[gentoo-user] iptables

[gentoo-user] iptables

[Dave]

Hello,
	I'm looking for a guide for iptables specifically for gentoo 2.6.
	I was also wondering if anyone was using apf "Advanced Policy
Firewall" on a gentoo 2008.0 2.6 machine?
Thanks.
Dave.

Re: [gentoo-user] iptables

[Marco]

Hi Dave,

this one is rather informative:

http://www.novell.com/coolsolutions/feature/18139.html

Also, this one from gentoo (although for 2.4) is worth reading:

http://www.gentoo.org/doc/en/articles/linux-24-stateful-fw-design.xml

HTH!

--
Regards,
 Marco



On Thu, Jul 16, 2009 at 5:32 AM, Dave<dave.mehler@gmail.com> wrote:
> Hello,
>        I'm looking for a guide for iptables specifically for gentoo 2.6.
>        I was also wondering if anyone was using apf "Advanced Policy
> Firewall" on a gentoo 2008.0 2.6 machine?
> Thanks.
> Dave.
>
>
>

Re: [gentoo-user] iptables

[Marco]

Maybe this thread could be helpful as well:

http://marc.info/?l=gentoo-user&m=124058693215810&w=2

--
Regards,
 Marco


On Thu, Jul 16, 2009 at 10:41 AM, Marco<listworks@gmail.com> wrote:
> Hi Dave,
>
> this one is rather informative:
>
> http://www.novell.com/coolsolutions/feature/18139.html
>
> Also, this one from gentoo (although for 2.4) is worth reading:
>
> http://www.gentoo.org/doc/en/articles/linux-24-stateful-fw-design.xml
>
> HTH!
>
> --
> Regards,
>  Marco
>
>
>
> On Thu, Jul 16, 2009 at 5:32 AM, Dave<dave.mehler@gmail.com> wrote:
>> Hello,
>>        I'm looking for a guide for iptables specifically for gentoo 2.6.
>>        I was also wondering if anyone was using apf "Advanced Policy
>> Firewall" on a gentoo 2008.0 2.6 machine?
>> Thanks.
>> Dave.
>>
>>
>>
>

Re: [gentoo-user] iptables

[Alejandro]

[-- Attachment #1: Type: text/plain, Size: 1029 bytes --]

2009/7/16 Marco <listworks@gmail.com>

> Maybe this thread could be helpful as well:
>
> http://marc.info/?l=gentoo-user&m=124058693215810&w=2
>
> --
> Regards,
>  Marco
>
>
> On Thu, Jul 16, 2009 at 10:41 AM, Marco<listworks@gmail.com> wrote:
> > Hi Dave,
> >
> > this one is rather informative:
> >
> > http://www.novell.com/coolsolutions/feature/18139.html
> >
> > Also, this one from gentoo (although for 2.4) is worth reading:
> >
> > http://www.gentoo.org/doc/en/articles/linux-24-stateful-fw-design.xml
> >
> > HTH!
> >
> > --
> > Regards,
> >  Marco
> >
> >
> >
> > On Thu, Jul 16, 2009 at 5:32 AM, Dave<dave.mehler@gmail.com> wrote:
> >> Hello,
> >>        I'm looking for a guide for iptables specifically for gentoo 2.6.
> >>        I was also wondering if anyone was using apf "Advanced Policy
> >> Firewall" on a gentoo 2008.0 2.6 machine?
> >> Thanks.
> >> Dave.
> >>
> >>
> >>
> >
>
>   I use APF, for all my desktop/servers with debian and gentoo, is quite
easy and works great. In 10' you have iptables running.

[-- Attachment #2: Type: text/html, Size: 1998 bytes --]

Re: [gentoo-user] iptables

[Nevynxxx]

[-- Attachment #1.1: Type: text/plain, Size: 718 bytes --]

Alejandro wrote:
>
>     > On Thu, Jul 16, 2009 at 5:32 AM, Dave<dave.mehler@gmail.com
>     <mailto:dave.mehler@gmail.com>> wrote:
>     >> Hello,
>     >>        I'm looking for a guide for iptables specifically for
>     gentoo 2.6.
>     >>        I was also wondering if anyone was using apf "Advanced
>     Policy
>     >> Firewall" on a gentoo 2008.0 2.6 machine?
>     >> Thanks.
>     >> Dave.
>     >>
>     >>
>     >>
>     >
>
>   I use APF, for all my desktop/servers with debian and gentoo, is
> quite easy and works great. In 10' you have iptables running.

I tend to just use webmin. Emerge iptables, emerge webmin, and get a
nice easy to follow GUI that sets up the iptables.


[-- Attachment #1.2: Type: text/html, Size: 1447 bytes --]

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 261 bytes --]

[gentoo-user] Re: iptables

[James]

Alejandro <elcorreodeale <at> gmail.com> writes:



>   I use APF, for all my desktop/servers with debian and gentoo, 
> is quite easy and works great. In 10' you have iptables running.

Interesting. I usually hack my rule by hand, as I like to learn
as much about iptables and the ever changing kernel interaction
issues. Particularly, I'm experimenting with embedded and very
light weight fire hardware (586 processors).


Do you think APF will allow me to use it's front end (gui) to build
the raw iptable files and then go into them manually, make
edits and changes, and load them manually onto a variety of 
light_weight linux servers and firewall.


