Re: [gentoo-user] Useless error messages from iptables-restore
[EMAIL PROTECTED] wrote:

> The final remaining problem is with the 3 statements scattered through
> the rules...
>
>   -A ICMP_IN -p icmp -m state --state NEW -j UNSOLICITED
>   -A TCP_IN -p tcp -m state --state NEW -m tcp -j UNSOLICITED
>   -A UDP_IN -p udp -m state --state NEW -j UNSOLICITED

The -m tcp is a typo, yes?

The setting you might be missing is CONFIG_NF_CONNTRACK_IPV4=y. Grep
through your .config and compare:

  # grep ^CONF /usr/src/linux/.config | grep -e _NF -e NETFILTER
  CONFIG_NETFILTER=y
  CONFIG_NETFILTER_DEBUG=y
  CONFIG_NF_CONNTRACK_ENABLED=y
  CONFIG_NF_CONNTRACK_SUPPORT=y
  CONFIG_NF_CONNTRACK=y
  CONFIG_NETFILTER_XTABLES=y
  CONFIG_NETFILTER_XT_TARGET_NFLOG=y
  CONFIG_NETFILTER_XT_MATCH_MULTIPORT=y
  CONFIG_NETFILTER_XT_MATCH_STATE=y
  CONFIG_NF_CONNTRACK_IPV4=y
  CONFIG_NF_CONNTRACK_PROC_COMPAT=y
  CONFIG_IP_NF_IPTABLES=y
  CONFIG_IP_NF_FILTER=y
  CONFIG_IP_NF_TARGET_LOG=y
  CONFIG_NF_NAT=y
  CONFIG_NF_NAT_NEEDED=y
  CONFIG_IP_NF_TARGET_MASQUERADE=y

Benno
--
[EMAIL PROTECTED] mailing list
Re: [gentoo-user] Useless error messages from iptables-restore
Hi,

On Tue, 1 May 2007 22:38:27 -0400 [EMAIL PROTECTED] wrote:

> The final remaining problem is with the 3 statements scattered through
> the rules...
>
>   -A ICMP_IN -p icmp -m state --state NEW -j UNSOLICITED
>   -A TCP_IN -p tcp -m state --state NEW -m tcp -j UNSOLICITED
>   -A UDP_IN -p udp -m state --state NEW -j UNSOLICITED

Hm, do your other rules use connection state matching?

> This works on the main system, with a slightly older kernel. On the
> Dell, running 2.6.20-r7, I have a whole bunch of stuff enabled in the
> kernel, including...
[...]

I'd suggest enabling all netfilter options -- as modules. Then see which
of them are being loaded when you restore your rules and then, according
to that, trim down your kernel configuration again.

My suspicion would be you're missing connection state matching support.

-hwh
--
[EMAIL PROTECTED] mailing list
[gentoo-user] Useless error messages from iptables-restore
I apologize if this is a duplicate. I've just done a re-install and I
don't think my first attempt got out.

I tried Xubuntu on a 1999 Dell with a 450 mhz PIII and 128 megs of ram.
The install was excruciatingly slow, and once installed it was only
painfully slow. So I went back to Gentoo, re-installed fresh, and copied
over various config-files from my main machine (also Gentoo), including
the iptables ruleset (/var/lib/iptables/rules-save). The Dell can't load
them...

  [m450][root][~] iptables-restore /var/lib/iptables/rules-save
  iptables-restore: line 66 failed

Line 66 is the COMMIT line. If I get rid of the COMMIT line, the
complaint is...

  [m450][root][~] iptables-restore /var/lib/iptables/rules-save
  iptables-restore: COMMIT expected at line 67

RTFM didn't find anything useful and I know the rules worked before.
Help.

--
Walter Dnes [EMAIL PROTECTED]
In linux /sbin/init is Job #1
Q. Mr. Ghandi, what do you think of Microsoft security?
A. I think it would be a good idea.
--
[EMAIL PROTECTED] mailing list
Re: [gentoo-user] Useless error messages from iptables-restore
On Tue, May 01, 2007 at 04:50:54PM -0400, [EMAIL PROTECTED] wrote

> RTFM didn't find anything useful and I know the rules worked before.
> Help.

For what it's worth, I'm running linux-2.6.20-gentoo-r7 on the Dell.

I went and did it the hard way. I started by commenting out almost
everything. Then I uncommented one chain at a time until I ran into an
error. Then I commented out one rule at the end until the error
disappeared. I found two sets of problems...

1) The working ruleset (on my main machine), starts off with...

  *filter
  :INPUT DROP
  :FORWARD DROP
  :OUTPUT DROP
  :DROP_LOG
  :ICMP_IN
  :PRIVATE
  :PRIVATE_LOG
  :TCP_IN
  :UDP_IN
  :UNSOLICITED

Seems that the latest version does not like my own chains being declared
this way. I got rid of the first batch of errors by switching the rules
to...

  *filter
  :INPUT DROP [0:0]
  :FORWARD DROP [0:0]
  :OUTPUT DROP [0:0]
  -F
  -X
  -N DROP_LOG
  -N ICMP_IN
  -N PRIVATE
  -N PRIVATE_LOG
  -N TCP_IN
  -N UDP_IN
  -N UNSOLICITED

The final remaining problem is with the 3 statements scattered through
the rules...

  -A ICMP_IN -p icmp -m state --state NEW -j UNSOLICITED
  -A TCP_IN -p tcp -m state --state NEW -m tcp -j UNSOLICITED
  -A UDP_IN -p udp -m state --state NEW -j UNSOLICITED

This works on the main system, with a slightly older kernel. On the
Dell, running 2.6.20-r7, I have a whole bunch of stuff enabled in the
kernel, including...

  [*] Network packet filtering framework (Netfilter)  --->
        <*> Netfilter Xtables support (required for ip_tables)
      Core Netfilter Configuration  --->
        <*> Netfilter Xtables support (required for ip_tables)
        <*> conntrack connection tracking match support
        <*> state match support
      IP: Netfilter Configuration  --->
        <*> IP tables support (required for filtering/masq/NAT)
        <*> Packet filtering

In case someone's wondering... I don't want/need router functionality.
I don't want/need NATing functionality. I don't want/need mangling or
QOS or other fancy stuff. I just want a stinking firewall. What is the
minimum I need to enable to get the above 3 statements to work?

--
Walter Dnes [EMAIL PROTECTED]
In linux /sbin/init is Job #1
Q. Mr. Ghandi, what do you think of Microsoft security?
A. I think it would be a good idea.
--
[EMAIL PROTECTED] mailing list
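The thread hits two separate failure modes: a rules-save file whose chain headers the newer iptables-restore rejects (Walter's "line 66 failed" at COMMIT, fixed by the `:CHAIN POLICY [0:0]` / `-N CHAIN` form), and `-m state` rules that fail because the kernel lacks conntrack (Benno's CONFIG_NF_CONNTRACK_IPV4 suggestion). The following is an added example, not code from the thread, from Gentoo or from the iptables project: a small Python checker that parses iptables-save format and a kernel .config. The option names come from Benno's grep output; which rule token needs which option is my assumption from the names. The sample ruleset is constructed from the headers Walter posted, and the kernel config fragment is constructed with IPv4 conntrack deliberately left out.

```python
"""Checks for the two iptables-restore failure modes discussed in the thread."""
import re

# Which kernel options a ruleset token depends on. Option names are those from
# the grep output in the thread; the token-to-option mapping is an assumption
# drawn from the option names, not something the thread states.
REQUIRED_BY_TOKEN = {
    "*filter": ["CONFIG_NETFILTER", "CONFIG_IP_NF_IPTABLES", "CONFIG_IP_NF_FILTER"],
    "-m state": ["CONFIG_NF_CONNTRACK", "CONFIG_NF_CONNTRACK_IPV4",
                 "CONFIG_NETFILTER_XT_MATCH_STATE"],
    "-j LOG": ["CONFIG_IP_NF_TARGET_LOG"],
    "-j MASQUERADE": ["CONFIG_NF_NAT", "CONFIG_IP_NF_TARGET_MASQUERADE"],
}

# A chain header in iptables-save format: ':NAME POLICY [packets:bytes]'.
CHAIN_DECL = re.compile(r"^:(\S+) (\S+) \[(\d+):(\d+)\]$")


def parse_kconfig(text):
    """Map CONFIG_ names to values; '# CONFIG_X is not set' is recorded as 'n'."""
    opts = {}
    for line in text.splitlines():
        m = re.match(r"^(CONFIG_\w+)=(.+)$", line)
        if m:
            opts[m.group(1)] = m.group(2)
            continue
        m = re.match(r"^# (CONFIG_\w+) is not set$", line)
        if m:
            opts[m.group(1)] = "n"
    return opts


def check_ruleset(text):
    """Return structural problems, each naming the line that caused it.

    iptables-restore in the thread reported the failure at the COMMIT line;
    this checker names the offending chain header or rule instead.
    """
    problems, table, chains = [], None, set()
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):                      # start of a table block
            if table is not None:
                problems.append(f"line {n}: table '{table}' not closed with COMMIT")
            table, chains = line[1:], set()
        elif line == "COMMIT":
            if table is None:
                problems.append(f"line {n}: COMMIT without a preceding *table line")
            table = None
        elif table is None:
            problems.append(f"line {n}: rule outside any *table block")
        elif line.startswith(":"):                    # chain header
            name = (line[1:].split() or ["?"])[0]
            if CHAIN_DECL.match(line) is None:
                problems.append(f"line {n}: chain ':{name}' needs a policy and "
                                f"counters, e.g. ':{name} - [0:0]' for a user chain")
            chains.add(name)
        elif line.startswith("-N "):                  # user chain via -N
            chains.add(line.split()[1])
        elif line.startswith("-A "):                  # rule must target a known chain
            name = line.split()[1]
            if name not in chains:
                problems.append(f"line {n}: -A on undeclared chain '{name}'")
    if table is not None:
        problems.append(f"table '{table}' not closed with COMMIT")
    return problems


def missing_kernel_options(ruleset_text, kconfig_text):
    """Return required options that are neither =y nor =m in the kernel config."""
    opts = parse_kconfig(kconfig_text)
    needed = set()
    for token, options in REQUIRED_BY_TOKEN.items():
        if token in ruleset_text:
            needed.update(options)
    return sorted(o for o in needed if opts.get(o, "n") not in ("y", "m"))


# Constructed from the thread: the header form that the newer iptables rejected.
OLD_HEADER = """*filter
:INPUT DROP
:FORWARD DROP
:OUTPUT DROP
:DROP_LOG
:ICMP_IN
:PRIVATE
:PRIVATE_LOG
:TCP_IN
:UDP_IN
:UNSOLICITED
"""

# Constructed from the thread: the header form that restored, plus the state rules.
NEW_RULES = """*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-F
-X
-N DROP_LOG
-N ICMP_IN
-N PRIVATE
-N PRIVATE_LOG
-N TCP_IN
-N UDP_IN
-N UNSOLICITED
-A ICMP_IN -p icmp -m state --state NEW -j UNSOLICITED
-A TCP_IN -p tcp -m state --state NEW -j UNSOLICITED
-A UDP_IN -p udp -m state --state NEW -j UNSOLICITED
COMMIT
"""

# Constructed .config fragment with IPv4 connection tracking left out.
KCONFIG_NO_CT4 = """CONFIG_NETFILTER=y
CONFIG_NF_CONNTRACK=y
# CONFIG_NF_CONNTRACK_IPV4 is not set
CONFIG_NETFILTER_XTABLES=y
CONFIG_NETFILTER_XT_MATCH_STATE=y
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_FILTER=y
"""

if __name__ == "__main__":
    for p in check_ruleset(OLD_HEADER + "COMMIT\n"):
        print("old header:", p)
    print("new rules:", check_ruleset(NEW_RULES) or "ok")
    print("missing kernel options:", missing_kernel_options(NEW_RULES, KCONFIG_NO_CT4))
```

On a real box the ruleset check is a pre-flight before touching the live tables; the kernel check is the scripted form of Benno's grep, and "=m" counts as present only if the module actually gets loaded, which is the point of hwh's build-everything-as-modules suggestion.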