Tony0945 Watchman
Joined: 25 Jul 2006 Posts: 5127 Location: Illinois, USA
|
Posted: Thu Nov 03, 2016 12:31 am Post subject: Samba and Windows 7 |
|
|
My network has two Gentoo computers, one dual boot Gentoo/XP and one new Win 7 computer. Win 7 sees the XP computer, sees the miniDLNA server on the one Gentoo box, sees all the smart TV's, Roku, and Amazon firestick but does not see SAMBA on any computer although XP does (and does not see the other devices). I've researched on the web, mostly Ubuntu problems and found my SAMBA config should work. samba-3.6.25 is that version not supporting Win7?
Anyone connecting to Windows 7?
Last edited by Tony0945 on Sun Aug 13, 2017 12:07 am; edited 2 times in total |
|
Fitzcarraldo Advocate
Joined: 30 Aug 2008 Posts: 2034 Location: United Kingdom
|
Posted: Thu Nov 03, 2016 10:00 am Post subject: |
|
|
Yes, I have Windows 7 machines in my home network, which consists of a mix of machines running Linux (including Gentoo amd64 and ~amd64), Windows 7, Windows 10, Android, etc. SMB/Samba browsing works fine on all the machines. I use Samba 4, not Samba 3, on the Linux machines. For my home network I just use broadcast NetBIOS name resolution, which works fine if you have up to e.g. 15 Workgroup devices in the network. I allow any machine in the network to participate in Master Browser elections, and those elections also work fine. You can see examples of working smb.conf files and net-fs/samba USE flags in my blog post A correct method of configuring Samba for browsing SMB shares in a home network. _________________ Clevo W230SS: amd64, VIDEO_CARDS="intel modesetting nvidia".
Compal NBLB2: ~amd64, xf86-video-ati. Dual boot Win 7 Pro 64-bit.
OpenRC udev elogind & KDE on both.
Fitzcarraldo's blog |
|
Tony0945 Watchman
Joined: 25 Jul 2006 Posts: 5127 Location: Illinois, USA
|
Posted: Thu Nov 03, 2016 7:27 pm Post subject: |
|
|
Thank you for your excellent site. I updated Samba on one box. I also changed the workgroup name on the XP computer from the default MsHome to workgroup and as you can see it is visible.
http://dpaste.com/3JHQ28Z I did the same with the Win 7 computer and XP can see it and exchange files but as yet Win7 sees only the XP computer (Casti) and the Gentoo computers do not see the Win 7 computer. |
|
Fitzcarraldo Advocate
Joined: 30 Aug 2008 Posts: 2034 Location: United Kingdom
|
Posted: Fri Nov 04, 2016 10:55 pm Post subject: |
|
|
I don't use Samba 3 as it's outdated, and I recommend you switch all your machines to Samba 4. If you don't want to move to Samba 4, I suppose you could try the following Windows 7 registry edit from a 2009 Microsoft Knowledge Article: Windows 7 and Samba 3 interoperability, but I don't know whether that is still valid or what impact it would have on the other shares. |
|
Princess Nell l33t
Joined: 15 Apr 2005 Posts: 916
|
Posted: Fri Nov 04, 2016 11:06 pm Post subject: |
|
|
+1
Use testparm before and after to see which defaults have changed and update the config accordingly. |
|
Tony0945 Watchman
Joined: 25 Jul 2006 Posts: 5127 Location: Illinois, USA
|
Posted: Fri Nov 04, 2016 11:19 pm Post subject: |
|
|
I will be moving the other box and use the samba.conf from the other machine as a template with only some name changes.
The problem with upgrading to samba 4 is that wine requires samba with the winbind flag if samba is used, so I had to recompile wine with -samba which took FOREVER.
I'll follow up on your tip. I'm sure win 7 is the problem:
1. win7 can ping the XP box but neither gentoo box. Gives "no response"
2. the XP box can ping both gentoo boxes and the win7 box.
3. the gentoo boxes can ping everything
4. the gentoo boxes see each other's share and the XP share, but not the win 7 share.
5. the XP box sees all the shares, win 7 and gentoo.
6. the win 7 box sees only the XP share and can exchange files with it.
7. The win7 box sees the miniDLNA server on the gentoo box that has it. It works too.
8. The win7 box does not see the apache web site on the other gentoo box (really strange!). the XP box does and of course the gentoo boxes do also.
9. the win7 box also sees the amazon firestick, the (multiple) Samsung SmartTV's and the Roku. Everything EXCEPT Linux!
EDIT: I can also log in to the win7 box using rdesktop from the gentoo boxes, works even better than with XP. Yet win7 won't admit that the gentoo box exists! |
|
ct85711 Veteran
Joined: 27 Sep 2005 Posts: 1791
|
Posted: Sat Nov 05, 2016 12:52 am Post subject: |
|
|
One thing you may want to do, to help troubleshoot is turn off the firewall on your windows 7 machines; to help filter out the part of the firewall blocking the traffic.
Note: I am not meaning to keep it disabled, but it's useful to have it off for a little bit to rule that out from affecting it.
If the windows 7 machines are separated by nat from the linux machines, that will also prevent the communication. |
|
Fitzcarraldo Advocate
Joined: 30 Aug 2008 Posts: 2034 Location: United Kingdom
|
Posted: Sat Nov 05, 2016 1:07 am Post subject: |
|
|
Tony0945 wrote: | The problem with upgrading to samba 4 is that wine requires samba with the winbind flag if samba is used, so I had to recompile wine with -samba which took FOREVER. |
For a typical home network, WINS is not necessary (and so Winbind is not necessary), as Broadcast NetBIOS Name Resolution works fine. If you use Broadcast NetBIOS Name Resolution instead of WINS, Samba does not require the winbind USE flag to be set:
Code: | fitzcarraldo@clevow230ss ~ $ equery uses samba | grep winbind
-winbind |
Therefore I wonder why the WINE ebuild insists on Winbind if WINE is built with USE="samba":
Code: | fitzcarraldo@clevow230ss ~ $ grep winbind /usr/portage/app-emulation/wine/wine-1.9.20.ebuild
samba? ( >=net-fs/samba-3.0.25[winbind] ) |
Perhaps that is a mistake in the WINE ebuild. After all, the Samba ebuild mistakenly insists that Kerberos is installed even when Broadcast NetBIOS Name Resolution is being used, which is certainly unnecessary (Gentoo Bug No. 579088). |
|
Tony0945 Watchman
Joined: 25 Jul 2006 Posts: 5127 Location: Illinois, USA
|
Posted: Sat Nov 05, 2016 6:01 am Post subject: |
|
|
Duh! Hit me on the head! Messing with the Windows 7 firewall got me nowhere. The problem was my iptables setup! I list every machine that can connect and drop the rest. This is to prevent unknown code on Roku, firestick or especially Samsung SmartTV's from gaining access. I did not add the new computer's ip address to the ACCEPT list in iptables on either gentoo computer. I modified my script accordingly, ran it, ran /etc/init.d/iptables save and all is well. I can now ping from Win 7 and access the samba shares.
I have updated the second machine to Samba 4. Many thanks to Fitzcarraldo for the scripts on his web page. |
|
Fitzcarraldo Advocate
Joined: 30 Aug 2008 Posts: 2034 Location: United Kingdom
|
Posted: Fri Aug 11, 2017 7:08 pm Post subject: |
|
|
A bit of a 'necro post', but I thought it would be useful to mention in case someone searches and finds this thread that, if you are using broadcast NetBIOS name resolution, the firewall in each Linux machine needs an extra rule in order for Samba commands (smbtree, smbclient, nmbclient etc.) to work properly.
For a purely iptables firewall:
Code: | iptables -t raw -A OUTPUT -p udp -m udp --dport 137 -j CT --helper netbios-ns |
Users of UFW should add the following to the end of /etc/ufw/before.rules:
Code: | # The following is needed to enable Samba commands to
# work properly for broadcast NetBIOS name resolution
#
# raw table rules
*raw
:OUTPUT ACCEPT [0:0]
-F OUTPUT
-A OUTPUT -p udp -m udp --dport 137 -j CT --helper netbios-ns
COMMIT |
Ref. Prevent Linux firewalls interfering with Samba commands in a home network that uses broadcast NetBIOS name resolution |
|
Tony0945 Watchman
Joined: 25 Jul 2006 Posts: 5127 Location: Illinois, USA
|
Posted: Fri Aug 11, 2017 8:28 pm Post subject: |
|
|
Code: | iptables v1.4.21: can't initialize iptables table `raw': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded. |
|
Fitzcarraldo Advocate
Joined: 30 Aug 2008 Posts: 2034 Location: United Kingdom
|
Posted: Fri Aug 11, 2017 8:51 pm Post subject: |
|
|
Tony0945 wrote: | Code: | iptables v1.4.21: can't initialize iptables table `raw': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded. |
|
Fitzcarraldo's blog wrote: |
Kernel configuration
If you are using a binary-based distribution such as Ubuntu Linux, the kernel will probably have been configured to include the needed modules (CONFIG_IP_NF_RAW=m, CONFIG_IP6_NF_RAW=m and CONFIG_NETFILTER_XT_TARGET_CT=m), and the installation configured to load the modules automatically. However, if you are using a source-based distribution such as Gentoo Linux make sure the kernel configuration includes these three options before you build the kernel, and also add the module names 'iptable_raw' and 'xt_CT' to the module list in the file /etc/conf.d/modules as shown in the example below, so that the modules are loaded at boot:
Code: | modules="r8169 nvidia agpgart fuse bnep rfcomm hidp uvcvideo cifs mmc_block rtsx_pci snd-seq-midi vboxdrv vboxnetadp vboxnetflt iptable_raw xt_CT" |
You can use the following two commands to check if the two modules are loaded:
Code: | user $ sudo lsmod | grep iptable_raw
user $ sudo lsmod | grep xt_CT |
|
|
Tony0945 Watchman
Joined: 25 Jul 2006 Posts: 5127 Location: Illinois, USA
|
Posted: Sat Aug 12, 2017 1:52 am Post subject: |
|
|
Thank you again!
Code: | X3 /home/tony # zgrep CONFIG_IP_NF_RAW /proc/config.gz
# CONFIG_IP_NF_RAW is not set |
Does this do more than "iptables -P OUTPUT ACCEPT" ? |
|
Fitzcarraldo Advocate
Joined: 30 Aug 2008 Posts: 2034 Location: United Kingdom
|
Posted: Sat Aug 12, 2017 12:16 pm Post subject: |
|
|
Tony0945 wrote: | Thank you again!
Code: | X3 /home/tony # zgrep CONFIG_IP_NF_RAW /proc/config.gz
# CONFIG_IP_NF_RAW is not set |
Does this do more than "iptables -P OUTPUT ACCEPT" ? |
The rule you mention allows all outgoing traffic. It wouldn't solve the problem with broadcast NetBIOS name resolution.
In simple, two-way flows (conversations), a machine running IPTABLES handles responses to packets it sends using the ESTABLISHED / RELATED rule. However, unlike 'traditional' machine-to-machine two-way flows, Broadcast NetBIOS Name Resolution relies on broadcasts, i.e. the conversation is not two-way; it is one-to-many. The machine that issues a NetBIOS broadcast may receive multiple unicast responses from multiple machines on the LAN.
The issue is accepting these incoming NetBIOS responses from the other machines. The initiating machine does not establish two-way flows with every other 'NetBIOS speaking' machine on the LAN and, therefore, does not have corresponding rules to process their responses.
The machine issuing a NetBIOS broadcast invokes the Connection Tracking netbios-ns helper in the OUTPUT chain of the 'raw' table to prepare the firewall to accept incoming responses to the broadcast it has just issued, thereby creating a dynamic, pre-established rule for the responses. |
|
Tony0945 Watchman
Joined: 25 Jul 2006 Posts: 5127 Location: Illinois, USA
|
Posted: Sat Aug 12, 2017 1:57 pm Post subject: |
|
|
Thanks for the explanation. Samba is mostly working but sometimes is flaky. This may explain why.
This is a section of smb.conf on my file server. (note is from the default conf)
Code: | domain master = no
local master = yes
preferred master = yes
; os level = 6 on the other laptop, so I have made it 5 on this laptop.
os level = 5
name resolve order = bcast
wins support = no
dns proxy = no
|
And as on the client machine:
Code: | gentoo ~ # zgrep CONFIG_IP_NF_RAW /proc/config.gz
# CONFIG_IP_NF_RAW is not set |
I'll correct the kernel config and firewall script and reboot. |
|
Fitzcarraldo Advocate
Joined: 30 Aug 2008 Posts: 2034 Location: United Kingdom
|
Posted: Sat Aug 12, 2017 2:27 pm Post subject: |
|
|
The excerpt from smb.conf on your file server looks OK, and would work for Broadcast NetBIOS Name Resolution. I know I quoted a low 'os level' for my file server in my original blog post on SMB/Samba, and that does work (it just means there is a new Master Browser every time another machine with a higher os level connects to the network). However, if your file server is always-on (or nearly always) you could, if you want, have 'os level = 255' instead in the file server's smb.conf so that the file server is always the Master Browser (until you disconnect it or power it down, at which point a normal re-election for Master Browser would occur).
I'm not typing this on one of my two Gentoo-running laptops, but I'll boot one up in a few minutes and edit this post to list all the loaded iptables-related modules, just for information.
(By the way, a mixture of Windows versions connects to my network: the family desktop machine runs Windows 10, various family members have laptops running Windows 7 and Windows 10, and of course smartphones and tablets running Android and iOS, plus the occasional visitor with a MacBook running macOS. So this approach is not just for Windows 7, even if you are just using Windows 7 presently.) |
|
Tony0945 Watchman
Joined: 25 Jul 2006 Posts: 5127 Location: Illinois, USA
|
Posted: Sat Aug 12, 2017 4:19 pm Post subject: |
|
|
Hmmm! Modules are built and loaded.
But:
Code: | gentoo ~ # iptables -t raw -A OUTPUT -p udp -m udp --dport 137 -j CT --helper netbios-ns
iptables: No chain/target/match by that name. |
The results of iptables -L:
Code: | gentoo ~ # iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
REJECT tcp -- anywhere anywhere tcp dpt:auth flags:FIN,SYN,RST,ACK/SYN reject-with tcp-reset
ACCEPT icmp -- anywhere anywhere
ACCEPT udp -- anywhere anywhere udp spt:domain state RELATED,ESTABLISHED
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:8200
ACCEPT udp -- anywhere anywhere udp dpt:1900
ACCEPT all -- Casti.MsHome anywhere
ACCEPT all -- Windoze.MsHome anywhere
ACCEPT all -- www.tonysegredo.net anywhere
ACCEPT all -- X3.MsHome anywhere
ACCEPT all -- 192.168.0.105 anywhere
ACCEPT all -- k6.MsHome anywhere
ACCEPT all -- 192.168.0.108 anywhere
ACCEPT all -- biostar-wired anywhere
ACCEPT all -- biostar anywhere
ACCEPT all -- router all-systems.mcast.net
ACCEPT all -- router 255.255.255.255
DROP all -- anywhere 239.255.255.250
DROP all -- 0.0.0.0 255.255.255.255
logdrop all -- anywhere anywhere ctstate NEW
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain logdrop (1 references)
target prot opt source destination
LOG all -- anywhere anywhere LOG level warning prefix "DROP: "
DROP all -- anywhere anywhere
|
That second rule doesn't look right.
lsmod output at https://paste.pound-python.org/show/TJizBBzy16umsonxknjU/
[Moderator edit: fixed url tag. -Hu] |
|
Tony0945 Watchman
Joined: 25 Jul 2006 Posts: 5127 Location: Illinois, USA
|
Posted: Sat Aug 12, 2017 4:56 pm Post subject: |
|
|
Quote: | [Moderator edit: fixed url tag. -Hu] |
Thanks, Hu. Do you think this thread should be maybe split? |
|
Fitzcarraldo Advocate
Joined: 30 Aug 2008 Posts: 2034 Location: United Kingdom
|
Posted: Sat Aug 12, 2017 6:27 pm Post subject: |
|
|
Looks like you need to load the conntrack modules.
NAS running Ubuntu
(I have not rebuilt the Ubuntu kernel; this is the pre-canned version, i.e. everything enabled but the kitchen sink.)
These are the firewall-related modules actually loaded:
Code: | ip_tables CONFIG_IP_NF_IPTABLES=m
iptable_filter CONFIG_IP_NF_FILTER=m
iptable_nat CONFIG_NF_NAT=m
iptable_raw CONFIG_IP_NF_RAW=m
multipath CONFIG_IP_ROUTE_MULTIPATH=m
nf_conntrack CONFIG_NF_CONNTRACK=m
nf_conntrack_broadcast CONFIG_NF_CONNTRACK_BROADCAST=m
nf_conntrack_ipv4 CONFIG_NF_CONNTRACK_IPV4=m
nf_conntrack_netbios_ns CONFIG_NF_CONNTRACK_NETBIOS_NS=m
nf_defrag_ipv4 CONFIG_NF_DEFRAG_IPV4=m
nf_log_common CONFIG_NF_LOG_COMMON=m
nf_log_ipv4 CONFIG_NF_LOG_IPV4=m
nf_nat CONFIG_NF_NAT=m
nf_nat_ipv4 CONFIG_NF_NAT_IPV4=m
x_tables CONFIG_NETFILTER_XTABLES=m
xt_CT CONFIG_NETFILTER_XT_TARGET_CT=m
xt_LOG CONFIG_NETFILTER_XT_TARGET_LOG=m
xt_conntrack CONFIG_NETFILTER_XT_MATCH_CONNTRACK=m
xt_limit CONFIG_NETFILTER_XT_MATCH_LIMIT=m
xt_tcpudp CONFIG_NETFILTER_XTABLES=m |
Here is the kernel configuration, firewall-wise:
Code: | $ grep CONFIG_IP_ /boot/config-4.2.0-27-generic | grep -v ^#
CONFIG_IP_MULTICAST=y
CONFIG_IP_ADVANCED_ROUTER=y
CONFIG_IP_FIB_TRIE_STATS=y
CONFIG_IP_MULTIPLE_TABLES=y
CONFIG_IP_ROUTE_MULTIPATH=y
CONFIG_IP_ROUTE_VERBOSE=y
CONFIG_IP_ROUTE_CLASSID=y
CONFIG_IP_PNP=y
CONFIG_IP_PNP_DHCP=y
CONFIG_IP_MROUTE=y
CONFIG_IP_PIMSM_V1=y
CONFIG_IP_PIMSM_V2=y
CONFIG_IP_SET=m
CONFIG_IP_SET_MAX=256
CONFIG_IP_SET_BITMAP_IP=m
CONFIG_IP_SET_BITMAP_IPMAC=m
CONFIG_IP_SET_BITMAP_PORT=m
CONFIG_IP_SET_HASH_IP=m
CONFIG_IP_SET_HASH_IPMARK=m
CONFIG_IP_SET_HASH_IPPORT=m
CONFIG_IP_SET_HASH_IPPORTIP=m
CONFIG_IP_SET_HASH_IPPORTNET=m
CONFIG_IP_SET_HASH_MAC=m
CONFIG_IP_SET_HASH_NETPORTNET=m
CONFIG_IP_SET_HASH_NET=m
CONFIG_IP_SET_HASH_NETNET=m
CONFIG_IP_SET_HASH_NETPORT=m
CONFIG_IP_SET_HASH_NETIFACE=m
CONFIG_IP_SET_LIST_SET=m
CONFIG_IP_VS=m
CONFIG_IP_VS_IPV6=y
CONFIG_IP_VS_TAB_BITS=12
CONFIG_IP_VS_PROTO_TCP=y
CONFIG_IP_VS_PROTO_UDP=y
CONFIG_IP_VS_PROTO_AH_ESP=y
CONFIG_IP_VS_PROTO_ESP=y
CONFIG_IP_VS_PROTO_AH=y
CONFIG_IP_VS_PROTO_SCTP=y
CONFIG_IP_VS_RR=m
CONFIG_IP_VS_WRR=m
CONFIG_IP_VS_LC=m
CONFIG_IP_VS_WLC=m
CONFIG_IP_VS_FO=m
CONFIG_IP_VS_LBLC=m
CONFIG_IP_VS_LBLCR=m
CONFIG_IP_VS_DH=m
CONFIG_IP_VS_SH=m
CONFIG_IP_VS_SED=m
CONFIG_IP_VS_NQ=m
CONFIG_IP_VS_SH_TAB_BITS=8
CONFIG_IP_VS_FTP=m
CONFIG_IP_VS_NFCT=y
CONFIG_IP_VS_PE_SIP=m
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_MATCH_AH=m
CONFIG_IP_NF_MATCH_ECN=m
CONFIG_IP_NF_MATCH_RPFILTER=m
CONFIG_IP_NF_MATCH_TTL=m
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_TARGET_REJECT=m
CONFIG_IP_NF_TARGET_SYNPROXY=m
CONFIG_IP_NF_NAT=m
CONFIG_IP_NF_TARGET_MASQUERADE=m
CONFIG_IP_NF_TARGET_NETMAP=m
CONFIG_IP_NF_TARGET_REDIRECT=m
CONFIG_IP_NF_MANGLE=m
CONFIG_IP_NF_TARGET_CLUSTERIP=m
CONFIG_IP_NF_TARGET_ECN=m
CONFIG_IP_NF_TARGET_TTL=m
CONFIG_IP_NF_RAW=m
CONFIG_IP_NF_SECURITY=m
CONFIG_IP_NF_ARPTABLES=m
CONFIG_IP_NF_ARPFILTER=m
CONFIG_IP_NF_ARP_MANGLE=m
CONFIG_IP_DCCP=m
CONFIG_IP_SCTP=m
$ grep CONFIG_IP4 /boot/config-4.2.0-27-generic | grep -v ^#
$ grep CONFIG_IP6 /boot/config-4.2.0-27-generic | grep -v ^#
CONFIG_IP6_NF_IPTABLES=m
CONFIG_IP6_NF_MATCH_AH=m
CONFIG_IP6_NF_MATCH_EUI64=m
CONFIG_IP6_NF_MATCH_FRAG=m
CONFIG_IP6_NF_MATCH_OPTS=m
CONFIG_IP6_NF_MATCH_HL=m
CONFIG_IP6_NF_MATCH_IPV6HEADER=m
CONFIG_IP6_NF_MATCH_MH=m
CONFIG_IP6_NF_MATCH_RPFILTER=m
CONFIG_IP6_NF_MATCH_RT=m
CONFIG_IP6_NF_TARGET_HL=m
CONFIG_IP6_NF_FILTER=m
CONFIG_IP6_NF_TARGET_REJECT=m
CONFIG_IP6_NF_TARGET_SYNPROXY=m
CONFIG_IP6_NF_MANGLE=m
CONFIG_IP6_NF_RAW=m
CONFIG_IP6_NF_SECURITY=m
CONFIG_IP6_NF_NAT=m
CONFIG_IP6_NF_TARGET_MASQUERADE=m
CONFIG_IP6_NF_TARGET_NPT=m
$ grep CONFIG_NF_ /boot/config-4.2.0-27-generic | grep -v ^#
CONFIG_NF_CONNTRACK=m
CONFIG_NF_LOG_COMMON=m
CONFIG_NF_CONNTRACK_MARK=y
CONFIG_NF_CONNTRACK_SECMARK=y
CONFIG_NF_CONNTRACK_ZONES=y
CONFIG_NF_CONNTRACK_EVENTS=y
CONFIG_NF_CONNTRACK_TIMEOUT=y
CONFIG_NF_CONNTRACK_TIMESTAMP=y
CONFIG_NF_CONNTRACK_LABELS=y
CONFIG_NF_CT_PROTO_DCCP=m
CONFIG_NF_CT_PROTO_GRE=m
CONFIG_NF_CT_PROTO_SCTP=m
CONFIG_NF_CT_PROTO_UDPLITE=m
CONFIG_NF_CONNTRACK_AMANDA=m
CONFIG_NF_CONNTRACK_FTP=m
CONFIG_NF_CONNTRACK_H323=m
CONFIG_NF_CONNTRACK_IRC=m
CONFIG_NF_CONNTRACK_BROADCAST=m
CONFIG_NF_CONNTRACK_NETBIOS_NS=m
CONFIG_NF_CONNTRACK_SNMP=m
CONFIG_NF_CONNTRACK_PPTP=m
CONFIG_NF_CONNTRACK_SANE=m
CONFIG_NF_CONNTRACK_SIP=m
CONFIG_NF_CONNTRACK_TFTP=m
CONFIG_NF_CT_NETLINK=m
CONFIG_NF_CT_NETLINK_TIMEOUT=m
CONFIG_NF_CT_NETLINK_HELPER=m
CONFIG_NF_NAT=m
CONFIG_NF_NAT_NEEDED=y
CONFIG_NF_NAT_PROTO_DCCP=m
CONFIG_NF_NAT_PROTO_UDPLITE=m
CONFIG_NF_NAT_PROTO_SCTP=m
CONFIG_NF_NAT_AMANDA=m
CONFIG_NF_NAT_FTP=m
CONFIG_NF_NAT_IRC=m
CONFIG_NF_NAT_SIP=m
CONFIG_NF_NAT_TFTP=m
CONFIG_NF_NAT_REDIRECT=m
CONFIG_NF_TABLES=m
CONFIG_NF_TABLES_INET=m
CONFIG_NF_TABLES_NETDEV=m
CONFIG_NF_DEFRAG_IPV4=m
CONFIG_NF_CONNTRACK_IPV4=m
CONFIG_NF_TABLES_IPV4=m
CONFIG_NF_TABLES_ARP=m
CONFIG_NF_LOG_ARP=m
CONFIG_NF_LOG_IPV4=m
CONFIG_NF_REJECT_IPV4=m
CONFIG_NF_NAT_IPV4=m
CONFIG_NF_NAT_MASQUERADE_IPV4=m
CONFIG_NF_NAT_SNMP_BASIC=m
CONFIG_NF_NAT_PROTO_GRE=m
CONFIG_NF_NAT_PPTP=m
CONFIG_NF_NAT_H323=m
CONFIG_NF_DEFRAG_IPV6=m
CONFIG_NF_CONNTRACK_IPV6=m
CONFIG_NF_TABLES_IPV6=m
CONFIG_NF_REJECT_IPV6=m
CONFIG_NF_LOG_IPV6=m
CONFIG_NF_NAT_IPV6=m
CONFIG_NF_NAT_MASQUERADE_IPV6=m
CONFIG_NF_TABLES_BRIDGE=m
CONFIG_NF_LOG_BRIDGE=m
$ grep CONFIG_NETFILTER /boot/config-4.2.0-27-generic | grep -v ^#
CONFIG_NETFILTER=y
CONFIG_NETFILTER_ADVANCED=y
CONFIG_NETFILTER_INGRESS=y
CONFIG_NETFILTER_NETLINK=m
CONFIG_NETFILTER_NETLINK_ACCT=m
CONFIG_NETFILTER_NETLINK_QUEUE=m
CONFIG_NETFILTER_NETLINK_LOG=m
CONFIG_NETFILTER_NETLINK_QUEUE_CT=y
CONFIG_NETFILTER_SYNPROXY=m
CONFIG_NETFILTER_XTABLES=m
CONFIG_NETFILTER_XT_MARK=m
CONFIG_NETFILTER_XT_CONNMARK=m
CONFIG_NETFILTER_XT_SET=m
CONFIG_NETFILTER_XT_TARGET_AUDIT=m
CONFIG_NETFILTER_XT_TARGET_CHECKSUM=m
CONFIG_NETFILTER_XT_TARGET_CLASSIFY=m
CONFIG_NETFILTER_XT_TARGET_CONNMARK=m
CONFIG_NETFILTER_XT_TARGET_CONNSECMARK=m
CONFIG_NETFILTER_XT_TARGET_CT=m
CONFIG_NETFILTER_XT_TARGET_DSCP=m
CONFIG_NETFILTER_XT_TARGET_HL=m
CONFIG_NETFILTER_XT_TARGET_HMARK=m
CONFIG_NETFILTER_XT_TARGET_IDLETIMER=m
CONFIG_NETFILTER_XT_TARGET_LED=m
CONFIG_NETFILTER_XT_TARGET_LOG=m
CONFIG_NETFILTER_XT_TARGET_MARK=m
CONFIG_NETFILTER_XT_NAT=m
CONFIG_NETFILTER_XT_TARGET_NETMAP=m
CONFIG_NETFILTER_XT_TARGET_NFLOG=m
CONFIG_NETFILTER_XT_TARGET_NFQUEUE=m
CONFIG_NETFILTER_XT_TARGET_RATEEST=m
CONFIG_NETFILTER_XT_TARGET_REDIRECT=m
CONFIG_NETFILTER_XT_TARGET_TEE=m
CONFIG_NETFILTER_XT_TARGET_TPROXY=m
CONFIG_NETFILTER_XT_TARGET_TRACE=m
CONFIG_NETFILTER_XT_TARGET_SECMARK=m
CONFIG_NETFILTER_XT_TARGET_TCPMSS=m
CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP=m
CONFIG_NETFILTER_XT_MATCH_ADDRTYPE=m
CONFIG_NETFILTER_XT_MATCH_BPF=m
CONFIG_NETFILTER_XT_MATCH_CGROUP=m
CONFIG_NETFILTER_XT_MATCH_CLUSTER=m
CONFIG_NETFILTER_XT_MATCH_COMMENT=m
CONFIG_NETFILTER_XT_MATCH_CONNBYTES=m
CONFIG_NETFILTER_XT_MATCH_CONNLABEL=m
CONFIG_NETFILTER_XT_MATCH_CONNLIMIT=m
CONFIG_NETFILTER_XT_MATCH_CONNMARK=m
CONFIG_NETFILTER_XT_MATCH_CONNTRACK=m
CONFIG_NETFILTER_XT_MATCH_CPU=m
CONFIG_NETFILTER_XT_MATCH_DCCP=m
CONFIG_NETFILTER_XT_MATCH_DEVGROUP=m
CONFIG_NETFILTER_XT_MATCH_DSCP=m
CONFIG_NETFILTER_XT_MATCH_ECN=m
CONFIG_NETFILTER_XT_MATCH_ESP=m
CONFIG_NETFILTER_XT_MATCH_HASHLIMIT=m
CONFIG_NETFILTER_XT_MATCH_HELPER=m
CONFIG_NETFILTER_XT_MATCH_HL=m
CONFIG_NETFILTER_XT_MATCH_IPCOMP=m
CONFIG_NETFILTER_XT_MATCH_IPRANGE=m
CONFIG_NETFILTER_XT_MATCH_IPVS=m
CONFIG_NETFILTER_XT_MATCH_L2TP=m
CONFIG_NETFILTER_XT_MATCH_LENGTH=m
CONFIG_NETFILTER_XT_MATCH_LIMIT=m
CONFIG_NETFILTER_XT_MATCH_MAC=m
CONFIG_NETFILTER_XT_MATCH_MARK=m
CONFIG_NETFILTER_XT_MATCH_MULTIPORT=m
CONFIG_NETFILTER_XT_MATCH_NFACCT=m
CONFIG_NETFILTER_XT_MATCH_OSF=m
CONFIG_NETFILTER_XT_MATCH_OWNER=m
CONFIG_NETFILTER_XT_MATCH_POLICY=m
CONFIG_NETFILTER_XT_MATCH_PHYSDEV=m
CONFIG_NETFILTER_XT_MATCH_PKTTYPE=m
CONFIG_NETFILTER_XT_MATCH_QUOTA=m
CONFIG_NETFILTER_XT_MATCH_RATEEST=m
CONFIG_NETFILTER_XT_MATCH_REALM=m
CONFIG_NETFILTER_XT_MATCH_RECENT=m
CONFIG_NETFILTER_XT_MATCH_SCTP=m
CONFIG_NETFILTER_XT_MATCH_SOCKET=m
CONFIG_NETFILTER_XT_MATCH_STATE=m
CONFIG_NETFILTER_XT_MATCH_STATISTIC=m
CONFIG_NETFILTER_XT_MATCH_STRING=m
CONFIG_NETFILTER_XT_MATCH_TCPMSS=m
CONFIG_NETFILTER_XT_MATCH_TIME=m
CONFIG_NETFILTER_XT_MATCH_U32=m
$ grep CONFIG_XT /boot/config-4.2.0-27-generic | grep -v ^#
$ |
W230SS laptop running Gentoo
These are the firewall-related modules actually loaded:
Code: | ip6t_rt CONFIG_IP6_NF_MATCH_RT=m
iptable_raw CONFIG_IP_NF_RAW=m
nf_conntrack CONFIG_NF_CONNTRACK=m
nf_conntrack_broadcast CONFIG_NF_CONNTRACK_BROADCAST=m
nf_conntrack_ftp CONFIG_NF_CONNTRACK_FTP=m
nf_conntrack_ipv4 CONFIG_NF_CONNTRACK_IPV4=m
nf_conntrack_ipv6 CONFIG_NF_CONNTRACK_IPV6=m
nf_conntrack_netbios_ns CONFIG_NF_CONNTRACK_NETBIOS_NS=m
nf_defrag_ipv4 CONFIG_NF_DEFRAG_IPV4=m
nf_defrag_ipv6 CONFIG_NF_DEFRAG_IPV6=m
nf_log_common CONFIG_NF_LOG_COMMON=m
nf_log_ipv4 CONFIG_NF_LOG_IPV4=m
nf_log_ipv6 CONFIG_NF_LOG_IPV6=m
nf_nat CONFIG_NF_NAT=m
nf_nat_ftp CONFIG_NF_NAT_FTP=m
xt_CT CONFIG_NETFILTER_XT_TARGET_CT=m
xt_LOG CONFIG_NETFILTER_XT_TARGET_LOG=m
xt_conntrack CONFIG_NETFILTER_XT_MATCH_CONNTRACK=m |
This is in the kernel configuration, but the module is not actually loaded (I should probably get around to adding it to the list in /etc/conf.d/modules):
Code: | CONFIG_NF_NAT_IPV4=m |
In the NAS these are built as modules, but in the Clevo laptop I have built them into the kernel (for no special reason):
Code: | CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_FILTER=y
CONFIG_IP_ROUTE_MULTIPATH=y
CONFIG_NETFILTER_XTABLES=y
CONFIG_NETFILTER_XT_MATCH_LIMIT=y |
Here is the kernel configuration, firewall-wise:
Code: | $ grep CONFIG_IP_ /usr/src/linux/.config | grep -v ^#
CONFIG_IP_MULTICAST=y
CONFIG_IP_ADVANCED_ROUTER=y
CONFIG_IP_MULTIPLE_TABLES=y
CONFIG_IP_ROUTE_MULTIPATH=y
CONFIG_IP_ROUTE_VERBOSE=y
CONFIG_IP_PNP=y
CONFIG_IP_PNP_DHCP=y
CONFIG_IP_PNP_BOOTP=y
CONFIG_IP_PNP_RARP=y
CONFIG_IP_MROUTE=y
CONFIG_IP_PIMSM_V1=y
CONFIG_IP_PIMSM_V2=y
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_FILTER=y
CONFIG_IP_NF_TARGET_REJECT=y
CONFIG_IP_NF_NAT=m
CONFIG_IP_NF_TARGET_MASQUERADE=m
CONFIG_IP_NF_MANGLE=y
CONFIG_IP_NF_RAW=m
$ grep CONFIG_IP4 /usr/src/linux/.config | grep -v ^#
$ grep CONFIG_IP6 /usr/src/linux/.config | grep -v ^#
CONFIG_IP6_NF_IPTABLES=y
CONFIG_IP6_NF_MATCH_IPV6HEADER=y
CONFIG_IP6_NF_MATCH_RT=m
CONFIG_IP6_NF_TARGET_HL=m
CONFIG_IP6_NF_FILTER=y
CONFIG_IP6_NF_TARGET_REJECT=y
CONFIG_IP6_NF_MANGLE=y
CONFIG_IP6_NF_RAW=m
$ grep CONFIG_NF_ /usr/src/linux/.config | grep -v ^#
CONFIG_NF_CONNTRACK=m
CONFIG_NF_LOG_COMMON=m
CONFIG_NF_CONNTRACK_SECMARK=y
CONFIG_NF_CONNTRACK_PROCFS=y
CONFIG_NF_CT_PROTO_GRE=m
CONFIG_NF_CONNTRACK_FTP=m
CONFIG_NF_CONNTRACK_BROADCAST=m
CONFIG_NF_CONNTRACK_NETBIOS_NS=m
CONFIG_NF_CONNTRACK_PPTP=m
CONFIG_NF_NAT=m
CONFIG_NF_NAT_NEEDED=y
CONFIG_NF_NAT_FTP=m
CONFIG_NF_DEFRAG_IPV4=m
CONFIG_NF_CONNTRACK_IPV4=m
CONFIG_NF_LOG_ARP=m
CONFIG_NF_LOG_IPV4=m
CONFIG_NF_REJECT_IPV4=y
CONFIG_NF_NAT_IPV4=m
CONFIG_NF_NAT_MASQUERADE_IPV4=m
CONFIG_NF_NAT_PROTO_GRE=m
CONFIG_NF_NAT_PPTP=m
CONFIG_NF_DEFRAG_IPV6=m
CONFIG_NF_CONNTRACK_IPV6=m
CONFIG_NF_REJECT_IPV6=y
CONFIG_NF_LOG_IPV6=m
$ grep CONFIG_NETFILTER /usr/src/linux/.config | grep -v ^#
CONFIG_NETFILTER=y
CONFIG_NETFILTER_ADVANCED=y
CONFIG_NETFILTER_NETLINK=y
CONFIG_NETFILTER_NETLINK_LOG=y
CONFIG_NETFILTER_XTABLES=y
CONFIG_NETFILTER_XT_TARGET_CT=m
CONFIG_NETFILTER_XT_TARGET_HL=m
CONFIG_NETFILTER_XT_TARGET_LOG=m
CONFIG_NETFILTER_XT_NAT=m
CONFIG_NETFILTER_XT_TARGET_NFLOG=y
CONFIG_NETFILTER_XT_TARGET_TCPMSS=y
CONFIG_NETFILTER_XT_MATCH_ADDRTYPE=y
CONFIG_NETFILTER_XT_MATCH_COMMENT=y
CONFIG_NETFILTER_XT_MATCH_CONNTRACK=m
CONFIG_NETFILTER_XT_MATCH_HASHLIMIT=m
CONFIG_NETFILTER_XT_MATCH_HL=y
CONFIG_NETFILTER_XT_MATCH_LIMIT=y
CONFIG_NETFILTER_XT_MATCH_MULTIPORT=y
CONFIG_NETFILTER_XT_MATCH_POLICY=y
CONFIG_NETFILTER_XT_MATCH_RECENT=y
CONFIG_NETFILTER_XT_MATCH_STATE=m
$ grep CONFIG_XT /usr/src/linux/.config | grep -v ^#
$ |
|
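Added example (not part of the original thread and not any poster's own code): a preflight check for the `-j CT --helper netbios-ns` rule that combines the two checks used above, the kernel configuration and the loaded modules, and handles options built in with `=y`, which never appear in lsmod. The option/module pairs come from the lists posted in the thread; treating all five as required is an assumption, and the sample config and lsmod text are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Preflight check for:
#   iptables -t raw -A OUTPUT -p udp -m udp --dport 137 -j CT --helper netbios-ns
# Kernel option / module pairs as posted in the thread. Treating all five
# as required is an assumption of this example.
REQUIRED="CONFIG_IP_NF_RAW:iptable_raw
CONFIG_NETFILTER_XT_TARGET_CT:xt_CT
CONFIG_NF_CONNTRACK:nf_conntrack
CONFIG_NF_CONNTRACK_BROADCAST:nf_conntrack_broadcast
CONFIG_NF_CONNTRACK_NETBIOS_NS:nf_conntrack_netbios_ns"

# Constructed sample: a kernel built without the raw table.
SAMPLE_CFG_NO_RAW='# CONFIG_IP_NF_RAW is not set
CONFIG_NETFILTER_XT_TARGET_CT=m
CONFIG_NF_CONNTRACK=m
CONFIG_NF_CONNTRACK_BROADCAST=m
CONFIG_NF_CONNTRACK_NETBIOS_NS=m'

# Constructed sample: every option present, conntrack core built in.
SAMPLE_CFG_OK='CONFIG_IP_NF_RAW=m
CONFIG_NETFILTER_XT_TARGET_CT=m
CONFIG_NF_CONNTRACK=y
CONFIG_NF_CONNTRACK_BROADCAST=m
CONFIG_NF_CONNTRACK_NETBIOS_NS=m'

# Constructed lsmod output matching SAMPLE_CFG_OK with all modules loaded.
SAMPLE_LSMOD_OK='Module                  Size  Used by
xt_CT                  16384  1
iptable_raw            16384  1
nf_conntrack_netbios_ns 16384  1
nf_conntrack_broadcast 16384  1 nf_conntrack_netbios_ns'

# config_state OPTION CONFIG_TEXT
# Prints y (built in), m (module) or n (not set or absent).
config_state() {
    line=$(printf '%s\n' "$2" | grep -E "^$1=" | head -n 1)
    case "$line" in
        *=y) echo y ;;
        *=m) echo m ;;
        *)   echo n ;;
    esac
}

# module_loaded MODULE LSMOD_TEXT
# Exit status 0 if MODULE appears in the first column of the lsmod output.
module_loaded() {
    printf '%s\n' "$2" | awk -v m="$1" '$1 == m { found = 1 } END { exit !found }'
}

# check_netbios_helper CONFIG_TEXT LSMOD_TEXT
# Returns 0 = ready, 1 = a built module is not loaded, 2 = kernel lacks an option.
check_netbios_helper() {
    cfg=$1; mods=$2; rc=0
    for pair in $REQUIRED; do
        opt=${pair%%:*}; mod=${pair##*:}
        case "$(config_state "$opt" "$cfg")" in
            y)  printf 'OK        %s is built in (no module to load)\n' "$opt" ;;
            m)  if module_loaded "$mod" "$mods"; then
                    printf 'OK        %s: module %s is loaded\n' "$opt" "$mod"
                else
                    printf 'NOTLOADED %s: module %s is built but not loaded\n' "$opt" "$mod"
                    if [ "$rc" -lt 1 ]; then rc=1; fi
                fi ;;
            *)  printf 'REBUILD   %s is not set in this kernel\n' "$opt"
                rc=2 ;;
        esac
    done
    return "$rc"
}

# Stand-alone demo on the constructed samples. On a real host use:
#   check_netbios_helper "$(zcat /proc/config.gz)" "$(lsmod)"
echo "== kernel without the raw table =="
check_netbios_helper "$SAMPLE_CFG_NO_RAW" "" || echo "status $?"
echo "== complete kernel, modules loaded =="
check_netbios_helper "$SAMPLE_CFG_OK" "$SAMPLE_LSMOD_OK" || echo "status $?"
```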
Hu Moderator
Joined: 06 Mar 2007 Posts: 21624
|
Posted: Sat Aug 12, 2017 8:49 pm Post subject: |
|
|
Tony0945 wrote: | Quote: | [Moderator edit: fixed url tag. -Hu] |
Thanks, Hu. Do you think this thread should be maybe split? |
From a quick scan of the posts, it looks like you're the only one reporting problems in this thread and all other posters are trying to help, so I'll defer to your preference on whether to keep it together or split it out. (If we had several users requesting assistance in a single thread, that would argue strongly for splitting if the problems were not duplicate reports of a single issue, but since this thread is for your benefit, I leave it up to you.) If you want it split, please suggest which posts need to be moved to a separate thread. |
|
Tony0945 Watchman
Joined: 25 Jul 2006 Posts: 5127 Location: Illinois, USA
|
Posted: Sun Aug 13, 2017 12:06 am Post subject: |
|
|
Hu wrote: | [From a quick scan of the posts, it looks like you're the only one reporting problems in this thread and all other posters are trying to help, so I'll defer to your preference on whether to keep it together or split it out. (If we had several users requesting assistance in a single thread, that would argue strongly for splitting if the problems were not duplicate reports of a single issue, but since this thread is for your benefit, I leave it up to you.) If you want it split, please suggest which posts need to be moved to a separate thread. |
I'll just edit out the "solved". |