* Re: [gentoo-user] Useless error messages from iptables-restore
From: waltdnes @ 2007-05-02 2:38 UTC
To: Gentoo Users List
On Tue, May 01, 2007 at 04:50:54PM -0400, waltdnes@waltdnes.org wrote:
> RTFM didn't find anything useful and I know the rules worked before.
> Help.
For what it's worth, I'm running linux-2.6.20-gentoo-r7 on the Dell.
I went and did it "the hard way". I started by commenting out almost
everything. Then I uncommented one chain at a time until I ran into an
error. Then I commented out one rule at the end until the error
disappeared. I found two sets of problems...
1) The working ruleset (on my main machine), starts off with...
*filter
:INPUT DROP
:FORWARD DROP
:OUTPUT DROP
:DROP_LOG
:ICMP_IN
:PRIVATE
:PRIVATE_LOG
:TCP_IN
:UDP_IN
:UNSOLICITED
Seems that the latest version does not like my own chains being
declared this way. I got rid of the first batch of errors by switching
the rules to...
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-F
-X
-N DROP_LOG
-N ICMP_IN
-N PRIVATE
-N PRIVATE_LOG
-N TCP_IN
-N UDP_IN
-N UNSOLICITED
The final remaining problem is with the 3 statements scattered
through the rules...
-A ICMP_IN -p icmp -m state --state NEW -j UNSOLICITED
-A TCP_IN -p tcp -m state --state NEW -m tcp -j UNSOLICITED
-A UDP_IN -p udp -m state --state NEW -j UNSOLICITED
This works on the main system, with a slightly older kernel. On the
Dell, running 2.6.20-r7, I have a whole bunch of stuff enabled in the
kernel, including...
[*] Network packet filtering framework (Netfilter) --->
<*> Netfilter Xtables support (required for ip_tables)
Core Netfilter Configuration --->
<*> Netfilter Xtables support (required for ip_tables)
<*> "conntrack" connection tracking match support
<*> "state" match support
IP: Netfilter Configuration --->
<*> IP tables support (required for filtering/masq/NAT)
<*> Packet filtering
In case someone's wondering... I don't want/need router
functionality. I don't want/need NATing functionality. I don't
want/need mangling or QOS or other fancy stuff. I just want a stinking
firewall. What is the minimum I need to enable to get the above 3
statements to work?
--
Walter Dnes <waltdnes@waltdnes.org> In linux /sbin/init is Job #1
Q. Mr. Ghandi, what do you think of Microsoft security?
A. I think it would be a good idea.
--
gentoo-user@gentoo.org mailing list
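The declaration problem in the post above (bare ":CHAIN" lines that the newer iptables-restore rejects, fixed by giving each chain a policy and counters or creating it with -N) is mechanical enough to check before running iptables-restore. The linter below is an added example, not code from the thread; the chain names and sample ruleset are constructed to mirror the post.

```python
# Added example (not from the thread): lint an iptables-restore file for the
# declaration problem described above, before handing it to iptables-restore.
import re

BUILTIN = {"filter": {"INPUT", "FORWARD", "OUTPUT"}}
TARGETS = {"ACCEPT", "DROP", "REJECT", "RETURN", "LOG", "QUEUE"}
# A declaration is ":NAME POLICY [packets:bytes]"; user chains use "-" as policy.
CHAIN_RE = re.compile(r"^:(\S+) (ACCEPT|DROP|-) \[\d+:\d+\]$")

def lint_restore(text):
    """Return a list of problems found in an iptables-restore ruleset (empty == OK)."""
    problems, chains, table, committed = [], set(), None, False
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] == "#":
            continue
        if line[0] == "*":                       # "*filter": start of a table section
            table, chains, committed = line[1:], set(BUILTIN.get(line[1:], ())), False
            continue
        if line == "COMMIT":
            committed = True
            continue
        if line[0] == ":":                       # chain declaration
            name = line[1:].split()[0]
            chains.add(name)                     # record it so later rules do not cascade
            if not CHAIN_RE.match(line):         # bare ":DROP_LOG"; fix: ":DROP_LOG - [0:0]" or "-N DROP_LOG"
                problems.append(f"line {n}: chain '{name}' declared without policy/counters")
            elif name not in BUILTIN.get(table, ()) and line.split()[1] != "-":
                problems.append(f"line {n}: user chain '{name}' cannot carry a policy")
            continue
        parts = line.split()
        if parts[0] == "-N" and len(parts) == 2: # explicit chain creation, as in the fixed ruleset
            chains.add(parts[1])
        elif parts[0] in ("-A", "-I", "-D") and len(parts) > 1:
            if parts[1] not in chains:
                problems.append(f"line {n}: rule for undeclared chain '{parts[1]}'")
            if "-j" in parts[:-1]:
                target = parts[parts.index("-j") + 1]
                if target not in TARGETS and target not in chains:
                    problems.append(f"line {n}: jump to unknown target '{target}'")
    if table and not committed:
        problems.append(f"table '{table}' has no COMMIT line")
    return problems

# Constructed sample in the shape of the first post: a bare ":DROP_LOG" declaration.
OLD_STYLE = """*filter
:INPUT DROP [0:0]
:DROP_LOG
-A INPUT -j DROP_LOG
-A DROP_LOG -j LOG
COMMIT
"""
```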
* Re: [gentoo-user] Useless error messages from iptables-restore
From: Benno Schulenberg @ 2007-05-02 8:43 UTC
To: gentoo-user
waltdnes@waltdnes.org wrote:
> The final remaining problem is with the 3 statements scattered
> through the rules...
>
> -A ICMP_IN -p icmp -m state --state NEW -j UNSOLICITED
> -A TCP_IN -p tcp -m state --state NEW -m tcp -j UNSOLICITED
> -A UDP_IN -p udp -m state --state NEW -j UNSOLICITED
The "-m tcp" is a typo, yes?
The setting you might be missing is CONFIG_NF_CONNTRACK_IPV4=y.
Grep through your .config and compare:
# grep ^CONF /usr/src/linux/.config | grep -e _NF -e NETFILTER
CONFIG_NETFILTER=y
CONFIG_NETFILTER_DEBUG=y
CONFIG_NF_CONNTRACK_ENABLED=y
CONFIG_NF_CONNTRACK_SUPPORT=y
CONFIG_NF_CONNTRACK=y
CONFIG_NETFILTER_XTABLES=y
CONFIG_NETFILTER_XT_TARGET_NFLOG=y
CONFIG_NETFILTER_XT_MATCH_MULTIPORT=y
CONFIG_NETFILTER_XT_MATCH_STATE=y
CONFIG_NF_CONNTRACK_IPV4=y
CONFIG_NF_CONNTRACK_PROC_COMPAT=y
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_FILTER=y
CONFIG_IP_NF_TARGET_LOG=y
CONFIG_NF_NAT=y
CONFIG_NF_NAT_NEEDED=y
CONFIG_IP_NF_TARGET_MASQUERADE=y
Benno
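The grep-and-compare step in the reply above can be automated: derive the kernel options a ruleset needs from the tables, matches and targets it uses, then check them against a .config. This is an added example, not code from the thread; the feature-to-option mapping uses the CONFIG_ names quoted in the reply (2.6.20-era names), and the ruleset and .config samples are constructed.

```python
# Added example (not from the thread): derive the kernel options a ruleset needs
# and compare them with a .config, the check suggested in the reply above.
import re

# Feature -> kernel options, using the CONFIG_ names from the reply above (2.6.20-era
# nf_conntrack names). The IPv4 conntrack entry under "-m state" is the suspect one.
NEEDS = {
    "*filter": ["CONFIG_NETFILTER", "CONFIG_NETFILTER_XTABLES", "CONFIG_IP_NF_IPTABLES", "CONFIG_IP_NF_FILTER"],
    "-m state": ["CONFIG_NETFILTER_XT_MATCH_STATE", "CONFIG_NF_CONNTRACK", "CONFIG_NF_CONNTRACK_IPV4"],
    "-j LOG": ["CONFIG_IP_NF_TARGET_LOG"],
}
CONFIG_RE = re.compile(r"^(CONFIG_\w+)=(y|m)$")

def parse_config(text):
    """Map CONFIG_* -> 'y'/'m' for enabled options; '# ... is not set' lines are skipped."""
    return {m.group(1): m.group(2) for m in map(CONFIG_RE.match, text.splitlines()) if m}

def required_options(ruleset):
    """Options implied by the tables, matches and targets the ruleset actually uses."""
    need = set()
    for line in ruleset.splitlines():
        for feature, opts in NEEDS.items():
            if feature in " ".join(line.split()):    # normalise whitespace before matching
                need.update(opts)
    return need

def check_kernel_support(ruleset, config_text):
    """Return (missing, modules): options not built at all, and ones built as modules."""
    enabled = parse_config(config_text)
    need = required_options(ruleset)
    missing = sorted(o for o in need if o not in enabled)
    modules = sorted(o for o in need if enabled.get(o) == "m")  # must be loaded at restore time
    return missing, modules

# Constructed sample: the three rules from the first post, plus a .config in which
# conntrack is a module and its IPv4 part is off (one plausible reading of the symptoms).
SAMPLE_RULES = """*filter
-A ICMP_IN -p icmp -m state --state NEW -j UNSOLICITED
-A TCP_IN -p tcp -m state --state NEW -m tcp -j UNSOLICITED
-A UDP_IN -p udp -m state --state NEW -j UNSOLICITED
COMMIT
"""
SAMPLE_CONFIG = """CONFIG_NETFILTER=y
CONFIG_NETFILTER_XTABLES=y
CONFIG_NETFILTER_XT_MATCH_STATE=y
CONFIG_NF_CONNTRACK=m
# CONFIG_NF_CONNTRACK_IPV4 is not set
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_FILTER=y
"""
```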
* Re: [gentoo-user] Useless error messages from iptables-restore
From: Hans-Werner Hilse @ 2007-05-02 8:53 UTC
To: gentoo-user
Hi,
On Tue, 1 May 2007 22:38:27 -0400 waltdnes@waltdnes.org wrote:
> The final remaining problem is with the 3 statements scattered
> through the rules...
>
> -A ICMP_IN -p icmp -m state --state NEW -j UNSOLICITED
> -A TCP_IN -p tcp -m state --state NEW -m tcp -j UNSOLICITED
> -A UDP_IN -p udp -m state --state NEW -j UNSOLICITED
Hm, do your other rules use connection state matching?
> This works on the main system, with a slightly older kernel. On
> the Dell, running 2.6.20-r7, I have a whole bunch of stuff enabled in
> the kernel, including...
> [...]
I'd suggest enabling all netfilter options -- as modules. Then see
which of them are being loaded when you restore your rules, and trim
down your kernel configuration again accordingly.
My suspicion would be you're missing connection state matching support.
-hwh