I'm trying to configure my firewall on my PC (so no network, only one machine). I did a whole lot to get it up and running. Here is a summary.
First I recompiled my kernel to get iptables support. I have kernel 2.4.20. Here is my .config file for my kernel (relevant parts):
#
# Networking options
#
CONFIG_PACKET=y
# CONFIG_PACKET_MMAP is not set
# CONFIG_NETLINK_DEV is not set
CONFIG_NETFILTER=y
# CONFIG_NETFILTER_DEBUG is not set
CONFIG_FILTER=y
CONFIG_UNIX=y
CONFIG_INET=y
# CONFIG_IP_MULTICAST is not set
CONFIG_IP_ADVANCED_ROUTER=y
# CONFIG_IP_MULTIPLE_TABLES is not set
# CONFIG_IP_ROUTE_MULTIPATH is not set
# CONFIG_IP_ROUTE_TOS is not set
CONFIG_IP_ROUTE_VERBOSE=y
# CONFIG_IP_ROUTE_LARGE_TABLES is not set
CONFIG_IP_PNP=y
CONFIG_IP_PNP_DHCP=y
# CONFIG_IP_PNP_BOOTP is not set
# CONFIG_IP_PNP_RARP is not set
# CONFIG_NET_IPIP is not set
# CONFIG_NET_IPGRE is not set
# CONFIG_ARPD is not set
# CONFIG_INET_ECN is not set
# CONFIG_SYN_COOKIES is not set
#
# IP: Netfilter Configuration
#
CONFIG_IP_NF_CONNTRACK=m
CONFIG_IP_NF_FTP=m
CONFIG_IP_NF_IRC=m
# CONFIG_IP_NF_QUEUE is not set
CONFIG_IP_NF_IPTABLES=m
# CONFIG_IP_NF_MATCH_LIMIT is not set
# CONFIG_IP_NF_MATCH_MAC is not set
# CONFIG_IP_NF_MATCH_PKTTYPE is not set
# CONFIG_IP_NF_MATCH_MARK is not set
# CONFIG_IP_NF_MATCH_MULTIPORT is not set
# CONFIG_IP_NF_MATCH_TOS is not set
# CONFIG_IP_NF_MATCH_ECN is not set
# CONFIG_IP_NF_MATCH_DSCP is not set
# CONFIG_IP_NF_MATCH_AH_ESP is not set
# CONFIG_IP_NF_MATCH_LENGTH is not set
# CONFIG_IP_NF_MATCH_TTL is not set
# CONFIG_IP_NF_MATCH_TCPMSS is not set
# CONFIG_IP_NF_MATCH_HELPER is not set
# CONFIG_IP_NF_MATCH_STATE is not set
# CONFIG_IP_NF_MATCH_CONNTRACK is not set
# CONFIG_IP_NF_MATCH_UNCLEAN is not set
# CONFIG_IP_NF_MATCH_OWNER is not set
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_TARGET_REJECT=m
# CONFIG_IP_NF_TARGET_MIRROR is not set
CONFIG_IP_NF_NAT=m
CONFIG_IP_NF_NAT_NEEDED=y
# CONFIG_IP_NF_TARGET_MASQUERADE is not set
CONFIG_IP_NF_TARGET_REDIRECT=m
# CONFIG_IP_NF_NAT_LOCAL is not set
# CONFIG_IP_NF_NAT_SNMP_BASIC is not set
CONFIG_IP_NF_NAT_IRC=m
CONFIG_IP_NF_NAT_FTP=m
CONFIG_IP_NF_MANGLE=m
CONFIG_IP_NF_TARGET_TOS=m
# CONFIG_IP_NF_TARGET_ECN is not set
# CONFIG_IP_NF_TARGET_DSCP is not set
# CONFIG_IP_NF_TARGET_MARK is not set
CONFIG_IP_NF_TARGET_LOG=m
# CONFIG_IP_NF_TARGET_ULOG is not set
# CONFIG_IP_NF_TARGET_TCPMSS is not set
# CONFIG_IP_NF_ARPTABLES is not set
# CONFIG_IP_NF_COMPAT_IPCHAINS is not set
# CONFIG_IP_NF_COMPAT_IPFWADM is not set
# CONFIG_IPV6 is not set
# CONFIG_KHTTPD is not set
# CONFIG_ATM is not set
# CONFIG_VLAN_8021Q is not set
#
# CONFIG_IPX is not set
# CONFIG_ATALK is not set
#
# Appletalk devices
#
# CONFIG_DECNET is not set
# CONFIG_BRIDGE is not set
# CONFIG_X25 is not set
# CONFIG_LAPB is not set
# CONFIG_LLC is not set
# CONFIG_NET_DIVERT is not set
# CONFIG_ECONET is not set
# CONFIG_WAN_ROUTER is not set
# CONFIG_NET_FASTROUTE is not set
# CONFIG_NET_HW_FLOWCONTROL is not set
#
# QoS and/or fair queueing
#
# CONFIG_NET_SCHED is not set
#
# Network testing
#
# CONFIG_NET_PKTGEN is not set
At first I couldn't even find the bit where I could get support for iptables. When at last I did manage to get ip_tables compiled as a module, I got unresolved symbols in the module. Anyway, I fixed that.
After configuring the kernel, I downloaded and installed Guarddog. That went OK. But for some reason when I say to apply the rules I just created I get a whole lot of
iptables: No chain/target/match by that name
messages. After that, I can have no network traffic at all. Not until I kill the firewall.
Why? I have downloaded some HOWTOs (firewall HOWTO, ipchains HOWTO) but the size of those really intimidates me. Can someone help me out? Sorry if I left any crucial info out of this post. I really am a newbie at this.
Sounds more like you're missing some modules, rather than a screwed up firewall script. Use lsmod and make sure that you have modules loaded for the iptables flags and chains. Looking at the modules I have loaded now that are relevant for iptables:
I would bet that you're not loading one or more of them. Narrow down what you're missing and make and install the lost modules.
What distro are you using? Most should have iptables support or at least ipchains/ipfwadmin built in out of the box. So it's kind of strange that you had to recompile the kernel just to get support. HTH
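As an added illustration of the lsmod check suggested above (this script is not from the thread and is not Guarddog's code): it maps the -t, -m and -j options in a rule set to the 2.4-series netfilter module names they pull in (iptable_filter, ipt_state, ipt_LOG, iptable_nat and so on) and reports which of those are absent from lsmod output. The lsmod snapshot and the rules are constructed samples, and rule targets are assumed to be built-in or extension targets rather than user-defined chains. The connection to the posted .config is that CONFIG_IP_NF_MATCH_STATE, CONFIG_IP_NF_MATCH_LIMIT and CONFIG_IP_NF_TARGET_MASQUERADE are unset there, so a rule using -m state, -m limit or -j MASQUERADE has no module to load at all, and "No chain/target/match by that name" is what iptables reports in that situation.

```shell
#!/bin/sh
# Added example, not code from the thread or from Guarddog: given lsmod
# output and a set of iptables rules, report the 2.4-series netfilter
# modules the rules need that are not loaded. Both inputs below are
# constructed samples.
export LC_ALL=C

# Constructed lsmod snapshot with only a subset of netfilter modules present.
LSMOD_SAMPLE='Module                  Size  Used by    Not tainted
ipt_REJECT              3448   1  (autoclean)
iptable_filter          2412   1  (autoclean)
ip_tables              14936   2  [ipt_REJECT iptable_filter]
ip_conntrack           26976   0  (unused)'

# Constructed rules of the kind a firewall front-end generates, one per line.
RULES_SAMPLE='-t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-t filter -A INPUT -p tcp --dport 22 -m limit --limit 5/min -j LOG --log-prefix ssh:
-t filter -A INPUT -j REJECT
-t nat -A POSTROUTING -o eth0 -j MASQUERADE'

# Print the module an option/argument pair pulls in, if any.
# $1 is the option (-t, -m or -j), $2 its argument.
module_for() {
  case "$1" in
    -t) case "$2" in
          filter) echo iptable_filter ;;
          nat)    echo iptable_nat ;;
          mangle) echo iptable_mangle ;;
        esac ;;
    -m) case "$2" in
          tcp|udp|icmp) ;;        # protocol matches live in ip_tables itself
          *) echo "ipt_$2" ;;     # state, limit, multiport, mac, owner, ...
        esac ;;
    -j) case "$2" in
          ACCEPT|DROP|RETURN) ;;  # core targets need no extra module
          *) echo "ipt_$2" ;;     # REJECT, LOG, MASQUERADE, REDIRECT, ...
        esac ;;                   # (assumes no user-defined chain names)
  esac
}

# Every module a rule set needs, deduplicated.
needed_modules() {
  printf '%s\n' "$1" | while IFS= read -r rule; do
    set -- $rule
    while [ $# -gt 1 ]; do
      case "$1" in
        -t|-m|-j) module_for "$1" "$2" ;;
      esac
      shift
    done
  done | sort -u
}

# Module names from the first column of lsmod output (header line skipped).
loaded_modules() {
  printf '%s\n' "$1" | awk 'NR > 1 { print $1 }' | sort -u
}

# Needed modules that are not loaded; prints nothing when the set is complete.
missing_modules() {
  loaded=$(loaded_modules "$1")
  needed_modules "$2" | while IFS= read -r mod; do
    printf '%s\n' "$loaded" | grep -qx "$mod" || echo "$mod"
  done
}

# Usage with the samples above; each printed line names a module to build or load.
missing_modules "$LSMOD_SAMPLE" "$RULES_SAMPLE"
```

On a real box the two inputs would be the output of lsmod and the rules the front-end tries to apply; a module that is listed as missing but does not exist under /lib/modules at all points back to a .config entry that is still "not set", which is the case the thread is about.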
I browsed on the internet some more and I came to the same conclusion you did. Right now I have all the modules you summed up except for ipt_MASQUERADE, but I got my firewall up and running nonetheless. But should I compile ipt_MASQUERADE?
I have a Debian Woody installation. I had to compile my kernel to get support for some non-standard hardware (CD recorder, NIC interface). But being inexperienced as I am, I didn't include support for netfilter. So when I came round to configuring my firewall, I had to recompile the kernel to get support for it after all.
Unless you're going to produce a super small kernel, set the kernel options for all the netfilter entries to <M> to make them modules.
This way they will load when they are called from the iptables rules & you won't need to manually load them.
There are also options for ipchains and ipfwadm.
Say <N> for these to avoid problems later.
Debian left these options as modules for people upgrading from 2.2 kernels and who still want to keep their ipchains scripts.
Quote:
Originally Posted by Capt_Caveman
Sounds more like you're missing some modules
ipt_MASQUERADE
I would bet that you're not loading one or more of them.
Ahh yeah, 5 years later but it's never too late for a sincere thank you!!
So thanks, Mr. Caveman.
I was trying some new firewall options today on a new routerbox, got myself all confused, and finally couldn't make anything work right.
Pulled my hair for a few hours before finding your post.