gravity paul # /etc/init.d/shorewall start
* Starting firewall ...
WARNING: NAT disabled; masq rule ignored
iptables: No chain/target/match by that name
ERROR: Command "/sbin/iptables -A FORWARD -m state --state
ESTABLISHED,RELATED -j ACCEPT" Failed
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
/sbin/shorewall: line 375: 9373 Terminated ${VARDIR}/.start
$debugging start [ !! ]
gravity linux # lsmod
Module Size Used by
xt_tcpmss 1920 0
xt_tcpudp 2816 0
xt_pkttype 1664 0
iptable_raw 1920 0
xt_CLASSIFY 1664 0
xt_MARK 2048 0
xt_comment 1664 0
xt_length 1792 0
xt_policy 3200 0
xt_multiport 2816 0
iptable_mangle 2176 0
ipt_ULOG 6148 0
ipt_TTL 1920 0
ipt_ttl 1664 0
ipt_TOS 1792 0
ipt_tos 1408 0
ipt_REJECT 3200 0
ipt_recent 7064 0
ipt_owner 1792 0
ipt_LOG 5248 0
ipt_iprange 1664 0
ipt_ECN 2432 0
ipt_ecn 1920 0
ipt_ah 1664 0
ipt_addrtype 1664 0
iptable_filter 2304 1
ip_tables 9032 3 iptable_raw,iptable_mangle,iptable_filter
x_tables 10244 24
xt_tcpmss,xt_tcpudp,xt_pkttype,xt_CLASSIFY,xt_MARK,xt_comment,xt_length,xt_policy,xt_multiport,ipt_ULOG,ipt_TTL,ipt_ttl,ipt_TOS,ipt_tos,ipt_REJECT,ipt_recent,ipt_owner,ipt_LOG,ipt_iprange,ipt_ECN,ipt_ecn,ipt_ah,ipt_addrtype,ip_tables
i915 19840 2
michael_mic 2304 6
ieee80211_crypt_tkip 8960 3
8139cp 16256 0
pcmcia 32936 0
8139too 19072 0
ipw2100 58800 0
yenta_socket 21132 2
rsrc_nonstatic 9728 1 yenta_socket
pcmcia_core 31508 3 pcmcia,yenta_socket,rsrc_nonstatic
gravity linux #
and this is the kernel config
gravity linux # cat .config |grep -i IP_NF
CONFIG_IP_NF_QUEUE=y
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_MATCH_IPRANGE=m
CONFIG_IP_NF_MATCH_TOS=m
CONFIG_IP_NF_MATCH_RECENT=m
CONFIG_IP_NF_MATCH_ECN=m
CONFIG_IP_NF_MATCH_AH=m
CONFIG_IP_NF_MATCH_TTL=m
CONFIG_IP_NF_MATCH_OWNER=m
CONFIG_IP_NF_MATCH_ADDRTYPE=m
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_TARGET_REJECT=m
CONFIG_IP_NF_TARGET_LOG=m
CONFIG_IP_NF_TARGET_ULOG=m
CONFIG_IP_NF_MANGLE=m
CONFIG_IP_NF_TARGET_TOS=m
CONFIG_IP_NF_TARGET_ECN=m
CONFIG_IP_NF_TARGET_TTL=m
CONFIG_IP_NF_RAW=m
CONFIG_IP_NF_ARPTABLES=m
CONFIG_IP_NF_ARPFILTER=m
CONFIG_IP_NF_ARP_MANGLE=m
gravity linux # grep ^[A-Za-z] /etc/shorewall/policy
loc net ACCEPT
loc $FW REJECT info
loc all REJECT info
net $FW DROP info
net loc DROP info
net all DROP info
all all REJECT info
gravity linux # grep ^[A-Za-z] /etc/shorewall/rules
DNS/ACCEPT $FW net
SSH/ACCEPT loc $FW
Ping/ACCEPT loc $FW
Ping/REJECT net $FW
ACCEPT $FW loc icmp
ACCEPT $FW net icmp
gravity linux # grep ^[A-Za-z] /etc/shorewall/interfaces
net eth1 detect
dhcp,tcpflags,routefilter,nosmurfs,logmartians
loc eth0 detect tcpflags,detectnets,nosmurfs
gravity linux # grep ^[A-Za-z] /etc/shorewall/zones
fw firewall
net ipv4
loc ipv4
gravity linux #
so is it a shorewall config problem or is it somewhere else ?
paul cooper wrote:
> so is it a shorewall config problem or is it somewhere else ?

