Moriah Advocate
Joined: 27 Mar 2004 Posts: 2365 Location: Kentucky
Posted: Tue May 02, 2023 5:11 pm Post subject: old firewall script no longer works -- SOLVED
I just had my gateway firewall/router machine die.
I replaced the ancient machine with a new one, but the ancient (many years old) firewall script doesn't work with the new up-to-date machine's version of iptables.
It cannot find the 'nat' table, and it cannot find the 'LOG' extension.
I am temporarily connected via wifi to get on the internet to ask this question, so I cannot copy/paste the exact error message iptables is giving me, but in both cases, it mentions something about a missing kernel module.
Can anybody help me get this working?
_________________
The MyWord KJV Bible tool is at http://www.elilabs.com/~myword
Foghorn Leghorn is a Warner Bros. cartoon character.
Last edited by Moriah on Thu May 04, 2023 2:39 am; edited 1 time in total
Hu Moderator
Joined: 06 Mar 2007 Posts: 21624
Posted: Tue May 02, 2023 5:58 pm Post subject:
The kernel module message is likely the explanation. Both the nat table and the LOG target are optional kernel features. You may not have them enabled in your new kernel. I believe you want at least NF_NAT=y, IP_NF_NAT=y, and probably NF_NAT_MASQUERADE=y to solve the nat error. You probably want NF_LOG_IPV4=y for the LOG target. If adding those does not work, post back and someone can research this for you. Those names are picked from memory.
Moriah Advocate
Joined: 27 Mar 2004 Posts: 2365 Location: Kentucky
Posted: Tue May 02, 2023 8:51 pm Post subject:
Thanks! I'll give it a try later tonight and post back either way.
This is my gateway firewall, so it does static NAT for the DMZ. I have a separate choke firewall that does masquerade from the LAN to the DMZ, and then the choke gets static NATted to the internet through the gateway firewall. Therefore, I do not need masquerade on this firewall, only static NAT.
Can I build these kernel features as loadable modules, or do I need to build an entirely new kernel?
Hu Moderator
Joined: 06 Mar 2007 Posts: 21624
Posted: Tue May 02, 2023 9:23 pm Post subject:
Sometimes you can just build a module, but that is not guaranteed to work. I do not know whether it will work in this particular case. If it fails, the typical failure mode is that the module can be built, but cannot be loaded due to missing symbols, so it is usually safe to try this. At worst, you will need to go back and do a full kernel build instead when the module approach fails to load.
Moriah Advocate
Joined: 27 Mar 2004 Posts: 2365 Location: Kentucky
Posted: Tue May 02, 2023 10:04 pm Post subject:
Looking more closely at the output from the firewall script, I see DNAT, SNAT, and MASQUERADE are all complained about, so maybe I do need masquerade. I am assuming DNAT and SNAT are destination and source NAT, if my memory serves me. Do you have additional suggestions to handle these?
Hu Moderator
Joined: 06 Mar 2007 Posts: 21624
Posted: Wed May 03, 2023 12:55 am Post subject:
I did not, but I checked the kernel source for you. Those appear to be implemented in net/netfilter/xt_nat.c. net/netfilter/Makefile will build net/netfilter/xt_nat.c if CONFIG_NETFILTER_XT_NAT is enabled. I think enabling that will provide both SNAT and DNAT for you.
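Before rebuilding, it is worth checking the kernel .config for the options named in this thread rather than waiting for the firewall script to fail again. The following is an added shell example, not code from this thread, from Gentoo or from the kernel tree. The option list (NF_NAT, IP_NF_NAT, NF_NAT_MASQUERADE, NF_LOG_IPV4, NETFILTER_XT_NAT) is taken as given from Hu's two posts above, the sample .config lines are constructed for the demonstration, and both =y and =m are treated as present because Hu notes the module route is usually worth trying first.

```shell
#!/bin/sh
# Added example, not from the thread, Gentoo or the kernel tree: check a kernel
# .config for the netfilter options named in the thread (NF_NAT, IP_NF_NAT and
# NF_NAT_MASQUERADE for the nat table, NF_LOG_IPV4 for the LOG target,
# NETFILTER_XT_NAT for SNAT/DNAT). The list mirrors Hu's posts as written.
# Either =y (built in) or =m (loadable module) counts as present.

REQUIRED_NF_OPTIONS="NF_NAT IP_NF_NAT NF_NAT_MASQUERADE NF_LOG_IPV4 NETFILTER_XT_NAT"

# Usage: kconfig_state <config-file> <OPTION>   -> prints y, m or n
kconfig_state() {
    kc_file=$1
    kc_opt=$2
    # Anchor on '=' so CONFIG_NF_NAT does not match CONFIG_NF_NAT_MASQUERADE
    kc_val=$(sed -n "s/^CONFIG_${kc_opt}=\([ym]\)\$/\1/p" "$kc_file" | head -n 1)
    if [ -n "$kc_val" ]; then
        echo "$kc_val"
    else
        echo n
    fi
}

# Usage: missing_nf_options <config-file>
# Prints each missing CONFIG_ name on its own line; returns 0 when nothing is missing.
missing_nf_options() {
    mn_rc=0
    for mn_opt in $REQUIRED_NF_OPTIONS; do
        if [ "$(kconfig_state "$1" "$mn_opt")" = n ]; then
            echo "CONFIG_$mn_opt"
            mn_rc=1
        fi
    done
    return $mn_rc
}

# Constructed sample in the format a real .config uses. On a live system point
# the function at /usr/src/linux/.config, or at a file produced by
# `zcat /proc/config.gz` when the running kernel exposes its config.
SAMPLE_CONFIG=$(mktemp)
cat > "$SAMPLE_CONFIG" <<'EOF'
CONFIG_NETFILTER=y
CONFIG_NF_NAT=m
CONFIG_IP_NF_NAT=y
# CONFIG_NF_NAT_MASQUERADE is not set
CONFIG_NF_LOG_IPV4=m
# CONFIG_NETFILTER_XT_NAT is not set
EOF

missing_nf_options "$SAMPLE_CONFIG" \
    || echo "rebuild the kernel (or the modules) with the options listed above"
```

With the constructed sample the script reports CONFIG_NF_NAT_MASQUERADE and CONFIG_NETFILTER_XT_NAT as missing, which is exactly the combination that would leave the MASQUERADE, SNAT and DNAT targets unavailable to the firewall script.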
Moriah Advocate
Joined: 27 Mar 2004 Posts: 2365 Location: Kentucky
Posted: Wed May 03, 2023 5:23 pm Post subject:
So I built the kernel. Using make menuconfig it was easy, and it looks like everything I needed was included.
Now I need to get the fancy-pantsy new grub to boot it!
I have always used the classic grub. It was very easy to set up the boot menu and choose which kernel got auto-booted after a timeout.
This new grub looks like it was designed by a committee at the United Nations! GOOD GRIEF!
Why is this so complicated? When I installed the initial kernel, it "just worked" with the new grub, but after make install, the new kernel does not even show up on the boot menu, and it still boots the old kernel.
How do I tell grub which kernel to boot? Since this is my gateway firewall, I need it to reboot itself on power-up after a power failure, so the new kernel needs to be the default kernel.
Oh yes, I guess I should mention that I do use a custom initrd also, since / is on an lvm volume.
BTW, thanks for all the help so far. It's been a long time since I needed to set up a new machine.
Hu Moderator
Joined: 06 Mar 2007 Posts: 21624
Posted: Wed May 03, 2023 5:57 pm Post subject:
I cannot help you with grub2, as I switched to syslinux when grub1 became deprecated. I suggest opening a new thread about your bootloader issue, since people who know grub2 may not come into a thread about firewall issues.
sMueggli Guru
Joined: 03 Sep 2022 Posts: 365
Posted: Wed May 03, 2023 6:09 pm Post subject:
Moriah wrote:
    When I installed the initial kernel, it "just worked" with the new grub, but after make install, the new kernel does not even show up on the boot menu, and it still boots the old kernel.
Did you regenerate the grub.cfg?
Moriah wrote:
    How do I tell grub which kernel to boot? Since this is my gateway firewall, I need it to reboot itself on power-up after a power failure, so the new kernel needs to be the default kernel.
If you have regenerated the grub.cfg and the "wrong" option is at the first position, you can specify another boot entry with the
variable inside the file /etc/default/grub and then you need to regenerate the grub.cfg:
Code:
    grub-mkconfig -o /boot/grub/grub.cfg
Moriah Advocate
Joined: 27 Mar 2004 Posts: 2365 Location: Kentucky
Posted: Wed May 03, 2023 6:34 pm Post subject:
First, thank you Hu for the help on the kernel and firewall issues. As you can see, I got a response to the grub issue here anyway, so I will pursue that and see if I can get this thing to boot the right kernel.
sMueggli:
I just tried this, with the following negative result:
Code:
    jacob ~ # cd /
    jacob / # grub-mkconfig -o /boot/grub/grub.cfg
    /usr/sbin/grub-probe: error: failed to get canonical path of `/dev/gentoo/rootfs'.
    jacob / #
It looks like grub-mkconfig doesn't like the fact that my root filesystem is on an lvm volume...
Any suggestions?
sMueggli Guru
Joined: 03 Sep 2022 Posts: 365
Posted: Wed May 03, 2023 7:17 pm Post subject:
I see the "failed to get canonical path" error normally when people are executing the command from a live CD and not from inside the chroot. But this should not be your problem.
I am also using LVM and do not have problems with grub. I assume you installed grub with the "device-mapper" USE flag?
In the discussion https://unix.stackexchange.com/questions/96977/grub-probe-error-failed-to-get-canonical-path-of-cow there is one comment that indicates some problem with "realpath".
You can check with
Code:
    realpath /dev/gentoo/rootfs
    ls -l /dev/gentoo/rootfs
Moriah Advocate
Joined: 27 Mar 2004 Posts: 2365 Location: Kentucky
Posted: Wed May 03, 2023 9:57 pm Post subject:
Apparently the 'device-mapper' USE flag is not in /etc/portage/make.conf and there is no /etc/portage/package.use entry for sys-boot/grub either. So where do I put the USE flag? In make.conf or package.use/grub?
Code:
    jacob / # emerge -pv sys-boot/grub
    These are the packages that would be merged, in order:
    Calculating dependencies... done!
    Dependency resolution took 24.25 s.
    [ebuild R ] sys-boot/grub-2.06-r6:2/2.06-r6::gentoo USE="fonts nls sdl themes truetype -device-mapper -doc -efiemu -libzfs -mount (-test)" GRUB_PLATFORMS="pc -coreboot -efi-32 -efi-64 -emu -ieee1275 (-loongson) -multiboot -qemu (-qemu-mips) -uboot -xen -xen-32 -xen-pvh" 0 KiB
    Total: 1 package (1 reinstall), Size of downloads: 0 KiB
    jacob / #
So it is obviously missing the device-mapper USE flag.
I just wonder how it worked the first time when the first kernel was originally installed...
Moriah Advocate
Joined: 27 Mar 2004 Posts: 2365 Location: Kentucky
Posted: Wed May 03, 2023 11:53 pm Post subject:
SUCCESS !!!
I added device-mapper to /etc/portage/package.use/grub.use and re-emerged grub.
It still complained because realpath still did not work.
Then I manually executed vgscan --mknodes, after which realpath *DID* work, so that was the problem.
I then did grub-mkconfig -o /boot/grub/grub.cfg and rebooted. I had to figure out how to boot the correct kernel, but when I did, and did uname -s, I was able to verify that the kernel I had just built was the one that booted.
Then I started iptables and ran my firewall script, after which everything worked. My network is back online, and I assume my mail server is now working again.
THANK YOU SO MUCH sMueggli !!!
Now I just need to figure out how to make the correct kernel boot as the default...
Moriah Advocate
Joined: 27 Mar 2004 Posts: 2365 Location: Kentucky
Posted: Thu May 04, 2023 12:50 am Post subject:
Got the new kernel to boot as the default.
Now just a few details to attend to, like getting the firewall script to run automatically on boot.
Apparently the old rc.local directory is now called the /etc/local.d directory, so I will have to put my custom startup script there.
Moriah Advocate
Joined: 27 Mar 2004 Posts: 2365 Location: Kentucky
Posted: Thu May 04, 2023 1:08 am Post subject:
OK, obviously I don't understand the "new way"...
How do I get the scripts in /etc/local.d to run at boot?
Hu Moderator
Joined: 06 Mar 2007 Posts: 21624
Posted: Thu May 04, 2023 1:22 am Post subject:
The preferred way to manage firewall rules is to let the iptables init.d service load them. You only need a custom script if you have special rules that cannot be saved verbatim.
According to /etc/local.d/README:
Code:
    If a file in this directory is executable and it has a .start extension,
    it will be run when the local service is started. If a file is
    executable and it has a .stop extension, it will be run when the local
    service is stopped.
    All files are processed in lexical order.
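The two README rules (executable bit plus a .start or .stop suffix) are easy to get half right, as the next post shows, and a silently skipped firewall script means the gateway comes back from a power failure with no rules loaded. The following is an added shell example, not from this thread or from OpenRC, that audits a local.d-style directory against exactly those two rules. The directory and its three files are constructed for the demonstration; the "local" service name and the lexical-order behaviour are taken from the README text quoted above.

```shell
#!/bin/sh
# Added example, not from the thread or from OpenRC: audit a local.d-style
# directory against the two rules quoted from /etc/local.d/README (executable
# bit plus a .start or .stop suffix) and report what the local service would run.

# Usage: local_d_verdict <path>
# Prints one of: start, stop, ignored-name, not-executable
local_d_verdict() {
    v_file=$1
    case "$v_file" in
        *.start) v_kind=start ;;
        *.stop)  v_kind=stop ;;
        *)       echo ignored-name; return 0 ;;
    esac
    if [ -x "$v_file" ]; then
        echo "$v_kind"
    else
        echo not-executable
    fi
}

# Usage: audit_local_d <dir>
# Prints "<verdict> <filename>" for every regular file, in the same lexical
# order the local service processes them.
audit_local_d() {
    for a_file in "$1"/*; do
        [ -f "$a_file" ] || continue
        printf '%s %s\n' "$(local_d_verdict "$a_file")" "${a_file##*/}"
    done
}

# Usage: count_runnable <dir>   -> number of files that would run at "local" start
count_runnable() {
    audit_local_d "$1" | grep -c '^start ' || true
}

# Constructed demo directory reproducing the three cases that matter here:
#   firewall        executable, but no .start suffix  -> silently ignored
#   firewall.start  executable with the suffix        -> runs at "local" start
#   backup.start    right name, but not executable    -> ignored
DEMO_DIR=$(mktemp -d)
for name in firewall firewall.start backup.start; do
    printf '#!/bin/sh\n# placeholder body; a real script would load rules here\n' \
        > "$DEMO_DIR/$name"
done
chmod +x "$DEMO_DIR/firewall" "$DEMO_DIR/firewall.start"

audit_local_d "$DEMO_DIR"
```

Run against the real /etc/local.d, any line reporting ignored-name or not-executable is a script that will never run, which is the failure described in the next post. It is also a useful check after a migration like this one, since a script copied from an old rc.local layout usually arrives with neither the suffix nor the mode bit.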
Moriah Advocate
Joined: 27 Mar 2004 Posts: 2365 Location: Kentucky
Posted: Thu May 04, 2023 1:49 am Post subject:
Yes, I read that...
*BUT*... I forgot to name my file with a .start extension. OOPS!
Now it works.
Thanks!