Shorewall users - Oct 2006 - ERROR: Command "/sbin/iptables -A Drop -p tcp -j dropNotSyn" Failed

I have a Virtuozzo virtual private server running Debian Sarge. I have
Shorewall 3.0.7 installed. I am getting the following error when I start
shorewall:
ERROR: Command "/sbin/iptables -A Drop -p tcp -j dropNotSyn" Failed

I have attached trace.gz


-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642

Kurt Krueckeberg wrote:
> I have a Virtuozzo virtual private server running Debian Sarge. I have
> Shorewall 3.0.7 installed. I am getting the following error when I start
> shorewall:
> ERROR: Command "/sbin/iptables -A Drop -p tcp -j dropNotSyn"
Failed
> 
> I have attached trace.gz
This appears to be an iptables problem (note the "iptables: Invalid
argument"
message being issued to standard error) -- there is nothing wrong with the
iptables command that is failing. Shorewall 3.0.7 has been available on Debian
since the spring and to my knowledge no one has reported any problem like this
before (most iptables problems with Debian concern an incompatibility of Debian
iptables 1.3.5 with the Debian 2.6.16 and later kernels).

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642

On Sunday 29 October 2006 18:52, Tom Eastep wrote:
> Kurt Krueckeberg wrote:
> > I have a Virtuozzo virtual private server running Debian Sarge. I have
> > Shorewall 3.0.7 installed. I am getting the following error when I
start
> > shorewall:
> > ERROR: Command "/sbin/iptables -A Drop -p tcp -j dropNotSyn"
Failed
> >
> > I have attached trace.gz
>
> This appears to be an iptables problem (note the "iptables: Invalid
> argument" message being issued to standard error) -- there is nothing
wrong
> with the iptables command that is failing. Shorewall 3.0.7 has been
> available on Debian since the spring and to my knowledge no one has
> reported any problem like this before (most iptables problems with Debian
> concern an incompatibility of Debian iptables 1.3.5 with the Debian 2.6.16
> and later kernels).
I used the source for iptables that is found on the IP set homepage on both 
Sarge and Etch and I have not seen problems other than problems caused by my 
initial configuration (as in "it was my fault"). I removed the
iptables that
came on Debian and replaced it with a dummy package.  The dummy package 
allows me to install the shorewall deb package without dependency problems.

So to the original poster: try the iptables source that is found on the IP set 
homepage.

8)

-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642

Pollywog wrote:
> I used the source for iptables that is found on the IP set homepage on both
> Sarge and Etch and I have not seen problems other than problems caused by
my
> initial configuration (as in "it was my fault"). I removed the
iptables that
> came on Debian and replaced it with a dummy package.  The dummy package 
> allows me to install the shorewall deb package without dependency problems.
> 
> So to the original poster: try the iptables source that is found on the IP
set
> homepage.
The key to correcting these sorts of iptables problems is not so much
dependent on which iptables source you use but rather that the kernel
source used to build iptables should match the kernel you are running.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642

Kurt Krueckeberg wrote:
> I have a Virtuozzo virtual private server running Debian Sarge. I have
> Shorewall 3.0.7 installed. I am getting the following error when I start
> shorewall:
> ERROR: Command "/sbin/iptables -A Drop -p tcp -j dropNotSyn"
Failed
> 
> I have attached trace.gz
the modified kernels that run into that VPSs are awfuly broken, stay
away from it if you can.





-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642

Thanks for the replies. I guess I should have mentioned that Virtuozzo only
has these iptables modules:

iptable_filter
iptable_mangle
ipt_limit
ipt_multiport
ipt_tos
ipt_TOS
ipt_REJECT
ipt_TCPMSS
ipt_tcpmss
ipt_ttl
ipt_LOG
ipt_length
ip_conntrack
ip_conntrack_ftp
ip_conntrack_irc
ipt_conntrack
ipt_state
ipt_helper
iptable_nat
ip_nat_ftp
ip_nat_irc

--kurt  

-----Original Message-----
From: shorewall-users-bounces@lists.sourceforge.net
[mailto:shorewall-users-bounces@lists.sourceforge.net] On Behalf Of Tom
Eastep
Sent: Sunday, October 29, 2006 12:53 PM
To: Shorewall Users
Subject: Re: [Shorewall-users] ERROR: Command "/sbin/iptables -A Drop -p
tcp
-j dropNotSyn" Failed

Kurt Krueckeberg wrote:
> I have a Virtuozzo virtual private server running Debian Sarge. I have 
> Shorewall 3.0.7 installed. I am getting the following error when I 
> start
> shorewall:
> ERROR: Command "/sbin/iptables -A Drop -p tcp -j dropNotSyn"
Failed
> 
> I have attached trace.gz
This appears to be an iptables problem (note the "iptables: Invalid
argument"
message being issued to standard error) -- there is nothing wrong with the
iptables command that is failing. Shorewall 3.0.7 has been available on
Debian since the spring and to my knowledge no one has reported any problem
like this before (most iptables problems with Debian concern an
incompatibility of Debian iptables 1.3.5 with the Debian 2.6.16 and later
kernels).

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642