Budoka l33t
Joined: 03 Jun 2012 Posts: 777 Location: Tokyo, Japan
Posted: Mon Aug 19, 2013 4:19 am Post subject: Can't configure Firewall due to kernel issue?
Going crazy.
Before going into details: all I want to do is open port 22 or 2222 so that I can ssh into my Gentoo box, and it has proven more difficult than it should be.
Issue 1:
I installed UFW and tried the GUIs kcm-ufw, ufw-frontends, as well as Fwbuilder. None of them would let me activate the firewall (I believe iptables is the underlying firewall), and they would also indicate the firewall isn't active. But I noticed no network traffic was coming in or out, so I checked UFW from the CLI and it was active. If I disable it then traffic resumes, so clearly it is working at some level even if the GUIs can't talk to it.
Issue 2:
So I checked the messages for UFW and iptables, and there are some kernel options that need to be configured: http://wiki.gentoo.org/wiki/Iptables. I add them all, recompile, and the behaviour is the same. Not even sure if they are related to the problem, to be honest. Anyway, I re-install UFW in the hope that would do something, but now when issuing the command I get the error message:
Quote:
ERROR: problem running ufw-init
modprobe: FATAL: Module nf_nat_ftp not found.
iptables-restore: line 69 failed
iptables-restore: line 30 failed
iptables-restore: line 31 failed
ip6tables-restore: line 31 failed
Problem running '/etc/ufw/before.rules'
Problem running '/etc/ufw/after.rules'
Problem running '/etc/ufw/user/user.rules'
Problem running '/etc/ufw/user/user6.rules'
but strangely enough the firewall is enabled and all network traffic is stopped until I run ufw disable.
Modprobe nf_nat_ftp and get:
Quote:
modprobe: FATAL: Module nf_nat_ftp not found
So now I am trying to find where nf_nat_ftp is in the kernel.
Issue 3:
Can't find it for my life. If I search for it I only get
Quote:
Symbol: NF_NAT_FTP [=n]
Type : tristate
which doesn't show any path to where it lives in the config. I found this on Google:
Quote:
NF_NAT_FTP found in net/netfilter/Kconfig
The configuration item CONFIG_NF_NAT_FTP:
prompt:
type: tristate
depends on: CONFIG_NF_CONNTRACK && CONFIG_NF_NAT
defined in net/netfilter/Kconfig
found in Linux kernels: 3.7–3.10, 3.11-rc+HEAD
modules built: nf_nat_ftp, nf_nat_ftp
I'm on kernel 3.8.13, so it should be there, but I don't have Kconfig anywhere???!!! Once again, I am not sure whether this kernel option not being active is the cause of my problem, or whether enabling it will solve it, because clearly the firewall is activated when I issue the enable command.
I just need a way to open that port.
PaulBredbury Watchman
Joined: 14 Jul 2005 Posts: 7310
Posted: Mon Aug 19, 2013 8:23 am
In kernel 3.10.7:
Code:
Symbol: NF_NAT_FTP [=y]
Depends on: NET [=y] && INET [=y] && NETFILTER [=y] && NF_CONNTRACK [=y] && NF_NAT [=y]
Check that "Depends" line carefully. You probably don't have NF_NAT.
UFW is for Ubuntu users; I'd recommend Gentoo users use iptables itself.
Goverp Advocate
Joined: 07 Mar 2007 Posts: 2004
Posted: Mon Aug 19, 2013 8:34 am
Have you followed the UFW installation instructions, i.e. added the ufw service to the default runlevel?
Also, did you run the configuration checker, /usr/share/ufw/check-requirements, and follow its recommendations?
These are mentioned in the ebuild messages.
UFW needs several kernel netfilter configuration options set; if you miss them, it won't start. One approach is simply to make modules for all the netfilter configuration options, and let UFW load what it wants to meet your particular firewall configuration.
I've used UFW for some time. Apart from needing to keep up with its netfilter requirements, it's been a lot simpler than guessing how to configure iptables et al.
_________________
Greybeard
CleanTestr n00b
Joined: 15 Jan 2013 Posts: 47 Location: somewhere in Rural Nebraska, USA
Posted: Wed Aug 21, 2013 7:17 am
a) Upon emerge ufw, I get:
Code:
 * Note: once enabled, ufw blocks also incoming SSH connections by
 * default. See README, Remote Management section for more information.
b) a quick search of the Internet yields a page which states it can do:
Code:
Status: active
To            Action    From
--------      ------    ----
OpenSSH       LIMIT     Anywhere
That page is blog: UFW with Fail2ban
They'll tell you why you don't want SSH port open for server use. They'll also tell you how to selectively enable/disable it.
If you wanted to use just iptables w/o ufw,
c) You write:
Quote:
Issue 3:
Can't find it for my life. If I search for it I only get
Quote:
Symbol: NF_NAT_FTP [=n]
Type : tristate
which doesn't show any path to where it lives in the config.
The NF_NAT_FTP [=n] means NAT isn't compiled into the kernel.
Go back and set it to [*] and try again.
Using the tool grep on your kernel config:
zgrep NAT /proc/config.gz
d) Alternatively, since more information is better than less, could you (please)
Code:
emerge wgetpaste
zcat /proc/config.gz > _fool
wgetpaste _fool
and put the resulting URL into a [ url = :URL: ] config.gz [ / url ] BBCode?
_________________
Stan: A signal? Why didn't you wake me?
790: It was a distress signal. They only lead to trouble, so I always ignore them. --Lexx
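As an added check (example code, not from anyone in this thread), here is a small POSIX shell script that applies PaulBredbury's "Depends on" chain to a kernel config: it reads a plain-text config (the zcat of /proc/config.gz that CleanTestr suggests, or /usr/src/linux/.config) and reports which of NET, INET, NETFILTER, NF_CONNTRACK, NF_NAT and NF_NAT_FTP are neither built in nor built as modules. The two configs it checks are constructed inline; the first reproduces the situation in the thread, NF_NAT unset, so NF_NAT_FTP cannot even be offered in menuconfig.

```shell
#!/bin/sh
# Added example: walk the NF_NAT_FTP dependency chain over a kernel config.
# Usage on a real box: zcat /proc/config.gz > /tmp/kcfg; check_nf_nat_ftp /tmp/kcfg

# Print the value (y, m, or n when absent or "is not set") of one CONFIG_ symbol.
config_value() {
    # $1 = config file, $2 = symbol name without the CONFIG_ prefix
    val=$(sed -n "s/^CONFIG_$2=\(.*\)$/\1/p" "$1" | head -n 1)
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf 'n\n'; fi
}

# Check every prerequisite from the "Depends on" line, then the symbol itself.
# Prints the missing symbols and returns 1, or prints a success line and returns 0.
check_nf_nat_ftp() {
    cfg=$1
    missing=""
    for sym in NET INET NETFILTER NF_CONNTRACK NF_NAT NF_NAT_FTP; do
        case $(config_value "$cfg" "$sym") in
            y|m) ;;                         # built in or module: fine
            *)   missing="$missing $sym" ;;  # n, or not present in the config
        esac
    done
    if [ -n "$missing" ]; then
        printf 'missing:%s\n' "$missing"
        return 1
    fi
    printf 'all NF_NAT_FTP prerequisites present\n'
}

# Constructed sample 1 (hypothetical): conntrack as a module, NAT left unset.
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
CONFIG_NET=y
CONFIG_INET=y
CONFIG_NETFILTER=y
CONFIG_NF_CONNTRACK=m
# CONFIG_NF_NAT is not set
EOF

# Constructed sample 2 (hypothetical): the whole chain enabled.
GOOD_CFG=$(mktemp)
printf 'CONFIG_NET=y\nCONFIG_INET=y\nCONFIG_NETFILTER=y\nCONFIG_NF_CONNTRACK=m\nCONFIG_NF_NAT=m\nCONFIG_NF_NAT_FTP=m\n' > "$GOOD_CFG"
trap 'rm -f "$SAMPLE_CFG" "$GOOD_CFG"' EXIT

check_nf_nat_ftp "$SAMPLE_CFG" || true   # missing: NF_NAT NF_NAT_FTP
check_nf_nat_ftp "$GOOD_CFG"             # all NF_NAT_FTP prerequisites present
```

The same loop can be pointed at any other symbol's "Depends on" line from menuconfig by editing the list in check_nf_nat_ftp.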
Budoka l33t
Joined: 03 Jun 2012 Posts: 777 Location: Tokyo, Japan
Posted: Mon Aug 26, 2013 1:52 am
Thanks for all the good info, folks. Still struggling with this. Really annoying, to tell the truth. I may be a dunce, but it really shouldn't be this difficult to open a port. I am not even on a hardened version of Gentoo, so not sure even why it is closed.
Anyway, I would add one thing. What I meant is that I can't find where NF_NAT_FTP lives in the kernel config.
PaulBredbury Watchman
Joined: 14 Jul 2005 Posts: 7310
Posted: Mon Aug 26, 2013 4:39 am
You won't find NF_NAT_FTP until you've enabled its prerequisites, e.g. NF_NAT.
Budoka l33t
Joined: 03 Jun 2012 Posts: 777 Location: Tokyo, Japan
Posted: Mon Aug 26, 2013 4:41 am
PaulBredbury wrote:
You won't find NF_NAT_FTP until you've enabled its prerequisites, e.g. NF_NAT.
OK. I'll check again. But why isn't it outlined in the iptables wiki? I enabled everything in the kernel that page requested.
PaulBredbury Watchman
Joined: 14 Jul 2005 Posts: 7310
Posted: Mon Aug 26, 2013 7:11 am
Probably the wiki is just slightly out-of-date, due to the kernel changing its deps.