astor84 (Tux's lil' helper)
Posted: Sat Jul 23, 2011 8:00 am
Post subject: [SOLVED] Shorewall/iptables/IPSet issue
I have been waiting on mainline IPSet capability in the mainline kernel for some time and today installed 2.6.39-r3 on my router, making sure to add in "set match" and "ipset" configuration options. I rebooted and was able to create a large IPSet that I want to use for blacklisting via shorewall.
I then added an entry in /etc/shorewall/blacklist which references this ipset and when I restarted shorewall I get:
```
ERROR: ipset names in Shorewall configuration files require Ipset Match in your kernel and iptables
```
I tried manually running some of the iptables commands that shorewall appears to be running, but they failed (which is, I assume, what the problem is).
It seems as if iptables doesn't like the command. I get the following:
```
iptables -t nat -N testchain
iptables --verbose -t filter -A testchain -m set --match-set blacklist src -j DROP
ACCEPT all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 match-set blacklist src
iptables: No chain/target/match by that name.
```
I've been googling and banging my head against the desk for about an hour and a half now. I was hoping an iptables/shorewall guru could help me out here ... any idea what's going on?
Here are the installed package versions:
net-firewall/shorewall-4.4.21
net-firewall/ipset-6.7-r1
net-firewall/iptables-1.4.11.1-r2
Last edited by astor84 on Sat Jul 23, 2011 10:54 pm; edited 1 time in total
Hu (Administrator)
Posted: Sat Jul 23, 2011 6:02 pm
I cannot comment on shorewall, but the iptables commands you showed are not consistent. First, you create a new chain in the table nat. Then, you try to append a rule to a chain of the same name in the table filter. Each table has its own namespace, so there is no chain named testchain in the table filter.
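The table mismatch Hu points out, illustrated with an added example that is not from the thread or from Shorewall: the chain and the set-match rule are declared under a single `*table` header of an iptables-restore ruleset, so they cannot end up in different tables. The set and chain names (`blacklist`, `testchain`) are the ones used in the thread; `hash:net` as the set type and the INPUT/FORWARD jumps are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): declare an ipset-backed blacklist chain
# and the rule that uses it under ONE *table header of an iptables-restore
# ruleset. In the thread the chain was created with -t nat and the rule
# appended with -t filter; each table has its own chains, hence
# "No chain/target/match by that name".
set -eu

SET=${SET:-blacklist}       # ipset name used in the thread
CHAIN=${CHAIN:-testchain}   # chain name used in the thread
TABLE=${TABLE:-filter}      # the one table that holds both chain and rule

# Emit the ruleset: chain declaration (:NAME - [0:0]), the set-match DROP rule,
# and jumps from INPUT and FORWARD into the chain. Pure text, no root needed.
build_rules() {
    table=$1; chain=$2; set=$3
    printf '%s\n' "*$table"
    printf '%s\n' ":$chain - [0:0]"
    printf '%s\n' "-A $chain -m set --match-set $set src -j DROP"
    printf '%s\n' "-A INPUT -j $chain"
    printf '%s\n' "-A FORWARD -j $chain"
    printf '%s\n' "COMMIT"
}

# Quick check that the generated ruleset actually references the set
# (the "set match" capability Shorewall's error message is about).
count_set_rules() {
    build_rules "$1" "$2" "$3" | grep -c -- "--match-set $3 "
}

# Load it. Needs root, a kernel with ip_set and the xt_set ("set match")
# modules, and an iptables built with libxt_set.
apply_blacklist() {
    # The set must exist before a rule can reference it; -exist is idempotent.
    ipset -exist create "$SET" hash:net
    # -n / --noflush adds to the running ruleset instead of replacing it.
    build_rules "$TABLE" "$CHAIN" "$SET" | iptables-restore -n
    # Confirm the chain is in the table we meant, not a same-named one elsewhere.
    iptables -t "$TABLE" -nL "$CHAIN"
}

# Only touch the live firewall when explicitly asked: APPLY=1 ./blacklist.sh
if [ "${APPLY:-0}" = 1 ]; then
    apply_blacklist
else
    build_rules "$TABLE" "$CHAIN" "$SET"
fi
```

Without `APPLY=1` the script only prints the ruleset, which is a convenient way to review what would be loaded before running it as root.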
astor84 (Tux's lil' helper)
Posted: Sat Jul 23, 2011 6:26 pm
> Hu wrote: I cannot comment on shorewall, but the iptables commands you showed are not consistent. First, you create a new chain in the table nat. Then, you try to append a rule to a chain of the same name in the table filter. Each table has its own namespace, so there is no chain named testchain in the table filter.

Okay, that gets me closer (from a debugging perspective), but it doesn't explain what shorewall's problem is. :(
astor84 (Tux's lil' helper)
Posted: Sat Jul 23, 2011 7:45 pm
iptables-1.4.12 hit portage today and appears to have fixed my issue!