I just recompiled a plain vanilla 2.4.28 kernel, and used the Shorewall.net
kernel config as a guideline. For some reason, I get this:

Nov 30 12:05:34 fw shorewall: Shorewall has detected the following
iptables/netfilter capabilities:
Nov 30 12:05:34 fw shorewall: NAT: Available
Nov 30 12:05:34 fw shorewall: Packet Mangling: Available
Nov 30 12:05:34 fw shorewall: Multi-port Match: Available
Nov 30 12:05:34 fw shorewall: Connection Tracking Match: Not available
.....

Clearly it thinks "Connection Tracking Match: Not available", yet I have set
the kernel compile options as follows. The only missing "match" module is
"TTL Match Support", but that is also missing from the example config on
shorewall.net. Before I recompile, is this error caused by some other
issue that I'm not seeing? I did not get this on previous kernels, which I
*thought* I had configured the same.

#
# IP: Netfilter Configuration
#
CONFIG_IP_NF_CONNTRACK=m
CONFIG_IP_NF_FTP=m
CONFIG_IP_NF_AMANDA=m
CONFIG_IP_NF_TFTP=m
CONFIG_IP_NF_IRC=m
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_MATCH_LIMIT=m
CONFIG_IP_NF_MATCH_MAC=m
CONFIG_IP_NF_MATCH_PKTTYPE=m
CONFIG_IP_NF_MATCH_MARK=m
CONFIG_IP_NF_MATCH_MULTIPORT=m
CONFIG_IP_NF_MATCH_TOS=m
CONFIG_IP_NF_MATCH_RECENT=m
CONFIG_IP_NF_MATCH_ECN=m
CONFIG_IP_NF_MATCH_DSCP=m
CONFIG_IP_NF_MATCH_AH_ESP=m
CONFIG_IP_NF_MATCH_LENGTH=m
# CONFIG_IP_NF_MATCH_TTL is not set
CONFIG_IP_NF_MATCH_TCPMSS=m
CONFIG_IP_NF_MATCH_HELPER=m
CONFIG_IP_NF_MATCH_STATE=m
CONFIG_IP_NF_MATCH_CONNTRACK=m
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_TARGET_REJECT=m
CONFIG_IP_NF_NAT=m
CONFIG_IP_NF_NAT_NEEDED=y
CONFIG_IP_NF_TARGET_MASQUERADE=m
CONFIG_IP_NF_TARGET_REDIRECT=m
CONFIG_IP_NF_NAT_AMANDA=m
CONFIG_IP_NF_NAT_LOCAL=y
CONFIG_IP_NF_NAT_IRC=m
CONFIG_IP_NF_NAT_FTP=m
CONFIG_IP_NF_NAT_TFTP=m
CONFIG_IP_NF_MANGLE=m
CONFIG_IP_NF_TARGET_TOS=m
CONFIG_IP_NF_TARGET_ECN=m
CONFIG_IP_NF_TARGET_DSCP=m
CONFIG_IP_NF_TARGET_MARK=m
CONFIG_IP_NF_TARGET_LOG=m
CONFIG_IP_NF_TARGET_ULOG=m
CONFIG_IP_NF_TARGET_TCPMSS=m
CONFIG_IP_NF_ARPTABLES=m
CONFIG_IP_NF_ARPFILTER=m
# CONFIG_IP_NF_ARP_MANGLE is not set
# CONFIG_IP_NF_COMPAT_IPCHAINS is not set
# CONFIG_IP_NF_COMPAT_IPFWADM is not set

And for completeness:

[root@fw linux-2.4.28]# shorewall version
2.0.10
[root@fw linux-2.4.28]# ip addr show
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: tunl0@NONE: <NOARP> mtu 1480 qdisc noop
    link/ipip 0.0.0.0 brd 0.0.0.0
3: gre0@NONE: <NOARP> mtu 1476 qdisc noop
    link/gre 0.0.0.0 brd 0.0.0.0
4: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:80:c8:64:a2:61 brd ff:ff:ff:ff:ff:ff
    inet 139.142.66.9/24 brd 139.142.66.255 scope global eth0
5: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:80:c8:67:96:5c brd ff:ff:ff:ff:ff:ff
    inet 139.142.65.147/29 brd 139.142.65.151 scope global eth1
[root@fw linux-2.4.28]# ip route show
139.142.65.144/29 dev eth1  scope link
139.142.66.0/24 dev eth0  scope link
10.0.0.0/8 via 139.142.66.245 dev eth0
127.0.0.0/8 dev lo  scope link
default via 139.142.65.145 dev eth1

Status dump is attached.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Shawn Wright, I.T. Manager
Shawnigan Lake School
http://www.sls.bc.ca
swright@sls.bc.ca
On Tue, 2004-11-30 at 14:47 -0800, Shawn Wright wrote:
> I just recompiled a plain vanilla 2.4.28 kernel, and used the Shorewall.net
> kernel config as a guideline. For some reason, I get this:
> 
> Nov 30 12:05:34 fw shorewall: Shorewall has detected the following
> iptables/netfilter capabilities:
> Nov 30 12:05:34 fw shorewall: NAT: Available
> Nov 30 12:05:34 fw shorewall: Packet Mangling: Available
> Nov 30 12:05:34 fw shorewall: Multi-port Match: Available
> Nov 30 12:05:34 fw shorewall: Connection Tracking Match: Not
> available
> .....
> 
> Clearly it thinks "Connection Tracking Match: Not available", yet I have set
> the kernel compile options as follows. The only missing "match" module is
> "TTL Match Support", but that is also missing from the example config on
> shorewall.net. Before I recompile, is this error caused by some other
> issue that I'm not seeing? I did not get this on previous kernels, which I
> *thought* I had configured the same.

At a root shell prompt, try:

iptables -N foobar
iptables -A foobar -M CONNTRACK --ctorigdst 192.168.1.1 -j ACCEPT

What do you see?

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
On Tue, 2004-11-30 at 14:58 -0800, Tom Eastep wrote:
> On Tue, 2004-11-30 at 14:47 -0800, Shawn Wright wrote:
> > I just recompiled a plain vanilla 2.4.28 kernel, and used the Shorewall.net
> > kernel config as a guideline. For some reason, I get this:
> > 
> > Nov 30 12:05:34 fw shorewall: Shorewall has detected the following
> > iptables/netfilter capabilities:
> > Nov 30 12:05:34 fw shorewall: NAT: Available
> > Nov 30 12:05:34 fw shorewall: Packet Mangling: Available
> > Nov 30 12:05:34 fw shorewall: Multi-port Match: Available
> > Nov 30 12:05:34 fw shorewall: Connection Tracking Match: Not
> > available
> > .....
> > 
> > Clearly it thinks "Connection Tracking Match: Not available", yet I have set
> > the kernel compile options as follows. The only missing "match" module is
> > "TTL Match Support", but that is also missing from the example config on
> > shorewall.net. Before I recompile, is this error caused by some other
> > issue that I'm not seeing? I did not get this on previous kernels, which I
> > *thought* I had configured the same.
> 
> At a root shell prompt, try:
> 
> iptables -N foobar
> iptables -A foobar -M CONNTRACK --ctorigdst 192.168.1.1 -j ACCEPT
> 

F..king caps lock key...

That should have been:

iptables -A foobar -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
On 30 Nov 2004 at 15:00, Tom Eastep wrote:

> On Tue, 2004-11-30 at 14:58 -0800, Tom Eastep wrote:
> > On Tue, 2004-11-30 at 14:47 -0800, Shawn Wright wrote:
> > > I just recompiled a plain vanilla 2.4.28 kernel, and used the Shorewall.net
> > > kernel config as a guideline. For some reason, I get this:
> > > 
> > > Nov 30 12:05:34 fw shorewall: Shorewall has detected the following
> > > iptables/netfilter capabilities:
> > > Nov 30 12:05:34 fw shorewall: NAT: Available
> > > Nov 30 12:05:34 fw shorewall: Packet Mangling: Available
> > > Nov 30 12:05:34 fw shorewall: Multi-port Match: Available
> > > Nov 30 12:05:34 fw shorewall: Connection Tracking Match: Not
> > > available
> > > .....
> > > 
> > > Clearly it thinks "Connection Tracking Match: Not available", yet I have set
> > > the kernel compile options as follows. The only missing "match" module is
> > > "TTL Match Support", but that is also missing from the example config on
> > > shorewall.net. Before I recompile, is this error caused by some other
> > > issue that I'm not seeing? I did not get this on previous kernels, which I
> > > *thought* I had configured the same.
> > 
> > At a root shell prompt, try:
> > 
> > iptables -N foobar
> > iptables -A foobar -M CONNTRACK --ctorigdst 192.168.1.1 -j ACCEPT
> > 
> F..king caps lock key...
> 
> That should have been:
> 
> iptables -A foobar -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT

Here it is:

[root@fw mibs]# iptables -N foobar
[root@fw mibs]# iptables -A foobar -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT
iptables: Invalid argument

"invalid argument" is also what I saw in my trace of 'shorewall start', but I
didn't think it was related, as it went away when I removed all the entries
in the masq file.

Here's the trace portion where it fails with the masq entries:
-------------
+ run_iptables -t nat -A eth1_masq -s 10.2.200.0/24 -d 0.0.0.0/0 -j SNAT --to-source 139.142.65.147
+ '[' -n '' ']'
+ iptables -t nat -A eth1_masq -s 10.2.200.0/24 -d 0.0.0.0/0 -j SNAT --to-source 139.142.65.147
iptables: Invalid argument

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Shawn Wright, I.T. Manager
Shawnigan Lake School
http://www.sls.bc.ca
swright@sls.bc.ca
On Tue, 2004-11-30 at 15:22 -0800, Shawn Wright wrote:
> On 30 Nov 2004 at 15:00, Tom Eastep wrote:
> 
> > On Tue, 2004-11-30 at 14:58 -0800, Tom Eastep wrote:
> > > On Tue, 2004-11-30 at 14:47 -0800, Shawn Wright wrote:
> > > > I just recompiled a plain vanilla 2.4.28 kernel, and used the Shorewall.net
> > > > kernel config as a guideline. For some reason, I get this:
> > > > 
> > > > Nov 30 12:05:34 fw shorewall: Shorewall has detected the following
> > > > iptables/netfilter capabilities:
> > > > Nov 30 12:05:34 fw shorewall: NAT: Available
> > > > Nov 30 12:05:34 fw shorewall: Packet Mangling: Available
> > > > Nov 30 12:05:34 fw shorewall: Multi-port Match: Available
> > > > Nov 30 12:05:34 fw shorewall: Connection Tracking Match: Not
> > > > available
> > > > .....
> > > > 
> > > > Clearly it thinks "Connection Tracking Match: Not available", yet I have set
> > > > the kernel compile options as follows. The only missing "match" module is
> > > > "TTL Match Support", but that is also missing from the example config on
> > > > shorewall.net. Before I recompile, is this error caused by some other
> > > > issue that I'm not seeing? I did not get this on previous kernels, which I
> > > > *thought* I had configured the same.
> > > 
> > > At a root shell prompt, try:
> > > 
> > > iptables -N foobar
> > > iptables -A foobar -M CONNTRACK --ctorigdst 192.168.1.1 -j ACCEPT
> > > 
> > F..king caps lock key...
> > 
> > That should have been:
> > 
> > iptables -A foobar -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT
> 
> Here it is:
> 
> [root@fw mibs]# iptables -N foobar
> [root@fw mibs]# iptables -A foobar -m conntrack --ctorigdst 192.168.1.1 -j
> ACCEPT
> iptables: Invalid argument
> 
> "invalid argument" is also what I saw in my trace of 'shorewall start', but I
> didn't think it was related, as it went away when I removed all the entries
> in the masq file.
> 
> Here's the trace portion where it fails with the masq entries:
> -------------
> + run_iptables -t nat -A eth1_masq -s 10.2.200.0/24 -d 0.0.0.0/0 -j SNAT --to-source 139.142.65.147
> + '[' -n '' ']'
> + iptables -t nat -A eth1_masq -s 10.2.200.0/24 -d 0.0.0.0/0 -j SNAT --to-source 139.142.65.147
> iptables: Invalid argument

Your iptables is incompatible with your new kernel. You must rebuild
iptables against the 2.4.28 kernel tree.

Please see Shorewall FAQ #27a.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
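Tom's probe, turned into a small script so the check can be repeated after rebuilding iptables. This is an example added to the thread, not Shorewall's own capability-detection code. It assumes iptables is on PATH (override with IPTABLES=...), that it runs as root, and that the scratch chain name "foobar_probe" is unused; 192.168.1.1 is the address from Tom's command and 192.0.2.1 is a constructed placeholder. It goes slightly beyond the thread by probing the SNAT target that failed in Shawn's masq trace through the same helper, and it removes the scratch chain afterwards so the probe leaves no rule behind. The point of the check: a syntactically valid rule that is refused with "Invalid argument" does not mean the kernel lacks the feature; as Tom diagnoses, it is what a userspace iptables built against a different kernel's headers looks like, and the cure is rebuilding iptables against the running kernel tree, not reconfiguring the kernel.

```shell
#!/bin/sh
# Probe whether the iptables binary and the running kernel agree on a
# match or target, the way the thread's manual "iptables -N foobar" test
# does: create a scratch chain, try one rule in it, then clean it up.
# Example added for this thread; not Shorewall's code. Assumes root and
# that the scratch chain name below is free (both are assumptions).

IPTABLES="${IPTABLES:-iptables}"
CHAIN="${CHAIN:-foobar_probe}"

# probe TABLE RULE...: append RULE to a scratch chain in TABLE and print
# "Available" or "Not available". Any failure (module not built, module
# not loadable, or the userspace/kernel mismatch behind "Invalid argument")
# is reported as "Not available"; read iptables' own stderr to tell which.
probe() {
    table=$1
    shift
    if ! "$IPTABLES" -t "$table" -N "$CHAIN" 2>/dev/null; then
        # cannot even create a chain: iptables missing, not root, or table absent
        echo "Not available"
        return 0
    fi
    if "$IPTABLES" -t "$table" -A "$CHAIN" "$@" 2>/dev/null; then
        result="Available"
    else
        result="Not available"
    fi
    # always remove the scratch chain so no stray rule survives the probe
    "$IPTABLES" -t "$table" -F "$CHAIN" 2>/dev/null
    "$IPTABLES" -t "$table" -X "$CHAIN" 2>/dev/null
    echo "$result"
}

# The conntrack match from Tom's message (192.168.1.1 is his example address).
probe_conntrack_match() {
    probe filter -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT
}

# The SNAT target that Shawn's masq trace tripped over (192.0.2.1 is a
# constructed placeholder from the documentation range, not a real host).
probe_snat_target() {
    probe nat -j SNAT --to-source 192.0.2.1
}

# Usage: sh probe.sh --run   (as root)
case "${1:-}" in
    --run)
        echo "Connection Tracking Match: $(probe_conntrack_match)"
        echo "SNAT target: $(probe_snat_target)"
        ;;
esac
```

If both probes print "Not available" on a kernel whose .config has the matching CONFIG_IP_NF_* options set (as Shawn's does), the iptables binary is the suspect, not the kernel; after rebuilding, rerun the script and confirm the installed binary is the rebuilt one, since Shawn notes later in the thread that `make install` did not replace the copies in /sbin and /lib/iptables on his system.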
On 30 Nov 2004 at 15:28, Tom Eastep wrote:

> > > > > Clearly it thinks "Connection Tracking Match: Not available", yet I have set
> > > > > the kernel compile options as follows. The only missing "match" module is
> > > > > "TTL Match Support", but that is also missing from the example config on
> > > > > shorewall.net. Before I recompile, is this error caused by some other
> > > > > issue that I'm not seeing? I did not get this on previous kernels, which I
> > > > > *thought* I had configured the same.
> > > > 
> > > > At a root shell prompt, try:
> > > > 
> > > > iptables -N foobar
> > > > iptables -A foobar -M CONNTRACK --ctorigdst 192.168.1.1 -j ACCEPT
> > > > 
> > > F..king caps lock key...
> > > 
> > > That should have been:
> > > 
> > > iptables -A foobar -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT
> > 
> > Here it is:
> > 
> > [root@fw mibs]# iptables -N foobar
> > [root@fw mibs]# iptables -A foobar -m conntrack --ctorigdst 192.168.1.1 -j
> > ACCEPT
> > iptables: Invalid argument
> > 
> > "invalid argument" is also what I saw in my trace of 'shorewall start', but I
> > didn't think it was related, as it went away when I removed all the entries
> > in the masq file.
> > 
> > Here's the trace portion where it fails with the masq entries:
> > -------------
> > + run_iptables -t nat -A eth1_masq -s 10.2.200.0/24 -d 0.0.0.0/0 -j SNAT --to-source 139.142.65.147
> > + '[' -n '' ']'
> > + iptables -t nat -A eth1_masq -s 10.2.200.0/24 -d 0.0.0.0/0 -j SNAT --to-source 139.142.65.147
> > iptables: Invalid argument
> 
> Your iptables is incompatible with your new kernel. You must rebuild
> iptables against the 2.4.28 kernel tree.
> 
> Please see Shorewall FAQ #27a.
> 

That did it. Thanks, Tom.

ps: just a warning to others - 'make install' does not copy the iptables
files to /sbin and /lib/iptables, at least on Mandrake 9.2. You may need
to do this by hand, or make symlinks.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Shawn Wright, I.T. Manager
Shawnigan Lake School
http://www.sls.bc.ca
swright@sls.bc.ca