ip tables issues...

[Zarathustra[H]]

Hey all..


I'm not particularly good at configuring firewalls manually, so I decided to try some of the GUI alternatives out there.

I have tried both firestarter and kmyfirwall from the portage tree.

Neither of them work.

The error from kmyfirwall looks like this:

[Ian Goldby]

If you compile all of the 'IP: Netfilter Configuration --->' options as modules it will do no harm. Only the ones that are needed for your firewall rules will be loaded. You'll need of course 'Network packet filtering (replaces ipchains)' as well.

[Zarathustra[H]]

[Ian Goldby]

The dreaded Kernel Build errors...

The usual solution is to copy your .config file to a safe place, then

[tmo318]

I have the same problem as the original poster. I tried the
# make mrproper
# make menuconfig
# make dep
# make clean && make bzImage modules modules_install

Here is the error message that I get.
KBUILD_BASENAME=ip_conntrack_ftp -c -o ip_conntrack_ftp.o ip_conntrack_ftp.c
ip_conntrack_ftp.c:439: parse error before "this_object_must_be_defined_as_export_objs_in_the_Makefile"
ip_conntrack_ftp.c:439: warning: type defaults to `int' in declaration of `this_object_must_be_defined_as_export_objs_in_the_Makefile'
ip_conntrack_ftp.c:439: warning: data definition has no type or storage class
make[3]: *** [ip_conntrack_ftp.o] Error 1
make[3]: Leaving directory `/usr/src/linux-2.4.20-gentoo-r2/net/ipv4/netfilter'
make[2]: *** [first_rule] Error 2
make[2]: Leaving directory `/usr/src/linux-2.4.20-gentoo-r2/net/ipv4/netfilter'
make[1]: *** [_subdir_ipv4/netfilter] Error 2
make[1]: Leaving directory `/usr/src/linux-2.4.20-gentoo-r2/net'
make: *** [_dir_net] Error 2

I think it might have to do with export_objs in the Makefile, but I do not know what that is.

Thanks

Tim

[gondoi]

I am getting the same errors on compile too.

I have all of them as modules.

Does anyone know the solution?

[papabean]

After reading this:

[coolcut]

under which section can I find the options Ip: Netfilter Configuration?

Because I cannot find it under the Network Options???


Tnx

[papabean]

It can be found under:

[OdinsDream]

I doubt you'll need to enable all of the options... I'm using iptables to do masquerading and NAT translation for my network from gentoo. My kernel config is as follows:

[papabean]

In your estimation, is it better to have the filtering options compiled directly into the kernel or as modules?
_________________
-- The world is full of tough guys. It doesn't need me to be one too.

[wolf31o2]

Personally, I keep all the filtering options directly in the kernel. I do this because I enable my filtering rules before I allow my networking to start. This way I am protected at all times. After all, you never know when that magic packet might just come in in the few seconds between interface going up and filter rules being applied.

[LornKnight]

What kernel is everyone using, the latest (that would be gentoo-sources 2.4.20_rc2 as of this time of writing as far as I know)?

I have had seemingly infinite trouble with iptables, be it a set of modules or compiled directly into the kernel, in the gentoo-sources kernels 2.4.20_rc1 and rc2. I had tried all the above mentioned fixes, yet, I still could not manage to get iptables working.

In the end, I had to revert to the gentoo-sources 2.4.19_rc9 kernel. Everything iptables related works fine in this version, at least it does for me. Also a few more GRSecurity options that I like to enable seem to be available in 2.4.19_rc9 as well.

I’m not sure if people are still having problems, but if you simply must have iptables working, and you are using the latest gentoo-sources 2.4.20_rc2 kernel, you might try using the gentoo-sources 2.4.19_rc9 kernel instead to see if that might help fix any iptables issues. It worked well for me.
_________________
What the hell, he thought, you're only young once, and threw himself out of the window.
That would at least keep the element of surprise on his side.

[atze]

Hi everyone,

I have the same problem:

modprobe: Can't locate module ip_tables

But I have compiled the kernel as you all have said above. Is it becouse I have compiled the Network packet filtering (replaces ipchains) directly in the kernel?

Thanks in advance
Atze

[Zarathustra[H]]

[LornKnight]

I have had virtually the same problems with the 2.4.20_rc1 and & rc2 kernels. I would revert to the 2.4.19_rc10 or rc9 kernel. That is what I did to get iptables working.

In my 2.4.19_rc9 kernel, I have 'Network Packet Filtering (replaces ipchains)' (CONFIG_NETFILTER) compiled directly into the kernel, and the other options under 'IP Netfilter Configuration --->' are compiled as modules.

Only the necessary modules for your firewall rules will be inserted, at least as far as I can tell.
_________________
What the hell, he thought, you're only young once, and threw himself out of the window.
That would at least keep the element of surprise on his side.

[GentooOpus]

I think its strictly related to the gentoo-sources kernel series.

I've got identically configured kernels (were possible) one is a non-gentoo vanilla source from kernel.org (2.4.20) and the other is the the gentoo-2.4.20-rc2 series.

I had trouble immediately with nat/masq on my home network. I at first thought it might have been firestarter but I switch to shorewall and experienced the same problems.

From the limited information that I can get out of the iptables/firewall debug all of the modules associated with Masquerade, TOS, and ECN are completely hosed!!! I say limited because the information is sparce, I can't even seem to get iptables debug to function properly. I've even mrpropered the kernel and rebuilt but no result.

Fortunately, the only thing that I needed/wanted from the gentoo kernel is the scheduler and preempt kernel options. So switching back causes no major loss of function.

Opus
-----------------------------
Anyone notice that MSN's mascot is a bug?

[Zarathustra[H]]

[pashvin]

[Genone]

The "realm" option in netfilter seems to be broken, but I have all other netfilter options successfully compiled as modules or in the kernel on my router which is running gentoo-sources-2.4.20-r2, even the ipv6 ones. But I agree that the patches for gentoo-sources-2.4.20 were not really tested, I have several other problems with these were vanilla-sources-2.4.20 and gentoo-sources-2.4.19 don't make any problems (vesafb and ipsec come to my mind).

[pashvin]

If anyone still has that compile error with ftp conntrack, I emerged gentoo-sources 2.4.20-r3 and it's compiled ok with the same modules. Early days but everything seems to be working fine, including iptables.

[nightfr3ak]

i'm having the same problem with make modules as well...so what's the final solution? simply remove realm option?

thanks

[funkmankey]

also ran into the realm error a while ago.

after searching either here or in gooja, I read something about realm having a dependency that was not automatically flagged.

I never ended up having a use for it anyway, just unselected it.

[uzik]

I had a tough time getting iptables to work too. I put it in as built into the kernel. It took a bit to find all the options that were necessary since many of them are NOT obvious. Good luck with it!