Most of the frontend (gui) systems to iptables, do not simple write
out, either the rules one needs.
/var/lib/iptables/rules-save file contains a form of the rules
or better yet, a front end that just generate raw rules in 
iptable format that I can read and add to my /etc script?


var/lib/iptables/rules-save 
first few  rules looks like this:


:INPUT DROP [44:2925]
:FORWARD ACCEPT [117727109:41814106432]
:OUTPUT ACCEPT [75971:11854908]
[8913:443731] -A INPUT -p tcp -m tcp --dport 445 -j DROP
[2629:133240] -A INPUT -p tcp -m tcp --dport 139 -j DROP
[9578:481396] -A INPUT -p tcp -m tcp --dport 135 -j DROP
[1174:49600] -A INPUT -p tcp -m tcp --dport 1433 -j DROP
[23160:1195298] -A INPUT -p tcp -m tcp --dport 25 -j DROP
[198:9532] -A INPUT -p tcp -m tcp --dport 4899 -j DROP
[160198:18547126] -A INPUT -i ! eth2 -j ACCEPT



The corresponding rules from my script look like this:

iptables="/sbin/iptables"   
iptables -F
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
iptables -X
$iptables --flush
$iptables -t nat --flush
$iptables -t mangle --flush
$iptables -X
$iptables -t nat -X
$iptables -t mangle -X
$iptables --policy INPUT   ACCEPT
$iptables --policy OUTPUT  ACCEPT
$iptables --policy FORWARD ACCEPT
$iptables -t nat --policy PREROUTING  ACCEPT
$iptables -t nat --policy OUTPUT ACCEPT
$iptables -t nat --policy POSTROUTING ACCEPT
$iptables -t mangle --policy PREROUTING ACCEPT
$iptables -t mangle --policy OUTPUT ACCEPT


Im looking for a gui front end to iptables that generates
the rules in a format you can put directly into a script.

Does ADF do this?

Any other package?


James

[gentoo-user] IPTABLES

[siefke_listen]

[-- Attachment #1: Type: text/plain, Size: 495 bytes --]

Hello,

i try to run iptables, block bad ips and close the system. 

I want run firewall which block all INPUT, only ALLOW services i defined.
Ipset want to use to block spam ips, make it sure awesome as ever set rules 
manuell.

Im not so sure is okay, i has try and read but at end often i kick me out
from rootserver. So better ask what say profis of Gentoo. 

The Firewall Script > http://pastebin.com/b3305i41


Thank you for help & Nice Day
----------------
Silvio Siefke

[-- Attachment #2: Type: application/pgp-signature, Size: 473 bytes --]

Re: [gentoo-user] IPTABLES

[Andrew Savchenko]

[-- Attachment #1: Type: text/plain, Size: 2284 bytes --]

Hi,

On Tue, 22 Dec 2015 22:45:12 +0100 siefke_listen@web.de wrote:
> i try to run iptables, block bad ips and close the system. 
> 
> I want run firewall which block all INPUT, only ALLOW services i defined.
> Ipset want to use to block spam ips, make it sure awesome as ever set rules 
> manuell.
> 
> Im not so sure is okay, i has try and read but at end often i kick me out
> from rootserver. So better ask what say profis of Gentoo. 
> 
> The Firewall Script > http://pastebin.com/b3305i41

I recommend you to read a good tutorial first, e.g. this one:
https://www.frozentux.net/iptables-tutorial/iptables-tutorial.html

It is a bit old and isn't an ultimate description of all
iptables features (you have manuals for that), but will give you a
good understanding of how packet flow works and how they should be
processed.

I see three main problems with your current rules:

1. ESTABLISHED,RELATED packets are not accepted in the INPUT. You
will have legitimate traffic blocked because of that.

2. Rules are vulnerable to SYN/ACK attack (see manual above on how
to fix this). FORWARDed traffic is not protected at all (are tun+
interfaces completely trusted?).

3. Rules are far from being optimal, e.g. instead of having many
enrtries for each accepted port, you can write just two rules
using multiport target: one for tcp and another one for udp. These
way your rules will be much faster. Also you should consider proper
ordering of rules: those with higher hit rate should go first if
this doesn't impact security scheme.

There are minor issues of course, like blacklist check late on the
rules (it should come one of the first, otherwise blacklisted hosts
will be allowed to connect your open services).

For remote debugging I recommend a small script like:
./iptables-current; sleep 1m; iptables-good

where iptables-current is the script with your current rules you
want to test and iptables-good are tested rules which work for you.
This way if you'll screw up with current rules and remote control
well be lost, in a minute good old rules will be applied. Of
course, you should terminate this command with ^C if new rules are
good, so that old ones will not be fired in a minute.

Best regards,
Andrew Savchenko

[-- Attachment #2: Type: application/pgp-signature, Size: 819 bytes --]

Re: [gentoo-user] IPTABLES

[siefke_listen]

[-- Attachment #1: Type: text/plain, Size: 431 bytes --]

Hello,

On Thu, 24 Dec 2015 15:11:55 +0300 Andrew Savchenko
<bircoph@gentoo.org> wrote:

> ...
> It is a bit old and isn't an ultimate description of all
> iptables features (you have manuals for that), but will give you a
> good understanding of how packet flow works and how they should be
> processed.
> ...

thank you for your information, now i know more where i am. 


