Gentoo Forums
iptables at square zero [fixed thanks]
Forum: Networking & Security
jesnow (Guru; Joined: 26 Apr 2006; Posts: 581)
Posted: Sun May 28, 2017 12:56 am    Post subject: iptables at square zero [fixed thanks]

After the demise of denyhosts, and having run an unprotected system for three years without knowing it, I'm trying to set up iptables so I can use fail2ban. I did
Code:

/etc/init.d/iptables save
iptables           | * /etc/init.d/iptables uses runscript, please convert to openrc-run.
iptables           | * Saving iptables state ...                                                 [ ok ]
Merckx linux # /etc/init.d/iptables start
iptables           | * /etc/init.d/iptables uses runscript, please convert to openrc-run.
iptables           | * WARNING: iptables has already been started
Merckx linux #


But I'm still stuck at square zero:
Code:

Merckx jesnow # iptables -F
iptables v1.4.21: can't initialize iptables table `filter': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.


I have the stuff compiled in the kernel, and I rebooted, this was long ago:
Code:

Merckx linux # grep NETFILTER .config
CONFIG_NETFILTER=y
# CONFIG_NETFILTER_DEBUG is not set
CONFIG_NETFILTER_ADVANCED=y
# CONFIG_NETFILTER_INGRESS is not set
# CONFIG_NETFILTER_NETLINK_ACCT is not set
# CONFIG_NETFILTER_NETLINK_QUEUE is not set
# CONFIG_NETFILTER_NETLINK_LOG is not set
CONFIG_NETFILTER_XTABLES=y
CONFIG_NETFILTER_XT_MARK=y
# CONFIG_NETFILTER_XT_TARGET_AUDIT is not set
# CONFIG_NETFILTER_XT_TARGET_CLASSIFY is not set
# CONFIG_NETFILTER_XT_TARGET_HMARK is not set
# CONFIG_NETFILTER_XT_TARGET_IDLETIMER is not set
# CONFIG_NETFILTER_XT_TARGET_LOG is not set
# CONFIG_NETFILTER_XT_TARGET_MARK is not set
# CONFIG_NETFILTER_XT_TARGET_NFLOG is not set
# CONFIG_NETFILTER_XT_TARGET_NFQUEUE is not set
# CONFIG_NETFILTER_XT_TARGET_RATEEST is not set
# CONFIG_NETFILTER_XT_TARGET_TEE is not set
# CONFIG_NETFILTER_XT_TARGET_TCPMSS is not set
# CONFIG_NETFILTER_XT_MATCH_ADDRTYPE is not set
# CONFIG_NETFILTER_XT_MATCH_BPF is not set
# CONFIG_NETFILTER_XT_MATCH_CGROUP is not set
# CONFIG_NETFILTER_XT_MATCH_COMMENT is not set
# CONFIG_NETFILTER_XT_MATCH_CPU is not set
# CONFIG_NETFILTER_XT_MATCH_DCCP is not set
# CONFIG_NETFILTER_XT_MATCH_DEVGROUP is not set
# CONFIG_NETFILTER_XT_MATCH_DSCP is not set
# CONFIG_NETFILTER_XT_MATCH_ECN is not set
# CONFIG_NETFILTER_XT_MATCH_ESP is not set
# CONFIG_NETFILTER_XT_MATCH_HASHLIMIT is not set
# CONFIG_NETFILTER_XT_MATCH_HL is not set
# CONFIG_NETFILTER_XT_MATCH_IPCOMP is not set
# CONFIG_NETFILTER_XT_MATCH_IPRANGE is not set
# CONFIG_NETFILTER_XT_MATCH_L2TP is not set
# CONFIG_NETFILTER_XT_MATCH_LENGTH is not set
# CONFIG_NETFILTER_XT_MATCH_LIMIT is not set
# CONFIG_NETFILTER_XT_MATCH_MAC is not set
# CONFIG_NETFILTER_XT_MATCH_MARK is not set
# CONFIG_NETFILTER_XT_MATCH_MULTIPORT is not set
# CONFIG_NETFILTER_XT_MATCH_NFACCT is not set
# CONFIG_NETFILTER_XT_MATCH_OWNER is not set
# CONFIG_NETFILTER_XT_MATCH_POLICY is not set
# CONFIG_NETFILTER_XT_MATCH_PKTTYPE is not set
# CONFIG_NETFILTER_XT_MATCH_QUOTA is not set
# CONFIG_NETFILTER_XT_MATCH_RATEEST is not set
# CONFIG_NETFILTER_XT_MATCH_REALM is not set
# CONFIG_NETFILTER_XT_MATCH_RECENT is not set
# CONFIG_NETFILTER_XT_MATCH_SCTP is not set
# CONFIG_NETFILTER_XT_MATCH_SOCKET is not set
# CONFIG_NETFILTER_XT_MATCH_STATISTIC is not set
# CONFIG_NETFILTER_XT_MATCH_STRING is not set
# CONFIG_NETFILTER_XT_MATCH_TCPMSS is not set
# CONFIG_NETFILTER_XT_MATCH_TIME is not set
# CONFIG_NETFILTER_XT_MATCH_U32 is not set
Merckx linux #


I probably don't need any of the advanced stuff. The guides I've read don't seem to allow for this problem to ever occur or how to troubleshoot it.

Any help gratefully accepted.

Jon


Last edited by jesnow on Wed May 31, 2017 12:19 am; edited 1 time in total

charles17 (Advocate; Joined: 02 Mar 2008; Posts: 2583)
Posted: Sun May 28, 2017 6:23 am    Post subject: Re: iptables at square zero

jesnow wrote:
But I'm still stuck at square zero:
Code:

Merckx jesnow # iptables -F
iptables v1.4.21: can't initialize iptables table `filter': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.


I have the stuff compiled in the kernel, and I rebooted, this was long ago:

Compare with https://wiki.gentoo.org/wiki/Iptables#Client and check /var/lib/ip{,6}tables/rules-save.

szatox (Veteran; Joined: 27 Aug 2013; Posts: 1717)
Posted: Sun May 28, 2017 12:21 pm

It seems you _don't_ have your iptables modules compiled in. And if they are modules, they are not loaded.
Try this:
Code:
zgrep _NF_ /proc/config.gz
I suppose you will get a long list of "# XXX is not set"

jesnow (Guru; Joined: 26 Apr 2006; Posts: 581)
Posted: Mon May 29, 2017 4:33 pm

szatox wrote:
It seems you _don't_ have your iptables modules compiled in. And if they are modules, they are not loaded.
Try this:
Code:
zgrep _NF_ /proc/config.gz
I suppose you will get a long list of "# XXX is not set"


Code:

Merckx linux # zgrep _NF_ /proc/config.gz
# CONFIG_NF_CONNTRACK is not set
CONFIG_NF_LOG_COMMON=y
# CONFIG_NF_TABLES is not set
# CONFIG_NF_DEFRAG_IPV4 is not set
# CONFIG_NF_DUP_IPV4 is not set
# CONFIG_NF_LOG_ARP is not set
CONFIG_NF_LOG_IPV4=y
CONFIG_NF_REJECT_IPV4=y
CONFIG_IP_NF_IPTABLES=y
# CONFIG_IP_NF_MATCH_AH is not set
# CONFIG_IP_NF_MATCH_ECN is not set
# CONFIG_IP_NF_MATCH_TTL is not set
# CONFIG_IP_NF_FILTER is not set
# CONFIG_IP_NF_MANGLE is not set
# CONFIG_IP_NF_RAW is not set
# CONFIG_IP_NF_ARPTABLES is not set
# CONFIG_NF_DEFRAG_IPV6 is not set
# CONFIG_NF_DUP_IPV6 is not set
# CONFIG_NF_REJECT_IPV6 is not set
# CONFIG_NF_LOG_IPV6 is not set
# CONFIG_IP6_NF_IPTABLES is not set
Merckx linux #


Which ones did I miss? Do I need all of them? This was not clear in any documentation I could find.

charles17 (Advocate; Joined: 02 Mar 2008; Posts: 2583)
Posted: Mon May 29, 2017 5:15 pm

jesnow wrote:
Which ones did I miss? Do I need all of them? This was not clear in any documentation I could find.
You should need only those checkmarked in the wiki article mentioned before.

szatox (Veteran; Joined: 27 Aug 2013; Posts: 1717)
Posted: Mon May 29, 2017 7:00 pm

I never really bothered checking the actual mapping of variables to pieces of code, but this one looks like a reason for the failure you reported in your previous post.
Code:
# CONFIG_IP_NF_FILTER is not set

Code:
can't initialize iptables table `filter'

Rebuild the kernel using the menuconfig option, and walk through the networking-related stuff again. You will find a bunch of options for iptables hidden 4 or 5 levels down the tree.

jesnow (Guru; Joined: 26 Apr 2006; Posts: 581)
Posted: Mon May 29, 2017 11:09 pm

Thank you!

In fact it's often difficult with kernel parameters to match the instructions with the actual parameters, especially when you're not familiar with that part of the kernel name space. The order and descriptions of the parameters in menuconfig change fairly often, and that's confusing. A straight-up list of "these are the minimum kernel flags that must be set for the following use cases:" followed by the actual kernel flags would be extremely useful. Then a check such as you described with zgrep would be a lot easier to interpret.

Cheers,

Jon.

charles17 (Advocate; Joined: 02 Mar 2008; Posts: 2583)
Posted: Tue May 30, 2017 5:41 am

jesnow wrote:
A straight up list of "these are the minimum kernel flags that must be set for the following use cases:" followed by the actual kernel flags would be extremely useful.

Feel free to add it to the wiki article.

NeddySeagoon (Administrator; Joined: 05 Jul 2003; Posts: 42596; Location: 56N 3W)
Posted: Tue May 30, 2017 8:03 am

jesnow,

You can search the hidden CONFIG_ symbols in menuconfig if you show them first. Press z, that's a toggle.
Now, / to search will search in hidden symbols too.
When you find one you need, go to it and read the help. In particular, the "Depends on:".
The "Depends on:" must evaluate to true to enable the symbol you want to be visible.
Here's a trivial example, after pressing z, in
menuconfig General setup:

  │ │    < > Kernel .config support                                          │ │ 
  │ │    - -   Enable access to .config through /proc/config.gz              │ │ 

The - - symbol means forced off. It would be hidden but for the z mode.

The help says
Code:
  ┌───────────── Enable access to .config through /proc/config.gz ─────────────┐
  │ CONFIG_IKCONFIG_PROC:                                                      │ 
  │                                                                            │ 
  │ This option enables access to the kernel configuration file                │ 
  │ through /proc/config.gz.                                                   │ 
  │                                                                            │ 
  │ Symbol: IKCONFIG_PROC [=n]                                                 │ 
  │ Type  : boolean                                                            │ 
  │ Prompt: Enable access to .config through /proc/config.gz                   │ 
  │   Location:                                                                │ 
  │     -> General setup                                                       │ 
  │       -> Kernel .config support (IKCONFIG [=n])                            │ 
  │   Defined at init/Kconfig:802                                              │ 
  │   Depends on: IKCONFIG [=n] && PROC_FS [=y] 

IKCONFIG [=n] must be on to make Depends on true.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.

jesnow (Guru; Joined: 26 Apr 2006; Posts: 581)
Posted: Tue May 30, 2017 11:35 pm

Many thanks!

iptables did indeed function correctly once I turned on the CONFIG_IP_NF_FILTER.

Thanks for the advanced menuconfig -- I had just been using grep and vi, exactly because I couldn't figure this out.

Jon.
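The check this thread converges on, written out as an added example (not a Gentoo, iptables or fail2ban tool): it reads a plain .config or the running kernel's /proc/config.gz and reports every required symbol that is neither built in (=y) nor a module (=m), so the "Table does not exist" error is caught before iptables is even started. The required-symbol list is an assumption built from the thread (IP_NF_FILTER and the symbols it depends on, plus the multiport match that fail2ban's default iptables-multiport action uses); both sample configs are constructed.

```shell
#!/bin/sh
# Added example, not part of the thread or of any Gentoo tool.
# REQUIRED is an assumption: IP_NF_FILTER (the fix in this thread) depends on
# IP_NF_IPTABLES -> NETFILTER_XTABLES -> NETFILTER; XT_MATCH_MULTIPORT is
# listed because fail2ban's default iptables-multiport action uses -m multiport.
REQUIRED="CONFIG_NETFILTER CONFIG_NETFILTER_XTABLES CONFIG_IP_NF_IPTABLES \
CONFIG_IP_NF_FILTER CONFIG_NETFILTER_XT_MATCH_MULTIPORT"

# Read a plain .config, or the gzipped /proc/config.gz of the running kernel.
read_config() {
    case "$1" in
        *.gz) zcat "$1" ;;
        *)    cat "$1" ;;
    esac
}

# check_config FILE: print each required symbol that is not =y or =m.
# Returns 0 when everything is present, 1 when something is missing.
check_config() {
    cfg=$(read_config "$1") || return 2
    missing=0
    for sym in $REQUIRED; do
        # Anchor both ends so CONFIG_NETFILTER does not match CONFIG_NETFILTER_XTABLES.
        if ! printf '%s\n' "$cfg" | grep -qE "^${sym}=[ym]$"; then
            echo "missing: $sym"
            missing=1
        fi
    done
    return $missing
}

# Constructed sample mirroring the zgrep output in this thread (not a real
# config file): the filter table and the multiport match are both off.
BROKEN=$(mktemp)
cat > "$BROKEN" <<'EOF'
CONFIG_NETFILTER=y
CONFIG_NETFILTER_XTABLES=y
CONFIG_IP_NF_IPTABLES=y
# CONFIG_IP_NF_FILTER is not set
# CONFIG_NETFILTER_XT_MATCH_MULTIPORT is not set
EOF

# Constructed sample after switching the unset symbols on in menuconfig.
FIXED=$(mktemp)
sed 's/^# \(CONFIG_[A-Z0-9_]*\) is not set$/\1=y/' "$BROKEN" > "$FIXED"
trap 'rm -f "$BROKEN" "$FIXED"' EXIT

# On a live box run: check_config /proc/config.gz
check_config "$BROKEN" || echo "enable these in menuconfig, rebuild, reboot"
```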