Discussion:
kernel 2.6.7-gentoo-r11 and iptables - howto ?
oldNbald
2004-08-05 04:26:18 UTC
Hello,

After emerging iptables 1.2.9-r4, doing "rc-update add iptables default" and
using genkernel to choose > Networking Option > "Network Packet Filtering",
all that loads at boot is Netfilter. Guess that's because I can't configure
iptables (at this stage of my Linux growth I still need a front end).

Trying to correct that I emerged Firestarter (0.9.2-r1). Executing the
command firestarter (as root), CLI echoes these messages:

bash-2.05b# firestarter
NETFILTER detected
FATAL: Module ip_tables not found.
FATAL: Module ip_conntrack not found.
FATAL: Module ip_conntrack_ftp not found.
FATAL: Module ip_conntrack_irc not found.
FATAL: Module ipt_REJECT not found.
FATAL: Module ipt_REDIRECT not found.
FATAL: Module ipt_TOS not found.
FATAL: Module ipt_MASQUERADE not found.
FATAL: Module ipt_LOG not found.
FATAL: Module iptable_mangle not found.
FATAL: Module iptable_nat not found.
FATAL: Module ip_tables not found.
iptables v1.2.9: can't initialize iptables table `filter': iptables who? (do
you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
FATAL: Module ip_tables not found.

So, I did insmod iptables and got ...
insmod: can't read 'iptables': No such file or directory

I've Googled myself to frustration but have been unsuccessful configuring
or loading iptables. Anyone able to assist me getting the firewall working?

Thank you for your time !
--
oNb
Another happy Linux user - # 276084.
Reject religion ! Embrace Jesus Christ.
Linux help source | www.linuxquestions.org
nunya
2004-08-04 21:48:23 UTC
Post by oldNbald
Hello,
After emerging iptables 1.2.9-r4, doing "rc-update add iptables default"
and using genkernel to choose > Networking Option > "Network Packet
Filtering", all that loads at boot is Netfilter. Guess that's because I
can't configure iptables (at this stage of my Linux growth I still need a
front end).
Trying to correct that I emerged Firestarter (0.9.2-r1). Executing the
bash-2.05b# firestarter
NETFILTER detected
FATAL: Module ip_tables not found.
FATAL: Module ip_conntrack not found.
FATAL: Module ip_conntrack_ftp not found.
FATAL: Module ip_conntrack_irc not found.
FATAL: Module ipt_REJECT not found.
FATAL: Module ipt_REDIRECT not found.
FATAL: Module ipt_TOS not found.
FATAL: Module ipt_MASQUERADE not found.
FATAL: Module ipt_LOG not found.
FATAL: Module iptable_mangle not found.
FATAL: Module iptable_nat not found.
FATAL: Module ip_tables not found.
iptables v1.2.9: can't initialize iptables table `filter': iptables who?
(do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
FATAL: Module ip_tables not found.
So, I did insmod iptables and got ...
insmod: can't read 'iptables': No such file or directory
I've Googled myself to frustration but have been unsuccessful configuring
or loading iptables. Anyone able to assist me getting the firewall working?
Thank you for your time !
/etc/init.d/iptables start
iptables save
firestarter
Do your thing
oldNbald
2004-08-05 05:07:46 UTC
Post by nunya
/etc/init.d/iptables start
iptables save
firestarter
Do your thing
Thank you for the reply! Here are the outputs (after the first the rest are
expected, but I did them anyway to see):

bash-2.05b# /etc/init.d/iptables start
* Not starting iptables. First create some rules then run
* /etc/init.d/iptables save
bash-2.05b# iptables save
Bad argument `save'
Try `iptables -h' or 'iptables --help' for more information.
bash-2.05b# firestarter
NETFILTER detected
FATAL: Module ip_tables not found ...


BTW, there is no /var/lib/iptables/rules-save. Comments at the conclusion of
emerge (see below) stated there to be an initscript and I suppose
a /var/.../rules-save also.

OTH in figuring this out:

* This package now includes an initscript which loads and saves
* rules stored in /var/lib/iptables/rules-save
* This location can be changed in /etc/conf.d/iptables
*
* If you are using the iptables initsscript you should save your
* rules using the new iptables version before rebooting.
*
* If you are uprading to a >=2.4.21 kernel you may need to rebuild
* iptables.
*
* !!! ipforwarding is now not a part of the iptables initscripts.
* Until a more permanent solution is implemented adding the following
* to /etc/conf.d/local.start will enable ipforwarding at bootup:
* echo "1" > /proc/sys/net/ipv4/conf/all/forwarding
* Caching service dependencies...
>>> net-firewall/iptables-1.2.9-r4 merged.
--
oNb
Another happy Linux user - # 276084.
Reject religion ! Embrace Jesus Christ.
Linux help source | www.linuxquestions.org
Freeride
2004-08-04 22:37:16 UTC
Post by oldNbald
Post by nunya
/etc/init.d/iptables start
iptables save
firestarter
Do your thing
Thank you for the reply! Here are the outputs (after the first the rest are
bash-2.05b# /etc/init.d/iptables start
* Not starting iptables. First create some rules then run
* /etc/init.d/iptables save
bash-2.05b# iptables save
Bad argument `save'
Try `iptables -h' or 'iptables --help' for more information.
bash-2.05b# firestarter
NETFILTER detected
FATAL: Module ip_tables not found ...
BTW, there is no /var/lib/iptables/rules-save. Comments at the conclusion of
emerge (see below) stated there to be an initscript and I suppose
a /var/.../rules-save also.
* This package now includes an initscript which loads and saves
* rules stored in /var/lib/iptables/rules-save
* This location can be changed in /etc/conf.d/iptables
*
* If you are using the iptables initsscript you should save your
* rules using the new iptables version before rebooting.
*
* If you are uprading to a >=2.4.21 kernel you may need to rebuild
* iptables.
*
* !!! ipforwarding is now not a part of the iptables initscripts.
* Until a more permanent solution is implemented adding the following
* echo "1" > /proc/sys/net/ipv4/conf/all/forwarding
* Caching service dependencies...
>>> net-firewall/iptables-1.2.9-r4 merged.
Go rebuild your kernel with netfilter/iptables support.
nunya
2004-08-04 22:52:26 UTC
Post by oldNbald
Post by nunya
/etc/init.d/iptables start
iptables save
firestarter
Do your thing
Thank you for the reply! Here are the outputs (after the first the rest
bash-2.05b# /etc/init.d/iptables start
* Not starting iptables. First create some rules then run
* /etc/init.d/iptables save
bash-2.05b# iptables save
Bad argument `save'
Try `iptables -h' or 'iptables --help' for more information.
bash-2.05b# firestarter
NETFILTER detected
FATAL: Module ip_tables not found ...
BTW, there is no /var/lib/iptables/rules-save. Comments at the conclusion
of emerge (see below) stated there to be an initscript and I suppose a
/var/.../rules-save also.
* This package now includes an initscript which loads and saves
* rules stored in /var/lib/iptables/rules-save
* This location can be changed in /etc/conf.d/iptables
*
* If you are using the iptables initsscript you should save your
* rules using the new iptables version before rebooting.
*
* If you are uprading to a >=2.4.21 kernel you may need to rebuild
* iptables.
*
* !!! ipforwarding is now not a part of the iptables initscripts.
* Until a more permanent solution is implemented adding the following
* to /etc/conf.d/local.start will enable ipforwarding at bootup:
* echo "1" > /proc/sys/net/ipv4/conf/all/forwarding
* Caching service dependencies...
>>> net-firewall/iptables-1.2.9-r4 merged.
Should be:
/etc/init.d/iptables save
Sorry, forgot it wants the init script:

/etc/init.d/iptables --help
* ERROR: wrong args. ( --help / --help )

* Usage: iptables { start|stop|save|reload }
* iptables without arguments for full help

Running:
/etc/init.d/iptables | less
will allow you to read the help doc with scroll.

Also, sounds like use of genkernel failed to build all the modules wanted.
I would check into that first, to see if genkernel built them at all,
built them in, or as modules.
cd /usr/src/linux
make menuconfig
Look under:
Device Drivers > Networking support > Networking options > Network packet
filtering (replaces ipchains) > Netfilter configuration

See what is and what is not checked. Then configure a new kernel to
your needs. IMHO genkernel has always been just that ....... a "general"
kernel, not geared specifically to any more than that. May be different
now, such was not the case a very short time ago however. I would also
emerge iptables again after building a new kernel with the needed modules
(or built-ins) just to be sure everything is copacetic.
Then proceed with:

/etc/init.d/iptables start
/etc/init.d/iptables save
firestarter

If there is still a problem, then maybe Firestarter is a problem and
also needs to be rebuilt, needs everything as modules, or some other
weirdness (you did read the docs for firestarter, didn't you?). Been so
long since I have used it myself that I really wouldn't know.
Personally, I have found that Shorewall fits my needs far more effectively
and easier without all the GUI mess. Simple text file editing in simple
and plain English, documented very well. Built-in commands to parse hits,
connections, status, drop an ip in a heartbeat without restarting
firewall, allow an ip again, and more. Just built a new setup
with: 2.6.7-gentoo-r11, iptables, shorewall, mysql, apache, snort, and
acid without any problems on Monday, running just fine and dandy.
HTH
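An added check in POSIX shell (not from any poster in this thread) for the step nunya describes: before rebuilding, read the kernel .config and report, for each module Firestarter complained about, whether it was built in (y), built as a module (m), or left out (n). The module-to-Kconfig mapping is assumed for 2.6-era kernels, the default path /usr/src/linux/.config is an assumption, and demo_genkernel_like uses a constructed config resembling the poster's symptoms.

```shell
#!/bin/sh
# Module names from Firestarter's "FATAL: Module X not found" lines, paired
# with the 2.6-era Kconfig symbols that build them (assumed mapping).
NF_MODULES="
ip_tables:CONFIG_IP_NF_IPTABLES
ip_conntrack:CONFIG_IP_NF_CONNTRACK
ip_conntrack_ftp:CONFIG_IP_NF_FTP
ip_conntrack_irc:CONFIG_IP_NF_IRC
ipt_REJECT:CONFIG_IP_NF_TARGET_REJECT
ipt_REDIRECT:CONFIG_IP_NF_TARGET_REDIRECT
ipt_TOS:CONFIG_IP_NF_TARGET_TOS
ipt_MASQUERADE:CONFIG_IP_NF_TARGET_MASQUERADE
ipt_LOG:CONFIG_IP_NF_TARGET_LOG
iptable_mangle:CONFIG_IP_NF_MANGLE
iptable_nat:CONFIG_IP_NF_NAT
"

# config_state FILE SYMBOL: prints y (built-in), m (module) or n (not set).
config_state() {
    val=$(grep "^$2=" "$1" | head -n 1 | cut -d= -f2)
    case "$val" in
        y|m) echo "$val" ;;
        *)   echo n ;;
    esac
}

# check_netfilter_config [FILE]: one "module symbol state" line per entry;
# exit status 1 if any entry is n (the kernel needs rebuilding for Firestarter).
check_netfilter_config() {
    cfg="${1:-/usr/src/linux/.config}"   # assumed default location
    missing=0
    for entry in $NF_MODULES; do
        mod="${entry%%:*}"; sym="${entry##*:}"
        state=$(config_state "$cfg" "$sym")
        echo "$mod $sym $state"
        if [ "$state" = n ]; then missing=$((missing + 1)); fi
    done
    [ "$missing" -eq 0 ]
}

# demo_genkernel_like: constructed .config resembling the poster's situation
# (NETFILTER=y but no ip_tables); prints the report and returns 1.
demo_genkernel_like() {
    tmp=$(mktemp)
    printf '%s\n' 'CONFIG_NETFILTER=y' '# CONFIG_IP_NF_CONNTRACK is not set' \
        '# CONFIG_IP_NF_IPTABLES is not set' > "$tmp"
    if check_netfilter_config "$tmp"; then rc=0; else rc=1; fi
    rm -f "$tmp"
    return "$rc"
}
```

Run `check_netfilter_config` against the real .config after `make menuconfig` and before `make`; every line ending in n is an option still to enable under Netfilter configuration.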
oldNbald
2004-08-05 23:25:49 UTC
nunya scratched on a wall the following:

[snipped]
HTH
Yes it does - thanks. Would have replied sooner, yet I have only now
returned from a 275 mile round trip to make some repairs (HVAC/R) for a
client.

After reading what you and Freeride have said, and going over the "How to"
manually build a kernel from the Handbook - I think that is the route I'll
undertake. Some of what you mentioned, "Device Drivers > Networking support
Networking options > Network packet filtering (replaces ipchains) >
Netfilter configuration", isn't even a kernel option.

Good news for me is this install I made /home on a separate partition - all
data will still be there for the users as opposed to restoring everything <g>.

What else causes me to consider a re-build are other errors I've been
dealing with (all kernel related):

nvidia and GLX aren't working
no /dev/dsp
UT2004 fails on those accounts
lm_sensors - no kernel option for "I2c Support"

Thanks again, to both of you, for the input.
--
oNb
Another happy Linux user - # 276084.
Reject religion ! Embrace Jesus Christ.
Linux help source | www.linuxquestions.org