Silvio
----------------
Silvio Siefke

[-- Attachment #2: Type: application/pgp-signature, Size: 473 bytes --]

Re: [gentoo-user] IPTABLES

[lee]

"siefke_listen@web.de" <siefke_listen@web.de> writes:

> Hello,
>
> i try to run iptables, block bad ips and close the system. 
>
> I want run firewall which block all INPUT, only ALLOW services i defined.
> Ipset want to use to block spam ips, make it sure awesome as ever set rules 
> manuell.

After reading a good iptables tutorial, you may want to take a look at
shorewall and it's documentation.

If you're referring to IP addresses from which you receive emails that
are spam, I'd recommend getting familiar with exim and perhaps
spamassassin.  For extreme cases, you might want to use something like
fail2ban.

[gentoo-user] Iptables

[Fabrício L. Ribeiro]

How can I install and run iptables (with conntrack and all other
modules) in a Gentoo 2006.1 box with kernel generated by genkernel?

I tried "emerge iptables", but when I type "iptables -F" I get
something like this:

FATAL: Module ip_tables not found.
iptables v1.3.5: can't initialize iptables table `filter': iptables
who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.

Thanks!

-- 
FABRÍCIO L. RIBEIRO

-- 
gentoo-user@gentoo.org mailing list

Re: [gentoo-user] Iptables

[Daniel Pielmeier]

> How can I install and run iptables (with conntrack and all other
> modules) in a Gentoo 2006.1 box with kernel generated by genkernel?
>
> I tried "emerge iptables", but when I type "iptables -F" I get
> something like this:
>
> FATAL: Module ip_tables not found.
> iptables v1.3.5: can't initialize iptables table `filter': iptables
> who? (do you need to insmod?)
> Perhaps iptables or your kernel needs to be upgraded.

Hm, did you start the iptables init-script, i think it loads the
necessary modules!
-- 
gentoo-user@gentoo.org mailing list

RE: [gentoo-user] Iptables

[Nelson, David (ED, PAR&D)]

>-----Original Message-----
>From: Fabrício L. Ribeiro [mailto:flribeiro@gmail.com]
>Sent: 18 January 2007 15:59
>To: gentoo-user@lists.gentoo.org
>Subject: [gentoo-user] Iptables
>
>
>How can I install and run iptables (with conntrack and all other
>modules) in a Gentoo 2006.1 box with kernel generated by genkernel?
>
>I tried "emerge iptables", but when I type "iptables -F" I get
>something like this:
>
>FATAL: Module ip_tables not found.
>iptables v1.3.5: can't initialize iptables table `filter': iptables
>who? (do you need to insmod?)
>Perhaps iptables or your kernel needs to be upgraded.
>
>Thanks!

http://gentoo-wiki.com/HOWTO_Iptables_for_newbies

That is the *first* result if you google for 'Gentoo Iptables'.
http://www.google.co.uk/search?q=gentoo+iptables&ie=utf-8&oe=utf-8&rls=org.mozilla:en-GB:official&client=firefox-a

djn

-- 
gentoo-user@gentoo.org mailing list

Re: [gentoo-user] Iptables

[Alan McKinnon]

On Thursday 18 January 2007 17:58, Fabrício L. Ribeiro wrote:
> How can I install and run iptables (with conntrack and all other
> modules) in a Gentoo 2006.1 box with kernel generated by genkernel?
>
> I tried "emerge iptables", but when I type "iptables -F" I get
> something like this:
>
> FATAL: Module ip_tables not found.
> iptables v1.3.5: can't initialize iptables table `filter': iptables
> who? (do you need to insmod?)
> Perhaps iptables or your kernel needs to be upgraded.

genkernel uses a standard .config the first time you use it on a kernel 
version. In the kernel sources, all the netfilter options are disabled 
by default, and you MUST enable them via menuconfig.

Did you perhaps omit this step?

alan


-- 
gentoo-user@gentoo.org mailing list

Re: [gentoo-user] Iptables

[Pete Pardoe]

[-- Attachment #1: Type: text/plain, Size: 1145 bytes --]

Alan

IPTables support must be compiled into the kernel.  I am not in front of my
gentoo system so cannot help you find the location in "make menuconfig"  but
if you poke around you should be able to locate it.

Pete

On 1/19/07, Alan McKinnon <alan@linuxholdings.co.za> wrote:
>
> On Thursday 18 January 2007 17:58, Fabrício L. Ribeiro wrote:
> > How can I install and run iptables (with conntrack and all other
> > modules) in a Gentoo 2006.1 box with kernel generated by genkernel?
> >
> > I tried "emerge iptables", but when I type "iptables -F" I get
> > something like this:
> >
> > FATAL: Module ip_tables not found.
> > iptables v1.3.5: can't initialize iptables table `filter': iptables
> > who? (do you need to insmod?)
> > Perhaps iptables or your kernel needs to be upgraded.
>
> genkernel uses a standard .config the first time you use it on a kernel
> version. In the kernel sources, all the netfilter options are disabled
> by default, and you MUST enable them via menuconfig.
>
> Did you perhaps omit this step?
>
> alan
>
>
> --
> gentoo-user@gentoo.org mailing list
>
>


-- 
Pete Pardoe

[-- Attachment #2: Type: text/html, Size: 1579 bytes --]

Re: [gentoo-user] Iptables

[Fabrício L. Ribeiro]

People,

The response is in Nelson's mail.

