Re: [Shorewall-users] iptables-restore Failed hashlimit
On Thu, Oct 05, 2017 at 10:04:21PM -0700, Tom Eastep wrote:
> On 10/05/2017 10:02 PM, Daniel Nelson wrote:
> > On Thu, Oct 05, 2017 at 09:59:34PM -0700, Tom Eastep wrote:
> >> On 10/05/2017 09:51 PM, Daniel Nelson wrote:
> >>> On Thu, Oct 05, 2017 at 09:45:26PM -0700, Tom Eastep wrote:
> >>>> On 10/05/2017 09:35 PM, Daniel Nelson wrote:
> >>>>> On Thu, Oct 05, 2017 at 08:05:37AM -0700, Tom Eastep wrote:
> >>>>>> Please look in your kernel log to see what netfilter messages are
> >>>>>> issued when this failure occurs. Also, with a hashlimit rule in place,
> >>>>>> try 'shorewall debug reload' -- that can give better diagnostic
> >>>>>> information.
> >>>>>
> >>>>> I don't see any logs of interest in kern.log, messages, or elsewhere,
> >>>>> but here is the output of 'shorewall debug reload':
> >>>>>
> >>>>> Running debug_restore_input...
> >>>>> iptables: No chain/target/match by that name.
> >>>>>    ERROR: Command "/sbin/iptables --wait -t filter -A INPUT -m
> >>>>> hashlimit --hashlimit-upto 1/sec --hashlimit-burst 10 --hashlimit-name
> >>>>> lograte --hashlimit-mode srcip -j LOG --log-level 6 --log-prefix "INPUT
> >>>>> REJECT "" Failed
> >>>>
> >>>> What is the output of 'shorewall show capabilities | fgrep HASHLIMIT'?
> >>>
> >>> $ sudo shorewall show capabilities | fgrep HASHLIMIT
> >>> Hashlimit Match (HASHLIMIT_MATCH): Available
> >>
> >> And does this work?
> >>
> >>    iptables -N foo
> >>    iptables -A foo -j LOG
> >
> > $ sudo iptables -N foo
> > $ sudo iptables -A foo -j LOG
> > iptables: No chain/target/match by that name.
>
> Your kernel doesn't have LOG target support.

I compiled it as a module and now everything is working, thanks so much for the help!

--
Daniel

--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
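Added example, not part of the thread: the rule that failed needed both the hashlimit match and the LOG target, and only the first was available in the kernel. The script below lists the extensions a rule uses and checks a kernel config for each one; the function names, the CONFIG_NETFILTER_XT_* naming assumption and the config excerpt are constructed for illustration.

```shell
#!/bin/bash
# Added example (not from the thread). Assumption: extension "x" maps to
# CONFIG_NETFILTER_XT_MATCH_X / CONFIG_NETFILTER_XT_TARGET_X, which holds
# for hashlimit and LOG, the two extensions in the failing rule.

# Print "MATCH name" / "TARGET name" for each -m and -j in one rule line.
rule_extensions() {
    set -f              # no globbing while the rule is word-split
    set -- $1
    set +f
    while [ $# -gt 1 ]; do
        case $1 in
            -m|--match) echo "MATCH $2" ;;
            -j|--jump)  echo "TARGET $2" ;;
        esac
        shift
    done
}

# Map an extension to its config symbol. Built-in verdicts need no module,
# and a target containing lowercase letters is treated as a user chain
# (heuristic), so both print nothing.
config_symbol() {       # $1 = MATCH|TARGET, $2 = extension name
    case "$1:$2" in
        TARGET:ACCEPT|TARGET:DROP|TARGET:RETURN|TARGET:*[[:lower:]]*) return 0 ;;
    esac
    echo "CONFIG_NETFILTER_XT_${1}_$(echo "$2" | tr '[:lower:]' '[:upper:]')"
}

# Print every symbol the rule ($1) needs that config text ($2) lacks as =y/=m.
missing_symbols() {
    rule_extensions "$1" | while read -r kind name; do
        sym=$(config_symbol "$kind" "$name")
        [ -n "$sym" ] || continue
        printf '%s\n' "$2" | grep -Eq "^${sym}=[ym]\$" || echo "$sym"
    done
}

# The rule that failed in the thread, and a constructed config excerpt in
# which hashlimit is a module but the LOG target was never built.
RULE='-A INPUT -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 10 --hashlimit-name lograte --hashlimit-mode srcip -j LOG --log-level 6 --log-prefix "INPUT REJECT "'
CONFIG='CONFIG_NETFILTER_XT_MATCH_HASHLIMIT=m
# CONFIG_NETFILTER_XT_TARGET_LOG is not set'

missing_symbols "$RULE" "$CONFIG"
```

On a live system, pass the running kernel's configuration as the second argument, for example the output of `zcat /proc/config.gz` where the kernel exposes it.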
Re: [Shorewall-users] iptables-restore Failed hashlimit
On 10/05/2017 10:02 PM, Daniel Nelson wrote:
> On Thu, Oct 05, 2017 at 09:59:34PM -0700, Tom Eastep wrote:
>> On 10/05/2017 09:51 PM, Daniel Nelson wrote:
>>> On Thu, Oct 05, 2017 at 09:45:26PM -0700, Tom Eastep wrote:
>>>> On 10/05/2017 09:35 PM, Daniel Nelson wrote:
>>>>> On Thu, Oct 05, 2017 at 08:05:37AM -0700, Tom Eastep wrote:
>>>>>> Please look in your kernel log to see what netfilter messages are issued
>>>>>> when this failure occurs. Also, with a hashlimit rule in place, try
>>>>>> 'shorewall debug reload' -- that can give better diagnostic information.
>>>>>
>>>>> I don't see any logs of interest in kern.log, messages, or elsewhere, but
>>>>> here is the output of 'shorewall debug reload':
>>>>>
>>>>> Running debug_restore_input...
>>>>> iptables: No chain/target/match by that name.
>>>>>    ERROR: Command "/sbin/iptables --wait -t filter -A INPUT -m
>>>>> hashlimit --hashlimit-upto 1/sec --hashlimit-burst 10 --hashlimit-name
>>>>> lograte --hashlimit-mode srcip -j LOG --log-level 6 --log-prefix "INPUT
>>>>> REJECT "" Failed
>>>>
>>>> What is the output of 'shorewall show capabilities | fgrep HASHLIMIT'?
>>>
>>> $ sudo shorewall show capabilities | fgrep HASHLIMIT
>>> Hashlimit Match (HASHLIMIT_MATCH): Available
>>
>> And does this work?
>>
>>    iptables -N foo
>>    iptables -A foo -j LOG
>
> $ sudo iptables -N foo
> $ sudo iptables -A foo -j LOG
> iptables: No chain/target/match by that name.

Your kernel doesn't have LOG target support.

-Tom
--
Tom Eastep        \ Q: What do you get when you cross a mobster with
Shoreline,         \    an international standard?
Washington, USA     \ A: Someone who makes you an offer you can't
http://shorewall.org \   understand
                      \_______________________________________________
Re: [Shorewall-users] iptables-restore Failed hashlimit
On Thu, Oct 05, 2017 at 09:59:34PM -0700, Tom Eastep wrote:
> On 10/05/2017 09:51 PM, Daniel Nelson wrote:
> > On Thu, Oct 05, 2017 at 09:45:26PM -0700, Tom Eastep wrote:
> >> On 10/05/2017 09:35 PM, Daniel Nelson wrote:
> >>> On Thu, Oct 05, 2017 at 08:05:37AM -0700, Tom Eastep wrote:
> >>>> Please look in your kernel log to see what netfilter messages are issued
> >>>> when this failure occurs. Also, with a hashlimit rule in place, try
> >>>> 'shorewall debug reload' -- that can give better diagnostic information.
> >>>
> >>> I don't see any logs of interest in kern.log, messages, or elsewhere, but
> >>> here is the output of 'shorewall debug reload':
> >>>
> >>> Running debug_restore_input...
> >>> iptables: No chain/target/match by that name.
> >>>    ERROR: Command "/sbin/iptables --wait -t filter -A INPUT -m
> >>> hashlimit --hashlimit-upto 1/sec --hashlimit-burst 10 --hashlimit-name
> >>> lograte --hashlimit-mode srcip -j LOG --log-level 6 --log-prefix "INPUT
> >>> REJECT "" Failed
> >>
> >> What is the output of 'shorewall show capabilities | fgrep HASHLIMIT'?
> >
> > $ sudo shorewall show capabilities | fgrep HASHLIMIT
> > Hashlimit Match (HASHLIMIT_MATCH): Available
>
> And does this work?
>
>    iptables -N foo
>    iptables -A foo -j LOG

$ sudo iptables -N foo
$ sudo iptables -A foo -j LOG
iptables: No chain/target/match by that name.
Re: [Shorewall-users] iptables-restore Failed hashlimit
On 10/05/2017 09:51 PM, Daniel Nelson wrote:
> On Thu, Oct 05, 2017 at 09:45:26PM -0700, Tom Eastep wrote:
>> On 10/05/2017 09:35 PM, Daniel Nelson wrote:
>>> On Thu, Oct 05, 2017 at 08:05:37AM -0700, Tom Eastep wrote:
>>>> Please look in your kernel log to see what netfilter messages are issued
>>>> when this failure occurs. Also, with a hashlimit rule in place, try
>>>> 'shorewall debug reload' -- that can give better diagnostic information.
>>>
>>> I don't see any logs of interest in kern.log, messages, or elsewhere, but
>>> here is the output of 'shorewall debug reload':
>>>
>>> Running debug_restore_input...
>>> iptables: No chain/target/match by that name.
>>>    ERROR: Command "/sbin/iptables --wait -t filter -A INPUT -m
>>> hashlimit --hashlimit-upto 1/sec --hashlimit-burst 10 --hashlimit-name
>>> lograte --hashlimit-mode srcip -j LOG --log-level 6 --log-prefix "INPUT
>>> REJECT "" Failed
>>
>> What is the output of 'shorewall show capabilities | fgrep HASHLIMIT'?
>
> $ sudo shorewall show capabilities | fgrep HASHLIMIT
> Hashlimit Match (HASHLIMIT_MATCH): Available

And does this work?

   iptables -N foo
   iptables -A foo -j LOG

-Tom
Re: [Shorewall-users] iptables-restore Failed hashlimit
On Thu, Oct 05, 2017 at 09:45:26PM -0700, Tom Eastep wrote:
> On 10/05/2017 09:35 PM, Daniel Nelson wrote:
> > On Thu, Oct 05, 2017 at 08:05:37AM -0700, Tom Eastep wrote:
> >> Please look in your kernel log to see what netfilter messages are issued
> >> when this failure occurs. Also, with a hashlimit rule in place, try
> >> 'shorewall debug reload' -- that can give better diagnostic information.
> >
> > I don't see any logs of interest in kern.log, messages, or elsewhere, but
> > here is the output of 'shorewall debug reload':
> >
> > Running debug_restore_input...
> > iptables: No chain/target/match by that name.
> >    ERROR: Command "/sbin/iptables --wait -t filter -A INPUT -m
> > hashlimit --hashlimit-upto 1/sec --hashlimit-burst 10 --hashlimit-name
> > lograte --hashlimit-mode srcip -j LOG --log-level 6 --log-prefix "INPUT
> > REJECT "" Failed
>
> What is the output of 'shorewall show capabilities | fgrep HASHLIMIT'?

$ sudo shorewall show capabilities | fgrep HASHLIMIT
Hashlimit Match (HASHLIMIT_MATCH): Available
Re: [Shorewall-users] iptables-restore Failed hashlimit
On 10/05/2017 09:35 PM, Daniel Nelson wrote:
> On Thu, Oct 05, 2017 at 08:05:37AM -0700, Tom Eastep wrote:
>> Please look in your kernel log to see what netfilter messages are issued
>> when this failure occurs. Also, with a hashlimit rule in place, try
>> 'shorewall debug reload' -- that can give better diagnostic information.
>
> I don't see any logs of interest in kern.log, messages, or elsewhere, but here
> is the output of 'shorewall debug reload':
>
> Running debug_restore_input...
> iptables: No chain/target/match by that name.
>    ERROR: Command "/sbin/iptables --wait -t filter -A INPUT -m
> hashlimit --hashlimit-upto 1/sec --hashlimit-burst 10 --hashlimit-name
> lograte --hashlimit-mode srcip -j LOG --log-level 6 --log-prefix "INPUT
> REJECT "" Failed

What is the output of 'shorewall show capabilities | fgrep HASHLIMIT'?

-Tom
Re: [Shorewall-users] iptables-restore Failed hashlimit
On Thu, Oct 05, 2017 at 08:05:37AM -0700, Tom Eastep wrote:
> Please look in your kernel log to see what netfilter messages are issued
> when this failure occurs. Also, with a hashlimit rule in place, try
> 'shorewall debug reload' -- that can give better diagnostic information.

I don't see any logs of interest in kern.log, messages, or elsewhere, but here
is the output of 'shorewall debug reload':

Running debug_restore_input...
iptables: No chain/target/match by that name.
   ERROR: Command "/sbin/iptables --wait -t filter -A INPUT -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 10 --hashlimit-name lograte --hashlimit-mode srcip -j LOG --log-level 6 --log-prefix "INPUT REJECT "" Failed
Re: [Shorewall-users] DNAT+SNAT+FTP Helper Problem
On 10/04/2017 03:22 AM, Juha Leinonen wrote:
> Hi Tom,
>
> Great, thanks.
>
> Can you tell me where I can track the progress of this bug report?

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=877826

-Tom
Re: [Shorewall-users] iptables-restore Failed hashlimit
On 10/05/2017 12:05 AM, Daniel Nelson wrote:
> I'm using the shorewall 5.1.5.2 gentoo ebuild and getting an error when
> running `shorewall start`.
>
> iptables-restore: line 144 failed
> ERROR: iptables-restore Failed. Input is in
> /var/lib/shorewall/.iptables-restore-input
>
> I tried to use the process of elimination on the script to find the problem
> and found that if I remove all hashlimit lines iptables-restore will complete
> successfully. I don't know much about kernel configuration here but I did
> find I have xt_hashlimit loaded:
>
> $ lsmod | grep hashlimit
> xt_hashlimit 20480 0
>
> Attached is the contents of .iptables-restore-input.

Please look in your kernel log to see what netfilter messages are issued
when this failure occurs. Also, with a hashlimit rule in place, try
'shorewall debug reload' -- that can give better diagnostic information.

Thanks,
-Tom
[Shorewall-users] iptables-restore Failed hashlimit
I'm using the shorewall 5.1.5.2 gentoo ebuild and getting an error when
running `shorewall start`.

iptables-restore: line 144 failed
ERROR: iptables-restore Failed. Input is in /var/lib/shorewall/.iptables-restore-input

I tried to use the process of elimination on the script to find the problem
and found that if I remove all hashlimit lines iptables-restore will complete
successfully. I don't know much about kernel configuration here but I did
find I have xt_hashlimit loaded:

$ lsmod | grep hashlimit
xt_hashlimit 20480 0

Attached is the contents of .iptables-restore-input.

--
Daniel