alkalinelito (Tux's lil' helper)
Joined: 18 Jun 2002, Posts: 85, Location: Uruguay
Posted: Wed May 28, 2003 5:21 pm, Post subject: Iptables modules hell
I set up a box acting just as a gateway.
In the kernel configuration I selected all the netfilter stuff as modules.
All the clients are Windows.
Everything is working, but now I need to get file transfer over IMs like MSN, Yahoo, etc. and NetMeeting to work.
So I go to /lib/modules/2.4.20-gentoo-r5/kernel/net/ipv4/netfilter
and I have a WHOLE bunch of modules. I know the h323 ones are for NetMeeting and stuff, but I don't really know exactly which one does what,
so I loaded them all (nasty). Now everything is working (of course! ha), but I would like to make this clean, and know exactly which modules to load and what each one does. Where can I find documentation on this?
Well, thanks.
Funny:
Code:
root@puntocom netfilter # lsmod
Module Size Used by Tainted: P
iptable_mangle 2136 0 (unused)
iptable_filter 1740 0 (unused)
ipt_recent 8824 0 (unused)
ipt_length 472 0 (unused)
ipt_iprange 632 0 (unused)
ipt_esp 600 0 (unused)
ipt_fuzzy 1208 0 (unused)
ipt_ecn 824 0 (unused)
ipt_dscp 472 0 (unused)
ipt_conntrack 1176 0 (unused)
ipt_connmark 536 0 (unused)
ipt_connlimit 1880 0 (unused)
ipt_condition 1560 0 (unused)
ipt_TOS 1016 0 (unused)
ipt_TARPIT 2456 0 (unused)
ipt_SAME 984 0 (unused)
ipt_ROUTE 2424 0 (unused)
ipt_REJECT 3192 0 (unused)
ipt_REDIRECT 792 0 (unused)
ipt_NETMAP 760 0 (unused)
ipt_NETLINK 1436 0 (unused)
ipt_IPV4OPTSSTRIP 1080 0 (unused)
ipt_IMQ 792 0 (unused)
ipt_ECN 1784 0 (unused)
ipt_DSCP 1048 0 (unused)
ipt_CLASSIFY 856 0 (unused)
ip_nat_proto_gre 1444 0 (unused)
ip_nat_pptp 2508 0 (unused)
ip_nat_irc 3120 0 (unused)
ip_nat_h323 3564 0 (unused)
ip_nat_cuseeme 2736 0 (unused)
ip_conntrack_tftp 2064 0 (unused)
ip_conntrack_talk 3936 0 (unused)
ip_conntrack_rsh 2560 0 (unused)
ip_conntrack_rpc_udp 5632 0 (unused)
ip_conntrack_rpc_tcp 5728 0 (unused)
ip_conntrack_pptp 3088 1 [ip_nat_pptp]
ip_conntrack_proto_gre 4660 0 [ip_nat_pptp ip_conntrack_pptp]
ip_conntrack_irc 3568 1 [ip_nat_irc]
ip_conntrack_h323 3888 1 [ip_nat_h323]
ipt_MASQUERADE 1976 1 (autoclean)
iptable_nat 24760 6 (autoclean) [ipt_SAME ipt_REDIRECT ipt_NETMAP ip_nat_proto_gre ip_nat_pptp ip_nat_irc ip_nat_h323 ip_nat_cuseeme ipt_MASQUERADE]
wolf31o2 (Retired Dev)
Joined: 31 Jan 2003, Posts: 628, Location: Mountain View, CA
Posted: Wed May 28, 2003 6:50 pm
The simplest way is to not load any modules for iptables, and to let iptables load them itself when you call them in your scripts.
alkalinelito (Tux's lil' helper)
Joined: 18 Jun 2002, Posts: 85, Location: Uruguay
Posted: Thu May 29, 2003 1:58 pm
But I'm not an iptables guru.
All I'm doing is this (I created an executable file in /etc/init.d/file and added it to the default run level):
Code:
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
I'm starting to read more about iptables,
but I would really like to set up a nice firewall.
The internal LAN is 192.168.x.x and the Gentoo box is 192.168.0.1 with 2 NICs, one that goes to the internal LAN and the other to ADSL.
How can I tell iptables to load the modules that it needs?
ferringb (Retired Dev)
Joined: 03 Apr 2003, Posts: 357
Posted: Thu May 29, 2003 4:02 pm
alkalinelito wrote:
> But I'm not an iptables guru.
> All I'm doing is this (I created an executable file in /etc/init.d/file and added it to the default run level):
> ...snip...
> How can I tell iptables to load the modules that it needs?

Like Wolf31o2 said, Wolf31o2 wrote:
> The simplest way is to not load any modules for iptables, and to let iptables load them itself when you call them in your scripts.

Explaining it a bit further: say all you have loaded is ip_tables, and your script tells iptables to create a ruleset that uses connection tracking. The kernel/modules daemon will load the module if it is needed/not present. You don't have to modprobe all the modules yourself, just let iptables handle it.
alkalinelito (Tux's lil' helper)
Joined: 18 Jun 2002, Posts: 85, Location: Uruguay
Posted: Thu May 29, 2003 5:58 pm
But check the code I use for iptables:
if I don't modprobe the h323 modules,
NetMeeting will not work.
ferringb (Retired Dev)
Joined: 03 Apr 2003, Posts: 357
Posted: Thu May 29, 2003 7:26 pm
alkalinelito wrote:
> But check the code I use for iptables:
> if I don't modprobe the h323 modules,
> NetMeeting will not work.

As far as I know, connection tracking (conntrack) modules would be an exception in terms of iptables loading the modules that it needs, although I believe to actually use them you have to specify a specific rule that uses them... not sure though.
So just to be safe, we say needed connection tracking modules must be insmodded. OK, not an issue. In your script modprobe the specific protocol fixes you need (h323 as you said), and let iptables handle the rest.
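As an added example (not code from the thread), here is a gateway script in the spirit of alkalinelito's two-line init.d file, reworked the way ferringb describes: only the connection-tracking helpers are modprobed by hand (h323 for NetMeeting, as the thread says), the tables, matches and targets are left for iptables to load on demand, and the FORWARD chain is stateful instead of wide open. The interface names, the LAN range and the application-to-helper table are assumptions for the example.

```shell
#!/bin/sh
# Added example, not from the thread. Interfaces and LAN range are assumptions
# matching the setup described (ADSL on ppp0, LAN 192.168.x.x on a second NIC).
# Usage: ./gateway.sh netmeeting irc        -> print the commands (dry run)
#        ./gateway.sh apply netmeeting irc  -> run them (as root)
LAN_IF=eth0
WAN_IF=ppp0
LAN_NET=192.168.0.0/16

# Which 2.4 conntrack + NAT helper pair an application needs behind MASQUERADE.
# h323 <-> NetMeeting is from the thread; irc (DCC) and ftp are the standard
# helpers for those protocols. These are the only modules modprobed by hand:
# tables, matches and targets (iptable_nat, ipt_state, ipt_MASQUERADE, ...) are
# loaded by iptables itself when a rule references them.
helper_modules_for() {
    case "$1" in
        netmeeting|h323) echo "ip_conntrack_h323 ip_nat_h323" ;;
        irc)             echo "ip_conntrack_irc ip_nat_irc" ;;
        ftp)             echo "ip_conntrack_ftp ip_nat_ftp" ;;
        *) echo "unknown application: $1" >&2; return 1 ;;
    esac
}

# Print the ruleset so it can be reviewed before it touches the box.
gen_rules() {
    for app in "$@"; do
        for m in $(helper_modules_for "$app"); do echo "modprobe $m"; done
    done
    echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
    echo "iptables -F"; echo "iptables -t nat -F"
    # Default deny; the thread's two-line script leaves INPUT and FORWARD at
    # their ACCEPT default, so the gateway itself and the LAN are exposed.
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -i $LAN_IF -s $LAN_NET -j ACCEPT"
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # LAN may go out; from the ADSL side only replies and helper-opened RELATED
    # flows (the h323 media streams, DCC transfers) are forwarded back in.
    echo "iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT"
    echo "iptables -A FORWARD -i $WAN_IF -o $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE"
}

apply_rules() { gen_rules "$@" | sh -e; }
case "${1:-}" in
    apply) shift; apply_rules "$@" ;;
    *)     gen_rules "$@" ;;
esac
```

Without the helpers the RELATED rule alone does nothing for NetMeeting: the h323 helper is what marks the dynamically negotiated media ports as RELATED to the call's control connection.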
alkalinelito (Tux's lil' helper)
Joined: 18 Jun 2002, Posts: 85, Location: Uruguay
Posted: Thu May 29, 2003 10:20 pm
Can anyone help me in making a good script?
I know I need some rules to make the box secure.
Well, I'm still reading iptables tutorials,
but I really know that script is really insecure.
alkalinelito (Tux's lil' helper)
Joined: 18 Jun 2002, Posts: 85, Location: Uruguay
Posted: Fri May 30, 2003 11:36 am
But anyway, that thing about a firewall script doesn't matter.
But anyway, the problem is still there: I don't know which modules to load so I can get file transfer / video / audio to work.
So many modules, no explanation about what each does.
Like the topic says: iptables modules hell.
fatcat.00 (Tux's lil' helper)
Joined: 12 Aug 2002, Posts: 145
Posted: Fri May 30, 2003 12:14 pm
"emerge firestarter" and let it generate a script for you. It contains all the modules to load and explains what each one does.
Firestarter is a great way to get started with iptables.
-- Fatcat
alkalinelito (Tux's lil' helper)
Joined: 18 Jun 2002, Posts: 85, Location: Uruguay
Posted: Fri May 30, 2003 2:20 pm
Heheheh, no X.
Thanks anyway.
But the issue is not the firewall script.
It is to know what each module does, and to know what to load to get file transfer, audio, video working.
fatcat.00 (Tux's lil' helper)
Joined: 12 Aug 2002, Posts: 145
Posted: Sat May 31, 2003 1:54 am
Right, well the script generated by Firestarter adds comments about what each thing does, which is why I suggested it.
But, as you have no X... I suggest using one of the many firewall scripts out there, some of which are pretty well documented. Try "monmotha" for example: http://monmotha.mplug.org/firewall/index.php
-- Fatcat
alkalinelito (Tux's lil' helper)
Joined: 18 Jun 2002, Posts: 85, Location: Uruguay
Posted: Sat May 31, 2003 12:30 pm
Thanks for all the answers, trying/reading.