Looks like you haven't configured either connection tracking or state matching in your kernel. You need both.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2005.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
thanks - ive recompiled my kernel ( gentoo) and added the things I think I
need
and have
gravity paul # lsmod
Module Size Used by
xt_state 2048 0
xt_tcpmss 1920 0
xt_tcpudp 2816 0
xt_pkttype 1664 0
iptable_raw 1920 0
xt_CLASSIFY 1664 0
xt_CONNMARK 2304 0
xt_MARK 2048 0
xt_comment 1664 0
xt_length 1792 0
xt_connmark 1920 0
xt_policy 3200 0
xt_multiport 2816 0
xt_conntrack 2304 0
nf_conntrack 45912 4 xt_state,xt_CONNMARK,xt_connmark,xt_conntrack
iptable_mangle 2176 0
ipt_ULOG 6148 0
ipt_TTL 1920 0
ipt_ttl 1664 0
ipt_TOS 1792 0
ipt_tos 1408 0
ipt_REJECT 3328 0
ipt_recent 7064 0
ipt_owner 1792 0
ipt_LOG 5248 0
ipt_iprange 1664 0
ipt_ECN 2432 0
ipt_ecn 1920 0
ipt_ah 1664 0
ipt_addrtype 1664 0
iptable_filter 2304 1
ip_tables 9032 3 iptable_raw,iptable_mangle,iptable_filter
x_tables 10244 28
xt_state,xt_tcpmss,xt_tcpudp,xt_pkttype,xt_CLASSIFY,xt_CONNMARK,xt_MARK,xt_comment,xt_length,xt_connmark,xt_policy,xt_multiport,xt_conntrack,ipt_ULOG,ipt_TTL,ipt_ttl,ipt_TOS,ipt_tos,ipt_REJECT,ipt_recent,ipt_owner,ipt_LOG,ipt_iprange,ipt_ECN,ipt_ecn,ipt_ah,ipt_addrtype,ip_tables
i915 19840 2
michael_mic 2304 6
ieee80211_crypt_tkip 8960 3
pcmcia 32936 0
yenta_socket 21132 2
rsrc_nonstatic 9728 1 yenta_socket
pcmcia_core 31508 3 pcmcia,yenta_socket,rsrc_nonstatic
ipw2100 58800 0
8139cp 16256 0
8139too 19072 0
gravity paul #
gravity paul # cat /usr/src/linux/.config |grep -i conn
CONFIG_NF_CONNTRACK_ENABLED=m
CONFIG_NF_CONNTRACK=m
CONFIG_NF_CONNTRACK_MARK=y
CONFIG_NF_CONNTRACK_EVENTS=y
CONFIG_NF_CONNTRACK_AMANDA=m
CONFIG_NF_CONNTRACK_FTP=m
CONFIG_NF_CONNTRACK_H323=m
CONFIG_NF_CONNTRACK_IRC=m
CONFIG_NF_CONNTRACK_NETBIOS_NS=m
CONFIG_NF_CONNTRACK_PPTP=m
CONFIG_NF_CONNTRACK_SANE=m
CONFIG_NF_CONNTRACK_SIP=m
CONFIG_NF_CONNTRACK_TFTP=m
CONFIG_NETFILTER_XT_TARGET_CONNMARK=m
CONFIG_NETFILTER_XT_MATCH_CONNBYTES=m
CONFIG_NETFILTER_XT_MATCH_CONNMARK=m
CONFIG_NETFILTER_XT_MATCH_CONNTRACK=m
# CONFIG_NF_CONNTRACK_IPV4 is not set
# Connector - unified userspace <-> kernelspace linker
# CONFIG_CONNECTOR is not set
gravity paul # cat /usr/src/linux/.config |grep -i match
CONFIG_NETFILTER_XT_MATCH_COMMENT=m
CONFIG_NETFILTER_XT_MATCH_CONNBYTES=m
CONFIG_NETFILTER_XT_MATCH_CONNMARK=m
CONFIG_NETFILTER_XT_MATCH_CONNTRACK=m
CONFIG_NETFILTER_XT_MATCH_DCCP=m
# CONFIG_NETFILTER_XT_MATCH_DSCP is not set
CONFIG_NETFILTER_XT_MATCH_ESP=m
# CONFIG_NETFILTER_XT_MATCH_HELPER is not set
CONFIG_NETFILTER_XT_MATCH_LENGTH=m
CONFIG_NETFILTER_XT_MATCH_LIMIT=m
CONFIG_NETFILTER_XT_MATCH_MAC=m
CONFIG_NETFILTER_XT_MATCH_MARK=m
CONFIG_NETFILTER_XT_MATCH_POLICY=m
CONFIG_NETFILTER_XT_MATCH_MULTIPORT=m
# CONFIG_NETFILTER_XT_MATCH_PHYSDEV is not set
CONFIG_NETFILTER_XT_MATCH_PKTTYPE=m
