb 05, 2006 2:54 pm; edited 1 time in total
rlittle
Apprentice

Joined: 17 Dec 2003
Posts: 200

Posted: Sun Feb 05, 2006 1:08 am

I don't have any idea if this is part of your problem or not, but last time I tried, not everything works if you compile iptables with the +ipv6 switch enabled, as in:

Code:
 ~ # emerge -pv iptables

These are the packages that I would merge, in order:

Calculating dependencies ...done!
[ebuild     U ] net-firewall/iptables-1.3.5 [1.3.4] -extensions -ipv6 -static 187 kB

Total size of downloads: 187 kB


..but if no one else has a better suggestion, recompile iptables with -ipv6 and try again. (?)
_________________
I need a better signature...
Pajarico
Guru

Joined: 01 May 2004
Posts: 493
Location: Madrid, España.

Posted: Sun Feb 05, 2006 1:29 am

Thank you. Everything on my system is already compiled with '-ipv6'.

From what I read in another thread, iptables is probably missing some of the netfilter options. My kernel config is as follows:
Code:
hal2000 lxuser # zgrep -i IP_NF_ /proc/config.gz
CONFIG_IP_NF_CONNTRACK=y
# CONFIG_IP_NF_CT_ACCT is not set
# CONFIG_IP_NF_CONNTRACK_MARK is not set
# CONFIG_IP_NF_CONNTRACK_EVENTS is not set
# CONFIG_IP_NF_CT_PROTO_SCTP is not set
# CONFIG_IP_NF_FTP is not set
# CONFIG_IP_NF_IRC is not set
# CONFIG_IP_NF_NETBIOS_NS is not set
# CONFIG_IP_NF_TFTP is not set
# CONFIG_IP_NF_AMANDA is not set
# CONFIG_IP_NF_PPTP is not set
# CONFIG_IP_NF_QUEUE is not set
CONFIG_IP_NF_IPTABLES=y
# CONFIG_IP_NF_MATCH_LIMIT is not set
# CONFIG_IP_NF_MATCH_IPRANGE is not set
# CONFIG_IP_NF_MATCH_MAC is not set
# CONFIG_IP_NF_MATCH_PKTTYPE is not set
# CONFIG_IP_NF_MATCH_MARK is not set
# CONFIG_IP_NF_MATCH_MULTIPORT is not set
# CONFIG_IP_NF_MATCH_TOS is not set
# CONFIG_IP_NF_MATCH_RECENT is not set
# CONFIG_IP_NF_MATCH_ECN is not set
# CONFIG_IP_NF_MATCH_DSCP is not set
# CONFIG_IP_NF_MATCH_AH_ESP is not set
# CONFIG_IP_NF_MATCH_LENGTH is not set
# CONFIG_IP_NF_MATCH_TTL is not set
# CONFIG_IP_NF_MATCH_TCPMSS is not set
# CONFIG_IP_NF_MATCH_HELPER is not set
# CONFIG_IP_NF_MATCH_STATE is not set
# CONFIG_IP_NF_MATCH_CONNTRACK is not set
# CONFIG_IP_NF_MATCH_OWNER is not set
# CONFIG_IP_NF_MATCH_ADDRTYPE is not set
# CONFIG_IP_NF_MATCH_REALM is not set
# CONFIG_IP_NF_MATCH_SCTP is not set
# CONFIG_IP_NF_MATCH_DCCP is not set
# CONFIG_IP_NF_MATCH_COMMENT is not set
# CONFIG_IP_NF_MATCH_HASHLIMIT is not set
# CONFIG_IP_NF_MATCH_STRING is not set
CONFIG_IP_NF_FILTER=y
# CONFIG_IP_NF_TARGET_REJECT is not set
# CONFIG_IP_NF_TARGET_LOG is not set
# CONFIG_IP_NF_TARGET_ULOG is not set
# CONFIG_IP_NF_TARGET_TCPMSS is not set
# CONFIG_IP_NF_TARGET_NFQUEUE is not set
# CONFIG_IP_NF_NAT is not set
# CONFIG_IP_NF_MANGLE is not set
# CONFIG_IP_NF_RAW is not set
# CONFIG_IP_NF_ARPTABLES is not set


What working kernel configs do you people have?
Pajarico
Guru

Joined: 01 May 2004
Posts: 493
Location: Madrid, España.

Posted: Sun Feb 05, 2006 2:21 pm

An update:
Code:
hal2000 lxuser # shorewall check /etc/shorewall/
Loading /usr/share/shorewall/functions...
Processing /etc/shorewall//params ...
Processing /etc/shorewall//shorewall.conf...
Shorewall has detected the following iptables/netfilter capabilities:
   NAT: Available
   Packet Mangling: Available
   Multi-port Match: Available
   Extended Multi-port Match: Available
   Connection Tracking Match: Available
   Packet Type Match: Available
   Policy Match: Not available
   Physdev Match: Not available
   IP range Match: Available
   Recent Match: Available
   Owner Match: Not available
   Ipset Match: Not available
   ROUTE Target: Not available
   Extended MARK Target: Not available
   CONNMARK Target: Available
   Connmark Match: Available
...
Configuration Validated

I have tweaked my kernel conf since the last post to satisfy all these "not available" options but I can't find some of them. And "Owner Match" is activated but it appears as unavailable.

My shorewall configuration:
/etc/shorewall/zones
Code:

#ZONE                   DISPLAY         COMMENTS
net                     Internet        The big bad Internet

/etc/shorewall/policy
Code:

#SOURCE         DEST            POLICY          LOG             LIMIT:BURST
#                                               LEVEL
fw              net             ACCEPT
net             all             DROP            info
# The FOLLOWING POLICY MUST BE LAST
all             all             REJECT          info

/etc/shorewall/rules
Code:

#ACTION         SOURCE          DEST            PROTO   DEST    SOURCE     ORIGINAL     RATE            USER/
#                                               PORT    PORT(S)    DEST         LIMIT           GROUP
AllowWeb        net             fw
ACCEPT          net             fw              tcp     4972
ACCEPT          net             fw              udp     4976

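
The two posts above ask what a working kernel config looks like and show shorewall's capability probe coming up short. The rule that failed, `-m state --state ESTABLISHED,RELATED`, needs the state match, which on a 2.6.14 kernel is CONFIG_IP_NF_MATCH_STATE, and the posted config has it "not set". The error value 18446744073709551615 is 2^64-1, that is -1 printed as an unsigned 64-bit integer: not a real errno, which fits a kernel that lacks the match rather than a runtime failure. The script below is an added example, not from the thread and not shorewall's own code: it takes the text of /proc/config.gz and reports which of a list of netfilter options are neither built in (=y) nor modular (=m). The option list (the state match, the REJECT and LOG targets that the policy file's REJECT/info lines need, and the NAT and MANGLE tables that shorewall probes for) and the embedded sample config are assumptions constructed for the example; the option names are the pre-x_tables ones used on this page, later kernels renamed most of the matches and targets to CONFIG_NETFILTER_XT_*.

```shell
#!/bin/sh
# Added example (not from the thread): given the text of a kernel .config
# (what `zcat /proc/config.gz` prints), report which of the netfilter options
# below are absent. Silence means every option is =y or =m.

# Assumed list of options needed by the posted shorewall config on a
# 2.6.14-era kernel. CONFIG_IP_NF_MATCH_STATE is the `-m state` match used by
# the rule that failed; it depends on CONFIG_IP_NF_CONNTRACK. REJECT and LOG
# targets back the policy file's REJECT/info lines; NAT and MANGLE are tables
# that `shorewall check` probes for.
REQUIRED_OPTS="CONFIG_IP_NF_CONNTRACK CONFIG_IP_NF_IPTABLES CONFIG_IP_NF_FILTER CONFIG_IP_NF_MATCH_STATE CONFIG_IP_NF_TARGET_REJECT CONFIG_IP_NF_TARGET_LOG CONFIG_IP_NF_NAT CONFIG_IP_NF_MANGLE"

# missing_opts CONFIG_TEXT : print each required option that is not =y or =m,
# one per line, in the order of REQUIRED_OPTS.
missing_opts() {
    config="$1"
    for opt in $REQUIRED_OPTS; do
        # "CONFIG_X=y" or "CONFIG_X=m" enables it; "# CONFIG_X is not set"
        # or no line at all means the option is missing.
        if ! printf '%s\n' "$config" | grep -q "^${opt}=[ym]$"; then
            printf '%s\n' "$opt"
        fi
    done
}

# count_missing CONFIG_TEXT : number of missing options (0 means all present).
count_missing() {
    missing_opts "$1" | wc -l | tr -d ' '
}

# Constructed sample: the relevant lines of the config posted in the thread.
SAMPLE_CONFIG='CONFIG_IP_NF_CONNTRACK=y
# CONFIG_IP_NF_FTP is not set
CONFIG_IP_NF_IPTABLES=y
# CONFIG_IP_NF_MATCH_STATE is not set
CONFIG_IP_NF_FILTER=y
# CONFIG_IP_NF_TARGET_REJECT is not set
# CONFIG_IP_NF_TARGET_LOG is not set
# CONFIG_IP_NF_NAT is not set
# CONFIG_IP_NF_MANGLE is not set'

# Demo on the constructed sample; on a live box use:
#   missing_opts "$(zcat /proc/config.gz)"
if [ "${1:-}" = "--demo" ]; then
    missing_opts "$SAMPLE_CONFIG"
fi
```

Run with `--demo` to see the five options the posted config lacks, starting with CONFIG_IP_NF_MATCH_STATE. On a live Gentoo box the kernel must have CONFIG_IKCONFIG_PROC for /proc/config.gz to exist; an option reported as present because it is =m still has to be loadable as a module when iptables asks for it.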
Pajarico
Guru

Joined: 01 May 2004
Posts: 493
Location: Madrid, España.

Posted: Sun Feb 05, 2006 2:53 pm

Ok, I had some missing kernel options. Following this helped me.
BosHaus
n00b

Joined: 29 Jul 2004
Posts: 40
Location: Dallas, TX

Posted: Wed Jul 26, 2006 6:04 am

I had the same prob, messed with a lot of settings with no luck. Finally my solution was to upgrade to 2.6.17 and everything worked great.