Thanks Nelson and thanks to all.

On 1/19/07, Pete Pardoe <pete.pardoe@gmail.com> wrote:
> Alan
>
> IPTables support must be compiled into the kernel.  I am not in front of my
> gentoo system so cannot help you find the location in "make menuconfig"  but
> if you poke around you should be able to locate it.
>
> Pete
>
>
> On 1/19/07, Alan McKinnon <alan@linuxholdings.co.za> wrote:
> > On Thursday 18 January 2007 17:58, Fabrício L. Ribeiro wrote:
> > > How can I install and run iptables (with conntrack and all other
> > > modules) in a Gentoo 2006.1 box with kernel generated by genkernel?
> > >
> > > I tried "emerge iptables", but when I type "iptables -F" I get
> > > something like this:
> > >
> > > FATAL: Module ip_tables not found.
> > > iptables v1.3.5: can't initialize iptables table `filter': iptables
> > > who? (do you need to insmod?)
> > > Perhaps iptables or your kernel needs to be upgraded.
> >
> > genkernel uses a standard .config the first time you use it on a kernel
> > version. In the kernel sources, all the netfilter options are disabled
> > by default, and you MUST enable them via menuconfig.
> >
> > Did you perhaps omit this step?
> >
> > alan
> >
> >
> > --
> > gentoo-user@gentoo.org mailing list
> >
> >
>
>
>
> --
> Pete Pardoe


-- 
FABRÍCIO L. RIBEIRO
===================
[icq: 66770900]
[e-mail, gtalk e msn: flribeiro@gmail.com]
[blog: http://opalavrorio.blogspot.com]

-- 
gentoo-user@gentoo.org mailing list

[gentoo-user] iptables

[John Dangler]

I emerged firestarter (during which I got iptables), and forgot that I
didn't have iptables emerged prior.  I went into the kernel and selected (as
the doc I found suggests) all of the options as modules under iptables. (The
doc also says that if they are compiled as modules, I didn't need to
reboot).
I did add iptables to /etc/modules.autoload.d/kernel-2.6 (for subsequent
rebooting).

modprobe ip_tables results in:
FATAL: Error inserting ip_tables
(/lib/modules/2.6.12-gentoo-r9/kernel/net/ipv4/netfilter/ip_tables.ko):
Unknown symbol in module, or unknown parameter.

dmesg produces - 
ip_tables: disagrees about version of symbol skb_copy_files
ip_tables: Unknow symbol skb_copy_bits
ip_tables: Unknown symbol nf_register_sockopt
ip_tables: ip_tables: Unknown symbol nf_unregister_sockopt
ip_tables: Unknown symbol nf_unregister_sockopt

(I just found another doc that says to ONLY modprobe IF you haven't built
this as a module)
DOH!

I went back into the kernel config and removed all but the essential options
for iptables... (just iptables module) and rebuilt the kernel

A reboot (aside from losing my wireless), produced an error on boot loading
iptables.
no other text in dmesg points to the problem.

John D




-- 
gentoo-user@gentoo.org mailing list

Re: [gentoo-user] iptables

[Holly Bostick]

John Dangler schreef:
> I emerged firestarter (during which I got iptables), and forgot that I
> didn't have iptables emerged prior.  I went into the kernel and selected (as
> the doc I found suggests) 


Oh, John, to hell with "the doc you found" (which look to be from the
Wiki). No offense to the wiki (or to you), but you're really
overcomplicating this. You're probably better off with the Firestarter
docs found here

http://www.fs-security.com/docs/kernel.php

which are complete, and clear, and designed to work with the Firestarter
front end.... you know, "official docs"...? :)


Holly
-- 
gentoo-user@gentoo.org mailing list

RE: [gentoo-user] iptables

[John Dangler]

Holly~
The Firestarter kernel requirements doc says - 

*Device drivers 
	*Networking support [y]
		*Networking support 
			*Networking options 
				*Network packet filtering [y]
					*Network packet filtering 
						IP: Netfilter Configuration
(*)

"We recommend you enable _everything_ except ipchains support and ipfwadm
support as modules under this menu"

In case I did something out to bork this myself, I'm going to unmerge
firestarter and iptables, rebuild the kernel into the state it was before
this started (genkernel --kernel-config=my.old.config all), emerge iptables
(instead of letting firestarter emerge do it), make sure that iptables loads
up ok, then emerge firestarter and configure it.  That way, I can be sure
that it's not me just getting in a hurry to install a package...