CONFIG_NETFILTER_XT_MATCH_QUOTA=m
CONFIG_NETFILTER_XT_MATCH_REALM=m
CONFIG_NETFILTER_XT_MATCH_SCTP=m
CONFIG_NETFILTER_XT_MATCH_STATE=m
CONFIG_NETFILTER_XT_MATCH_STATISTIC=m
CONFIG_NETFILTER_XT_MATCH_STRING=m
CONFIG_NETFILTER_XT_MATCH_TCPMSS=m
# CONFIG_NETFILTER_XT_MATCH_HASHLIMIT is not set
CONFIG_IP_NF_MATCH_IPRANGE=m
CONFIG_IP_NF_MATCH_TOS=m
CONFIG_IP_NF_MATCH_RECENT=m
CONFIG_IP_NF_MATCH_ECN=m
CONFIG_IP_NF_MATCH_AH=m
CONFIG_IP_NF_MATCH_TTL=m
CONFIG_IP_NF_MATCH_OWNER=m
CONFIG_IP_NF_MATCH_ADDRTYPE=m
# CONFIG_NET_EMATCH is not set
gravity paul #
gravity paul # /etc/init.d/shorewall start
* Starting firewall ...
WARNING: NAT disabled; masq rule ignored
iptables: Invalid argument
ERROR: Command "/sbin/iptables -A FORWARD -m state --state
ESTABLISHED,RELATED -j ACCEPT" Failed
iptables: Invalid argument
iptables: Invalid argument
/sbin/shorewall: line 375: 9377 Terminated ${VARDIR}/.start
$debugging start [ !! ]
gravity paul #
paul cooper wrote:
> thanks - ive recompiled my kernel ( gentoo) and added the things I think I
> need

People who compile their own kernels get to figure out what is needed by themselves. http://www.shorewall.net/kernel.htm may be of some help, but given that the Netfilter team love to add/remove/rename options/modules in every release, no documentation on this subject can claim to ever be up to date.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2005.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
Tom Eastep wrote:
> paul cooper wrote:
>> thanks - ive recompiled my kernel ( gentoo) and added the things I think I
>> need
>
> People who compile their own kernels get to figure out what is needed by
> themselves. http://www.shorewall.net/kernel.htm may be of some help but
> given that the Netfilter team love to add/remove/rename options/modules in
> every release, no documentation on this subject can claim to ever be up to date.

Incidentally, the issue of Netfilter kernel configuration complexity is one that Linus is personally concerned about. The Netfilter team are currently wrestling with ways to group common options to make configuration more straightforward in typical cases.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2005.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
paul cooper wrote:
> iptables: Invalid argument
> ERROR: Command "/sbin/iptables -A FORWARD -m state --state

'Invalid argument' often indicates that you need to recompile your iptables against your current kernel source. It is also worth checking the `.config` output you posted, which shows `# CONFIG_NF_CONNTRACK_IPV4 is not set`: the generic `nf_conntrack` module is loaded, but the `state` match on IPv4 traffic cannot work until IPv4 connection tracking is enabled too.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2005.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/