marrrrrrrc (n00b)
Joined: 29 Jul 2007 Posts: 1
Posted: Mon Jul 30, 2007 12:00 am Post subject: iptables-restore: failed
Anyone know what is generating this error?
Code:
```
june ~ # iptables-restore /etc/iptables.bak
iptables-restore: line 25 failed
```
This is what my /etc/iptables.bak file looks like:
Code:
```
# Generated by iptables-save v1.3.5 on Fri Jul 27 19:06:57 2007
*filter
:INPUT ACCEPT [639:29668]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1198:163328]
# accept all from localhost
-A INPUT -s 127.0.0.1 -j ACCEPT
# accept all previously established connections
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# ssh
-A INPUT -p tcp -m state --state NEW -m tcp --dport 8488 -j ACCEPT
# ftp / webserver related
-A INPUT -p tcp -m state --state NEW -m tcp --dport 20 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
# reject everything else
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Fri Jul 27 19:06:57 2007
```
_________________ 2.6.20-gentoo-r8 on amd64
mudrii (l33t)
Joined: 26 Jun 2003 Posts: 789 Location: Singapore
Posted: Mon Jul 30, 2007 12:03 am Post subject:
Try to remove the line 25
COMMIT
_________________ www.gentoo.ro
Hu (Administrator)
Joined: 06 Mar 2007 Posts: 23088
Posted: Mon Jul 30, 2007 3:13 am Post subject:
> mudrii wrote: Try to remove the line 25
> COMMIT
No, do not do that. iptables-restore is reporting the error there because it is encountering an error committing some part of the instructions above.
marrrrrrrc: this error usually indicates that you are trying to restore a ruleset which requires functionality that is not present in the currently active kernel. Check that you have enabled NETFILTER_XT_MATCH_STATE and IP_NF_TARGET_REJECT in your kernel. If you built those features as modules, you may need to load them manually (with /sbin/modprobe) before using iptables-restore. I do not know if iptables-restore will automatically load the required modules.
If problems persist, please post the output of zgrep -E '^[^#]' /proc/config.gz.
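Hu's diagnosis (a ruleset that needs a match or target the running kernel does not provide) can be checked mechanically before running iptables-restore. The following script is an added example, not code from the thread or from the iptables project: it scans an iptables-save dump for the tables, `-m` matches and `-j` targets it uses, maps them to kernel config symbols, and compares those against a kernel config file (a `.config`, or the output of `zcat /proc/config.gz`). The symbol table inside `symbol_for` is an assumption limited to what this thread's ruleset needs (`NETFILTER_XT_MATCH_STATE` and `IP_NF_TARGET_REJECT` from Hu's post, plus `NETFILTER_XT_MATCH_TCPUDP` for `-m tcp` and `IP_NF_FILTER` for the filter table); a real ruleset with NAT, owner, multiport and so on would need more entries. The dump and the two kernel configs are constructed sample inputs written to a temporary directory, not files from any real system.

```shell
#!/bin/sh
# Added example, not code from the thread: before running iptables-restore,
# list the kernel netfilter options an iptables-save dump depends on and check
# them against a kernel config (a .config file, or zcat /proc/config.gz).
# The symbol table in symbol_for is an assumption limited to what this dump
# uses; real rulesets need more entries.

# Map a token from the dump ("match:NAME", "target:NAME", "table:NAME") to the
# CONFIG_ symbol that provides it. ACCEPT and DROP are built into the core and
# have no symbol; unknown names are skipped (return 1).
symbol_for() {
  case "$1" in
    table:filter)        echo IP_NF_FILTER ;;
    match:state)         echo NETFILTER_XT_MATCH_STATE ;;
    match:tcp|match:udp) echo NETFILTER_XT_MATCH_TCPUDP ;;
    target:REJECT)       echo IP_NF_TARGET_REJECT ;;
    *)                   return 1 ;;
  esac
}

# Print the distinct CONFIG_ symbols a dump needs, one per line, sorted.
# $1 = path to an iptables-save dump
required_symbols() {
  awk '
    /^#/  { next }                                   # comment lines
    /^\*/ { print "table:" substr($1, 2); next }     # *filter, *nat, ...
    { for (i = 1; i < NF; i++) {
        if ($i == "-m") print "match:" $(i + 1)      # -m state, -m tcp
        if ($i == "-j") print "target:" $(i + 1)     # -j REJECT, -j ACCEPT
      } }' "$1" |
  while read -r tok; do symbol_for "$tok" || true; done | sort -u
}

# Report each required symbol as built in (y), module (m) or missing.
# Returns 1 if any symbol is missing, so it can gate iptables-restore.
# $1 = dump, $2 = kernel config file
check_config() {
  rc=0
  for sym in $(required_symbols "$1"); do
    state=$(sed -n "s/^CONFIG_$sym=\(.\)$/\1/p" "$2")
    case "$state" in
      y) echo "$sym: built in" ;;
      m) echo "$sym: module, modprobe it before iptables-restore" ;;
      *) echo "$sym: MISSING from kernel config"; rc=1 ;;
    esac
  done
  return $rc
}

# --- constructed sample inputs (not real system files) ---
WORK=$(mktemp -d)
SAMPLE_DUMP="$WORK/iptables.bak"
GOOD_CONFIG="$WORK/config.good"
BAD_CONFIG="$WORK/config.bad"

cat > "$SAMPLE_DUMP" <<'EOF'
# Generated by iptables-save v1.3.5 (constructed sample)
*filter
:INPUT ACCEPT [0:0]
-A INPUT -s 127.0.0.1 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF

cat > "$GOOD_CONFIG" <<'EOF'
CONFIG_NETFILTER=y
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_FILTER=y
CONFIG_NETFILTER_XT_MATCH_STATE=m
CONFIG_NETFILTER_XT_MATCH_TCPUDP=y
CONFIG_IP_NF_TARGET_REJECT=y
EOF

# Same kernel, but the REJECT target was never enabled.
sed 's/^CONFIG_IP_NF_TARGET_REJECT=y$/# CONFIG_IP_NF_TARGET_REJECT is not set/' \
  "$GOOD_CONFIG" > "$BAD_CONFIG"

if check_config "$SAMPLE_DUMP" "$BAD_CONFIG"; then
  echo "kernel config covers the ruleset"
else
  echo "enable the missing options (or load the modules) before iptables-restore"
fi
```

Against the "bad" config the script names `IP_NF_TARGET_REJECT` as missing, which is the failure mode this thread describes: iptables-restore only reports the COMMIT line, so removing COMMIT (as suggested above) hides the symptom without showing which rule the kernel rejected. Symbols reported as modules still have to be loaded (or autoloaded) before the restore runs.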
mudrii (l33t)
Joined: 26 Jun 2003 Posts: 789 Location: Singapore
Posted: Mon Jul 30, 2007 4:49 am Post subject:
I suggested to remove COMMIT to discover on what line the problem may be.
Or you could use line by line input into your bash and discover the problem.
_________________ www.gentoo.ro
mno (Guru)
Joined: 29 Dec 2003 Posts: 454 Location: Toronto, Canada
Posted: Sat Aug 18, 2007 11:38 pm Post subject:
Interesting, I also have the same problem with the 2.6.20-gentoo-r8 kernel. I used to be on 2.6.17, all was fine. With 2.6.20, I got an error on COMMIT. I am now building 2.6.22-r2, maybe it'll work there. Also, went through menuconfig and set up some additional netfilter params there. Will post my results in a sec.
_________________ "Hello and goodbye. As always."
mno (Guru)
Joined: 29 Dec 2003 Posts: 454 Location: Toronto, Canada
Posted: Sun Aug 19, 2007 12:08 am Post subject:
OK, with 2.6.22-r2, all works. However, I can't say for sure if it's a specific issue with 2.6.20, as I went in and enabled some netfilter options that were previously disabled. With iptables, any error means that you generally forgot to enable some module in the kernel config, or if you built it as a module and not into the kernel, then you forgot to load that module.
_________________ "Hello and goodbye. As always."
coolsnowmen (Veteran)
Joined: 30 Jun 2004 Posts: 1479 Location: No.VA
Posted: Tue Aug 28, 2007 7:07 pm Post subject:
They reorganized some of the network filtering options and they don't all appear unless you have certain things enabled. It was confusing, but if you look at what you have in your old kernel and in your new kernel, do a make menuconfig and hit the "/" key, you can search for each symbol, and it will show what it takes to enable it.
For me this was enabling Full NAT. Without this my iptables-restore was failing when I upgraded 2.6.16 to 2.6.21/22.
FULL NAT was not visible until I enabled some other things that weren't in the 2.6.16 kernel.
_________________ emerge: there are no ebuilds to satisfy "moo"
mno (Guru)
Joined: 29 Dec 2003 Posts: 454 Location: Toronto, Canada
Posted: Tue Aug 28, 2007 7:52 pm Post subject:
Yes, the upgrade from the pre-2.6.20 kernels to 2.6.20 and later was a semi-big job. I actually didn't even notice that iptables didn't come up until a week later (!!) :)
_________________ "Hello and goodbye. As always."