Hello,
I'm a brand new Linux user, and I've been struggling to get
shorewall to work with port knocking. The problem is, shorewall
doesn't seem to recognize the ipt_recent module (or any netfilter
module, for that matter...).
I'm running a new install of Ubuntu 7.10, which was installed from
the live alternate installation CD. I'm running shorewall version
3.4.4.
When I type: shorewall show capabilities, nothing is available. The output is
part of shorewall dump, so I won't print it redundantly, but the
relevant line is:
Shorewall has detected the following iptables/netfilter capabilities:
...
Recent Match: Not available
... (all of the modules are "Not available")
Now, I'm pretty sure that iptables has these modules installed.
Concentrating for a moment on ipt_recent (for port knocking), if I type: lsmod |
grep ipt_recent, I get:
ipt_recent 10392 0
x_tables 16260 44
xt_comment,xt_policy,xt_multiport,ipt_ULOG,ipt_TTL,ipt_ttl,ipt_TOS,ipt_tos,ipt_SAME,ipt_REJECT,ipt_REDIRECT,ipt_recent,ipt_owner,ipt_NETMAP,ipt_MASQUERADE,ipt_LOG,ipt_iprange,ipt_ECN,ipt_ecn,ipt_CLUSTERIP,ipt_ah,ipt_addrtype,xt_tcpmss,xt_pkttype,xt_physdev,xt_NFQUEUE,xt_NFLOG,xt_MARK,xt_mark,xt_mac,xt_limit,xt_length,xt_helper,xt_hashlimit,ip6_tables,xt_dccp,xt_conntrack,xt_CONNMARK,xt_connmark,xt_CLASSIFY,xt_tcpudp,xt_state,iptable_nat,ip_tables
So I think it's there. Also, the relevant modules are listed in
/usr/share/shorewall/modules (I haven't modified it from the initial
install). It just seems that, for whatever reason, shorewall doesn't
recognize that it's there, and won't use it (or any other of
the netfilter modules, I guess). Shorewall seems to start just fine, so I think
it's working otherwise. Do I need to modify
/etc/shorewall/shorewall.conf to put the path there explicitly?
If I try locate ipt_recent, I get:
/lib/iptables/libipt_recent.so
/lib/modules/2.6.22-14-generic/kernel/net/ipv4/netfilter/ipt_recent.ko
/usr/src/linux-headers-2.6.22-14/include/linux/netfilter_ipv4/ipt_recent.h
From reading the documentation pages, it SEEMS that the default for Modulesdir
in shorewall.conf should be able to find this, but I explicitly tried putting in
/usr/srx/linux-header.../ipv4/netfilter in /etc/shorewall/shorewall.conf.
Obviously that didn't work either :)
I've been struggling with this for several days now, and have scoured
Google, this mailing list's archive, ubuntu.com docs, etc... with little
luck. Even the Ubuntu IRC channel didn't come up with much. Help!
(Oh, and thanks in advance for any help :).
Below, I'm including the results of ip route show, ip addr show, and
shorewall dump.
Thanks again,
Henry
Here are the results of ip route show:
192.168.11.0/24 dev eth0 proto kernel scope link src 192.168.11.7
169.254.0.0/16 dev eth0 scope link metric 1000
default via 192.168.11.1 dev eth0
Here are the results of ip addr show:
1: lo: <LOOPBACK,UP,10000> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc pfifo_fast qlen 100
link/ether 00:1a:a0:9e:23:5b brd ff:ff:ff:ff:ff:ff
inet 192.168.11.7/24 brd 192.168.11.255 scope global eth0
inet6 fe80::21a:a0ff:fe9e:235b/64 scope link
valid_lft forever preferred_lft forever
Here are the results of shorewall dump. Again, note how all of the netfilter
modules are listed under Modules, but then do not show up as available at the end.
Shorewall 3.4.4 Dump at mediacenter - Mon Dec 17 15:46:23 EST 2007
/sbin/shorewall: 177: -L: not found
Log (/var/log/messages)
NAT Table
/sbin/shorewall: 177: -t: not found
Mangle Table
/sbin/shorewall: 177: -t: not found
Conntrack Table
cat: /proc/net/ip_conntrack: Permission denied
cat: /proc/net/nf_conntrack: Permission denied
IP Configuration
1: lo: <LOOPBACK,UP,10000> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc pfifo_fast qlen 100
link/ether 00:1a:a0:9e:23:5b brd ff:ff:ff:ff:ff:ff
inet 192.168.11.7/24 brd 192.168.11.255 scope global eth0
inet6 fe80::21a:a0ff:fe9e:235b/64 scope link
valid_lft forever preferred_lft forever
IP Stats
1: lo: <LOOPBACK,UP,10000> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
RX: bytes packets errors dropped overrun mcast
273792 2881 0 0 0 0
TX: bytes packets errors dropped carrier collsns
273792 2881 0 0 0 0
2: eth0: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc pfifo_fast qlen 100
link/ether 00:1a:a0:9e:23:5b brd ff:ff:ff:ff:ff:ff
RX: bytes packets errors dropped overrun mcast
993887977 202168156 0 0 0 544
TX: bytes packets errors dropped carrier collsns
680215088 107315677 0 0 0 0
/proc
/proc/version = Linux version 2.6.22-14-generic (buildd@palmer) (gcc version
4.1.3 20070929 (prerelease) (Ubuntu 4.1.2-16ubuntu2)) #1 SMP Sun Oct 14 23:05:12
GMT 2007
/proc/sys/net/ipv4/ip_forward = 1
/proc/sys/net/ipv4/icmp_echo_ignore_all = 0
/proc/sys/net/ipv4/conf/all/proxy_arp = 0
/proc/sys/net/ipv4/conf/all/arp_filter = 0
/proc/sys/net/ipv4/conf/all/arp_ignore = 0
/proc/sys/net/ipv4/conf/all/rp_filter = 1
/proc/sys/net/ipv4/conf/all/log_martians = 0
/proc/sys/net/ipv4/conf/default/proxy_arp = 0
/proc/sys/net/ipv4/conf/default/arp_filter = 0
/proc/sys/net/ipv4/conf/default/arp_ignore = 0
/proc/sys/net/ipv4/conf/default/rp_filter = 1
/proc/sys/net/ipv4/conf/default/log_martians = 0
/proc/sys/net/ipv4/conf/eth0/proxy_arp = 0
/proc/sys/net/ipv4/conf/eth0/arp_filter = 0
/proc/sys/net/ipv4/conf/eth0/arp_ignore = 0
/proc/sys/net/ipv4/conf/eth0/rp_filter = 0
/proc/sys/net/ipv4/conf/eth0/log_martians = 1
/proc/sys/net/ipv4/conf/lo/proxy_arp = 0
/proc/sys/net/ipv4/conf/lo/arp_filter = 0
/proc/sys/net/ipv4/conf/lo/arp_ignore = 0
/proc/sys/net/ipv4/conf/lo/rp_filter = 1
/proc/sys/net/ipv4/conf/lo/log_martians = 0
Routing Rules
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
Table default:
Table local:
broadcast 127.255.255.255 dev lo proto kernel scope link src 127.0.0.1
broadcast 192.168.11.0 dev eth0 proto kernel scope link src 192.168.11.7
local 192.168.11.7 dev eth0 proto kernel scope host src 192.168.11.7
broadcast 192.168.11.255 dev eth0 proto kernel scope link src 192.168.11.7
broadcast 127.0.0.0 dev lo proto kernel scope link src 127.0.0.1
local 127.0.0.1 dev lo proto kernel scope host src 127.0.0.1
local 127.0.0.0/8 dev lo proto kernel scope host src 127.0.0.1
Table main:
192.168.11.0/24 dev eth0 proto kernel scope link src 192.168.11.7
169.254.0.0/16 dev eth0 scope link metric 1000
default via 192.168.11.1 dev eth0
ARP
? (192.168.11.3) at 00:13:72:C1:A9:9F [ether] on eth0
Modules
iptable_filter 3968 1
iptable_mangle 3840 1
iptable_nat 8708 0
iptable_raw 3328 0
ip_tables 13924 4
iptable_raw,iptable_nat,iptable_mangle,iptable_filter
ipt_addrtype 2816 0
ipt_ah 2944 0
ipt_CLUSTERIP 9988 0
ipt_ecn 3200 0
ipt_ECN 3968 0
ipt_iprange 2816 0
ipt_LOG 7552 12
ipt_MASQUERADE 4608 0
ipt_NETMAP 2944 0
ipt_owner 2944 0
ipt_recent 10392 0
ipt_REDIRECT 2944 0
ipt_REJECT 5760 4
ipt_SAME 3328 0
ipt_tos 2560 0
ipt_TOS 3200 0
ipt_ttl 2816 0
ipt_TTL 3328 0
ipt_ULOG 9988 0
nf_conntrack 65288 29
ipt_MASQUERADE,ipt_CLUSTERIP,nf_nat_tftp,nf_nat_snmp_basic,nf_nat_sip,nf_nat_pptp,nf_nat_irc,nf_nat_h323,nf_nat_ftp,nf_nat_amanda,nf_conntrack_amanda,nf_conntrack_tftp,nf_conntrack_sip,nf_conntrack_proto_sctp,nf_conntrack_pptp,nf_conntrack_proto_gre,nf_conntrack_netlink,nf_conntrack_netbios_ns,nf_conntrack_irc,nf_conntrack_h323,nf_conntrack_ftp,xt_helper,xt_conntrack,xt_CONNMARK,xt_connmark,xt_state,iptable_nat,nf_nat,nf_conntrack_ipv4
nf_conntrack_amanda 6016 1 nf_nat_amanda
nf_conntrack_ftp 11136 1 nf_nat_ftp
nf_conntrack_h323 51804 1 nf_nat_h323
nf_conntrack_ipv4 19724 11 iptable_nat
nf_conntrack_irc 8088 1 nf_nat_irc
nf_conntrack_netbios_ns 3968 0
nf_conntrack_netlink 27648 0
nf_conntrack_pptp 8064 1 nf_nat_pptp
nf_conntrack_proto_gre 6912 1 nf_conntrack_pptp
nf_conntrack_proto_sctp 9736 0
nf_conntrack_sip 10900 1 nf_nat_sip
nf_conntrack_tftp 6676 1 nf_nat_tftp
nf_nat 20140 14
ipt_SAME,ipt_REDIRECT,ipt_NETMAP,ipt_MASQUERADE,nf_nat_tftp,nf_nat_sip,nf_nat_pptp,nf_nat_proto_gre,nf_nat_irc,nf_nat_h323,nf_nat_ftp,nf_nat_amanda,nf_conntrack_netlink,iptable_nat
nf_nat_amanda 3328 0
nf_nat_ftp 4352 0
nf_nat_h323 8704 0
nf_nat_irc 3712 0
nf_nat_pptp 4736 0
nf_nat_proto_gre 3844 1 nf_nat_pptp
nf_nat_sip 5760 0
nf_nat_snmp_basic 11268 0
nf_nat_tftp 2816 0
xt_CLASSIFY 2816 0
xt_comment 2816 0
xt_connmark 3200 0
xt_CONNMARK 4096 0
xt_conntrack 3840 0
xt_dccp 4484 0
xt_hashlimit 11276 0
xt_helper 3712 0
xt_length 2816 0
xt_limit 3584 0
xt_mac 2816 0
xt_mark 2816 0
xt_MARK 3328 0
xt_multiport 4224 8
xt_NFLOG 3072 0
xt_NFQUEUE 2944 0
xt_physdev 3600 0
xt_pkttype 2816 4
xt_policy 4736 0
xt_state 3456 9
xt_tcpmss 3200 0
xt_tcpudp 4224 27
Shorewall has detected the following iptables/netfilter capabilities:
NAT: Not available
Packet Mangling: Not available
Multi-port Match: Not available
Connection Tracking Match: Not available
Packet Type Match: Not available
Policy Match: Not available
Physdev Match: Not available
Packet length Match: Not available
IP range Match: Not available
Recent Match: Not available
Owner Match: Not available
Ipset Match: Not available
CONNMARK Target: Not available
Connmark Match: Not available
Raw Table: Not available
IPP2P Match: Not available
CLASSIFY Target: Not available
Extended REJECT: Not available
Repeat match: Not available
MARK Target: Not available
Mangle FORWARD Chain: Not available
Comments: Not available
Address Type Match: Not available
TCPMSS Match: Not available
Traffic Control
Device eth0:
qdisc pfifo_fast 0: root bands 3 priomap 1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1
Sent 12559902207 bytes 107315883 pkt (dropped 0, overlimits 0 requeues 0)
rate 0bit 0pps backlog 0b 0p requeues 0
TC Filters
Device eth0:
Henry Lee wrote:
> When I type: shorewall show capabilities, nothing is available. The
> output is part of shorewall dump, so I won't print it redundantly, but
> the relevant line is:
>
> Shorewall has detected the following iptables/netfilter capabilities:
> ...
> Recent Match: Not available
> ... (all of the modules are "Not available")

Looks like you are not running as root.

> Now, I'm pretty sure that iptables has these modules installed.
> Concentrating for a moment on ipt_recent (for port knocking), if I type:
> lsmod | grep ipt_recent, I get:
>
> ipt_recent 10392 0
> x_tables 16260 44
> xt_comment,xt_policy,xt_multiport,ipt_ULOG,ipt_TTL,ipt_ttl,ipt_TOS,ipt_tos,ipt_SAME,ipt_REJECT,ipt_REDIRECT,ipt_recent,ipt_owner,ipt_NETMAP,ipt_MASQUERADE,ipt_LOG,ipt_iprange,ipt_ECN,ipt_ecn,ipt_CLUSTERIP,ipt_ah,ipt_addrtype,xt_tcpmss,xt_pkttype,xt_physdev,xt_NFQUEUE,xt_NFLOG,xt_MARK,xt_mark,xt_mac,xt_limit,xt_length,xt_helper,xt_hashlimit,ip6_tables,xt_dccp,xt_conntrack,xt_CONNMARK,xt_connmark,xt_CLASSIFY,xt_tcpudp,xt_state,iptable_nat,ip_tables
>
> So I think it's there. Also, the relevant modules are listed in
> /usr/share/shorewall/modules (I haven't modified it from the initial
> install). It just seems that, for whatever reason, shorewall doesn't
> recognize that it's there, and won't use it (or any other of the
> netfilter modules, I guess). Shorewall seems to start just fine, so I
> think it's working otherwise. Do I need to modify
> /etc/shorewall/shorewall.conf to put the path there explicitly?
>
> If I try locate ipt_recent, I get:
>
> /lib/iptables/libipt_recent.so
> /lib/modules/2.6.22-14-generic/kernel/net/ipv4/netfilter/ipt_recent.ko
> /usr/src/linux-headers-2.6.22-14/include/linux/netfilter_ipv4/ipt_recent.h
>
> From reading the documentation pages, it SEEMS that the default for
> Modulesdir in shorewall.conf should be able to find this, but I
> explicitly tried putting in /usr/srx/linux-header.../ipv4/netfilter in
> /etc/shorewall/shorewall.conf.
> Obviously that didn't work either :)
>
> /sbin/shorewall: 177: -L: not found

Looks like you are not running as root.

> Log (/var/log/messages)
>
> NAT Table
>
> /sbin/shorewall: 177: -t: not found

Looks like you are not running as root.

> Mangle Table
>
> /sbin/shorewall: 177: -t: not found

Looks like you are not running as root.

> Conntrack Table
>
> cat: /proc/net/ip_conntrack: Permission denied
> cat: /proc/net/nf_conntrack: Permission denied

Looks like you are not running as root.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
Henry Lee
2007-Dec-17 21:32 UTC
Re: Shorewall not recognizing iptables/netfilter modules - SOLVED
Tom,

Wow ... just, wow. Oh, and thank you. Thank you very much. sudo shorewall show capabilities now lists most of the netfilter modules as available. I've been working on this problem for the past 4-5 days or so, and I can't believe that everything was working just fine, all along. Of course, to realize it was something as basic as running as root is a bit disconcerting, but I did mention that I was new to Linux, didn't I? (2 weeks and counting) :)

Brilliant program, by the way.

Thanks again,
Henry

(extra stuff clipped)
Andrew Suffield
2007-Dec-17 22:23 UTC
Re: Shorewall not recognizing iptables/netfilter modules
On Mon, Dec 17, 2007 at 01:22:39PM -0800, Tom Eastep wrote:
> > Shorewall has detected the following iptables/netfilter capabilities:
> > ...
> > Recent Match: Not available
> > ... (all of the modules are "Not available")
>
> Looks like you are not running as root.

The error message could perhaps be improved. Unfortunately a flat error for uid != 0 would be wrong, since modern Linux systems can be more complicated than just root/not-root, but it would be sensible to generate a warning if this fails completely and the user is not root.

I suggest that a suitable trap would be on this part of determine_capabilities():

qt $IPTABLES -N fooX1234

If that fails, then the rest of the exercise is pointless anyway, and either netfilter is missing completely, iptables or the kernel is broken, or the user doesn't have access.
Andrew Suffield wrote:
> I suggest that a suitable trap would be on this part of
> determine_capabilities():
>
> qt $IPTABLES -N fooX1234
>
> If that fails, then the rest of the exercise is pointless anyway, and
> either netfilter is missing completely, iptables or the kernel is
> broken, or the user doesn't have access.

teastep@wookie:~$ shorewall show capabilities
iptables v1.3.6: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
   ERROR: The command "/sbin/iptables -N fooX1234" failed
teastep@wookie:~$

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
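The early-exit trap Andrew proposes, and that Tom's output shows in effect, as an added example written for this thread (not Shorewall's own code): a small POSIX sh capability probe that refuses to report per-extension results until iptables has proven it can create the fooX1234 scratch chain, and points non-root users at the real cause. The IPTABLES default, the three probes and the hint wording are assumptions.

```shell
#!/bin/sh
# Added example, not Shorewall's own code: a capability probe structured the way
# Andrew suggests. Before testing individual match extensions it checks whether
# iptables can create a scratch chain at all; if that fails, every per-extension
# answer would be a meaningless "Not available", so it reports an error (and a
# root hint) instead. IPTABLES, the chain name and the probe list are assumed.
IPTABLES=${IPTABLES:-/sbin/iptables}
CHAIN=fooX1234
# Run a command quietly, keeping only its exit status.
qt() { "$@" >/dev/null 2>&1; }

# Can we create (and remove) a scratch chain in the filter table? A failure
# means netfilter is unreachable: not root, iptables broken, or modules missing.
netfilter_reachable() {
    if qt "$IPTABLES" -N "$CHAIN"; then
        qt "$IPTABLES" -X "$CHAIN" || :
        return 0
    fi
    return 1
}

# Probe one extension: $1 is a label, the rest are iptables match arguments.
# Prints "<label>: Available" or "<label>: Not available".
probe() {
    label=$1; shift
    if qt "$IPTABLES" -N "$CHAIN" && qt "$IPTABLES" -A "$CHAIN" "$@" -j ACCEPT; then
        echo "$label: Available"
    else
        echo "$label: Not available"
    fi
    qt "$IPTABLES" -F "$CHAIN" && qt "$IPTABLES" -X "$CHAIN" || :   # tidy up
}

# Returns 1 without probing anything when the scratch chain cannot be created.
determine_capabilities() {
    if ! netfilter_reachable; then
        echo "ERROR: The command \"$IPTABLES -N $CHAIN\" failed" >&2
        if [ "$(id -u)" != 0 ]; then
            echo "   (you are not root; try running this with sudo)" >&2
        else
            echo "   (already root, so iptables/netfilter itself looks broken)" >&2
        fi
        return 1
    fi
    probe "Recent Match"     -m recent --update
    probe "Multi-port Match" -p tcp -m multiport --dports 21,22
    probe "Comments"         -m comment --comment probe
}

if [ "${1:-}" = run ]; then determine_capabilities; fi
```

Invoke it as `sh capabilities.sh run`; without root the script prints the ERROR lines and exits 1 instead of a wall of "Not available".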