Gripp, Tux's lil' helper (Joined: 02 Mar 2005, Posts: 99)
Posted: Wed Mar 23, 2005 5:38 am
OK, I've worked through what help I can find... but now I get a new error:
Code:
/lib/modules/2.4.28-gentoo-r7/kernel/net/ipv4/netfilter/ip_tables.o: /lib/modules/2.4.28-gentoo-r7/kernel/net/ipv4/netfilter/ip_tables.o: unresolved symbol nf_unregister_sockopt
/lib/modules/2.4.28-gentoo-r7/kernel/net/ipv4/netfilter/ip_tables.o: /lib/modules/2.4.28-gentoo-r7/kernel/net/ipv4/netfilter/ip_tables.o: unresolved symbol nf_register_sockopt
/lib/modules/2.4.28-gentoo-r7/kernel/net/ipv4/netfilter/ip_tables.o: insmod /lib/modules/2.4.28-gentoo-r7/kernel/net/ipv4/netfilter/ip_tables.o failed
/lib/modules/2.4.28-gentoo-r7/kernel/net/ipv4/netfilter/ip_tables.o: insmod ip_tables failed
iptables v1.2.11: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
Also:
Code:
# find * | xargs grep nf_unregister
Binary file ip_conntrack.o matches
Binary file ip_tables.o matches
Binary file iptable_filter.o matches
Binary file iptable_nat.o matches
I can't really say I have tried much outside of simply searching...
This seems to be a commonly ignored problem...
The only answer I have found was basically that this issue arises with the 2.6 kernel, and to reinstall 2.4... but I have 2.4 already....
Oh, and yes, my kernel is configured (to the best of my knowledge) correctly.
Sith_Happens, Veteran (Joined: 15 Dec 2004, Posts: 1807, Location: The University of Maryland at College Park)
Posted: Wed Mar 23, 2005 2:04 pm
Post the output of this command:
Code:
cat /usr/src/linux/.config | grep FILTER
It should look something like this:
Code:
CONFIG_NETFILTER=y
# CONFIG_NETFILTER_DEBUG is not set
# CONFIG_FILTER is not set
_________________
"That question was less stupid; though you asked it in a profoundly stupid way."
I'm the brains behind Jackass! | Tutorials: Shorewall
Tipycol, n00b (Joined: 08 Jan 2005, Posts: 9)
Posted: Thu Mar 24, 2005 12:02 am
Shorewall doesn't start for me. I run /etc/init.d/shorewall start and just get
Code:
* Starting firewall... [ !! ]
and there's nothing in shorewall logwatch or syslog. I'm pretty sure I did everything in the instructions; is there something else I have to do to get it started? (I'm using amd64 btw)
Sith_Happens, Veteran (Joined: 15 Dec 2004, Posts: 1807, Location: The University of Maryland at College Park)
Posted: Thu Mar 24, 2005 1:07 am
Tipycol wrote:
> Shorewall doesn't start for me. I run /etc/init.d/shorewall start and just get
> Code:
> * Starting firewall... [ !! ]
> and there's nothing in shorewall logwatch or syslog. I'm pretty sure I did everything in the instructions; is there something else I have to do to get it started? (I'm using amd64 btw)

Try starting shorewall manually as root with shorewall start, and post any errors it gives you.
Tipycol, n00b (Joined: 08 Jan 2005, Posts: 9)
Posted: Thu Mar 24, 2005 1:33 am
Ah, I didn't set shorewall to start in /etc/shorewall/shorewall.conf, or define the zones in /etc/shorewall/zones. Everything's working fine now. Thanks Sith_Happens
Sith_Happens, Veteran (Joined: 15 Dec 2004, Posts: 1807, Location: The University of Maryland at College Park)
Posted: Thu Mar 24, 2005 2:22 am
Tipycol wrote:
> Ah, I didn't set shorewall to start in /etc/shorewall/shorewall.conf, or define the zones in /etc/shorewall/zones. Everything's working fine now. Thanks Sith_Happens

Sure thing, glad it was something simple. Did your confusion result from something in the tutorial that can be made clearer? If so I would be interested to know what.
Silent1Mark, n00b (Joined: 30 Apr 2004, Posts: 70)
Posted: Thu Mar 24, 2005 4:16 am
If anyone is using Gaim, you need to add the following rules to get it working. Or at least I had to.
tcp port 1863 for the MSN protocol; I got this info from http://www.hypothetic.org/docs/msn/general/connections.php
tcp port 5190 for AIM and ICQ (who else still has a 6 digit ICQ number?). That one is on the shorewall home page and in the tutorial.
Getting Yahoo to work takes more than a "smile and handshake".
You have to look under your Tools > Accounts > (Yahoo account) > Modify > Show more options >
and then take a look at what port it's using. Mine says port 5050 and it works; the "known ports" it uses are 20 23 25 80 119 5050 8001 8002.
That information was posted on http://gaim.sourceforge.net/faq.php#q63
Hope this helps.
Sith_Happens, Veteran (Joined: 15 Dec 2004, Posts: 1807, Location: The University of Maryland at College Park)
Posted: Thu Mar 24, 2005 4:47 am
Thanks for the info Silent1Mark, it's much appreciated.
clameo, n00b (Joined: 30 Mar 2005, Posts: 11)
Posted: Wed Mar 30, 2005 9:11 pm
Code:
/etc/init.d/iptables start
* Loading iptables state and starting firewall...
* Restoring iptables ruleset [ ok ]
user iptables # rc-update add shorewall default && /etc/init.d/shorewall start
* shorewall already installed in runlevel default; skipping
* Starting firewall...
Warning: Zone loc is empty
Warning: Zone dmz is empty
FATAL: Module ip_tables not found.
iptables v1.2.11: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
FATAL: Module ip_tables not found.
iptables v1.2.11: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
FATAL: Module ip_tables not found.
iptables v1.2.11: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
FATAL: Module ip_tables not found.
iptables v1.2.11: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
FATAL: Module ip_tables not found.
iptables v1.2.11: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
FATAL: Module ip_tables not found.
iptables v1.2.11: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
FATAL: Module ip_tables not found.
iptables v1.2.11: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
FATAL: Module ip_tables not found.
iptables v1.2.11: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
FATAL: Module ip_tables not found.
iptables v1.2.11: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
FATAL: Module ip_tables not found.
iptables v1.2.11: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
FATAL: Module ip_tables not found.
iptables v1.2.11: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
/sbin/runscript.sh: line 532: 10647 Terminated /sbin/shorewall start >/
How can I solve this problem?
Sith_Happens, Veteran (Joined: 15 Dec 2004, Posts: 1807, Location: The University of Maryland at College Park)
Posted: Wed Mar 30, 2005 9:20 pm
clameo wrote:
> Code: (the /etc/init.d/shorewall start output quoted in full in the post above)
> How can I solve this problem?

Are you sure you followed the kernel configuration section correctly? Post the output of cat /usr/src/linux/.config | grep FILTER.
Johnyp, Guru (Joined: 23 Mar 2005, Posts: 301)
Posted: Wed Mar 30, 2005 10:19 pm
I wonder why you needed to specify the same rules twice (for TCP and UDP). As far as I know (and I may be wrong), all of those use TCP. Could you clarify or correct me?
Also, as I understand it, those are the rules for dropping all traffic from outside and allowing traffic from the inside to those specific services.
So, if one wanted to run a web server, FTP and SSH on the machine running Shorewall they would have to use something like this, right?
Code:
#ACTION  SOURCE  DESTINATION  PROTO  DEST PORT(S)  Service
ACCEPT   net     fw           tcp    80            #http
ACCEPT   net     fw           tcp    21            #ftp
ACCEPT   net     fw           tcp    22            #ssh
Thanks
Last edited by Johnyp on Wed Mar 30, 2005 10:34 pm; edited 2 times in total
Sith_Happens, Veteran (Joined: 15 Dec 2004, Posts: 1807, Location: The University of Maryland at College Park)
Posted: Wed Mar 30, 2005 10:31 pm
Johnyp wrote:
> I wonder why you needed to specify the same rules twice (for TCP and UDP). As far as I know (and I may be wrong), all of those use TCP. Could you clarify or correct me?
> Thanks

No, you're right, I'm just covering all the bases.
Johnyp, Guru (Joined: 23 Mar 2005, Posts: 301)
Posted: Wed Mar 30, 2005 10:37 pm
Cool. Nice tutorial man, just used it to set up my server. It helps when others write down what they know in a way that is easy to read and understand.
Sith_Happens, Veteran (Joined: 15 Dec 2004, Posts: 1807, Location: The University of Maryland at College Park)
Posted: Wed Mar 30, 2005 10:55 pm
Johnyp wrote:
> Cool. Nice tutorial man, just used it to set up my server. It helps when others write down what they know in a way that is easy to read and understand.

Exactly my point, I'm glad it came across that way.
Johnyp, Guru (Joined: 23 Mar 2005, Posts: 301)
Posted: Wed Mar 30, 2005 11:20 pm
Here is a question for you:
I have a ping running against the gentoo box where I've just installed Shorewall (I get replies). Ping is going through; Shorewall has never been started on this machine. I start shorewall and I get "destination unreachable" to my pings. At this point everything is working correctly. Now, if I STOP shorewall, icmp is still dropped as if Shorewall is running, but it's not!
What happened to the icmp then?
Sith_Happens, Veteran (Joined: 15 Dec 2004, Posts: 1807, Location: The University of Maryland at College Park)
Posted: Wed Mar 30, 2005 11:25 pm
Johnyp wrote:
> Here is a question for you:
> I have a ping running against the gentoo box where I've just installed Shorewall. Ping is going through; Shorewall has never been started on this machine. I start shorewall and I get no destination unreachable to my pings. At this point everything is working correctly. Now, if I STOP shorewall, icmp is still dropped as if Shorewall is running, but it's not!
> What happened to the icmp then?

Yeah, I get this with shorewall as well. When you start shorewall, it configures iptables; however, when you stop shorewall, it doesn't seem to flush all the ipchains rules. Try running this after stopping shorewall:
See if that fixes the problem.
Johnyp, Guru (Joined: 23 Mar 2005, Posts: 301)
Posted: Wed Mar 30, 2005 11:37 pm
Hmm... no. In fact, it drops all the communications (including existing SSH to the box, and even traffic originating from the gentoo box to the outside machine). Just completely kills the network. If after this I start shorewall and run ping on the gentoo box going to the outside, I get "operation not permitted. x.x.x.x host is unreachable".
My rule set is very close to this. But only SSH is actually started on the box.
Code:
#ACTION  SOURCE  DESTINATION  PROTO  DEST PORT(S)  Service
ACCEPT   net     fw           tcp    80            #http
ACCEPT   net     fw           tcp    21            #ftp
ACCEPT   net     fw           tcp    22            #ssh
1) update
It seems the only way to get back the networking is to reboot the box. I would rather restart a service or two when I need to reapply rules than restart the whole box.
2) UPDATE
OK, when you stop shorewall and you want to have the machine wide open for bidirectional communications, run
Code:
/etc/init.d/shorewall clear
This will flush all the rules. Otherwise the firewall is stopped, but for security reasons it blocks all traffic rather than making the machine wide open to attacks. I guess this is good in case the firewall crashes/drops for some reason.
Last edited by Johnyp on Wed Mar 30, 2005 11:51 pm; edited 1 time in total
Sith_Happens, Veteran (Joined: 15 Dec 2004, Posts: 1807, Location: The University of Maryland at College Park)
Posted: Wed Mar 30, 2005 11:51 pm
I'd like to thank you for bringing this to my attention, otherwise I probably never would have figured this out. We are all learning. Check this out:
Code:
Shorewall is stopped using the shorewall stop command.
Important
The shorewall stop command does not remove all netfilter rules and open your firewall for all traffic to pass. It rather places your firewall in a safe state defined by the contents of your /etc/shorewall/routestopped file and the setting of ADMINISABSENTMINDED in /etc/shorewall/shorewall.conf.
Setting some rules in /etc/shorewall/routestopped would be a good idea as well.
clameo, n00b (Joined: 30 Mar 2005, Posts: 11)
Posted: Thu Mar 31, 2005 3:33 am
Sith_Happens wrote:
> Are you sure you followed the kernel configuration section correctly? Post the output of cat /usr/src/linux/.config | grep FILTER.

Code:
CONFIG_NETFILTER=y
# CONFIG_NETFILTER_DEBUG is not set
# CONFIG_PPP_FILTER is not set
I recompiled my kernel with genkernel...
Sith_Happens, Veteran (Joined: 15 Dec 2004, Posts: 1807, Location: The University of Maryland at College Park)
Posted: Thu Mar 31, 2005 7:22 pm
clameo wrote:
> Sith_Happens wrote:
> > Are you sure you followed the kernel configuration section correctly? Post the output of cat /usr/src/linux/.config | grep FILTER.
> Code:
> CONFIG_NETFILTER=y
> # CONFIG_NETFILTER_DEBUG is not set
> # CONFIG_PPP_FILTER is not set
> I recompiled my kernel with genkernel...

Ah, it looks like you're using a 2.4 kernel; run cat /usr/src/linux/.config | grep IPTABLES. I thought that the default when netfilter was selected was to compile in iptables support, perhaps I was wrong. If so I'll have to update the tutorial.
EDIT: Tutorial updated, check to make sure your kernel is configured with IP tables support as per the updated tutorial.
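The two greps above (FILTER, then IPTABLES) are the manual version of a check that can be scripted. The following is an added example, not code from the tutorial or from the Shorewall project: it parses a kernel .config, reports each netfilter option as built-in (y), module (m) or absent, and says which of the thread's errors each state corresponds to. The list of options it treats as required is this example's own assumption about a minimal 2.4 iptables setup; the constructed SAMPLE_CLAMEO reproduces the output clameo posted, where `grep FILTER` looks fine but ip_tables is not built at all.

```python
"""Check a Linux 2.4-era .config for the netfilter/iptables options that
Shorewall's `filter' table needs.

Added example; not the tutorial's or Shorewall's own code. REQUIRED is this
example's assumption about a minimal set, not a list taken from the tutorial.
"""
import re
import sys

# Example assumption: a minimal set of Kconfig symbols for Shorewall on 2.4.
REQUIRED = {
    "CONFIG_NETFILTER":       "netfilter core; exports the nf_*_sockopt symbols ip_tables needs",
    "CONFIG_IP_NF_IPTABLES":  "ip_tables itself; absent => 'iptables who? (do you need to insmod?)'",
    "CONFIG_IP_NF_FILTER":    "iptable_filter; absent => can't initialize iptables table `filter'",
    "CONFIG_IP_NF_CONNTRACK": "ip_conntrack; needed for stateful rules",
    "CONFIG_IP_NF_NAT":       "iptable_nat; needed for masquerading",
}

_SET = re.compile(r"^(CONFIG_\w+)=(\S+)$")
_UNSET = re.compile(r"^# (CONFIG_\w+) is not set$")


def parse_config(text):
    """Map CONFIG_* symbols to their value; '# X is not set' becomes 'n'."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        m = _SET.match(line)
        if m:
            cfg[m.group(1)] = m.group(2)
            continue
        m = _UNSET.match(line)
        if m:
            cfg[m.group(1)] = "n"
    return cfg


def check_netfilter(text):
    """Return (symbol, status, verdict) for each REQUIRED option.

    A symbol that does not appear at all is reported as 'n': that is how an
    option hidden by a missing parent (e.g. IP_NF_* without NETFILTER) shows up.
    """
    cfg = parse_config(text)
    report = []
    for sym, why in REQUIRED.items():
        status = cfg.get(sym, "n")
        if status == "y":
            verdict = "built in: nothing to insmod"
        elif status == "m":
            # A module built from a different config than the running kernel
            # fails at insmod with 'unresolved symbol', as in Gripp's post.
            verdict = "module: must exist under /lib/modules/<uname -r>/ and match this kernel"
        else:
            verdict = "MISSING: " + why
        report.append((sym, status, verdict))
    return report


def missing(text):
    """Just the symbols that are neither built in nor modular."""
    return [sym for sym, status, _ in check_netfilter(text) if status == "n"]


# Constructed sample: the three lines clameo's `grep FILTER` showed.
SAMPLE_CLAMEO = """\
CONFIG_NETFILTER=y
# CONFIG_NETFILTER_DEBUG is not set
# CONFIG_PPP_FILTER is not set
"""

# Constructed sample of a config that has everything (example assumption).
SAMPLE_OK = """\
CONFIG_NETFILTER=y
CONFIG_IP_NF_CONNTRACK=m
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_NAT=m
"""

if __name__ == "__main__":
    # Usage: python check_netfilter.py /usr/src/linux/.config
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CLAMEO
    for sym, status, verdict in check_netfilter(text):
        print(f"{sym:<24} {status:<2} {verdict}")
```

Run against the real file with the path as the first argument; with no argument it reports on the constructed sample, where every IP_NF_* option comes back MISSING even though CONFIG_NETFILTER=y, which is exactly why grepping for FILTER alone was not enough.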
clameo, n00b (Joined: 30 Mar 2005, Posts: 11)
Posted: Sat Apr 02, 2005 7:43 pm
I got everything running, but how can I get amule working? I mean I opened tcp 4662 & udp 4672, but I can't connect to the server. Any ideas?
deepHomer, n00b (Joined: 06 Apr 2005, Posts: 6)
Posted: Sun Apr 10, 2005 2:22 pm
clameo wrote:
> I got everything running, but how can I get amule working? I mean I opened tcp 4662 & udp 4672, but I can't connect to the server. Any ideas?

From info in the FAQ eD2K-Kademlia I tried these settings that seem to work:
Code:
#ACTION  SOURCE  DEST  PROTO  DEST PORT
ACCEPT   fw      net   tcp    4661       #for amule -- connection to server
ACCEPT   net     fw    tcp    4661       #for amule -- connection to server -- Required for HighID?
ACCEPT   fw      net   tcp    4662       #for amule -- client to client xfers
ACCEPT   net     fw    tcp    4662       #for amule -- client to client xfers
ACCEPT   fw      net   udp    4665       #for amule -- global search queries
ACCEPT   fw      net   udp    4672       #for amule -- Extended eMule protocol
ACCEPT   fw      net   tcp    4711       #for amule -- WebServer listening port
But other than being able to download/upload, I don't know what the security implications are for these settings. If you can come up with a smaller set, please post.
BTW, thank you Sith_Happens for your efforts in tutoring us n00bs.
Sith_Happens, Veteran (Joined: 15 Dec 2004, Posts: 1807, Location: The University of Maryland at College Park)
Posted: Sun Apr 10, 2005 3:01 pm
I don't know too much about how amule works; however, p2p file sharing programs are going to want a two way connection like that to upload and download files. As far as security implications, you're going to need to allow some access from the net if you want to use a filesharing program, that's just a fact of life. Really the best advice I can give you is to watch for security updates for amule, that way you can fix any vulnerabilities in it before somebody xfers your system into oblivion. If you wanted to make a smaller set cosmetically you could combine the two net->fw rules together like so:
Code:
ACCEPT net fw tcp 4661:4662
This way, when you are not using amule, you can just comment out this line and restart shorewall (using /etc/init.d/shorewall restart), which will close off the unnecessary open ports. Then just delete the comment, and restart shorewall if you want to use amule.
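deepHomer's rules and the reply above raise two practical questions: which of those lines actually let the outside world open connections to the box (the "security implications" question), and how to fold adjacent net->fw ports into one 4661:4662 line. The following is an added example, not code from the tutorial, from Shorewall, or from anyone in this thread: it parses the five-column rules format used in this thread, reports the ACCEPTed ports per protocol for a given source/destination zone pair, and rewrites that set as merged Shorewall port specs. The constructed SAMPLE_RULES combines deepHomer's amule rules with the Gaim ports Silent1Mark listed (written here as fw->net rules, an assumption of the example) and an ssh rule. Real rules files have further optional columns that this parser ignores.

```python
"""Summarise and merge the ports a Shorewall rules file ACCEPTs between zones.

Added example; not the tutorial's or Shorewall's own code. It understands only
the five-column form used in this thread: ACTION SOURCE DEST PROTO DEST PORT(S),
where DEST PORT(S) may be a port, a low:high range, or a comma-separated list.
"""
from collections import defaultdict

# Constructed sample input: deepHomer's amule rules, the Gaim ports from
# Silent1Mark's post written as outbound (fw -> net) rules, and an ssh rule.
SAMPLE_RULES = """\
#ACTION SOURCE DEST PROTO DEST PORT(S)
ACCEPT fw  net tcp 4661   #for amule -- connection to server
ACCEPT net fw  tcp 4661   #for amule -- connection to server -- Required for HighID?
ACCEPT fw  net tcp 4662   #for amule -- client to client xfers
ACCEPT net fw  tcp 4662   #for amule -- client to client xfers
ACCEPT fw  net udp 4665   #for amule -- global search queries
ACCEPT fw  net udp 4672   #for amule -- Extended eMule protocol
ACCEPT fw  net tcp 4711   #for amule -- WebServer listening port
ACCEPT fw  net tcp 1863   #gaim: MSN
ACCEPT fw  net tcp 5190   #gaim: AIM/ICQ
ACCEPT fw  net tcp 5050   #gaim: Yahoo
ACCEPT net fw  tcp 22     #ssh
"""


def parse_ports(spec):
    """Expand '22', '4661:4662' or '80,443' into a sorted list of ints."""
    ports = set()
    for part in spec.split(","):
        if ":" in part:
            lo, hi = part.split(":", 1)
            ports.update(range(int(lo), int(hi) + 1))
        else:
            ports.add(int(part))
    return sorted(ports)


def parse_rules(text):
    """Return (action, source, dest, proto, ports) for each non-comment line."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop the #comment column
        if not line:
            continue
        fields = line.split()
        if len(fields) < 5:
            raise ValueError("too few columns: " + raw)
        action, source, dest, proto, portspec = fields[:5]
        rules.append((action.upper(), source, dest, proto.lower(), parse_ports(portspec)))
    return rules


def exposed_ports(text, source="net", dest="fw"):
    """Ports ACCEPTed from `source` to `dest`, grouped by protocol.

    With the defaults this is the inbound surface: fw -> net rules only let
    the box connect out, net -> fw rules let the outside connect in.
    """
    by_proto = defaultdict(set)
    for action, src, dst, proto, ports in parse_rules(text):
        if action == "ACCEPT" and src == source and dst == dest:
            by_proto[proto].update(ports)
    return {proto: sorted(ports) for proto, ports in by_proto.items()}


def to_ranges(ports):
    """Collapse a sorted port list: [22, 4661, 4662] -> ['22', '4661:4662']."""
    runs = []
    for p in ports:
        if runs and p == runs[-1][1] + 1:
            runs[-1][1] = p
        else:
            runs.append([p, p])
    return [f"{lo}" if lo == hi else f"{lo}:{hi}" for lo, hi in runs]


def merged_rules(text, source="net", dest="fw"):
    """One ACCEPT line per protocol with adjacent ports merged into ranges."""
    lines = []
    for proto, ports in sorted(exposed_ports(text, source, dest).items()):
        lines.append(f"ACCEPT {source} {dest} {proto} {','.join(to_ranges(ports))}")
    return lines


if __name__ == "__main__":
    for proto, ports in exposed_ports(SAMPLE_RULES).items():
        print(f"net -> fw {proto}: {ports}")
    print("\n".join(merged_rules(SAMPLE_RULES)))
```

On the sample the inbound surface is tcp 22, 4661 and 4662 only; none of the udp lines are reachable from net, which answers the security question for deepHomer's set. The merged output is a single ACCEPT net fw tcp 22,4661:4662 line, which can be commented out and restored as the reply suggests.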
tomvollerthun, Guru (Joined: 19 Mar 2005, Posts: 316)
Posted: Thu Apr 14, 2005 5:59 pm
Unfortunately I configured my shorewall before you created the howto, which is really a shame, because it would have saved me some time: I think it is really good.
I got amule working with normal ID and everything by just adding to the rules
Code:
ACCEPT net fw tcp 4662
But I have as well in my policy file:
because I wanted to be "just able" to connect.
Greetings, tom
_________________
Computer science is no more about computers than astronomy is about telescopes.
Dijkstra
---------------
Don't believe my "Guru" status!
big_D, n00b (Joined: 14 Apr 2005, Posts: 40, Location: UK)
Posted: Thu Apr 14, 2005 8:53 pm
I've followed your tutorial - Shorewall seems to start up fine, with no errors, thanks.
I'm probably missing something really obvious, but when I visit your link to check the firewall all the ports (bar 21, 23 & 80) are closed rather than stealthed.
I've set /etc/shorewall/policy as you indicated. Where else should I look for info?