Gentoo Forums
Ip_tables module in 2.6.21 not loading [SOLVED]
Gentoo Forums Forum Index > Networking & Security
ufoq
n00b
Joined: 25 Mar 2004
Posts: 33

Posted: Thu Jul 26, 2007 11:57 am    Post subject: Ip_tables module in 2.6.21 not loading [SOLVED]

Since yesterday I've been trying to get iptables in 2.6.21 to work. I've tried all the options in menuconfig, setting them to compile into the kernel, to build as modules, and mixed.

Now the situation is that when I try to modprobe ip_tables I receive:

FATAL: Error inserting ip_tables (/lib/modules/2.6.21-gentoo-r4/kernel/net/ipv4/netfilter/ip_tables.ko): Invalid module format


Here is my emerge --info :
Code:
Portage 2.1.2.9 (default-linux/x86/2007.0, gcc-4.1.2, glibc-2.5-r4, 2.6.21-gentoo-r4 i686)
=================================================================
System uname: 2.6.21-gentoo-r4 i686 AMD Athlon(tm) XP 2500+
Gentoo Base System release 1.12.9
Timestamp of tree: Thu, 26 Jul 2007 06:20:01 +0000
dev-java/java-config: 1.2.11
dev-lang/python:     2.3.5-r2, 2.4.3-r1
dev-python/pycrypto: 2.0.1-r5
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.61
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r1, 1.10
sys-devel/binutils:  2.17
sys-devel/gcc-config: 1.3.16
sys-devel/libtool:   1.5.23b
virtual/os-headers:  2.6.21
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-march=athlon-xp -O2 -fomit-frame-pointer"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/lib/fax /var/bind /var/spool/fax/etc"
CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/php/apache1-php4/ext-active/ /etc/php/apache1-php5/ext-active/ /etc/php/apache2-php4/ext-active/ /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php4/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php4/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/terminfo"
CXXFLAGS="-march=athlon-xp -O2 -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
FEATURES="distlocks metadata-transfer sandbox sfperms strict"
GENTOO_MIRRORS="ftp://sunsite.informatik.rwth-aachen.de/pub/Linux/gentoo http://linux.rz.ruhr-uni-bochum.de/download/gentoo-mirror/ ftp://linux.rz.ruhr-uni-bochum.de/gentoo-mirror/ http://ftp.uni-erlangen.de/pub/mirrors/gentoo http://gentoo.zie.pg.gda.pl http://gentoo.po.opole.pl ftp://gentoo.po.opole.pl ftp://mirror.icis.pcz.pl/gentoo/"
LINGUAS="pl"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.de.gentoo.org/gentoo-portage"
USE="3dnow acl apache2 avi berkdb bitmap-fonts cli cracklib crypt cups dri dv encode fbcon fortran gd gdbm gpm iconv imap isdnlog libg++ maildir midi mmx mudflap mysql ncurses nls nptl nptlonly openmp pam pcre perl pppd python qt readline reflection samba session spl sse ssl tcpd truetype-fonts type1-fonts unicode userlocales winbind x86 xorg xvid zip zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1 emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" ELIBC="glibc" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="pl" USERLAND="GNU" VIDEO_CARDS="apm ark chips cirrus cyrix dummy fbdev glint i128 i740 i810 imstt mach64 mga neomagic nsc nv r128 radeon rendition s3 s3virge savage siliconmotion sis sisusb tdfx tga trident tseng v4l vesa vga via vmware voodoo"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY


Last edited by ufoq on Fri Jul 27, 2007 9:50 am; edited 1 time in total
Rob1n
l33t
Joined: 29 Nov 2003
Posts: 714
Location: Cambridge, UK

Posted: Thu Jul 26, 2007 12:09 pm

Is there anything printed in dmesg about this? The error messages from modprobe tend to be rather unhelpful.
ufoq
n00b
Joined: 25 Mar 2004
Posts: 33

Posted: Thu Jul 26, 2007 12:34 pm

ip_tables: exports duplicate symbol ipt_do_table (owned by kernel)
Rob1n
l33t
Joined: 29 Nov 2003
Posts: 714
Location: Cambridge, UK

Posted: Thu Jul 26, 2007 12:40 pm

Looks like you have iptables compiled into the kernel already. What does "iptables -L" give you?
ufoq
n00b
Joined: 25 Mar 2004
Posts: 33

Posted: Thu Jul 26, 2007 12:41 pm

Rob1n wrote:
Looks like you have iptables compiled into the kernel already. What does "iptables -L" give you?

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

This is without GShield running.
When it's loaded, I can't, for example, ping my internal network (Operation not permitted)... But I haven't changed anything in the GShield configuration files.
Rob1n
l33t
Joined: 29 Nov 2003
Posts: 714
Location: Cambridge, UK

Posted: Thu Jul 26, 2007 12:49 pm

Yep - it's built into the kernel, so the module must be a leftover from a previous build. It may be worth removing the /lib/modules/2.6.21-gentoo-r4 directory and rerunning "make modules_install" from /usr/src/linux to clear up any other old modules.
ufoq
n00b
Joined: 25 Mar 2004
Posts: 33

Posted: Thu Jul 26, 2007 1:35 pm

Hmm..
GShield causes a kernel panic a couple of seconds after starting...

so I've typed in the standard iptables example from the Gentoo Handbook.
Now iptables -L gives me this:

Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
REJECT udp -- anywhere anywhere udp dpt:bootps reject-with icmp-port-unreachable
REJECT udp -- anywhere anywhere udp dpt:domain reject-with icmp-port-unreachable
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
DROP tcp -- anywhere anywhere tcp dpts:0:1023
DROP udp -- anywhere anywhere udp dpts:0:1023

Chain FORWARD (policy DROP)
target prot opt source destination
/etc/host.conf: line 24: bad command `mdns off'
DROP all -- anywhere 192.168.35.0/24
ACCEPT all -- 192.168.35.0/24 anywhere
ACCEPT all -- anywhere 192.168.35.0/24

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

But NAT doesn't work...
Rob1n
l33t
Joined: 29 Nov 2003
Posts: 714
Location: Cambridge, UK

Posted: Thu Jul 26, 2007 1:38 pm

What's the output of "iptables -t nat -L -n -v"?
ufoq
n00b
Joined: 25 Mar 2004
Posts: 33

Posted: Thu Jul 26, 2007 1:41 pm

Rob1n wrote:
What's the output of "iptables -t nat -L -n -v"?


Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain POSTROUTING (policy ACCEPT 58 packets, 5226 bytes)
pkts bytes target prot opt in out source destination
15 900 MASQUERADE all -- * eth0 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT 73 packets, 6126 bytes)
pkts bytes target prot opt in out source destination
Rob1n
l33t
Joined: 29 Nov 2003
Posts: 714
Location: Cambridge, UK

Posted: Thu Jul 26, 2007 1:43 pm

Well that looks okay, so exactly where is it going wrong? What are you trying to do using NAT that's failing?
ufoq
n00b
Joined: 25 Mar 2004
Posts: 33

Posted: Thu Jul 26, 2007 1:45 pm

Rob1n wrote:
Well that looks okay, so exactly where is it going wrong? What are you trying to do using NAT that's failing?


Just standard internet access, as before upgrading that freaking kernel....

Traceroutes stop on the gateway...

This is my lsmod:

Module Size Used by
ipt_MASQUERADE 2496 1
iptable_nat 6084 1
nf_nat 15020 2 ipt_MASQUERADE,iptable_nat
nf_conntrack_ipv4 13580 2 iptable_nat
nf_conntrack 50776 4 ipt_MASQUERADE,iptable_nat,nf_nat,nf_conntrack_ipv4
nfnetlink 4888 3 nf_nat,nf_conntrack_ipv4,nf_conntrack
snd_seq_oss 28672 0
snd_seq_midi_event 6144 1 snd_seq_oss
snd_seq 45392 4 snd_seq_oss,snd_seq_midi_event
snd_seq_device 6476 2 snd_seq_oss,snd_seq
snd_pcm_oss 38688 0
snd_pcm 69192 1 snd_pcm_oss
snd_timer 18948 2 snd_seq,snd_pcm
snd_page_alloc 7432 1 snd_pcm
snd_mixer_oss 14016 1 snd_pcm_oss
snd 43300 7 snd_seq_oss,snd_seq,snd_seq_device,snd_pcm_oss,snd_pcm,snd_timer,snd_mixer_oss
i2c_nforce2 4672 0
i2c_core 17040 1 i2c_nforce2
Rob1n
l33t
Joined: 29 Nov 2003
Posts: 714
Location: Cambridge, UK

Posted: Thu Jul 26, 2007 1:58 pm

Ah - okay, looks like there's a problem with your forward rules then. What's the output of "iptables -L -n -v"?
ufoq
n00b
Joined: 25 Mar 2004
Posts: 33

Posted: Thu Jul 26, 2007 2:00 pm

Rob1n wrote:
Ah - okay, looks like there's a problem with your forward rules then. What's the output of "iptables -L -n -v"?

Chain INPUT (policy ACCEPT 1007 packets, 75957 bytes)
pkts bytes target prot opt in out source destination
64 5756 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
2041 243K ACCEPT all -- eth1 * 0.0.0.0/0 0.0.0.0/0
27 9112 REJECT udp -- !eth1 * 0.0.0.0/0 0.0.0.0/0 udp dpt:67 reject-with icmp-port-unreachable
0 0 REJECT udp -- !eth1 * 0.0.0.0/0 0.0.0.0/0 udp dpt:53 reject-with icmp-port-unreachable
31 2280 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
9 536 DROP tcp -- !eth1 * 0.0.0.0/0 0.0.0.0/0 tcp dpts:0:1023
547 66374 DROP udp -- !eth1 * 0.0.0.0/0 0.0.0.0/0 udp dpts:0:1023

Chain FORWARD (policy DROP 910 packets, 44018 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP all -- eth1 * 0.0.0.0/0 192.168.35.0/24
2823 142K ACCEPT all -- eth1 * 192.168.35.0/24 0.0.0.0/0
0 0 ACCEPT all -- eth0 * 0.0.0.0/0 192.168.35.0/24

Chain OUTPUT (policy ACCEPT 2129 packets, 436K bytes)
pkts bytes target prot opt in out source destination
Rob1n
l33t
Joined: 29 Nov 2003
Posts: 714
Location: Cambridge, UK

Posted: Thu Jul 26, 2007 2:09 pm

It looks like you're missing the rules to accept responses to your outgoing traffic:
Code:

iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -I FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
ufoq
n00b
Joined: 25 Mar 2004
Posts: 33

Posted: Fri Jul 27, 2007 6:47 am

Still doesn't work... I have no clue what's wrong.

Included is the part of .config regarding Netfilter:

Code:

#
# Core Netfilter Configuration
#
CONFIG_NETFILTER_NETLINK=m
CONFIG_NETFILTER_NETLINK_QUEUE=m
CONFIG_NETFILTER_NETLINK_LOG=m
CONFIG_NF_CONNTRACK_ENABLED=m
CONFIG_NF_CONNTRACK_SUPPORT=y
# CONFIG_IP_NF_CONNTRACK_SUPPORT is not set
CONFIG_NF_CONNTRACK=m
CONFIG_NF_CT_ACCT=y
CONFIG_NF_CONNTRACK_MARK=y
CONFIG_NF_CONNTRACK_EVENTS=y
CONFIG_NF_CT_PROTO_GRE=m
# CONFIG_NF_CT_PROTO_SCTP is not set
CONFIG_NF_CONNTRACK_AMANDA=m
CONFIG_NF_CONNTRACK_FTP=m
# CONFIG_NF_CONNTRACK_H323 is not set
CONFIG_NF_CONNTRACK_IRC=m
# CONFIG_NF_CONNTRACK_NETBIOS_NS is not set
CONFIG_NF_CONNTRACK_PPTP=m
# CONFIG_NF_CONNTRACK_SANE is not set
# CONFIG_NF_CONNTRACK_SIP is not set
CONFIG_NF_CONNTRACK_TFTP=m
# CONFIG_NF_CT_NETLINK is not set
CONFIG_NETFILTER_XTABLES=y
CONFIG_NETFILTER_XT_TARGET_CLASSIFY=m
CONFIG_NETFILTER_XT_TARGET_CONNMARK=m
CONFIG_NETFILTER_XT_TARGET_DSCP=m
CONFIG_NETFILTER_XT_TARGET_MARK=m
CONFIG_NETFILTER_XT_TARGET_NFQUEUE=m
CONFIG_NETFILTER_XT_TARGET_NFLOG=m
CONFIG_NETFILTER_XT_TARGET_NOTRACK=m
CONFIG_NETFILTER_XT_TARGET_TCPMSS=m
CONFIG_NETFILTER_XT_MATCH_COMMENT=m
CONFIG_NETFILTER_XT_MATCH_CONNBYTES=m
CONFIG_NETFILTER_XT_MATCH_CONNMARK=m
CONFIG_NETFILTER_XT_MATCH_CONNTRACK=m
CONFIG_NETFILTER_XT_MATCH_DCCP=m
CONFIG_NETFILTER_XT_MATCH_DSCP=m
CONFIG_NETFILTER_XT_MATCH_ESP=m
CONFIG_NETFILTER_XT_MATCH_HELPER=m
CONFIG_NETFILTER_XT_MATCH_LENGTH=m
CONFIG_NETFILTER_XT_MATCH_LIMIT=m
CONFIG_NETFILTER_XT_MATCH_MAC=m
CONFIG_NETFILTER_XT_MATCH_MARK=m
CONFIG_NETFILTER_XT_MATCH_POLICY=m
CONFIG_NETFILTER_XT_MATCH_MULTIPORT=m
CONFIG_NETFILTER_XT_MATCH_PKTTYPE=m
CONFIG_NETFILTER_XT_MATCH_QUOTA=m
CONFIG_NETFILTER_XT_MATCH_REALM=m
CONFIG_NETFILTER_XT_MATCH_SCTP=m
CONFIG_NETFILTER_XT_MATCH_STATE=m
CONFIG_NETFILTER_XT_MATCH_STATISTIC=m
CONFIG_NETFILTER_XT_MATCH_STRING=m
CONFIG_NETFILTER_XT_MATCH_TCPMSS=m
CONFIG_NETFILTER_XT_MATCH_HASHLIMIT=m

#
# IP: Netfilter Configuration
#
CONFIG_NF_CONNTRACK_IPV4=m
CONFIG_NF_CONNTRACK_PROC_COMPAT=y
# CONFIG_IP_NF_QUEUE is not set
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_MATCH_IPRANGE=m
CONFIG_IP_NF_MATCH_TOS=m
CONFIG_IP_NF_MATCH_RECENT=m
CONFIG_IP_NF_MATCH_ECN=m
CONFIG_IP_NF_MATCH_AH=m
CONFIG_IP_NF_MATCH_TTL=m
CONFIG_IP_NF_MATCH_OWNER=m
CONFIG_IP_NF_MATCH_ADDRTYPE=m
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_TARGET_REJECT=m
CONFIG_IP_NF_TARGET_LOG=m
CONFIG_IP_NF_TARGET_ULOG=m
CONFIG_NF_NAT=m
CONFIG_NF_NAT_NEEDED=y
CONFIG_IP_NF_TARGET_MASQUERADE=m
CONFIG_IP_NF_TARGET_REDIRECT=m
CONFIG_IP_NF_TARGET_NETMAP=m
CONFIG_IP_NF_TARGET_SAME=m
# CONFIG_NF_NAT_SNMP_BASIC is not set
CONFIG_NF_NAT_PROTO_GRE=m
CONFIG_NF_NAT_FTP=m
CONFIG_NF_NAT_IRC=m
CONFIG_NF_NAT_TFTP=m
CONFIG_NF_NAT_AMANDA=m
CONFIG_NF_NAT_PPTP=m
# CONFIG_NF_NAT_H323 is not set
# CONFIG_NF_NAT_SIP is not set
CONFIG_IP_NF_MANGLE=m
CONFIG_IP_NF_TARGET_TOS=m
CONFIG_IP_NF_TARGET_ECN=m
CONFIG_IP_NF_TARGET_TTL=m
# CONFIG_IP_NF_TARGET_CLUSTERIP is not set
CONFIG_IP_NF_RAW=m
CONFIG_IP_NF_ARPTABLES=m
CONFIG_IP_NF_ARPFILTER=m
CONFIG_IP_NF_ARP_MANGLE=m
Rob1n
l33t
Joined: 29 Nov 2003
Posts: 714
Location: Cambridge, UK

Posted: Fri Jul 27, 2007 7:50 am

Which modules are actually loaded? Can you post the output of "lsmod"?
ufoq
n00b
Joined: 25 Mar 2004
Posts: 33

Posted: Fri Jul 27, 2007 8:20 am

Situation for now:

1. I've applied .config options suggested here:

http://groups.google.co.uk/group/linux.debian.user.french/browse_thread/thread/c80ebb160ff19406/f350d67409f80c10?lnk=st&q=iptables+2.6.21&rnum=5&hl=en#f350d67409f80c10

2. After 'make clean bzImage modules install modules_install', rebooting, and trying to launch 'modprobe ip_tables' or 'modprobe x_tables', we have:
WARNING: Error inserting x_tables (/lib/modules/2.6.21-gentoo-r4/kernel/net/netfilter/x_tables.ko): Invalid module format
FATAL: Error inserting ip_tables (/lib/modules/2.6.21-gentoo-r4/kernel/net/ipv4/netfilter/ip_tables.ko): Invalid module format

Which gives us these details in dmesg:

x_tables: exports duplicate symbol xt_free_table_info (owned by kernel)
ip_tables: exports duplicate symbol ipt_do_table (owned by kernel)

And ip_tables won't load.

I have to mention that I've updated the kernel from version 2.6.11, including new headers, a new gcc and glibc.

Ah, and lsmod:

Module Size Used by
ipt_MASQUERADE 2496 1
xt_state 1984 2
iptable_nat 6084 1
nf_nat 15020 2 ipt_MASQUERADE,iptable_nat
nf_conntrack_ipv4 13324 4 iptable_nat
nf_conntrack 48648 5 ipt_MASQUERADE,xt_state,iptable_nat,nf_nat,nf_conntrack_ipv4
nfnetlink 4888 3 nf_nat,nf_conntrack_ipv4,nf_conntrack
snd_seq_oss 28672 0
snd_seq_midi_event 6144 1 snd_seq_oss
snd_seq 45392 4 snd_seq_oss,snd_seq_midi_event
snd_seq_device 6476 2 snd_seq_oss,snd_seq
snd_pcm_oss 38688 0
snd_pcm 69192 1 snd_pcm_oss
snd_timer 18948 2 snd_seq,snd_pcm
snd_page_alloc 7432 1 snd_pcm
snd_mixer_oss 14016 1 snd_pcm_oss
snd 43300 7 snd_seq_oss,snd_seq,snd_seq_device,snd_pcm_oss,snd_pcm,snd_timer,snd_mixer_oss
i2c_nforce2 4672 0
i2c_core 17040 1 i2c_nforce2
Rob1n
l33t
Joined: 29 Nov 2003
Posts: 714
Location: Cambridge, UK

Posted: Fri Jul 27, 2007 8:44 am

ufoq wrote:
Situation for now:

1. I've applied .config options suggested here:

http://groups.google.co.uk/group/linux.debian.user.french/browse_thread/thread/c80ebb160ff19406/f350d67409f80c10?lnk=st&q=iptables+2.6.21&rnum=5&hl=en#f350d67409f80c10

Okay - looks reasonable.

Quote:

2. After 'make clean bzImage modules install modules_install', rebooting, and trying to launch 'modprobe ip_tables' or 'modprobe x_tables', we have:
WARNING: Error inserting x_tables (/lib/modules/2.6.21-gentoo-r4/kernel/net/netfilter/x_tables.ko): Invalid module format
FATAL: Error inserting ip_tables (/lib/modules/2.6.21-gentoo-r4/kernel/net/ipv4/netfilter/ip_tables.ko): Invalid module format

Which gives us these details in dmesg:

x_tables: exports duplicate symbol xt_free_table_info (owned by kernel)
ip_tables: exports duplicate symbol ipt_do_table (owned by kernel)

And ip_tables won't load.

These are both built into the kernel, so they won't load. To clean up any redundant modules I'd suggest doing:
Code:

rm -rf /lib/modules/2.6.21-gentoo-r4
cd /usr/src/linux
make modules_install


The modules all look okay. Can you post the iptables rules you're actually applying?
ufoq
n00b
Joined: 25 Mar 2004
Posts: 33

Posted: Fri Jul 27, 2007 8:47 am

Quote:


These are both built into the kernel, so they won't load. To clean up any redundant modules I'd suggest doing:
Code:

rm -rf /lib/modules/2.6.21-gentoo-r4
cd /usr/src/linux
make modules_install


I've done this a couple of times. Did it now, with no effect.

Quote:

The modules all look okay. Can you post the iptables rules you're actually applying?

Sure:
Code:

iptables -F
iptables -t nat -F
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
export LAN=eth1
export WAN=eth0
iptables -I INPUT 1 -i ${LAN} -j ACCEPT
iptables -I INPUT 1 -i lo -j ACCEPT
iptables -A INPUT -p UDP --dport bootps -i ! ${LAN} -j REJECT
iptables -A INPUT -p UDP --dport domain -i ! ${LAN} -j REJECT
iptables -A INPUT -p TCP --dport ssh -i ${WAN} -j ACCEPT
iptables -A INPUT -p TCP -i ! ${LAN} -d 0/0 --dport 0:1023 -j DROP
iptables -A INPUT -p UDP -i ! ${LAN} -d 0/0 --dport 0:1023 -j DROP
#iptables -I FORWARD -i ${LAN} -d 192.168.35.0/255.255.255.0 -j DROP
iptables -A FORWARD -i ${LAN} -s 192.168.35.0/255.255.255.0 -j ACCEPT
iptables -A FORWARD -i ${WAN} -d 192.168.35.0/255.255.255.0 -j ACCEPT
iptables -t nat -A POSTROUTING -o ${WAN} -j MASQUERADE
iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -I FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

echo 1 > /proc/sys/net/ipv4/ip_forward
for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 1 > $f ; done

/etc/init.d/iptables save
/etc/init.d/iptables reload
Rob1n
l33t
Joined: 29 Nov 2003
Posts: 714
Location: Cambridge, UK

Posted: Fri Jul 27, 2007 9:28 am

ufoq wrote:
Quote:


These are both built into the kernel, so they won't load. To clean up any redundant modules I'd suggest doing:
Code:

rm -rf /lib/modules/2.6.21-gentoo-r4
cd /usr/src/linux
make modules_install


I've done this a couple of times. Did it now, with no effect.

You shouldn't be able to "modprobe ip_tables" now - it should report that the module is not found. If you're still getting the same error message as before then you're not actually running your new kernel - you need to check where your /boot/grub/grub.conf file is pointing.

The rules look okay to me. All I can suggest is adding some logging rules to try to track down where things are going wrong:
Code:

iptables -F
iptables -t nat -F
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

export LAN=eth1
export WAN=eth0
iptables -I INPUT 1 -i ${LAN} -j ACCEPT
iptables -I INPUT 1 -i lo -j ACCEPT
iptables -A INPUT -p UDP --dport bootps -i ! ${LAN} -j LOG --log-prefix REJECT_BOOTPS
iptables -A INPUT -p UDP --dport bootps -i ! ${LAN} -j REJECT
iptables -A INPUT -p UDP --dport domain -i ! ${LAN} -j LOG --log-prefix REJECT_DOMAIN
iptables -A INPUT -p UDP --dport domain -i ! ${LAN} -j REJECT
iptables -A INPUT -p TCP --dport ssh -i ${WAN} -j ACCEPT
iptables -A INPUT -p TCP -i ! ${LAN} -d 0/0 --dport 0:1023 -j LOG --log-prefix DROP_TCP
iptables -A INPUT -p TCP -i ! ${LAN} -d 0/0 --dport 0:1023 -j DROP
iptables -A INPUT -p UDP -i ! ${LAN} -d 0/0 --dport 0:1023 -j LOG --log-prefix DROP_UDP
iptables -A INPUT -p UDP -i ! ${LAN} -d 0/0 --dport 0:1023 -j DROP
#iptables -I FORWARD -i ${LAN} -d 192.168.35.0/255.255.255.0 -j LOG --log-prefix DROP_LAN
#iptables -I FORWARD -i ${LAN} -d 192.168.35.0/255.255.255.0 -j DROP
iptables -A FORWARD -i ${LAN} -s 192.168.35.0/255.255.255.0 -j ACCEPT
iptables -A FORWARD -i ${WAN} -d 192.168.35.0/255.255.255.0 -j ACCEPT
iptables -t nat -A POSTROUTING -o ${WAN} -j MASQUERADE
iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -I FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -j LOG --log-prefix DROP_FORWARD

echo 1 > /proc/sys/net/ipv4/ip_forward
for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 1 > $f ; done

/etc/init.d/iptables save
/etc/init.d/iptables reload


This should log all dropped/rejected packets to the system log, which should at least make it clear which rule is causing the problem.
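Logging rules only help once somebody reads the log, so here is a small summariser, added as an example and not part of Rob1n's post: it counts netfilter LOG lines per --log-prefix and lists the flows behind one prefix. SAMPLE_LOG is constructed; the comments note that a prefix given without a trailing space, as in the rules above, runs straight into the "IN=" field.

```shell
#!/bin/sh
# Added example, not from the thread: summarise what the LOG rules above write
# to the system log so the rule that is eating the traffic can be identified.
# Assumes the standard netfilter LOG layout: "... kernel: <prefix>IN=... OUT=...".

# Pull the --log-prefix out of one LOG line. A prefix given without a trailing
# space, as in the rules above, runs straight into "IN=" ("DROP_FORWARDIN=eth1");
# with a trailing ": " it reads "REJECT_BOOTPS: IN=". Both are normalised here.
AWK_PREFIX='
function prefix_of(s,  p) {
    sub(/^.*kernel: /, "", s)
    p = s; sub(/IN=.*$/, "", p); sub(/[ :]+$/, "", p)
    return p == "" ? "(none)" : p
}'

# Count LOG lines per prefix. stdin = syslog lines; stdout = "count prefix".
count_by_prefix() {
    awk "$AWK_PREFIX"'
        /kernel: .*IN=/ { count[prefix_of($0)]++ }
        END { for (p in count) print count[p], p }
    ' | sort -k1,1nr -k2,2
}

# List the distinct flows behind one prefix as "PROTO SRC:SPT -> DST:DPT".
flows_for_prefix() {  # $1 = prefix; stdin = syslog lines
    awk -v want="$1" "$AWK_PREFIX"'
        /kernel: .*IN=/ && prefix_of($0) == want {
            proto = "?"; src = "?"; dst = "?"; spt = "-"; dpt = "-"
            n = split($0, f, " ")
            for (i = 1; i <= n; i++) {
                split(f[i], kv, "=")
                if (kv[1] == "PROTO") proto = kv[2]
                else if (kv[1] == "SRC") src = kv[2]
                else if (kv[1] == "DST") dst = kv[2]
                else if (kv[1] == "SPT") spt = kv[2]
                else if (kv[1] == "DPT") dpt = kv[2]
            }
            print proto, src ":" spt, "->", dst ":" dpt
        }
    ' | sort -u
}

# Constructed sample (not real captures): a LAN host with an address outside
# 192.168.35.0/24 misses the FORWARD ACCEPT rule and falls through to the
# chain's DROP policy; the other two lines show INPUT prefixes, the last one
# written with a trailing ": " in its --log-prefix.
SAMPLE_LOG='Jul 27 09:30:01 gw kernel: DROP_FORWARDIN=eth1 OUT=eth0 SRC=192.168.1.5 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1234 DF PROTO=TCP SPT=40001 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Jul 27 09:30:04 gw kernel: DROP_FORWARDIN=eth1 OUT=eth0 SRC=192.168.1.5 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1235 DF PROTO=TCP SPT=40001 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Jul 27 09:30:05 gw kernel: DROP_UDPIN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=198.51.100.2 LEN=78 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=UDP SPT=53 DPT=1023 LEN=58
Jul 27 09:30:07 gw kernel: REJECT_BOOTPS: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:11:22:33:44:55:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=128 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=308'

# Live use on the gateway: sh this_script.sh --live [/var/log/messages]
if [ "${1:-}" = "--live" ]; then
    count_by_prefix < "${2:-/var/log/messages}"
fi
```

Run without arguments it only defines the functions, so it can be sourced and pointed at any syslog file; with --live it summarises the real log.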
ufoq
n00b
Joined: 25 Mar 2004
Posts: 33

Posted: Fri Jul 27, 2007 9:32 am

Everything works now....

I don't know why, but I had a /boot folder on the main partition, to which I was installing the kernel.
After I saw no grub subfolder, I mounted /boot from the real boot partition, installed the kernel and voila...

I'm officially the most stupid person using Gentoo ;)

Rob1n - many thanx for your help, I owe you one.


Last edited by ufoq on Fri Jul 27, 2007 9:42 am; edited 1 time in total
Rob1n
l33t
Joined: 29 Nov 2003
Posts: 714
Location: Cambridge, UK

Posted: Fri Jul 27, 2007 9:35 am

What are the results of "ls -l /boot" and "cat /boot/grub/grub.conf"?
ufoq
n00b
Joined: 25 Mar 2004
Posts: 33

Posted: Fri Jul 27, 2007 9:43 am

Rob1n wrote:
What are the results of "ls -l /boot" and "cat /boot/grub/grub.conf"?


Already thought of it. It was the clue.
Rob1n
l33t
Joined: 29 Nov 2003
Posts: 714
Location: Cambridge, UK

Posted: Fri Jul 27, 2007 9:48 am

ufoq wrote:
Everything works now....

I don't know why, but I had a /boot folder on the main partition, to which I was installing the kernel.
After I saw no grub subfolder, I mounted /boot from the real boot partition, installed the kernel and voila...

I'm officially the most stupid person using Gentoo ;)

Rob1n - many thanx for your help, I owe you one.


Hehe - don't worry, I've done the same thing myself many times (and forgotten to mount the /boot partition before emerging a grub update).
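As an added example (not from the thread), a few shell checks for the two things this thread turned on: whether the symbol named in an "exports duplicate symbol ... (owned by kernel)" message is really built into the running kernel, so the .ko is a stale leftover, and whether the kernel you are running is the one you just built with /boot actually mounted. DMESG_SAMPLE, KALLSYMS_SAMPLE and MOUNTS_SAMPLE are constructed inputs modelled on the messages above.

```shell
#!/bin/sh
# Added example, not from the thread. Two checks for the failure pattern seen
# above: "exports duplicate symbol X (owned by kernel)" means the feature is
# already built into the running kernel and the .ko is a stale leftover; the
# same error persisting after a rebuild means the new image was never booted,
# typically because /boot was not mounted when "make install" ran.

# Print "module symbol" for each duplicate-symbol complaint on stdin (dmesg).
# An optional "[ seconds] " timestamp in front of the module name is skipped.
parse_duplicate_symbols() {
    sed -n 's/^\(\[[ 0-9.]*\] \)\{0,1\}\([A-Za-z0-9_]*\): exports duplicate symbol \([A-Za-z0-9_]*\) (owned by kernel)$/\2 \3/p'
}

# Exit 0 if the running kernel image itself provides SYMBOL. In /proc/kallsyms
# a built-in symbol has three fields; a module's symbol carries a fourth,
# "[modulename]", which is how the two are told apart here.
symbol_is_builtin() {  # $1 = symbol; stdin = /proc/kallsyms
    awk -v sym="$1" 'NF == 3 && $3 == sym { hit = 1 } END { exit !hit }'
}

# Exit 0 when the running release equals the one the source tree would build.
# $1 = output of "uname -r", $2 = output of "make -s -C /usr/src/linux kernelrelease"
running_kernel_is_current() { [ "$1" = "$2" ]; }

# Exit 0 when /boot is a mounted filesystem. stdin = /proc/mounts
boot_is_mounted() { awk '$2 == "/boot" { hit = 1 } END { exit !hit }'; }

# Constructed inputs modelled on the thread (not captured from a real box).
DMESG_SAMPLE='x_tables: exports duplicate symbol xt_free_table_info (owned by kernel)
ip_tables: exports duplicate symbol ipt_do_table (owned by kernel)
eth0: link up'
KALLSYMS_SAMPLE='c02a1f40 T ipt_do_table
c02a0b10 T xt_free_table_info
f8a3c000 t masquerade_target [ipt_MASQUERADE]'
MOUNTS_SAMPLE='/dev/hda3 / ext3 rw 0 0
proc /proc proc rw 0 0'

# Run the checks against the live system: sh this_script.sh --live
if [ "${1:-}" = "--live" ]; then
    dmesg | parse_duplicate_symbols | while read -r mod sym; do
        if symbol_is_builtin "$sym" < /proc/kallsyms; then
            echo "$mod: $sym is built in; $(modinfo -n "$mod" 2>/dev/null) is stale"
        fi
    done
    boot_is_mounted < /proc/mounts || echo "warning: /boot is not a mount point"
    running_kernel_is_current "$(uname -r)" \
        "$(make -s -C /usr/src/linux kernelrelease 2>/dev/null)" ||
        echo "warning: running $(uname -r) but /usr/src/linux builds another release"
fi
```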