Ip_tables module in 2.6.21 not loading [SOLVED]

Post by ufoq » Thu Jul 26, 2007 11:57 am

Since yesterday I've been trying to get iptables in 2.6.21 to work. I've tried all the options in menuconfig, setting them to compile into kernel, make modules, and mixed.

Now the situation is that when I try to modprobe ip_tables I receive:

FATAL: Error inserting ip_tables (/lib/modules/2.6.21-gentoo-r4/kernel/net/ipv4/netfilter/ip_tables.ko): Invalid module format


Here is my emerge --info :

Code: Select all

Portage 2.1.2.9 (default-linux/x86/2007.0, gcc-4.1.2, glibc-2.5-r4, 2.6.21-gentoo-r4 i686)
=================================================================
System uname: 2.6.21-gentoo-r4 i686 AMD Athlon(tm) XP 2500+
Gentoo Base System release 1.12.9
Timestamp of tree: Thu, 26 Jul 2007 06:20:01 +0000
dev-java/java-config: 1.2.11
dev-lang/python:     2.3.5-r2, 2.4.3-r1
dev-python/pycrypto: 2.0.1-r5
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.61
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r1, 1.10
sys-devel/binutils:  2.17
sys-devel/gcc-config: 1.3.16
sys-devel/libtool:   1.5.23b
virtual/os-headers:  2.6.21
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-march=athlon-xp -O2 -fomit-frame-pointer"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/lib/fax /var/bind /var/spool/fax/etc"
CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/php/apache1-php4/ext-active/ /etc/php/apache1-php5/ext-active/ /etc/php/apache2-php4/ext-active/ /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php4/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php4/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/terminfo"
CXXFLAGS="-march=athlon-xp -O2 -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
FEATURES="distlocks metadata-transfer sandbox sfperms strict"
GENTOO_MIRRORS="ftp://sunsite.informatik.rwth-aachen.de/pub/Linux/gentoo http://linux.rz.ruhr-uni-bochum.de/download/gentoo-mirror/ ftp://linux.rz.ruhr-uni-bochum.de/gentoo-mirror/ http://ftp.uni-erlangen.de/pub/mirrors/gentoo http://gentoo.zie.pg.gda.pl http://gentoo.po.opole.pl ftp://gentoo.po.opole.pl ftp://mirror.icis.pcz.pl/gentoo/"
LINGUAS="pl"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.de.gentoo.org/gentoo-portage"
USE="3dnow acl apache2 avi berkdb bitmap-fonts cli cracklib crypt cups dri dv encode fbcon fortran gd gdbm gpm iconv imap isdnlog libg++ maildir midi mmx mudflap mysql ncurses nls nptl nptlonly openmp pam pcre perl pppd python qt readline reflection samba session spl sse ssl tcpd truetype-fonts type1-fonts unicode userlocales winbind x86 xorg xvid zip zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1 emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" ELIBC="glibc" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="pl" USERLAND="GNU" VIDEO_CARDS="apm ark chips cirrus cyrix dummy fbdev glint i128 i740 i810 imstt mach64 mga neomagic nsc nv r128 radeon rendition s3 s3virge savage siliconmotion sis sisusb tdfx tga trident tseng v4l vesa vga via vmware voodoo"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY
Last edited by ufoq on Fri Jul 27, 2007 9:50 am, edited 1 time in total.

Post by Rob1n » Thu Jul 26, 2007 12:09 pm

Is there anything printed in dmesg about this? The error messages from modprobe tend to be rather unhelpful.

Post by ufoq » Thu Jul 26, 2007 12:34 pm

ip_tables: exports duplicate symbol ipt_do_table (owned by kernel)

Post by Rob1n » Thu Jul 26, 2007 12:40 pm

Looks like you have iptables compiled into the kernel already. What does "iptables -L" give you?

Post by ufoq » Thu Jul 26, 2007 12:41 pm

Rob1n wrote: Looks like you have iptables compiled into the kernel already. What does "iptables -L" give you?

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

This is without GShield running.
When it's loaded, I can't for example ping my internal network (Operation not permitted)... But I haven't changed anything in GShield configuration files.

Post by Rob1n » Thu Jul 26, 2007 12:49 pm

Yep - it's built into the kernel so the module must be leftover from a previous build. It may be worth removing the /lib/modules/2.6.21-gentoo-r4 directory and rerunning "make modules_install" from /usr/src/linux to clear up any other old modules.

Post by ufoq » Thu Jul 26, 2007 1:35 pm

Hmm..
Gshield is causing a kernel panic a couple of seconds after starting...

So I've typed in the standard iptables example from the Gentoo Handbook.
Now iptables -L gives me this:

Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
REJECT udp -- anywhere anywhere udp dpt:bootps reject-with icmp-port-unreachable
REJECT udp -- anywhere anywhere udp dpt:domain reject-with icmp-port-unreachable
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
DROP tcp -- anywhere anywhere tcp dpts:0:1023
DROP udp -- anywhere anywhere udp dpts:0:1023

Chain FORWARD (policy DROP)
target prot opt source destination
/etc/host.conf: line 24: bad command `mdns off'
DROP all -- anywhere 192.168.35.0/24
ACCEPT all -- 192.168.35.0/24 anywhere
ACCEPT all -- anywhere 192.168.35.0/24

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

But NAT doesn't work...

Post by Rob1n » Thu Jul 26, 2007 1:38 pm

What's the output of "iptables -t nat -L -n -v"?

Post by ufoq » Thu Jul 26, 2007 1:41 pm

Rob1n wrote: What's the output of "iptables -t nat -L -n -v"?

Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain POSTROUTING (policy ACCEPT 58 packets, 5226 bytes)
pkts bytes target prot opt in out source destination
15 900 MASQUERADE all -- * eth0 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT 73 packets, 6126 bytes)
pkts bytes target prot opt in out source destination

Post by Rob1n » Thu Jul 26, 2007 1:43 pm

Well that looks okay, so exactly where is it going wrong? What are you trying to do using NAT that's failing?

Post by ufoq » Thu Jul 26, 2007 1:45 pm

Rob1n wrote: Well that looks okay, so exactly where is it going wrong? What are you trying to do using NAT that's failing?

Just standard internet access, as before upgrading that freaking kernel....

Traceroutes stop on the gateway...

This is my lsmod:

Module Size Used by
ipt_MASQUERADE 2496 1
iptable_nat 6084 1
nf_nat 15020 2 ipt_MASQUERADE,iptable_nat
nf_conntrack_ipv4 13580 2 iptable_nat
nf_conntrack 50776 4 ipt_MASQUERADE,iptable_nat,nf_nat,nf_conntrack_ipv4
nfnetlink 4888 3 nf_nat,nf_conntrack_ipv4,nf_conntrack
snd_seq_oss 28672 0
snd_seq_midi_event 6144 1 snd_seq_oss
snd_seq 45392 4 snd_seq_oss,snd_seq_midi_event
snd_seq_device 6476 2 snd_seq_oss,snd_seq
snd_pcm_oss 38688 0
snd_pcm 69192 1 snd_pcm_oss
snd_timer 18948 2 snd_seq,snd_pcm
snd_page_alloc 7432 1 snd_pcm
snd_mixer_oss 14016 1 snd_pcm_oss
snd 43300 7 snd_seq_oss,snd_seq,snd_seq_device,snd_pcm_oss,snd_pcm,snd_timer,snd_mixer_oss
i2c_nforce2 4672 0
i2c_core 17040 1 i2c_nforce2

Post by Rob1n » Thu Jul 26, 2007 1:58 pm

Ah - okay, looks like there's a problem with your forward rules then. What's the output of "iptables -L -n -v"?

Post by ufoq » Thu Jul 26, 2007 2:00 pm

Rob1n wrote: Ah - okay, looks like there's a problem with your forward rules then. What's the output of "iptables -L -n -v"?

Chain INPUT (policy ACCEPT 1007 packets, 75957 bytes)
pkts bytes target prot opt in out source destination
64 5756 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
2041 243K ACCEPT all -- eth1 * 0.0.0.0/0 0.0.0.0/0
27 9112 REJECT udp -- !eth1 * 0.0.0.0/0 0.0.0.0/0 udp dpt:67 reject-with icmp-port-unreachable
0 0 REJECT udp -- !eth1 * 0.0.0.0/0 0.0.0.0/0 udp dpt:53 reject-with icmp-port-unreachable
31 2280 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
9 536 DROP tcp -- !eth1 * 0.0.0.0/0 0.0.0.0/0 tcp dpts:0:1023
547 66374 DROP udp -- !eth1 * 0.0.0.0/0 0.0.0.0/0 udp dpts:0:1023

Chain FORWARD (policy DROP 910 packets, 44018 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP all -- eth1 * 0.0.0.0/0 192.168.35.0/24
2823 142K ACCEPT all -- eth1 * 192.168.35.0/24 0.0.0.0/0
0 0 ACCEPT all -- eth0 * 0.0.0.0/0 192.168.35.0/24

Chain OUTPUT (policy ACCEPT 2129 packets, 436K bytes)
pkts bytes target prot opt in out source destination

Post by Rob1n » Thu Jul 26, 2007 2:09 pm

It looks like you're missing the rules to accept responses to your outgoing traffic:

Code: Select all

iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -I FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

Post by ufoq » Fri Jul 27, 2007 6:47 am

Still doesn't work.......I have no clue what's wrong.

Included part of .config regarding Netfilter

Code: Select all

#
# Core Netfilter Configuration
#
CONFIG_NETFILTER_NETLINK=m
CONFIG_NETFILTER_NETLINK_QUEUE=m
CONFIG_NETFILTER_NETLINK_LOG=m
CONFIG_NF_CONNTRACK_ENABLED=m
CONFIG_NF_CONNTRACK_SUPPORT=y
# CONFIG_IP_NF_CONNTRACK_SUPPORT is not set
CONFIG_NF_CONNTRACK=m
CONFIG_NF_CT_ACCT=y
CONFIG_NF_CONNTRACK_MARK=y
CONFIG_NF_CONNTRACK_EVENTS=y
CONFIG_NF_CT_PROTO_GRE=m
# CONFIG_NF_CT_PROTO_SCTP is not set
CONFIG_NF_CONNTRACK_AMANDA=m
CONFIG_NF_CONNTRACK_FTP=m
# CONFIG_NF_CONNTRACK_H323 is not set
CONFIG_NF_CONNTRACK_IRC=m
# CONFIG_NF_CONNTRACK_NETBIOS_NS is not set
CONFIG_NF_CONNTRACK_PPTP=m
# CONFIG_NF_CONNTRACK_SANE is not set
# CONFIG_NF_CONNTRACK_SIP is not set
CONFIG_NF_CONNTRACK_TFTP=m
# CONFIG_NF_CT_NETLINK is not set
CONFIG_NETFILTER_XTABLES=y
CONFIG_NETFILTER_XT_TARGET_CLASSIFY=m
CONFIG_NETFILTER_XT_TARGET_CONNMARK=m
CONFIG_NETFILTER_XT_TARGET_DSCP=m
CONFIG_NETFILTER_XT_TARGET_MARK=m
CONFIG_NETFILTER_XT_TARGET_NFQUEUE=m
CONFIG_NETFILTER_XT_TARGET_NFLOG=m
CONFIG_NETFILTER_XT_TARGET_NOTRACK=m
CONFIG_NETFILTER_XT_TARGET_TCPMSS=m
CONFIG_NETFILTER_XT_MATCH_COMMENT=m
CONFIG_NETFILTER_XT_MATCH_CONNBYTES=m
CONFIG_NETFILTER_XT_MATCH_CONNMARK=m
CONFIG_NETFILTER_XT_MATCH_CONNTRACK=m
CONFIG_NETFILTER_XT_MATCH_DCCP=m
CONFIG_NETFILTER_XT_MATCH_DSCP=m
CONFIG_NETFILTER_XT_MATCH_ESP=m
CONFIG_NETFILTER_XT_MATCH_HELPER=m
CONFIG_NETFILTER_XT_MATCH_LENGTH=m
CONFIG_NETFILTER_XT_MATCH_LIMIT=m
CONFIG_NETFILTER_XT_MATCH_MAC=m
CONFIG_NETFILTER_XT_MATCH_MARK=m
CONFIG_NETFILTER_XT_MATCH_POLICY=m
CONFIG_NETFILTER_XT_MATCH_MULTIPORT=m
CONFIG_NETFILTER_XT_MATCH_PKTTYPE=m
CONFIG_NETFILTER_XT_MATCH_QUOTA=m
CONFIG_NETFILTER_XT_MATCH_REALM=m
CONFIG_NETFILTER_XT_MATCH_SCTP=m
CONFIG_NETFILTER_XT_MATCH_STATE=m
CONFIG_NETFILTER_XT_MATCH_STATISTIC=m
CONFIG_NETFILTER_XT_MATCH_STRING=m
CONFIG_NETFILTER_XT_MATCH_TCPMSS=m
CONFIG_NETFILTER_XT_MATCH_HASHLIMIT=m

#
# IP: Netfilter Configuration
#
CONFIG_NF_CONNTRACK_IPV4=m
CONFIG_NF_CONNTRACK_PROC_COMPAT=y
# CONFIG_IP_NF_QUEUE is not set
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_MATCH_IPRANGE=m
CONFIG_IP_NF_MATCH_TOS=m
CONFIG_IP_NF_MATCH_RECENT=m
CONFIG_IP_NF_MATCH_ECN=m
CONFIG_IP_NF_MATCH_AH=m
CONFIG_IP_NF_MATCH_TTL=m
CONFIG_IP_NF_MATCH_OWNER=m
CONFIG_IP_NF_MATCH_ADDRTYPE=m
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_TARGET_REJECT=m
CONFIG_IP_NF_TARGET_LOG=m
CONFIG_IP_NF_TARGET_ULOG=m
CONFIG_NF_NAT=m
CONFIG_NF_NAT_NEEDED=y
CONFIG_IP_NF_TARGET_MASQUERADE=m
CONFIG_IP_NF_TARGET_REDIRECT=m
CONFIG_IP_NF_TARGET_NETMAP=m
CONFIG_IP_NF_TARGET_SAME=m
# CONFIG_NF_NAT_SNMP_BASIC is not set
CONFIG_NF_NAT_PROTO_GRE=m
CONFIG_NF_NAT_FTP=m
CONFIG_NF_NAT_IRC=m
CONFIG_NF_NAT_TFTP=m
CONFIG_NF_NAT_AMANDA=m
CONFIG_NF_NAT_PPTP=m
# CONFIG_NF_NAT_H323 is not set
# CONFIG_NF_NAT_SIP is not set
CONFIG_IP_NF_MANGLE=m
CONFIG_IP_NF_TARGET_TOS=m
CONFIG_IP_NF_TARGET_ECN=m
CONFIG_IP_NF_TARGET_TTL=m
# CONFIG_IP_NF_TARGET_CLUSTERIP is not set
CONFIG_IP_NF_RAW=m
CONFIG_IP_NF_ARPTABLES=m
CONFIG_IP_NF_ARPFILTER=m
CONFIG_IP_NF_ARP_MANGLE=m

Post by Rob1n » Fri Jul 27, 2007 7:50 am

Which modules are actually loaded? Can you post the output of "lsmod"?

Post by ufoq » Fri Jul 27, 2007 8:20 am

Situation for now:

1. I've applied .config options suggested here:

http://groups.google.co.uk/group/linux. ... 7409f80c10

2. after 'make clean bzImage modules install modules_install', and rebooting, and trying to launch 'modprobe ip_tables' or 'modprobe x_tables' we have:
WARNING: Error inserting x_tables (/lib/modules/2.6.21-gentoo-r4/kernel/net/netfilter/x_tables.ko): Invalid module format
FATAL: Error inserting ip_tables (/lib/modules/2.6.21-gentoo-r4/kernel/net/ipv4/netfilter/ip_tables.ko): Invalid module format

Which gives us details in dmesg:

x_tables: exports duplicate symbol xt_free_table_info (owned by kernel)
ip_tables: exports duplicate symbol ipt_do_table (owned by kernel)

And ip_tables won't load.

I have to mention that I've updated the kernel from version 2.6.11, including new headers, new gcc and glibc.

Ah, and lsmod:

Module Size Used by
ipt_MASQUERADE 2496 1
xt_state 1984 2
iptable_nat 6084 1
nf_nat 15020 2 ipt_MASQUERADE,iptable_nat
nf_conntrack_ipv4 13324 4 iptable_nat
nf_conntrack 48648 5 ipt_MASQUERADE,xt_state,iptable_nat,nf_nat,nf_conntrack_ipv4
nfnetlink 4888 3 nf_nat,nf_conntrack_ipv4,nf_conntrack
snd_seq_oss 28672 0
snd_seq_midi_event 6144 1 snd_seq_oss
snd_seq 45392 4 snd_seq_oss,snd_seq_midi_event
snd_seq_device 6476 2 snd_seq_oss,snd_seq
snd_pcm_oss 38688 0
snd_pcm 69192 1 snd_pcm_oss
snd_timer 18948 2 snd_seq,snd_pcm
snd_page_alloc 7432 1 snd_pcm
snd_mixer_oss 14016 1 snd_pcm_oss
snd 43300 7 snd_seq_oss,snd_seq,snd_seq_device,snd_pcm_oss,snd_pcm,snd_timer,snd_mixer_oss
i2c_nforce2 4672 0
i2c_core 17040 1 i2c_nforce2

Post by Rob1n » Fri Jul 27, 2007 8:44 am

ufoq wrote:Situation for now:

1. I've applied .config options suggested here:

http://groups.google.co.uk/group/linux. ... 7409f80c10

Okay - looks reasonable.

2. after 'make clean bzImage modules install modules_install', and rebooting, and trying to launch 'modprobe ip_tables' or 'modprobe x_tables' we have:
WARNING: Error inserting x_tables (/lib/modules/2.6.21-gentoo-r4/kernel/net/netfilter/x_tables.ko): Invalid module format
FATAL: Error inserting ip_tables (/lib/modules/2.6.21-gentoo-r4/kernel/net/ipv4/netfilter/ip_tables.ko): Invalid module format

Which gives us details in dmesg:

x_tables: exports duplicate symbol xt_free_table_info (owned by kernel)
ip_tables: exports duplicate symbol ipt_do_table (owned by kernel)

And ip_tables won't load.

These are both built-in to the kernel so won't load. To clean up any redundant modules I'd suggest doing:

Code: Select all

rm -rf /lib/modules/2.6.21-gentoo-r4
cd /usr/src/linux
make modules_install

The modules all look okay. Can you post the iptables rules you're actually applying?

Post by ufoq » Fri Jul 27, 2007 8:47 am


These are both built-in to the kernel so won't load. To clean up any redundant modules I'd suggest doing:

Code: Select all

rm -rf /lib/modules/2.6.21-gentoo-r4
cd /usr/src/linux
make modules_install

I've done this a couple of times. Did it now, with no effect.

The modules all look okay. Can you post the iptables rules you're actually applying?

Sure:

Code: Select all

iptables -F
iptables -t nat -F
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
export LAN=eth1
export WAN=eth0
iptables -I INPUT 1 -i ${LAN} -j ACCEPT
iptables -I INPUT 1 -i lo -j ACCEPT
iptables -A INPUT -p UDP --dport bootps -i ! ${LAN} -j REJECT
iptables -A INPUT -p UDP --dport domain -i ! ${LAN} -j REJECT
iptables -A INPUT -p TCP --dport ssh -i ${WAN} -j ACCEPT
iptables -A INPUT -p TCP -i ! ${LAN} -d 0/0 --dport 0:1023 -j DROP
iptables -A INPUT -p UDP -i ! ${LAN} -d 0/0 --dport 0:1023 -j DROP
#iptables -I FORWARD -i ${LAN} -d 192.168.35.0/255.255.255.0 -j DROP
iptables -A FORWARD -i ${LAN} -s 192.168.35.0/255.255.255.0 -j ACCEPT
iptables -A FORWARD -i ${WAN} -d 192.168.35.0/255.255.255.0 -j ACCEPT
iptables -t nat -A POSTROUTING -o ${WAN} -j MASQUERADE
iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -I FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

echo 1 > /proc/sys/net/ipv4/ip_forward
for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 1 > $f ; done

/etc/init.d/iptables save
/etc/init.d/iptables reload

Post by Rob1n » Fri Jul 27, 2007 9:28 am

ufoq wrote:

These are both built-in to the kernel so won't load. To clean up any redundant modules I'd suggest doing:

Code: Select all

rm -rf /lib/modules/2.6.21-gentoo-r4
cd /usr/src/linux
make modules_install

I've done this couple of times. Did it now, with no effect.

You shouldn't be able to "modprobe ip_tables" now - it should report that the module is not found. If you're still getting the same error message as before then you're not actually running your new kernel - you need to check where your /boot/grub/grub.conf file is pointing.

The rules look okay to me. All I can suggest is adding some logging rules to try to track down where things are going wrong:

Code: Select all

iptables -F
iptables -t nat -F
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

export LAN=eth1
export WAN=eth0
iptables -I INPUT 1 -i ${LAN} -j ACCEPT
iptables -I INPUT 1 -i lo -j ACCEPT
iptables -A INPUT -p UDP --dport bootps -i ! ${LAN} -j LOG --log-prefix REJECT_BOOTPS
iptables -A INPUT -p UDP --dport bootps -i ! ${LAN} -j REJECT
iptables -A INPUT -p UDP --dport domain -i ! ${LAN} -j LOG --log-prefix REJECT_DOMAIN
iptables -A INPUT -p UDP --dport domain -i ! ${LAN} -j REJECT
iptables -A INPUT -p TCP --dport ssh -i ${WAN} -j ACCEPT
iptables -A INPUT -p TCP -i ! ${LAN} -d 0/0 --dport 0:1023 -j LOG --log-prefix DROP_TCP
iptables -A INPUT -p TCP -i ! ${LAN} -d 0/0 --dport 0:1023 -j DROP
iptables -A INPUT -p UDP -i ! ${LAN} -d 0/0 --dport 0:1023 -j LOG --log-prefix DROP_UDP
iptables -A INPUT -p UDP -i ! ${LAN} -d 0/0 --dport 0:1023 -j DROP
#iptables -I FORWARD -i ${LAN} -d 192.168.35.0/255.255.255.0 -j LOG --log-prefix DROP_LAN
#iptables -I FORWARD -i ${LAN} -d 192.168.35.0/255.255.255.0 -j DROP
iptables -A FORWARD -i ${LAN} -s 192.168.35.0/255.255.255.0 -j ACCEPT
iptables -A FORWARD -i ${WAN} -d 192.168.35.0/255.255.255.0 -j ACCEPT
iptables -t nat -A POSTROUTING -o ${WAN} -j MASQUERADE
iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -I FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -j LOG --log-prefix DROP_FORWARD

echo 1 > /proc/sys/net/ipv4/ip_forward
for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 1 > $f ; done

/etc/init.d/iptables save
/etc/init.d/iptables reload

This should log all dropped/rejected packets to the system log. This should at least make it clear which rule is causing the problem.

Post by ufoq » Fri Jul 27, 2007 9:32 am

Everything works now....

I don't know why, but I've had \boot folder on the main partition, to which I was installing kernel
After I saw no grub subfolder, I mounted \boot from real boot partition, installed kernel and voila...

I'm officially the most stupid person using Gentoo ;)

Rob1n - many thanx for your help, I owe you one.
Last edited by ufoq on Fri Jul 27, 2007 9:42 am, edited 1 time in total.

Post by Rob1n » Fri Jul 27, 2007 9:35 am

What are the results of "ls -l /boot" and "cat /boot/grub/grub.conf"?

Post by ufoq » Fri Jul 27, 2007 9:43 am

Rob1n wrote: What are the results of "ls -l /boot" and "cat /boot/grub/grub.conf"?

Already thought of it. It was the clue.

Post by Rob1n » Fri Jul 27, 2007 9:48 am

ufoq wrote:Everything works now....

I don't know why, but I've had \boot folder on the main partition, to which I was installing kernel
After I saw no grub subfolder, I mounted \boot from real boot partition, installed kernel and voila...

I'm officially the most stupid person using Gentoo ;)

Rob1n - many thanx for your help, I owe you one.
Hehe - don't worry, I've done the same thing myself many times (and forgotten to mount the /boot partition before emerging a grub update).
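
The root cause found at the end of this thread can be checked mechanically. The shell sketch below is an added example, not part of the original posts: it extracts the module names from "exports duplicate symbol ... (owned by kernel)" log lines and checks whether a /boot entry declared in fstab is missing from the mount table. The function names, the sample fstab and the sample mount table are constructed assumptions; the two duplicate-symbol lines are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example: triage for "exports duplicate symbol ... (owned by kernel)".
# Sample file contents below are constructed, not taken from the poster's machine.

# Print each module the kernel refused because it already owns that symbol.
duplicate_symbol_modules() {   # kernel log text on stdin
    awk '/exports duplicate symbol/ && /\(owned by kernel\)/ {
        for (i = 2; i <= NF; i++)
            if ($i == "exports") { m = $(i - 1); sub(/:$/, "", m); print m }
    }' | sort -u
}

# True if a file in fstab or /proc/mounts layout has an entry for mount point $2.
has_mountpoint() {
    awk -v mp="$2" '$1 !~ /^#/ && $2 == mp { found = 1 } END { exit !found }' "$1"
}

# Prints none (no separate /boot declared), mounted, or unmounted.
boot_mount_state() {           # $1 = fstab, $2 = mounts
    if ! has_mountpoint "$1" /boot; then echo none
    elif has_mountpoint "$2" /boot; then echo mounted
    else echo unmounted
    fi
}

diagnose() {                   # $1 = kernel log, $2 = fstab, $3 = mounts
    mods=$(duplicate_symbol_modules < "$1" | tr '\n' ' ')
    mods=${mods% }
    [ -n "$mods" ] || { echo "ok"; return 0; }
    case $(boot_mount_state "$2" "$3") in
        # The new image probably went to the /boot directory on the root
        # filesystem, so the bootloader is still starting the old kernel.
        unmounted) echo "boot-not-mounted: $mods" ;;
        # /boot is fine: suspect leftover .ko files or a bootloader entry
        # that points at an older image.
        *)         echo "stale-modules: $mods" ;;
    esac
}

make_samples() {               # $1 = directory for the constructed sample files
    cat > "$1/kernel.log" <<'EOF'
eth0: link up, 100Mbps, full-duplex
x_tables: exports duplicate symbol xt_free_table_info (owned by kernel)
ip_tables: exports duplicate symbol ipt_do_table (owned by kernel)
EOF
    cat > "$1/fstab" <<'EOF'
# <fs>     <mountpoint> <type> <opts>          <dump/pass>
/dev/hda1  /boot        ext2   noauto,noatime  1 2
/dev/hda3  /            ext3   noatime         0 1
EOF
    cat > "$1/mounts" <<'EOF'
rootfs / rootfs rw 0 0
/dev/hda3 / ext3 rw,noatime 0 0
proc /proc proc rw 0 0
EOF
}

tmp=$(mktemp -d)
make_samples "$tmp"
diagnose "$tmp/kernel.log" "$tmp/fstab" "$tmp/mounts"
rm -rf "$tmp"
```

On a live system the same functions take `dmesg` output saved to a file, `/etc/fstab` and `/proc/mounts` as their three inputs.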