Gentoo Forums
IPtables [NEED HELP]
Author Message
sleepingsun
Guru
Joined: 03 May 2006
Posts: 370
Location: Bosnia
PostPosted: Wed Nov 14, 2018 3:38 pm    Post subject: IPtables [NEED HELP]

After I upgraded to kernel 4.14.78-gentoo:

Code:
 /etc/init.d/iptables restart
 * Loading iptables state and starting firewall ...
iptables-restore v1.6.1: iptables-restore: unable to initialize table 'security'

Error occurred at line: 2
Try `iptables-restore -h' or 'iptables-restore --help' for more informati [ !! ]
 * ERROR: iptables failed to start


How do I fix this, please? I have recompiled the kernel a few times. Please help.

[Moderator edit: changed [quote] tags to [code] tags to preserve output layout. -Hu]
_________________
Gentoo is Rocks
bunder
Bodhisattva
Joined: 10 Apr 2004
Posts: 5741
PostPosted: Wed Nov 14, 2018 6:39 pm

Can we see iptables -L or iptables-save?

edit: I'm a doofus, we need the rules it's trying to load.
_________________
overlay | patches
Neddyseagoon wrote:
The problem with leaving is that you can only do it once and it reduces your influence.
sleepingsun
Guru
Joined: 03 May 2006
Posts: 370
Location: Bosnia
PostPosted: Wed Nov 14, 2018 7:50 pm

iptables -L
Code:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination


iptables-save
Code:
# Generated by iptables-save v1.6.1 on Wed Nov 14 20:50:18 2018
*raw
:PREROUTING ACCEPT [4411:604302]
:OUTPUT ACCEPT [5244:816375]
COMMIT
# Completed on Wed Nov 14 20:50:18 2018
# Generated by iptables-save v1.6.1 on Wed Nov 14 20:50:18 2018
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Wed Nov 14 20:50:18 2018
# Generated by iptables-save v1.6.1 on Wed Nov 14 20:50:18 2018
*mangle
:PREROUTING ACCEPT [4412:604342]
:INPUT ACCEPT [3920:432182]
:FORWARD ACCEPT [460:170116]
:OUTPUT ACCEPT [5254:817655]
:POSTROUTING ACCEPT [5789:997545]
COMMIT
# Completed on Wed Nov 14 20:50:18 2018
# Generated by iptables-save v1.6.1 on Wed Nov 14 20:50:18 2018
*filter
:INPUT ACCEPT [3920:432182]
:FORWARD ACCEPT [460:170116]
:OUTPUT ACCEPT [5254:817655]
COMMIT
# Completed on Wed Nov 14 20:50:18 2018


I can't find IP_NF_SECURITY in the kernel; maybe that's the problem with starting iptables.
Hu
Moderator
Joined: 06 Mar 2007
Posts: 13021
PostPosted: Thu Nov 15, 2018 1:36 am

sleepingsun wrote:
i cant find this in kernel IP_NF_SECURITY maybe its problem to start iptables
net/ipv4/netfilter/Kconfig:
config IP_NF_SECURITY
    tristate "Security table"
    depends on SECURITY
    depends on NETFILTER_ADVANCED
    help
You may have disabled one of the supporting symbols, which would cause IP_NF_SECURITY to be hidden. Before enabling it, check whether you actually use the security table. I think you could get this error if your saved rules mention the table, even if no records are added to it.
sleepingsun
Guru
Joined: 03 May 2006
Posts: 370
Location: Bosnia
PostPosted: Thu Nov 15, 2018 6:16 am

I just use iptables for DHCP and NAT, and when I go to
/usr/src/linux/
make menuconfig

where do I go to enable IP_NF_SECURITY? I spent the whole night trying to enable this and nothing.
Hu
Moderator
Joined: 06 Mar 2007
Posts: 13021
PostPosted: Fri Nov 16, 2018 2:49 am

Please post your saved iptables rules. I suspect the proper fix is to edit the saved rules to remove unnecessary use of the security table. Showing your rules would let me confirm that.
sleepingsun
Guru
Joined: 03 May 2006
Posts: 370
Location: Bosnia
PostPosted: Fri Nov 16, 2018 3:27 pm

I just went back to the old kernel 4.14.65 and everything works fine ... I use iptables for NAT and DHCP so the second network gets IP addresses and internet too, and that security table needs to be there ... I'll just take this weekend to look at the kernel config for this build; maybe I missed something in the new one, but I think something changed in this new one ... and will see what I missed.
papas
n00b
Joined: 01 Dec 2014
Posts: 54
Location: Athens
PostPosted: Fri Nov 16, 2018 9:53 pm

Hello, I think it is under:
Code:
Networking support > Networking options > Network packet filtering framework (Netfilter) > IP: Netfilter Configuration

and check the
Code:
<M>   Security table
Hu
Moderator
Joined: 06 Mar 2007
Posts: 13021
PostPosted: Fri Nov 16, 2018 11:04 pm

Most users do not need the security table. As I said above, please post the failed rules, so that we can determine whether you should change the rules or should enable support for the security table. If you need the table, then you can use menuconfig's search to take you to it and, if it is not accessible due to missing prerequisites, you can use search to jump to those first. I listed the prerequisites in my response before the prior one.
sleepingsun
Guru
Joined: 03 May 2006
Posts: 370
Location: Bosnia
PostPosted: Mon Nov 19, 2018 12:30 pm

Code:
# Generated by iptables-save v1.6.1 on Sat Apr 28 22:00:52 2018
*security
:INPUT ACCEPT [160646828:267341418532]
:FORWARD ACCEPT [3199701:2756087041]
:OUTPUT ACCEPT [116721305:40964574731]
COMMIT
# Completed on Sat Apr 28 22:00:52 2018
# Generated by iptables-save v1.6.1 on Sat Apr 28 22:00:52 2018
*raw
:PREROUTING ACCEPT [163847171:270097599957]
:OUTPUT ACCEPT [116721305:40964574731]
COMMIT
# Completed on Sat Apr 28 22:00:52 2018
# Generated by iptables-save v1.6.1 on Sat Apr 28 22:00:52 2018
*nat
:PREROUTING ACCEPT [118076:9106948]
:INPUT ACCEPT [104851:7092064]
:OUTPUT ACCEPT [214340:21496204]
:POSTROUTING ACCEPT [62314:4730178]
[164625:18690190] -A POSTROUTING -o enp4s0 -j MASQUERADE
COMMIT
# Completed on Sat Apr 28 22:00:52 2018
# Generated by iptables-save v1.6.1 on Sat Apr 28 22:00:52 2018
*mangle
:PREROUTING ACCEPT [163847198:270097636577]
:INPUT ACCEPT [160647112:267341501069]
:FORWARD ACCEPT [3199784:2756091349]
:OUTPUT ACCEPT [116721317:40964575307]
:POSTROUTING ACCEPT [119926266:43721607744]
COMMIT
# Completed on Sat Apr 28 22:00:52 2018
# Generated by iptables-save v1.6.1 on Sat Apr 28 22:00:52 2018
*filter
:INPUT ACCEPT [18185070:26905987968]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [116717060:40964081983]
[51833634:71612582975] -A INPUT -i enp4s0 -j LOG --log-prefix "BANDWIDTH_IN:" --log-level 7
[961163:221692607] -A INPUT -i lo -j ACCEPT
[107848341:195506793329] -A INPUT -i enp5s4 -j ACCEPT
[201370:27449065] -A INPUT -i enp4s0 -p tcp -m tcp --dport 22 -j ACCEPT
[4472:382561] -A INPUT -i enp4s0 -p tcp -m tcp --dport 80 -j ACCEPT
[0:0] -A INPUT -i enp4s0 -p tcp -m tcp --dport 8880 -j ACCEPT
[0:0] -A INPUT -i enp4s0 -p udp -m udp --dport 51764 -j ACCEPT
[1252:608295] -A INPUT -i enp4s0 -p tcp -m tcp --dport 134:145 -j ACCEPT
[2662:481521] -A INPUT -i enp4s0 -p udp -m udp --dport 134:145 -j ACCEPT
[199:11807] -A INPUT -i enp4s0 -p tcp -m tcp --dport 10000 -j ACCEPT
[1:441] -A INPUT -i enp4s0 -p udp -m udp --dport 10000 -j ACCEPT
[1833:139308] -A INPUT -i enp4s0 -p udp -m udp --dport 123 -j ACCEPT
[0:0] -A INPUT -i enp4s0 -p tcp -m tcp --dport 123 -j ACCEPT
[0:0] -A INPUT -i enp4s0 -p udp -m udp --dport 9909:9912 -j ACCEPT
[0:0] -A INPUT -i enp4s0 -p tcp -m tcp --dport 9909:9912 -j ACCEPT
[0:0] -A INPUT -i enp4s0 -p tcp -m tcp --dport 318:321 -j ACCEPT
[0:0] -A INPUT -i enp4s0 -p udp -m udp --dport 318:321 -j ACCEPT
[0:0] -A INPUT -i enp4s0 -p udp -m udp --dport 13:38 -j ACCEPT
[407:19229] -A INPUT -i enp4s0 -p tcp -m tcp --dport 13:38 -j ACCEPT
[0:0] -A INPUT -s 127.0.0.1/32 -p udp -m udp --dport 161 -j ACCEPT
[0:0] -A INPUT -s 192.168.1.5/32 -p udp -m udp --dport 161 -j ACCEPT
[115811:51125483] -A INPUT -i enp4s0 -p udp -m udp --dport 49160:51780 -j ACCEPT
[32827470:44594991248] -A INPUT -i enp4s0 -p tcp -m tcp --dport 49160:51780 -j ACCEPT
[0:0] -A INPUT -i enp4s0 -p tcp -m tcp --dport 2710 -j ACCEPT
[0:0] -A INPUT -i enp4s0 -p udp -m udp --dport 2710 -j ACCEPT
[86869:9814020] -A INPUT -i enp4s0 -p udp -m udp --dport 6881:6889 -j ACCEPT
[0:0] -A INPUT -i enp4s0 -p tcp -m tcp --dport 6881:6889 -j ACCEPT
[87:3592] -A INPUT -i enp4s0 -p tcp -m tcp --dport 8080 -j ACCEPT
[1:230] -A INPUT -i enp4s0 -p udp -m udp --dport 8080 -j ACCEPT
[0:0] -A INPUT -i enp4s0 -p udp -m udp --dport 8880 -j ACCEPT
[0:0] -A INPUT -i enp4s0 -p tcp -m tcp --dport 1723 -j ACCEPT
[0:0] -A INPUT -i enp4s0 -p udp -m udp --dport 1723 -j ACCEPT
[0:0] -A INPUT -i enp4s0 -p tcp -m tcp --dport 1450 -j ACCEPT
[0:0] -A INPUT -i enp4s0 -p udp -m udp --dport 1450 -j ACCEPT
[405873:21522290] -A INPUT -i enp4s0 -p tcp -m tcp --dport 445 -j ACCEPT
[0:0] -A INPUT ! -i enp5s4 -p udp -m udp --dport 53 -j REJECT --reject-with icmp-port-unreachable
[104:35258] -A INPUT ! -i enp5s4 -p udp -m udp --dport 67 -j REJECT --reject-with icmp-port-unreachable
[13:4763] -A INPUT ! -i enp5s4 -p udp -m udp --dport 0:1023 -j DROP
[140:5896] -A INPUT ! -i enp5s4 -p tcp -m tcp --dport 0:1023 -j DROP
[1344821:88545958] -A FORWARD -o enp4s0 -j LOG --log-prefix "BANDWIDTH_OUT:" --log-level 7
[1852630:2665985346] -A FORWARD -i enp4s0 -j LOG --log-prefix "BANDWIDTH_IN:" --log-level 7
[83:4308] -A FORWARD -d 192.168.0.0/16 -i enp5s4 -j DROP
[1344738:88541650] -A FORWARD -s 192.168.0.0/16 -i enp5s4 -j ACCEPT
[1852630:2665985346] -A FORWARD -d 192.168.0.0/16 -i enp4s0 -j ACCEPT
[37027709:9557982079] -A OUTPUT -o enp4s0 -j LOG --log-prefix "BANDWIDTH_OUT:" --log-level 7
COMMIT
# Completed on Sat Apr 28 22:00:53 2018

Hu
Moderator
Joined: 06 Mar 2007
Posts: 13021
PostPosted: Tue Nov 20, 2018 3:03 am

As I suspected, you are not using the security table. It has no rules, and its counters are unlikely to be useful. You should edit the iptables-save output to remove the security table. Delete lines 2-6, inclusive, then the resulting file should be usable without a kernel configuration change.
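An added example, written for this thread and not code posted by anyone in it, covering the two things Hu asks the poster to check: whether the Kconfig prerequisites he quoted (SECURITY, NETFILTER_ADVANCED) are actually enabled, and how to drop the empty *security block from the saved rules instead of rebuilding the kernel. Hu's "delete lines 2-6" works for this one file; the awk below removes whichever table you name, including its "# Generated by" and "# Completed on" comment lines, so the result still looks like iptables-save output. Assumptions not taken from the thread: the Gentoo init script restores /var/lib/iptables/rules-save (set by IPTABLES_SAVE in /etc/conf.d/iptables), and POSIX sh, awk and sed are available. The sample dump and .config fragment are constructed for the demo; the dump mirrors the shape of the one posted above with most rules left out.

```shell
#!/bin/sh
# Added example for this thread, not code from any post in it.
# Assumed paths: /var/lib/iptables/rules-save (Gentoo default), /usr/src/linux/.config

# Report CONFIG_SECURITY, CONFIG_NETFILTER_ADVANCED and CONFIG_IP_NF_SECURITY
# from a kernel .config read on stdin, as "y", "m" or "unset". The first two
# are the "depends on" lines that hide "Security table" in menuconfig.
#   zcat /proc/config.gz | kconfig_state      # the running kernel
#   kconfig_state < /usr/src/linux/.config    # the tree being built
kconfig_state() {
    cfg=$(cat)
    for sym in CONFIG_SECURITY CONFIG_NETFILTER_ADVANCED CONFIG_IP_NF_SECURITY; do
        val=$(printf '%s\n' "$cfg" | sed -n "s/^${sym}=//p")
        printf '%s=%s\n' "$sym" "${val:-unset}"
    done
}

# List the tables an iptables-save dump (stdin) will ask the kernel for.
dump_tables() {
    sed -n 's/^\*//p'
}

# Ask the running kernel directly (root). iptables autoloads the table module,
# so this reflects what iptables-restore will get, not just what /proc shows.
kernel_has_table() {
    iptables -t "$1" -L -n >/dev/null 2>&1
}

# Copy an iptables-save dump from stdin to stdout minus one table: its
# "# Generated by" header, the "*<table>" .. "COMMIT" block and the
# "# Completed on" trailer. Every other line is passed through unchanged.
#   strip_table security < /var/lib/iptables/rules-save > rules-save.new
strip_table() {
    awk -v table="$1" '
        /^# Generated by/ { held = $0; next }      # header: wait to see whose table it is
        /^\*/ {
            skipping = (substr($0, 2) == table)
            if (!skipping && held != "") print held
            held = ""
        }
        skipping {
            if ($0 == "COMMIT") { skipping = 0; eat_trailer = 1 }
            next
        }
        eat_trailer && /^# Completed on/ { eat_trailer = 0; next }
        { eat_trailer = 0; print }
        END { if (held != "") print held }
    '
}

# Constructed sample dump: same shape as the thread's, most rules omitted.
SAMPLE=$(cat <<'EOF'
# Generated by iptables-save v1.6.1 on Sat Apr 28 22:00:52 2018
*security
:INPUT ACCEPT [160646828:267341418532]
:FORWARD ACCEPT [3199701:2756087041]
:OUTPUT ACCEPT [116721305:40964574731]
COMMIT
# Completed on Sat Apr 28 22:00:52 2018
# Generated by iptables-save v1.6.1 on Sat Apr 28 22:00:52 2018
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
[164625:18690190] -A POSTROUTING -o enp4s0 -j MASQUERADE
COMMIT
# Completed on Sat Apr 28 22:00:52 2018
# Generated by iptables-save v1.6.1 on Sat Apr 28 22:00:52 2018
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
COMMIT
# Completed on Sat Apr 28 22:00:53 2018
EOF
)

# Constructed .config fragment: prerequisites on, the security table itself off.
CONFIG_SAMPLE='CONFIG_SECURITY=y
CONFIG_SECURITYFS=y
CONFIG_NETFILTER_ADVANCED=y
# CONFIG_IP_NF_SECURITY is not set'

# Run directly: symbol states, tables the sample asks for, then the sample
# without *security.
printf '%s\n' "$CONFIG_SAMPLE" | kconfig_state
printf '%s\n' "$SAMPLE" | dump_tables
printf '%s\n' "$SAMPLE" | strip_table security
```

On the real box, check the edited file with iptables-restore --test rules-save.new before moving it over /var/lib/iptables/rules-save and restarting the service; --test parses and applies the rules without committing them, so a table the kernel lacks still shows up as the same "unable to initialize table" error rather than as a half-applied ruleset. The security table only does anything for SECMARK/CONNSECMARK rules under an LSM, and the dump above has none, so removing the block changes nothing in the packet path; the three ACCEPT chains it declares are the defaults the kernel would create anyway.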