On Sun, May 27, 2012 at 07:17:03AM -0700, Fernando de Oliveira wrote:
> I did again something stupid, as rewrap was used, then probably a ^Z for
> some other reason undone that. Re-sending a wrapped message (I hope).
>
> This has been happening for some time, but only noticed last week and
> happens either with iptables-1.4.13 or with the new version
> iptables-1.4.14, just installed after being notified by Bruce in the
> "book" list.
>
> The following appears at boot or starting iptables:
>
> # /etc/rc.d/init.d/iptables start
> Starting iptables...FATAL: Module ipt_LOG not found.
> iptables: No chain/target/match by that name.
> iptables: No chain/target/match by that name.
>
> In /etc/rc.d/rc.iptables I have identified the following lines as
> sources of the error messages (by commenting out):
>
> modprobe ipt_LOG
> iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT "
> iptables -I INPUT -p tcp -m state --state INVALID \
> -j LOG --log-prefix "FIREWALL:INVALID"
>
> I understand the first error message, having no ipt_LOG module:
>
> $ grep -i ipt /boot/config-3.4.0
> CONFIG_IP_NF_IPTABLES=y
> CONFIG_IP6_NF_IPTABLES=y
> # CONFIG_NET_ACT_IPT is not set
> # CONFIG_TABLET_USB_AIPTEK is not set
> # CONFIG_SND_RIPTIDE is not set
> # iptables trigger is under Netfilter config (LED target)
>
> I understand the other error messages as a consequence of something
> necessary, perhaps ipt_LOG.
>
> Other than commenting out the offending lines, what can be done to
> correct this?
>
> Help would be much appreciated.

Try checking / adding every kernel option (for netfilter) that you *might*
want to use in your ruleset. For log, in 3.0 it is
CONFIG_NETFILTER_NETLINK_LOG - there are *loads* of other possible kernel
netlink-related options, e.g. for logging in XTABLES. Perhaps newer kernels
have changed the options?

Or, perhaps you didn't 'make modules_install' (unlikely, but I've
occasionally done that myself on new kernels). Personally I don't like the
aggravation of having to ensure a module is loaded when I later change the
iptables script, so I build them all in.

For the rest, it's possible that something else has changed. I installed
1.4.13 last month and had a little fun and games getting it to do what I
want. I'll eventually drop my separate firewall (with the new kit, nothing
from outside hits the firewall - very unlike the old kit - but I'll need
precautions against anyone using my wifi who tries to connect to my
server), and some of the settings I now need were not obvious: I had to
allow incoming POP3 because otherwise (some) mail (using fetchmail) was
dropped. I also had to add iptables -X to any reload to stop it
complaining that the rules already existed.

When you have logging working, it's a good idea to monitor the log to see
what is being dropped - at least until everything is working.

ĸen
-- 
the one time as tragedy, the other time as farce
-- 
http://linuxfromscratch.org/mailman/listinfo/blfs-support
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page
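As an added example (not code from the thread, LFS or the iptables project): a POSIX sh fragment a firewall script could use to check the kernel config for the LOG target before issuing the two "-j LOG" rules, instead of an unconditional modprobe that fails as above. It assumes the running kernel's config is readable at /boot/config-$(uname -r) and uses the option and module names I know from mainline kernels: CONFIG_NETFILTER_XT_TARGET_LOG (module xt_LOG, from 3.4 on, where ipt_LOG was merged into xt_LOG) and the older CONFIG_IP_NF_TARGET_LOG (module ipt_LOG).

```shell
#!/bin/sh
# Added example, not from the thread. Checks the kernel config for the
# netfilter LOG target before the firewall script uses "-j LOG".
# Option/module names assumed from mainline kernels:
#   CONFIG_NETFILTER_XT_TARGET_LOG -> xt_LOG  (3.4 and later)
#   CONFIG_IP_NF_TARGET_LOG        -> ipt_LOG (older kernels)

# log_target_state CONFIGFILE
# Prints "builtin", "module:<name>" or "missing"; returns 1 when missing.
log_target_state() {
    cfg="$1"
    for pair in CONFIG_NETFILTER_XT_TARGET_LOG=xt_LOG CONFIG_IP_NF_TARGET_LOG=ipt_LOG; do
        opt=${pair%%=*}
        mod=${pair#*=}
        case "$(grep -E "^${opt}=" "$cfg" 2>/dev/null | head -n 1)" in
            "${opt}=y") echo builtin; return 0 ;;
            "${opt}=m") echo "module:${mod}"; return 0 ;;
        esac
    done
    echo missing
    return 1
}

# add_log_rules CONFIGFILE [IPTABLES]
# Adds the thread's two LOG rules only when the target is usable; loads the
# module first if needed, and skips the rules with a warning if it is absent,
# so the rest of the ruleset still loads.
add_log_rules() {
    ipt=${2:-iptables}
    state=$(log_target_state "$1") || {
        echo "warning: kernel has no netfilter LOG target; skipping LOG rules" >&2
        return 1
    }
    case "$state" in
        module:*) modprobe "${state#module:}" || return 1 ;;
    esac
    "$ipt" -A INPUT -j LOG --log-prefix "FIREWALL:INPUT " || return 1
    "$ipt" -I INPUT -p tcp -m state --state INVALID \
        -j LOG --log-prefix "FIREWALL:INVALID" || return 1
}

# Constructed sample config mirroring the thread's grep output: iptables
# built in, but no LOG target at all.
sample_cfg=$(mktemp)
printf '%s\n' 'CONFIG_IP_NF_IPTABLES=y' 'CONFIG_IP6_NF_IPTABLES=y' \
    '# CONFIG_NETFILTER_XT_TARGET_LOG is not set' > "$sample_cfg"
log_target_state "$sample_cfg" || :    # prints: missing
rm -f "$sample_cfg"
# Real use: add_log_rules "/boot/config-$(uname -r)"
```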