John Dangler
GenoFit
800-505-4078 (Corporate)
386-767-3730 (Direct)
866-273-0408 (Fax)
www.genofit.com
jdangler@genofit.com
 

-----Original Message-----
From: Holly Bostick [mailto:motub@planet.nl] 
Sent: Monday, August 29, 2005 9:32 PM
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] iptables

John Dangler schreef:
> I emerged firestarter (during which I got iptables), and forgot that I
> didn't have iptables emerged prior.  I went into the kernel and selected
(as
> the doc I found suggests) 


Oh, John, to hell with "the doc you found" (which look to be from the
Wiki). No offense to the wiki (or to you), but you're really
overcomplicating this. You're probably better off with the Firestarter
docs found here

http://www.fs-security.com/docs/kernel.php

which are complete, and clear, and designed to work with the Firestarter
front end.... you know, "official docs"...? :)


Holly
-- 
gentoo-user@gentoo.org mailing list





-- 
gentoo-user@gentoo.org mailing list

RE: [gentoo-user] iptables

[John Dangler]

ok.  I got a clean kernel and removed iptables and firestarter. I then went
into the kernel config and _only_ turned on iptable support as a module, and
ran modules-update.  all looks ok.  Rebooting the kernel, however, I get
this in dmesg - 
ipw2100: disagrees about version of symbol per_cpu__softnet_data
ipw2100: no version for "ieee80211_get_crypto_ops" found: kernel tainted.
(a whole lot of these messages listing what appears to be every symbol in
the ipw2100 module)...
then -
ieee80211: disagrees about version of symbol per_cpu__softnet_data
ieee80211: Unknown symbol per_cpu__softnet_data.
(a whole lot of these messages listing what appears to be every symbol in
the ieee80211 module)...
then -
ieee80211_crypt_wep: disagrees about version of symbol ___pskb_trim
ieee80211_crypt_wep: Unknown symbol ___pskb_trim.
(a whole lot of these messages listing what appears to be every symbol in
the ieee80211_crypt_wep module)...

It appears that the version of ipw2100 and/or ieee80211 in portage (stable)
clashes with the version of iptables in portage (stable).

So, either I can have wireless or security...

John D


-----Original Message-----
From: John Dangler [mailto:jdangler@atlantic.net] 
Sent: Monday, August 29, 2005 10:36 PM
To: gentoo-user@lists.gentoo.org
Subject: RE: [gentoo-user] iptables

Holly~
The Firestarter kernel requirements doc says - 

*Device drivers 
	*Networking support [y]
		*Networking support 
			*Networking options 
				*Network packet filtering [y]
					*Network packet filtering 
						IP: Netfilter Configuration
(*)

"We recommend you enable _everything_ except ipchains support and ipfwadm
support as modules under this menu"

In case I did something out to bork this myself, I'm going to unmerge
firestarter and iptables, rebuild the kernel into the state it was before
this started (genkernel --kernel-config=my.old.config all), emerge iptables
(instead of letting firestarter emerge do it), make sure that iptables loads
up ok, then emerge firestarter and configure it.  That way, I can be sure
that it's not me just getting in a hurry to install a package...


John Dangler
GenoFit
800-505-4078 (Corporate)
386-767-3730 (Direct)
866-273-0408 (Fax)
www.genofit.com
jdangler@genofit.com
 

-----Original Message-----
From: Holly Bostick [mailto:motub@planet.nl] 
Sent: Monday, August 29, 2005 9:32 PM
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] iptables

John Dangler schreef:
> I emerged firestarter (during which I got iptables), and forgot that I
> didn't have iptables emerged prior.  I went into the kernel and selected
(as
> the doc I found suggests) 


Oh, John, to hell with "the doc you found" (which look to be from the
Wiki). No offense to the wiki (or to you), but you're really
overcomplicating this. You're probably better off with the Firestarter
docs found here

http://www.fs-security.com/docs/kernel.php

which are complete, and clear, and designed to work with the Firestarter
front end.... you know, "official docs"...? :)


Holly
-- 
gentoo-user@gentoo.org mailing list





-- 
gentoo-user@gentoo.org mailing list





-- 
gentoo-user@gentoo.org mailing list

RE: [gentoo-user] iptables

[John Dangler]

yep. it's a bug.  As soon as I remove iptables from the kernel config,
ipw2100,ieee80211_crypt_tkip, ieee80211_crypt_ccmp, ieee80211_crypt_wep,
ieee80211 all show up fine in lsmod.  no dmesg errors, and eth1 (wireless)
shows up fine.  Off to bugz to log this.

John D
 

-----Original Message-----
From: John Dangler [mailto:jdangler@atlantic.net] 
Sent: Monday, August 29, 2005 11:36 PM
To: gentoo-user@lists.gentoo.org
Subject: RE: [gentoo-user] iptables

ok.  I got a clean kernel and removed iptables and firestarter. I then went
into the kernel config and _only_ turned on iptable support as a module, and
ran modules-update.  all looks ok.  Rebooting the kernel, however, I get
this in dmesg - 
ipw2100: disagrees about version of symbol per_cpu__softnet_data
ipw2100: no version for "ieee80211_get_crypto_ops" found: kernel tainted.
(a whole lot of these messages listing what appears to be every symbol in
the ipw2100 module)...
then -
ieee80211: disagrees about version of symbol per_cpu__softnet_data
ieee80211: Unknown symbol per_cpu__softnet_data.
(a whole lot of these messages listing what appears to be every symbol in
the ieee80211 module)...
then -
ieee80211_crypt_wep: disagrees about version of symbol ___pskb_trim
ieee80211_crypt_wep: Unknown symbol ___pskb_trim.
(a whole lot of these messages listing what appears to be every symbol in
the ieee80211_crypt_wep module)...

It appears that the version of ipw2100 and/or ieee80211 in portage (stable)
clashes with the version of iptables in portage (stable).

So, either I can have wireless or security...

