sleepingsun Guru
Joined: 03 May 2006 Posts: 414 Location: Bosnia
Posted: Wed Nov 14, 2018 3:38 pm Post subject: IPtables [NEED HELP]
After I upgraded the kernel to 4.14.78-gentoo:
Code:
/etc/init.d/iptables restart
 * Loading iptables state and starting firewall ...
iptables-restore v1.6.1: iptables-restore: unable to initialize table 'security'
Error occurred at line: 2
Try `iptables-restore -h' or 'iptables-restore --help' for more informati [ !! ]
 * ERROR: iptables failed to start
How do I fix this, please? I recompiled the kernel a few times. Please help.
[Moderator edit: changed [quote] tags to [code] tags to preserve output layout. -Hu]
_________________
Gentoo is Rocks
bunder Bodhisattva
Joined: 10 Apr 2004 Posts: 5923
Posted: Wed Nov 14, 2018 6:39 pm
Can we see iptables -L or iptables-save?
edit: I'm a doofus, we need the rules it's trying to load.
_________________
Neddyseagoon wrote: The problem with leaving is that you can only do it once and it reduces your influence.
banned from #gentoo since sept 2017
sleepingsun Guru
Joined: 03 May 2006 Posts: 414 Location: Bosnia
Posted: Wed Nov 14, 2018 7:50 pm
Code:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

iptables-save
Code:
# Generated by iptables-save v1.6.1 on Wed Nov 14 20:50:18 2018
*raw
:PREROUTING ACCEPT [4411:604302]
:OUTPUT ACCEPT [5244:816375]
COMMIT
# Completed on Wed Nov 14 20:50:18 2018
# Generated by iptables-save v1.6.1 on Wed Nov 14 20:50:18 2018
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Wed Nov 14 20:50:18 2018
# Generated by iptables-save v1.6.1 on Wed Nov 14 20:50:18 2018
*mangle
:PREROUTING ACCEPT [4412:604342]
:INPUT ACCEPT [3920:432182]
:FORWARD ACCEPT [460:170116]
:OUTPUT ACCEPT [5254:817655]
:POSTROUTING ACCEPT [5789:997545]
COMMIT
# Completed on Wed Nov 14 20:50:18 2018
# Generated by iptables-save v1.6.1 on Wed Nov 14 20:50:18 2018
*filter
:INPUT ACCEPT [3920:432182]
:FORWARD ACCEPT [460:170116]
:OUTPUT ACCEPT [5254:817655]
COMMIT
# Completed on Wed Nov 14 20:50:18 2018
I can't find IP_NF_SECURITY in the kernel; maybe that is the problem starting iptables.
_________________
Gentoo is Rocks
Hu Moderator
Joined: 06 Mar 2007 Posts: 16462
Posted: Thu Nov 15, 2018 1:36 am
sleepingsun wrote:
    I can't find IP_NF_SECURITY in the kernel; maybe that is the problem starting iptables.

net/ipv4/netfilter/Kconfig:
    config IP_NF_SECURITY
        tristate "Security table"
        depends on SECURITY
        depends on NETFILTER_ADVANCED
        help

You may have disabled one of the supporting symbols, which would cause IP_NF_SECURITY to be hidden. Before enabling it, check whether you actually use the security table. I think you could get this error if your saved rules mention the table, even if no records are added to it.
sleepingsun Guru
Joined: 03 May 2006 Posts: 414 Location: Bosnia
Posted: Thu Nov 15, 2018 6:16 am
I just use iptables for DHCP and NAT, and when I go to
/usr/src/linux/
make menuconfig
where do I go to enable this config IP_NF_SECURITY? I spent the whole night trying to enable this, and nothing.
_________________
Gentoo is Rocks
Hu Moderator
Joined: 06 Mar 2007 Posts: 16462
Posted: Fri Nov 16, 2018 2:49 am
Please post your saved iptables rules. I suspect the proper fix is to edit the saved rules to remove unnecessary use of the security table. Showing your rules would let me confirm that.
sleepingsun Guru
Joined: 03 May 2006 Posts: 414 Location: Bosnia
Posted: Fri Nov 16, 2018 3:27 pm
I just went back to the old kernel 4.14.65 and everything works fine ... I use iptables for NAT and DHCP to get IP addresses and internet on the second network too, and that security table needs to be there ... I'll just take this weekend to look at the kernel config in this compile; maybe I missed something on the new one, but I think something changed in this new one ... and will see what I missed.
_________________
Gentoo is Rocks
papas Tux's lil' helper
Joined: 01 Dec 2014 Posts: 131 Location: Athens
Posted: Fri Nov 16, 2018 9:53 pm
Hello, I think it is under:
Code:
Networking support > Networking options > Network packet filtering framework (Netfilter) > IP: Netfilter Configuration
and check the
Hu Moderator
Joined: 06 Mar 2007 Posts: 16462
Posted: Fri Nov 16, 2018 11:04 pm
Most users do not need the security table. As I said above, please post the failed rules, so that we can determine whether you should change the rules or should enable support for the security table. If you need the table, then you can use menuconfig's search to take you to it and, if it is not accessible due to missing prerequisites, you can use search to jump to those first. I listed the prerequisites in my response before the prior one.
sleepingsun Guru
Joined: 03 May 2006 Posts: 414 Location: Bosnia
Posted: Mon Nov 19, 2018 12:30 pm
Quote:
# Generated by iptables-save v1.6.1 on Sat Apr 28 22:00:52 2018
*security
:INPUT ACCEPT [160646828:267341418532]
:FORWARD ACCEPT [3199701:2756087041]
:OUTPUT ACCEPT [116721305:40964574731]
COMMIT
# Completed on Sat Apr 28 22:00:52 2018
# Generated by iptables-save v1.6.1 on Sat Apr 28 22:00:52 2018
*raw
:PREROUTING ACCEPT [163847171:270097599957]
:OUTPUT ACCEPT [116721305:40964574731]
COMMIT
# Completed on Sat Apr 28 22:00:52 2018
# Generated by iptables-save v1.6.1 on Sat Apr 28 22:00:52 2018
*nat
:PREROUTING ACCEPT [118076:9106948]
:INPUT ACCEPT [104851:7092064]
:OUTPUT ACCEPT [214340:21496204]
:POSTROUTING ACCEPT [62314:4730178]
[164625:18690190] -A POSTROUTING -o enp4s0 -j MASQUERADE
COMMIT
# Completed on Sat Apr 28 22:00:52 2018
# Generated by iptables-save v1.6.1 on Sat Apr 28 22:00:52 2018
*mangle
:PREROUTING ACCEPT [163847198:270097636577]
:INPUT ACCEPT [160647112:267341501069]
:FORWARD ACCEPT [3199784:2756091349]
:OUTPUT ACCEPT [116721317:40964575307]
:POSTROUTING ACCEPT [119926266:43721607744]
COMMIT
# Completed on Sat Apr 28 22:00:52 2018
# Generated by iptables-save v1.6.1 on Sat Apr 28 22:00:52 2018
*filter
:INPUT ACCEPT [18185070:26905987968]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [116717060:40964081983]
[51833634:71612582975] -A INPUT -i enp4s0 -j LOG --log-prefix "BANDWIDTH_IN:" --log-level 7
[961163:221692607] -A INPUT -i lo -j ACCEPT
[107848341:195506793329] -A INPUT -i enp5s4 -j ACCEPT
[201370:27449065] -A INPUT -i enp4s0 -p tcp -m tcp --dport 22 -j ACCEPT
[4472:382561] -A INPUT -i enp4s0 -p tcp -m tcp --dport 80 -j ACCEPT
[0:0] -A INPUT -i enp4s0 -p tcp -m tcp --dport 8880 -j ACCEPT
[0:0] -A INPUT -i enp4s0 -p udp -m udp --dport 51764 -j ACCEPT
[1252:608295] -A INPUT -i enp4s0 -p tcp -m tcp --dport 134:145 -j ACCEPT
[2662:481521] -A INPUT -i enp4s0 -p udp -m udp --dport 134:145 -j ACCEPT
[199:11807] -A INPUT -i enp4s0 -p tcp -m tcp --dport 10000 -j ACCEPT
[1:441] -A INPUT -i enp4s0 -p udp -m udp --dport 10000 -j ACCEPT
[1833:139308] -A INPUT -i enp4s0 -p udp -m udp --dport 123 -j ACCEPT
[0:0] -A INPUT -i enp4s0 -p tcp -m tcp --dport 123 -j ACCEPT
[0:0] -A INPUT -i enp4s0 -p udp -m udp --dport 9909:9912 -j ACCEPT
[0:0] -A INPUT -i enp4s0 -p tcp -m tcp --dport 9909:9912 -j ACCEPT
[0:0] -A INPUT -i enp4s0 -p tcp -m tcp --dport 318:321 -j ACCEPT
[0:0] -A INPUT -i enp4s0 -p udp -m udp --dport 318:321 -j ACCEPT
[0:0] -A INPUT -i enp4s0 -p udp -m udp --dport 13:38 -j ACCEPT
[407:19229] -A INPUT -i enp4s0 -p tcp -m tcp --dport 13:38 -j ACCEPT
[0:0] -A INPUT -s 127.0.0.1/32 -p udp -m udp --dport 161 -j ACCEPT
[0:0] -A INPUT -s 192.168.1.5/32 -p udp -m udp --dport 161 -j ACCEPT
[115811:51125483] -A INPUT -i enp4s0 -p udp -m udp --dport 49160:51780 -j ACCEPT
[32827470:44594991248] -A INPUT -i enp4s0 -p tcp -m tcp --dport 49160:51780 -j ACCEPT
[0:0] -A INPUT -i enp4s0 -p tcp -m tcp --dport 2710 -j ACCEPT
[0:0] -A INPUT -i enp4s0 -p udp -m udp --dport 2710 -j ACCEPT
[86869:9814020] -A INPUT -i enp4s0 -p udp -m udp --dport 6881:6889 -j ACCEPT
[0:0] -A INPUT -i enp4s0 -p tcp -m tcp --dport 6881:6889 -j ACCEPT
[87:3592] -A INPUT -i enp4s0 -p tcp -m tcp --dport 8080 -j ACCEPT
[1:230] -A INPUT -i enp4s0 -p udp -m udp --dport 8080 -j ACCEPT
[0:0] -A INPUT -i enp4s0 -p udp -m udp --dport 8880 -j ACCEPT
[0:0] -A INPUT -i enp4s0 -p tcp -m tcp --dport 1723 -j ACCEPT
[0:0] -A INPUT -i enp4s0 -p udp -m udp --dport 1723 -j ACCEPT
[0:0] -A INPUT -i enp4s0 -p tcp -m tcp --dport 1450 -j ACCEPT
[0:0] -A INPUT -i enp4s0 -p udp -m udp --dport 1450 -j ACCEPT
[405873:21522290] -A INPUT -i enp4s0 -p tcp -m tcp --dport 445 -j ACCEPT
[0:0] -A INPUT ! -i enp5s4 -p udp -m udp --dport 53 -j REJECT --reject-with icmp-port-unreachable
[104:35258] -A INPUT ! -i enp5s4 -p udp -m udp --dport 67 -j REJECT --reject-with icmp-port-unreachable
[13:4763] -A INPUT ! -i enp5s4 -p udp -m udp --dport 0:1023 -j DROP
[140:5896] -A INPUT ! -i enp5s4 -p tcp -m tcp --dport 0:1023 -j DROP
[1344821:88545958] -A FORWARD -o enp4s0 -j LOG --log-prefix "BANDWIDTH_OUT:" --log-level 7
[1852630:2665985346] -A FORWARD -i enp4s0 -j LOG --log-prefix "BANDWIDTH_IN:" --log-level 7
[83:4308] -A FORWARD -d 192.168.0.0/16 -i enp5s4 -j DROP
[1344738:88541650] -A FORWARD -s 192.168.0.0/16 -i enp5s4 -j ACCEPT
[1852630:2665985346] -A FORWARD -d 192.168.0.0/16 -i enp4s0 -j ACCEPT
[37027709:9557982079] -A OUTPUT -o enp4s0 -j LOG --log-prefix "BANDWIDTH_OUT:" --log-level 7
COMMIT
# Completed on Sat Apr 28 22:00:53 2018
_________________
Gentoo is Rocks
Hu Moderator
Joined: 06 Mar 2007 Posts: 16462
Posted: Tue Nov 20, 2018 3:03 am
As I suspected, you are not using the security table. It has no rules, and its counters are unlikely to be useful. You should edit the iptables-save output to remove the security table. Delete lines 2-6, inclusive, then the resulting file should be usable without a kernel configuration change.
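The edit described above, as an added example that is not from the thread: a small Python script that locates the `*security` ... `COMMIT` block in iptables-save output, confirms it holds only chain policies and no rules, and removes it (the `# Generated` / `# Completed` comments around it are left alone, which is exactly "delete lines 2-6" on the posted dump). The sample dump is constructed and abridged from the one posted above; the function and variable names are the example's own.

```python
import re

# Rule lines look like "[pkts:bytes] -A CHAIN ..." (or "-A CHAIN ..." without -c);
# chain policy lines start with ':' and are not rules.
RULE_RE = re.compile(r"^(\[\d+:\d+\]\s*)?-[AI]\s")

def tables(dump: str) -> list[str]:
    """Names of the tables a dump declares, in order (the '*name' headers)."""
    return [ln[1:].strip() for ln in dump.splitlines() if ln.startswith("*")]

def table_span(lines: list[str], table: str):
    """Zero-based (start, end) of '*table' and its closing 'COMMIT'; None if absent."""
    start = None
    for i, ln in enumerate(lines):
        if start is None and ln.strip() == f"*{table}":
            start = i
        elif start is not None and ln.strip() == "COMMIT":
            return start, i
    if start is not None:
        raise ValueError(f"*{table} has no COMMIT; dump is truncated")
    return None

def strip_unused_table(dump: str, table: str = "security") -> str:
    """Return the dump without '*table'; refuse if that table carries rules."""
    lines = dump.splitlines()
    span = table_span(lines, table)
    if span is None:
        return dump  # nothing to remove
    start, end = span
    rules = [ln for ln in lines[start + 1:end] if RULE_RE.match(ln)]
    if rules:
        raise ValueError(f"*{table} holds {len(rules)} rule(s); edit by hand")
    # The '# Generated' / '# Completed' comments around the block are harmless
    # and stay; on the posted dump this is the same as deleting lines 2-6.
    return "\n".join(lines[:start] + lines[end + 1:]) + "\n"

# Constructed sample, abridged from the dump posted in this thread.
SAMPLE = """# Generated by iptables-save v1.6.1 on Sat Apr 28 22:00:52 2018
*security
:INPUT ACCEPT [10:100]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [5:50]
COMMIT
# Completed on Sat Apr 28 22:00:52 2018
*nat
:POSTROUTING ACCEPT [0:0]
[164625:18690190] -A POSTROUTING -o enp4s0 -j MASQUERADE
COMMIT
"""
```

Feed the result to `iptables-restore -c` on the old kernel first to confirm it still loads before relying on it after the upgrade.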