Hello, I'm a brand new Linux user, and I've been struggling to get shorewall to work with port knocking. The problem is, shorewall doesn't seem to recognize the ipt_recent module (or any netfilter module, for that matter...). I'm running a new install of Ubuntu 7.10, which was installed from the live alternate installation CD. I'm running shorewall version 3.4.4.

When I type: shorewall show capabilities, nothing is available. The output is part of shorewall dump, so I won't print it redundantly, but the relevant line is:

    Shorewall has detected the following iptables/netfilter capabilities:
    ...
    Recent Match: Not available
    ...

(all of the modules are "Not available")

Now, I'm pretty sure that iptables has these modules installed. Concentrating for a moment on ipt_recent (for port knocking), if I type: lsmod | grep ipt_recent, I get:

    ipt_recent             10392  0
    x_tables               16260  44 xt_comment,xt_policy,xt_multiport,ipt_ULOG,ipt_TTL,ipt_ttl,ipt_TOS,ipt_tos,ipt_SAME,ipt_REJECT,ipt_REDIRECT,ipt_recent,ipt_owner,ipt_NETMAP,ipt_MASQUERADE,ipt_LOG,ipt_iprange,ipt_ECN,ipt_ecn,ipt_CLUSTERIP,ipt_ah,ipt_addrtype,xt_tcpmss,xt_pkttype,xt_physdev,xt_NFQUEUE,xt_NFLOG,xt_MARK,xt_mark,xt_mac,xt_limit,xt_length,xt_helper,xt_hashlimit,ip6_tables,xt_dccp,xt_conntrack,xt_CONNMARK,xt_connmark,xt_CLASSIFY,xt_tcpudp,xt_state,iptable_nat,ip_tables

So I think it's there. Also, the relevant modules are listed in /usr/share/shorewall/modules (I haven't modified it from the initial install). It just seems that, for whatever reason, shorewall doesn't recognize that it's there, and won't use it (or any other of the netfilter modules, I guess). Shorewall seems to start just fine, so I think it's working otherwise. Do I need to modify /etc/shorewall/shorewall.conf to put the path there explicitly?
If I try locate ipt_recent, I get:

    /lib/iptables/libipt_recent.so
    /lib/modules/2.6.22-14-generic/kernel/net/ipv4/netfilter/ipt_recent.ko
    /usr/src/linux-headers-2.6.22-14/include/linux/netfilter_ipv4/ipt_recent.h

From reading the documentation pages, it SEEMS that the default for Modulesdir in shorewall.conf should be able to find this, but I explicitly tried putting in /usr/srx/linux-header.../ipv4/netfilter in /etc/shorewall/shorewall.conf. Obviously that didn't work either :)

I've been struggling with this for several days now, and have scoured google, this mailgroup's archive, ubuntu.com docs, etc... with little luck. Even the ubuntu irc channel didn't come up with much. Help! (Oh, and thanks in advance for any help :). Below, I'm including the results of ip route show, ip addr show, and shorewall dump.

Thanks again,
Henry

Here are the results of ip route show:

    192.168.11.0/24 dev eth0  proto kernel  scope link  src 192.168.11.7
    169.254.0.0/16 dev eth0  scope link  metric 1000
    default via 192.168.11.1 dev eth0

Here are the results of ip addr show:

    1: lo: <LOOPBACK,UP,10000> mtu 16436 qdisc noqueue
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
        inet 127.0.0.1/8 scope host lo
        inet6 ::1/128 scope host
           valid_lft forever preferred_lft forever
    2: eth0: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc pfifo_fast qlen 100
        link/ether 00:1a:a0:9e:23:5b brd ff:ff:ff:ff:ff:ff
        inet 192.168.11.7/24 brd 192.168.11.255 scope global eth0
        inet6 fe80::21a:a0ff:fe9e:235b/64 scope link
           valid_lft forever preferred_lft forever

Here are the results of shorewall dump. Again, note how all of the netfilter modules are listed in Modules, but then do not show up as available at the end.
    Shorewall 3.4.4 Dump at mediacenter - Mon Dec 17 15:46:23 EST 2007

    /sbin/shorewall: 177: -L: not found

    Log (/var/log/messages)

    NAT Table

    /sbin/shorewall: 177: -t: not found

    Mangle Table

    /sbin/shorewall: 177: -t: not found

    Conntrack Table

    cat: /proc/net/ip_conntrack: Permission denied
    cat: /proc/net/nf_conntrack: Permission denied

    IP Configuration

    1: lo: <LOOPBACK,UP,10000> mtu 16436 qdisc noqueue
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
        inet 127.0.0.1/8 scope host lo
        inet6 ::1/128 scope host
           valid_lft forever preferred_lft forever
    2: eth0: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc pfifo_fast qlen 100
        link/ether 00:1a:a0:9e:23:5b brd ff:ff:ff:ff:ff:ff
        inet 192.168.11.7/24 brd 192.168.11.255 scope global eth0
        inet6 fe80::21a:a0ff:fe9e:235b/64 scope link
           valid_lft forever preferred_lft forever

    IP Stats

    1: lo: <LOOPBACK,UP,10000> mtu 16436 qdisc noqueue
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
        RX: bytes  packets  errors  dropped overrun mcast
        273792     2881     0       0       0       0
        TX: bytes  packets  errors  dropped carrier collsns
        273792     2881     0       0       0       0
    2: eth0: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc pfifo_fast qlen 100
        link/ether 00:1a:a0:9e:23:5b brd ff:ff:ff:ff:ff:ff
        RX: bytes  packets  errors  dropped overrun mcast
        993887977  202168156 0      0       0       544
        TX: bytes  packets  errors  dropped carrier collsns
        680215088  107315677 0      0       0       0

    /proc

    /proc/version = Linux version 2.6.22-14-generic (buildd@palmer) (gcc version 4.1.3 20070929 (prerelease) (Ubuntu 4.1.2-16ubuntu2)) #1 SMP Sun Oct 14 23:05:12 GMT 2007
    /proc/sys/net/ipv4/ip_forward = 1
    /proc/sys/net/ipv4/icmp_echo_ignore_all = 0
    /proc/sys/net/ipv4/conf/all/proxy_arp = 0
    /proc/sys/net/ipv4/conf/all/arp_filter = 0
    /proc/sys/net/ipv4/conf/all/arp_ignore = 0
    /proc/sys/net/ipv4/conf/all/rp_filter = 1
    /proc/sys/net/ipv4/conf/all/log_martians = 0
    /proc/sys/net/ipv4/conf/default/proxy_arp = 0
    /proc/sys/net/ipv4/conf/default/arp_filter = 0
    /proc/sys/net/ipv4/conf/default/arp_ignore = 0
    /proc/sys/net/ipv4/conf/default/rp_filter = 1
    /proc/sys/net/ipv4/conf/default/log_martians = 0
    /proc/sys/net/ipv4/conf/eth0/proxy_arp = 0
    /proc/sys/net/ipv4/conf/eth0/arp_filter = 0
    /proc/sys/net/ipv4/conf/eth0/arp_ignore = 0
    /proc/sys/net/ipv4/conf/eth0/rp_filter = 0
    /proc/sys/net/ipv4/conf/eth0/log_martians = 1
    /proc/sys/net/ipv4/conf/lo/proxy_arp = 0
    /proc/sys/net/ipv4/conf/lo/arp_filter = 0
    /proc/sys/net/ipv4/conf/lo/arp_ignore = 0
    /proc/sys/net/ipv4/conf/lo/rp_filter = 1
    /proc/sys/net/ipv4/conf/lo/log_martians = 0

    Routing Rules

    0:      from all lookup local
    32766:  from all lookup main
    32767:  from all lookup default

    Table default:

    Table local:

    broadcast 127.255.255.255 dev lo  proto kernel  scope link  src 127.0.0.1
    broadcast 192.168.11.0 dev eth0  proto kernel  scope link  src 192.168.11.7
    local 192.168.11.7 dev eth0  proto kernel  scope host  src 192.168.11.7
    broadcast 192.168.11.255 dev eth0  proto kernel  scope link  src 192.168.11.7
    broadcast 127.0.0.0 dev lo  proto kernel  scope link  src 127.0.0.1
    local 127.0.0.1 dev lo  proto kernel  scope host  src 127.0.0.1
    local 127.0.0.0/8 dev lo  proto kernel  scope host  src 127.0.0.1

    Table main:

    192.168.11.0/24 dev eth0  proto kernel  scope link  src 192.168.11.7
    169.254.0.0/16 dev eth0  scope link  metric 1000
    default via 192.168.11.1 dev eth0

    ARP

    ? (192.168.11.3) at 00:13:72:C1:A9:9F [ether] on eth0

    Modules

    iptable_filter          3968  1
    iptable_mangle          3840  1
    iptable_nat             8708  0
    iptable_raw             3328  0
    ip_tables              13924  4 iptable_raw,iptable_nat,iptable_mangle,iptable_filter
    ipt_addrtype            2816  0
    ipt_ah                  2944  0
    ipt_CLUSTERIP           9988  0
    ipt_ecn                 3200  0
    ipt_ECN                 3968  0
    ipt_iprange             2816  0
    ipt_LOG                 7552  12
    ipt_MASQUERADE          4608  0
    ipt_NETMAP              2944  0
    ipt_owner               2944  0
    ipt_recent             10392  0
    ipt_REDIRECT            2944  0
    ipt_REJECT              5760  4
    ipt_SAME                3328  0
    ipt_tos                 2560  0
    ipt_TOS                 3200  0
    ipt_ttl                 2816  0
    ipt_TTL                 3328  0
    ipt_ULOG                9988  0
    nf_conntrack           65288  29 ipt_MASQUERADE,ipt_CLUSTERIP,nf_nat_tftp,nf_nat_snmp_basic,nf_nat_sip,nf_nat_pptp,nf_nat_irc,nf_nat_h323,nf_nat_ftp,nf_nat_amanda,nf_conntrack_amanda,nf_conntrack_tftp,nf_conntrack_sip,nf_conntrack_proto_sctp,nf_conntrack_pptp,nf_conntrack_proto_gre,nf_conntrack_netlink,nf_conntrack_netbios_ns,nf_conntrack_irc,nf_conntrack_h323,nf_conntrack_ftp,xt_helper,xt_conntrack,xt_CONNMARK,xt_connmark,xt_state,iptable_nat,nf_nat,nf_conntrack_ipv4
    nf_conntrack_amanda     6016  1 nf_nat_amanda
    nf_conntrack_ftp       11136  1 nf_nat_ftp
    nf_conntrack_h323      51804  1 nf_nat_h323
    nf_conntrack_ipv4      19724  11 iptable_nat
    nf_conntrack_irc        8088  1 nf_nat_irc
    nf_conntrack_netbios_ns 3968  0
    nf_conntrack_netlink   27648  0
    nf_conntrack_pptp       8064  1 nf_nat_pptp
    nf_conntrack_proto_gre  6912  1 nf_conntrack_pptp
    nf_conntrack_proto_sctp 9736  0
    nf_conntrack_sip       10900  1 nf_nat_sip
    nf_conntrack_tftp       6676  1 nf_nat_tftp
    nf_nat                 20140  14 ipt_SAME,ipt_REDIRECT,ipt_NETMAP,ipt_MASQUERADE,nf_nat_tftp,nf_nat_sip,nf_nat_pptp,nf_nat_proto_gre,nf_nat_irc,nf_nat_h323,nf_nat_ftp,nf_nat_amanda,nf_conntrack_netlink,iptable_nat
    nf_nat_amanda           3328  0
    nf_nat_ftp              4352  0
    nf_nat_h323             8704  0
    nf_nat_irc              3712  0
    nf_nat_pptp             4736  0
    nf_nat_proto_gre        3844  1 nf_nat_pptp
    nf_nat_sip              5760  0
    nf_nat_snmp_basic      11268  0
    nf_nat_tftp             2816  0
    xt_CLASSIFY             2816  0
    xt_comment              2816  0
    xt_connmark             3200  0
    xt_CONNMARK             4096  0
    xt_conntrack            3840  0
    xt_dccp                 4484  0
    xt_hashlimit           11276  0
    xt_helper               3712  0
    xt_length               2816  0
    xt_limit                3584  0
    xt_mac                  2816  0
    xt_mark                 2816  0
    xt_MARK                 3328  0
    xt_multiport            4224  8
    xt_NFLOG                3072  0
    xt_NFQUEUE              2944  0
    xt_physdev              3600  0
    xt_pkttype              2816  4
    xt_policy               4736  0
    xt_state                3456  9
    xt_tcpmss               3200  0
    xt_tcpudp               4224  27

    Shorewall has detected the following iptables/netfilter capabilities:
       NAT: Not available
       Packet Mangling: Not available
       Multi-port Match: Not available
       Connection Tracking Match: Not available
       Packet Type Match: Not available
       Policy Match: Not available
       Physdev Match: Not available
       Packet length Match: Not available
       IP range Match: Not available
       Recent Match: Not available
       Owner Match: Not available
       Ipset Match: Not available
       CONNMARK Target: Not available
       Connmark Match: Not available
       Raw Table: Not available
       IPP2P Match: Not available
       CLASSIFY Target: Not available
       Extended REJECT: Not available
       Repeat match: Not available
       MARK Target: Not available
       Mangle FORWARD Chain: Not available
       Comments: Not available
       Address Type Match: Not available
       TCPMSS Match: Not available

    Traffic Control

    Device eth0:
    qdisc pfifo_fast 0: root bands 3 priomap  1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1
     Sent 12559902207 bytes 107315883 pkt (dropped 0, overlimits 0 requeues 0)
     rate 0bit 0pps backlog 0b 0p requeues 0

    TC Filters

    Device eth0:

_________________________________________________________________
i'm is proud to present Cause Effect, a series about real people making a difference. http://im.live.com/Messenger/IM/MTV/?source=text_Cause_Effect
-------------------------------------------------------------------------
SF.Net email is sponsored by: Check out the new SourceForge.net Marketplace. It's the best place to buy or sell services for just about anything Open Source. http://ad.doubleclick.net/clk;164216239;13503038;w?http://sf.net/marketplace
Henry Lee wrote:

> When I type: shorewall show capabilities, nothing is available. The
> output is part of shorewall dump, so I won't print it redundantly, but
> the relevant line is:
>
> Shorewall has detected the following iptables/netfilter capabilities:
> ...
> Recent Match: Not available
> ... (all of the modules are "Not available")

Looks like you are not running as root.

> Now, I'm pretty sure that iptables has these modules installed.
> Concentrating for a moment on ipt_recent (for port knocking), if I type:
> lsmod | grep ipt_recent, I get:
>
> ipt_recent 10392 0
> x_tables 16260 44
> xt_comment,xt_policy,xt_multiport,ipt_ULOG,ipt_TTL,ipt_ttl,ipt_TOS,ipt_tos,ipt_SAME,ipt_REJECT,ipt_REDIRECT,ipt_recent,ipt_owner,ipt_NETMAP,ipt_MASQUERADE,ipt_LOG,ipt_iprange,ipt_ECN,ipt_ecn,ipt_CLUSTERIP,ipt_ah,ipt_addrtype,xt_tcpmss,xt_pkttype,xt_physdev,xt_NFQUEUE,xt_NFLOG,xt_MARK,xt_mark,xt_mac,xt_limit,xt_length,xt_helper,xt_hashlimit,ip6_tables,xt_dccp,xt_conntrack,xt_CONNMARK,xt_connmark,xt_CLASSIFY,xt_tcpudp,xt_state,iptable_nat,ip_tables
>
> So I think it's there. Also, the relevant modules are listed in
> /usr/share/shorewall/modules (I haven't modified it from the initial
> install). It just seems that, for whatever reason, shorewall doesn't
> recognize that it's there, and won't use it (or any other of the
> netfilter modules, I guess). Shorewall seems to start just fine, so I
> think it's working otherwise. Do I need to modify
> /etc/shorewall/shorewall.conf to put the path there explicitly?
>
> If I try locate ipt_recent, I get:
>
> /lib/iptables/libipt_recent.so
> /lib/modules/2.6.22-14-generic/kernel/net/ipv4/netfilter/ipt_recent.ko
> /usr/src/linux-headers-2.6.22-14/include/linux/netfilter_ipv4/ipt_recent.h
>
> From reading the documentation pages, it SEEMS that the default for
> Modulesdir in shorewall.conf should be able to find this, but I
> explicitly tried putting in /usr/srx/linux-header.../ipv4/netfilter in
> /etc/shorewall/shorewall.conf. Obviously that didn't work either :)
>
> /sbin/shorewall: 177: -L: not found

Looks like you are not running as root.

> Log (/var/log/messages)
>
> NAT Table
>
> /sbin/shorewall: 177: -t: not found

Looks like you are not running as root.

> Mangle Table
>
> /sbin/shorewall: 177: -t: not found

Looks like you are not running as root.

> Conntrack Table
>
> cat: /proc/net/ip_conntrack: Permission denied
> cat: /proc/net/nf_conntrack: Permission denied

Looks like you are not running as root.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Henry Lee
2007-Dec-17 21:32 UTC
Re: Shorewall not recognizing iptables/netfilter modules - SOLVED
Tom,

Wow ... just, wow. Oh, and thank you. Thank you very much. sudo shorewall show capabilities now lists most of the netfilter modules as available. I've been working on this problem for the past 4-5 days or so, and I can't believe that everything was working just fine, all along. Of course, to realize it was something as basic as running as root, is a bit disconcerting, but I did mention that I was new to linux, didn't I? (2 weeks and counting) :)

Brilliant program, by the way.

Thanks again,
Henry

(extra stuff clipped)
Andrew Suffield
2007-Dec-17 22:23 UTC
Re: Shorewall not recognizing iptables/netfilter modules
On Mon, Dec 17, 2007 at 01:22:39PM -0800, Tom Eastep wrote:
> > Shorewall has detected the following iptables/netfilter capabilities:
> > ...
> > Recent Match: Not available
> > ... (all of the modules are "Not available")
>
> Looks like you are not running as root.

The error message could perhaps be improved. Unfortunately a flat error for uid != 0 would be wrong, since modern Linux systems can be more complicated than just root/not-root, but it would be sensible to generate a warning if this fails completely and the user is not root. I suggest that a suitable trap would be on this part of determine_capabilities():

    qt $IPTABLES -N fooX1234

If that fails, then the rest of the exercise is pointless anyway, and either netfilter is missing completely, iptables or the kernel is broken, or the user doesn't have access.
Andrew Suffield wrote:

> I suggest that a suitable trap would be on this part of
> determine_capabilities():
>
> qt $IPTABLES -N fooX1234
>
> If that fails, then the rest of the exercise is pointless anyway, and
> either netfilter is missing completely, iptables or the kernel is
> broken, or the user doesn't have access.

    teastep@wookie:~$ shorewall show capabilities
    iptables v1.3.6: can't initialize iptables table `filter': Permission denied (you must be root)
    Perhaps iptables or your kernel needs to be upgraded.
       ERROR: The command "/sbin/iptables -N fooX1234" failed
    teastep@wookie:~$

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
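The thread above boils down to one detection-logic point: when the initial `iptables -N fooX1234` probe fails, every later capability test fails for the same reason, so a capability report that silently lists everything as "Not available" (as Henry's did) is misleading. The script below is an added illustration of that pre-check, written for this page; it is not Shorewall's own determine_capabilities() code. It assumes an iptables binary at /sbin/iptables (overridable through the IPTABLES variable), reuses the fooX1234 probe chain name from the thread, and the per-match probe rules it appends are my own choices, not Shorewall's exact tests.

```shell
#!/bin/sh
# Added example, not Shorewall's code: fail early and explain why when the
# netfilter probe chain cannot be created, then test individual matches.
# IPTABLES and PROBE_CHAIN are assumptions; IPTABLES can be overridden
# (e.g. pointed at a stub) when exercising the logic without root.

IPTABLES="${IPTABLES:-/sbin/iptables}"
PROBE_CHAIN="${PROBE_CHAIN:-fooX1234}"

# Step 1: the "qt $IPTABLES -N fooX1234" trap from the thread. If the
# chain cannot be created, report a cause instead of a list of
# "Not available": lack of privilege when uid != 0, otherwise a missing
# or mismatched iptables/kernel. Returns 0 on success, 1 on failure.
netfilter_probe() {
    if "$IPTABLES" -N "$PROBE_CHAIN" >/dev/null 2>&1; then
        "$IPTABLES" -X "$PROBE_CHAIN" >/dev/null 2>&1   # remove the probe chain again
        return 0
    fi
    if [ "$(id -u)" -ne 0 ]; then
        echo "ERROR: \"$IPTABLES -N $PROBE_CHAIN\" failed and you are not root (uid $(id -u)); re-run with sudo" >&2
    else
        echo "ERROR: \"$IPTABLES -N $PROBE_CHAIN\" failed as root; netfilter may be missing or iptables and the kernel may be mismatched" >&2
    fi
    return 1
}

# Step 2: test one match extension by appending a rule that uses it to the
# probe chain. Usage: capability_probe LABEL MATCH-ARGS...
# Prints "LABEL: Available" or "LABEL: Not available"; returns 0 or 1.
capability_probe() {
    label=$1; shift
    if ! "$IPTABLES" -N "$PROBE_CHAIN" >/dev/null 2>&1; then
        echo "$label: Not available (probe chain could not be created)"
        return 1
    fi
    if "$IPTABLES" -A "$PROBE_CHAIN" "$@" -j RETURN >/dev/null 2>&1; then
        status=0; echo "$label: Available"
    else
        status=1; echo "$label: Not available"
    fi
    "$IPTABLES" -F "$PROBE_CHAIN" >/dev/null 2>&1   # flush and delete the probe chain
    "$IPTABLES" -X "$PROBE_CHAIN" >/dev/null 2>&1
    return $status
}

# Whole check: stop with the diagnostic if the probe fails, otherwise test a
# few of the matches named in the capabilities listing (sample probe rules).
show_capabilities() {
    netfilter_probe || return 1
    capability_probe "Recent Match"     -m recent --rcheck --name probe
    capability_probe "Multi-port Match" -p tcp -m multiport --dports 22,80
    capability_probe "Comments"         -m comment --comment probe
    return 0
}

# When run directly, perform the check against the real iptables binary;
# a failed probe prints its ERROR line and the script simply ends.
show_capabilities || :
```

Run as an unprivileged user the first line of output is the ERROR with the uid and the hint to use sudo, which is what Tom's later `shorewall show capabilities` transcript above shows in spirit; run as root on a box with the modules loaded, each probed match prints "Available".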