John D


-----Original Message-----
From: John Dangler [mailto:jdangler@atlantic.net] 
Sent: Monday, August 29, 2005 10:36 PM
To: gentoo-user@lists.gentoo.org
Subject: RE: [gentoo-user] iptables

Holly~
The Firestarter kernel requirements doc says - 

*Device drivers 
	*Networking support [y]
		*Networking support 
			*Networking options 
				*Network packet filtering [y]
					*Network packet filtering 
						IP: Netfilter Configuration
(*)

"We recommend you enable _everything_ except ipchains support and ipfwadm
support as modules under this menu"

In case I did something out to bork this myself, I'm going to unmerge
firestarter and iptables, rebuild the kernel into the state it was before
this started (genkernel --kernel-config=my.old.config all), emerge iptables
(instead of letting firestarter emerge do it), make sure that iptables loads
up ok, then emerge firestarter and configure it.  That way, I can be sure
that it's not me just getting in a hurry to install a package...


John Dangler
GenoFit
800-505-4078 (Corporate)
386-767-3730 (Direct)
866-273-0408 (Fax)
www.genofit.com
jdangler@genofit.com
 

-----Original Message-----
From: Holly Bostick [mailto:motub@planet.nl] 
Sent: Monday, August 29, 2005 9:32 PM
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] iptables

John Dangler schreef:
> I emerged firestarter (during which I got iptables), and forgot that I
> didn't have iptables emerged prior.  I went into the kernel and selected
(as
> the doc I found suggests) 


Oh, John, to hell with "the doc you found" (which look to be from the
Wiki). No offense to the wiki (or to you), but you're really
overcomplicating this. You're probably better off with the Firestarter
docs found here

http://www.fs-security.com/docs/kernel.php

which are complete, and clear, and designed to work with the Firestarter
front end.... you know, "official docs"...? :)


Holly
-- 
gentoo-user@gentoo.org mailing list





-- 
gentoo-user@gentoo.org mailing list





-- 
gentoo-user@gentoo.org mailing list





-- 
gentoo-user@gentoo.org mailing list

Re: [gentoo-user] iptables

[Hans-Werner Hilse]

Hi,

On Tue, 30 Aug 2005 00:54:47 -0400
"John Dangler" <jdangler@atlantic.net> wrote:

> yep. it's a bug.  As soon as I remove iptables from the kernel config,
> ipw2100,ieee80211_crypt_tkip, ieee80211_crypt_ccmp, ieee80211_crypt_wep,
> ieee80211 all show up fine in lsmod.  no dmesg errors, and eth1 (wireless)
> shows up fine.  Off to bugz to log this.

Nah, it isn't a bug. That incorporation of netfilter into the kernel
changes some internal structs, i guess. So you need to recompile your
other modules (ipw2100 and fellows - at least the network-dependent)
for the new kernel. That's all pretty normal.

-hwh
-- 
gentoo-user@gentoo.org mailing list

Re: [gentoo-user] iptables

[Holly Bostick]

John Dangler schreef:
> Holly~ The Firestarter kernel requirements doc says -
> 
> *Device drivers *Networking support [y] *Networking support 
> *Networking options *Network packet filtering [y] *Network packet
> filtering IP: Netfilter Configuration (*)
> 
> "We recommend you enable _everything_ except ipchains support and
> ipfwadm support as modules under this menu"

I never read this as meaning that everything should be selected, but
rather that everything that you select under this menu, other than
ipchains support and ipfwadm, should be selected as a module rather than
static. But even then, they further explain that this is mostly to save
size and memory in the kernel, rather than some actual necessity.

And of course, the docs further say
> At the very least, the Connection tracking, IP tables, Connection
> state match support, Connection tracking match support, Packet
> filtering, Full NAT and the LOG target support


My config looks like this:

CONFIG_IP_NF_CONNTRACK=y
# CONFIG_IP_NF_CT_ACCT is not set
# CONFIG_IP_NF_CONNTRACK_MARK is not set
# CONFIG_IP_NF_CT_PROTO_SCTP is not set
# CONFIG_IP_NF_FTP is not set
# CONFIG_IP_NF_IRC is not set
# CONFIG_IP_NF_TFTP is not set
# CONFIG_IP_NF_AMANDA is not set
CONFIG_IP_NF_QUEUE=y
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_MATCH_LIMIT=y
CONFIG_IP_NF_MATCH_IPRANGE=y
CONFIG_IP_NF_MATCH_MAC=y
CONFIG_IP_NF_MATCH_PKTTYPE=y
CONFIG_IP_NF_MATCH_MARK=y
CONFIG_IP_NF_MATCH_MULTIPORT=y
CONFIG_IP_NF_MATCH_TOS=y
CONFIG_IP_NF_MATCH_RECENT=y
CONFIG_IP_NF_MATCH_ECN=y
CONFIG_IP_NF_MATCH_DSCP=y
CONFIG_IP_NF_MATCH_AH_ESP=y
CONFIG_IP_NF_MATCH_LENGTH=y
CONFIG_IP_NF_MATCH_TTL=y
CONFIG_IP_NF_MATCH_TCPMSS=y
CONFIG_IP_NF_MATCH_HELPER=y
CONFIG_IP_NF_MATCH_STATE=y
CONFIG_IP_NF_MATCH_CONNTRACK=y
CONFIG_IP_NF_MATCH_OWNER=y
# CONFIG_IP_NF_MATCH_ADDRTYPE is not set
# CONFIG_IP_NF_MATCH_REALM is not set
# CONFIG_IP_NF_MATCH_SCTP is not set
# CONFIG_IP_NF_MATCH_COMMENT is not set
# CONFIG_IP_NF_MATCH_HASHLIMIT is not set
CONFIG_IP_NF_FILTER=y
CONFIG_IP_NF_TARGET_REJECT=y
CONFIG_IP_NF_TARGET_LOG=y
CONFIG_IP_NF_TARGET_ULOG=y
CONFIG_IP_NF_TARGET_TCPMSS=y
CONFIG_IP_NF_NAT=y
CONFIG_IP_NF_NAT_NEEDED=y
CONFIG_IP_NF_TARGET_MASQUERADE=y
CONFIG_IP_NF_TARGET_REDIRECT=y
CONFIG_IP_NF_TARGET_NETMAP=y
CONFIG_IP_NF_TARGET_SAME=y
# CONFIG_IP_NF_NAT_SNMP_BASIC is not set
CONFIG_IP_NF_MANGLE=y
CONFIG_IP_NF_TARGET_TOS=y
CONFIG_IP_NF_TARGET_ECN=y
CONFIG_IP_NF_TARGET_DSCP=y
CONFIG_IP_NF_TARGET_MARK=y
CONFIG_IP_NF_TARGET_CLASSIFY=y
CONFIG_IP_NF_RAW=m
CONFIG_IP_NF_TARGET_NOTRACK=m
CONFIG_IP_NF_ARPTABLES=y
CONFIG_IP_NF_ARPFILTER=y
CONFIG_IP_NF_ARP_MANGLE=y

As you see, I haven't even followed the instructions properly (all this
stuff is static), but, as the docs also say it will, Firestarter seems
to work fine (because all the 'required elements' are enabled.

Maybe I'll go back through make menuconfig and clean that all up, just
so I know what I'm doing in future. But afaik, I just left the kernel
defaults in place (as about all I know about these settings is that 1)
I'm not using ipv6, and 2) anything that is needed for a router I don't
need, because I'm not a router :) ).

It rather sounds like Hans-Werner is onto something; often, when you
change your kernel configuration, you have to rebuild any external
modules against the new base, which you don't seem to have done.
Otherwise the external module thinks that functions are available that
it has to modprobe (because the functionality has changed from static to
module), and vice versa (if the functionality has changed from module to
static).

If I reconfigure my kernel to modify a sound module, then no, I don't
have to re-emerge the ati-drivers (because the kernel change is
irrelevant to the external module), but the same wouldn't be true if I
changed /dev/agpgart from static to a module.

In this case, you certainly are changing kernel options relevant to the
external modules, so those would have to be re-emerged against the new
kernel congiguration.

HTH,
Holly



-- 
gentoo-user@gentoo.org mailing list

Re: [gentoo-user] iptables

[Neil Bothwick]

[-- Attachment #1: Type: text/plain, Size: 628 bytes --]

On Tue, 30 Aug 2005 11:43:26 +0200, Holly Bostick wrote:

> > "We recommend you enable _everything_ except ipchains support and
> > ipfwadm support as modules under this menu"
> 
> I never read this as meaning that everything should be selected, but
> rather that everything that you select under this menu, other than
> ipchains support and ipfwadm, should be selected as a module rather than
> static.

That interpretation would also mean that you should enable ipchains as
static, something you wouldn't want. But it is a highly ambiguous
statement.


-- 
Neil Bothwick

The best antiques are old friends.

[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]

RE: [gentoo-user] iptables

[John Dangler]

Nick~
Would your consensus also agree with Hans-Werner's on this?
The problem was (posted earlier) that having ipw2100/ieee80211 compiled in
and then adding iptables to the kernel caused the wireless to go south on a
reboot.
>> That incorporation of netfilter into the kernel changes some internal 
>> structs, i guess. So you need to recompile your other modules (ipw2100
>> and fellows - at least the network-dependent) for the new kernel.

I'd like to get this running, so I can setup firestarter on my laptop.

Thanks for your input.

John D 

-----Original Message-----
From: Neil Bothwick [mailto:neil@digimed.co.uk] 
Sent: Tuesday, August 30, 2005 5:56 AM
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] iptables

On Tue, 30 Aug 2005 11:43:26 +0200, Holly Bostick wrote:

> > "We recommend you enable _everything_ except ipchains support and
> > ipfwadm support as modules under this menu"
> 
> I never read this as meaning that everything should be selected, but
> rather that everything that you select under this menu, other than
> ipchains support and ipfwadm, should be selected as a module rather than
> static.

That interpretation would also mean that you should enable ipchains as
static, something you wouldn't want. But it is a highly ambiguous
statement.


-- 
Neil Bothwick

The best antiques are old friends.


-- 
gentoo-user@gentoo.org mailing list

Re: [gentoo-user] iptables

[W.Kenworthy]

iptables has an "extensions" use flag which you may or may not need
depending on what the firestarter scripts do.

After installing modules, you need to run modules-update to get the
modules database sorted out.  This may fix the symbol error.  In some
cases, you need to reboot into the new kernel as the symbols in the
running kernel and new modules may be out of sync.

BillK




On Mon, 2005-08-29 at 19:44 -0400, John Dangler wrote:
> I emerged firestarter (during which I got iptables), and forgot that I
> didn't have iptables emerged prior.  I went into the kernel and selected (as
> the doc I found suggests) all of the options as modules under iptables. (The
> doc also says that if they are compiled as modules, I didn't need to
> reboot).
> I did add iptables to /etc/modules.autoload.d/kernel-2.6 (for subsequent
> rebooting).
> 
> modprobe ip_tables results in:
> FATAL: Error inserting ip_tables
> (/lib/modules/2.6.12-gentoo-r9/kernel/net/ipv4/netfilter/ip_tables.ko):
> Unknown symbol in module, or unknown parameter.
> 
> dmesg produces - 
> ip_tables: disagrees about version of symbol skb_copy_files
> ip_tables: Unknow symbol skb_copy_bits
> ip_tables: Unknown symbol nf_register_sockopt
> ip_tables: ip_tables: Unknown symbol nf_unregister_sockopt
> ip_tables: Unknown symbol nf_unregister_sockopt
> 
> (I just found another doc that says to ONLY modprobe IF you haven't built
> this as a module)
> DOH!
> 
> I went back into the kernel config and removed all but the essential options
> for iptables... (just iptables module) and rebuilt the kernel
> 
> A reboot (aside from losing my wireless), produced an error on boot loading
> iptables.
> no other text in dmesg points to the problem.
> 
> John D
> 
> 
> 
> 
-- 
gentoo-user@gentoo.org mailing list

[gentoo-user] iptables

[John Dangler]

I'm reading through the wiki doc on setting up iptables.  There is a section
there that sets up a file called firewall.sh
i've emerged iptables, but I don't have a file by that name on the system,
and it seems that running "/etc/init.d/iptables save" writes this file as
/var/lib/iptables/rules-save.  Is there a specific directory where this file
should be written so that running "/etc/init.d/iptables save" can see it?
Or can the rules-save file be edited and re-written? (It seems as though
running "/etc/init.d/iptables save" would just over-write rules-save).

Thanks for the input.

John D




-- 
gentoo-user@gentoo.org mailing list

Re: [gentoo-user] iptables

[Eric Crossman]

Once you run the rules once and run save, they will then be reloaded
from that location (/var/lib/iptables/rules-save)
by /etc/init.d/iptables start. The init.d script uses iptables-restore
and iptables-save underneath.

Eric C

On Thu, 2005-08-25 at 23:17 -0400, John Dangler wrote:
> I'm reading through the wiki doc on setting up iptables.  There is a section
> there that sets up a file called firewall.sh
> i've emerged iptables, but I don't have a file by that name on the system,
> and it seems that running "/etc/init.d/iptables save" writes this file as
> /var/lib/iptables/rules-save.  Is there a specific directory where this file
> should be written so that running "/etc/init.d/iptables save" can see it?
> Or can the rules-save file be edited and re-written? (It seems as though
> running "/etc/init.d/iptables save" would just over-write rules-save).
> 
> Thanks for the input.
> 
> John D
> 
> 
> 
> 

-- 
gentoo-user@gentoo.org mailing list

Re: [gentoo-user] iptables

[A. Khattri]

On Thu, 25 Aug 2005, John Dangler wrote:

> I'm reading through the wiki doc on setting up iptables.  There is a section
> there that sets up a file called firewall.sh
> i've emerged iptables, but I don't have a file by that name on the system,

Probably a script the wiki author created perhaps...

> and it seems that running "/etc/init.d/iptables save" writes this file as
> /var/lib/iptables/rules-save.

That's right.

> Is there a specific directory where this file
> should be written so that running "/etc/init.d/iptables save" can see it?
> Or can the rules-save file be edited and re-written? (It seems as though
> running "/etc/init.d/iptables save" would just over-write rules-save).

That's right it does.

There's nothing stop you editing /var/lib/iptables/rules-save but be aware
that the init scripts might overwrite those changes if iptables has been
started. (The init script also support a "reload" option which looks like
it flushs all the rules without saving them first and then loads them
again from /var/lib/iptables/rules-save - this might be useful for you).


-- 

-- 
gentoo-user@gentoo.org mailing list

Re: [gentoo-user] iptables

[Fernando Meira]

[-- Attachment #1: Type: text/plain, Size: 842 bytes --]

On 8/26/05, John Dangler <jdangler@atlantic.net> wrote:
> 
> I'm reading through the wiki doc on setting up iptables. There is a 
> section
> there that sets up a file called firewall.sh
> i've emerged iptables, but I don't have a file by that name on the system,
> and it seems that running "/etc/init.d/iptables save" writes this file as
> /var/lib/iptables/rules-save. Is there a specific directory where this 
> file
> should be written so that running "/etc/init.d/iptables save" can see it?
> Or can the rules-save file be edited and re-written? (It seems as though
> running "/etc/init.d/iptables save" would just over-write rules-save).
> 
> Thanks for the input.
> 
> John D


You first run the firewall.sh script. Then you do "/etc/init.d/iptables 
save" to save what you have just configured!

HTH,
Fernando

[-- Attachment #2: Type: text/html, Size: 1196 bytes --]