Kernel 2.6.x with APF firewall


andy18
03-16-2005, 05:09 PM
I have just compiled the kernel on one of my servers, upgrading the kernel version from 2.4.26 to 2.6.11.3.

I compiled the kernel using the old config I got from 2.4.26 and it booted successfully. However, I am getting the error:

iptables v1.2.8: can't initialize iptables table `filter': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.

With iptables not loaded, the APF firewall is not loaded either.

I recompiled the kernel with the following options:

#
# Networking options
#
CONFIG_PACKET=y
CONFIG_PACKET_MMAP=y
# CONFIG_NETLINK_DEV is not set
CONFIG_NETFILTER=y
# CONFIG_NETFILTER_DEBUG is not set
CONFIG_FILTER=y
CONFIG_UNIX=y
CONFIG_INET=y
# CONFIG_IP_MULTICAST is not set
# CONFIG_IP_ADVANCED_ROUTER is not set
# CONFIG_IP_PNP is not set
# CONFIG_NET_IPIP is not set
# CONFIG_NET_IPGRE is not set
# CONFIG_ARPD is not set
# CONFIG_INET_ECN is not set
# CONFIG_SYN_COOKIES is not set

#
# IP: Netfilter Configuration
#
CONFIG_IP_NF_CONNTRACK=m
CONFIG_IP_NF_FTP=m
CONFIG_IP_NF_AMANDA=m
CONFIG_IP_NF_TFTP=m
# CONFIG_IP_NF_TALK is not set
# CONFIG_IP_NF_RSH is not set
# CONFIG_IP_NF_H323 is not set
# CONFIG_IP_NF_EGG is not set
CONFIG_IP_NF_CONNTRACK_MARK=y
CONFIG_IP_NF_IRC=m
# CONFIG_IP_NF_QUAKE3 is not set
# CONFIG_IP_NF_CT_PROTO_GRE is not set
# CONFIG_IP_NF_PPTP is not set
# CONFIG_IP_NF_MMS is not set
# CONFIG_IP_NF_CUSEEME is not set
# CONFIG_IP_NF_QUEUE is not set
CONFIG_IP_NF_IPTABLES=m
# CONFIG_IP_NF_MATCH_RPC is not set
CONFIG_IP_NF_MATCH_LIMIT=m
# CONFIG_IP_NF_MATCH_QUOTA is not set
# CONFIG_IP_NF_POOL is not set
# CONFIG_IP_NF_MATCH_IPRANGE is not set
CONFIG_IP_NF_MATCH_MAC=m
CONFIG_IP_NF_MATCH_PKTTYPE=m
CONFIG_IP_NF_MATCH_MARK=m
CONFIG_IP_NF_MATCH_MULTIPORT=m
# CONFIG_IP_NF_MATCH_MPORT is not set
CONFIG_IP_NF_MATCH_TOS=m
# CONFIG_IP_NF_MATCH_RECENT is not set
# CONFIG_IP_NF_MATCH_TIME is not set
# CONFIG_IP_NF_MATCH_RANDOM is not set
# CONFIG_IP_NF_MATCH_PSD is not set
# CONFIG_IP_NF_MATCH_NTH is not set
# CONFIG_IP_NF_MATCH_IPV4OPTIONS is not set
# CONFIG_IP_NF_MATCH_FUZZY is not set
# CONFIG_IP_NF_MATCH_CONDITION is not set
CONFIG_IP_NF_MATCH_ECN=m
CONFIG_IP_NF_MATCH_DSCP=m
CONFIG_IP_NF_MATCH_AH_ESP=m
CONFIG_IP_NF_MATCH_LENGTH=m
CONFIG_IP_NF_MATCH_TTL=m
CONFIG_IP_NF_MATCH_TCPMSS=m
# CONFIG_IP_NF_MATCH_STEALTH is not set
# CONFIG_IP_NF_MATCH_REALM is not set
CONFIG_IP_NF_MATCH_HELPER=m
CONFIG_IP_NF_MATCH_STATE=m
CONFIG_IP_NF_MATCH_CONNMARK=m
# CONFIG_IP_NF_MATCH_CONNLIMIT is not set
CONFIG_IP_NF_MATCH_CONNTRACK=m
CONFIG_IP_NF_MATCH_UNCLEAN=m
# CONFIG_IP_NF_MATCH_STRING is not set
CONFIG_IP_NF_MATCH_OWNER=m
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_TARGET_REJECT=m
# CONFIG_IP_NF_TARGET_NETLINK is not set
# CONFIG_IP_NF_TARGET_IPV4OPTSSTRIP is not set
CONFIG_IP_NF_TARGET_MIRROR=m
# CONFIG_IP_NF_TARGET_TARPIT is not set
# CONFIG_IP_NF_NAT is not set
CONFIG_IP_NF_MANGLE=m
CONFIG_IP_NF_TARGET_TOS=m
CONFIG_IP_NF_TARGET_ECN=m
CONFIG_IP_NF_TARGET_DSCP=m
CONFIG_IP_NF_TARGET_MARK=m
# CONFIG_IP_NF_TARGET_IMQ is not set
# CONFIG_IP_NF_TARGET_CLASSIFY is not set
CONFIG_IP_NF_TARGET_LOG=m
# CONFIG_IP_NF_TARGET_ROUTE is not set
# CONFIG_IP_NF_TARGET_CONNMARK is not set
# CONFIG_IP_NF_TARGET_TTL is not set
CONFIG_IP_NF_TARGET_ULOG=m
CONFIG_IP_NF_TARGET_TCPMSS=m
# CONFIG_IP_NF_ARPTABLES is not set
# CONFIG_IP_NF_COMPAT_IPCHAINS is not set
# CONFIG_IP_NF_COMPAT_IPFWADM is not set

The server booted fine and iptables loaded. However, when I attempt to restart the APF firewall (to test), I get the following messages:

FATAL: Module ipt_state already in kernel.
FATAL: Module ipt_multiport already in kernel.
FATAL: Module iptable_filter already in kernel.
FATAL: Module ipt_limit already in kernel.
FATAL: Module ipt_LOG already in kernel.
FATAL: Module ipt_REJECT already in kernel.
FATAL: Module ip_conntrack already in kernel.
FATAL: Module ip_conntrack_irc already in kernel.
FATAL: Module ip_conntrack_ftp already in kernel.
FATAL: Module iptable_mangle already in kernel.
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name

Can anyone enlighten me on this issue?

je_fro
03-17-2005, 01:47 AM
modprobe iptable_filter

If that fails, have a look at:

<M> Packet filtering

That's what it's looking for, and it's in IP: Netfilter Configuration

<edit>

BAH!!

I see you have it built in already... looks like your firewall script is trying to load modules that were built in instead. Try recompiling iptables, I recall that helped me once.

Here's my relevant sections:

# Networking options
#
CONFIG_PACKET=y
# CONFIG_PACKET_MMAP is not set
# CONFIG_NETLINK_DEV is not set
CONFIG_UNIX=y
# CONFIG_NET_KEY is not set
CONFIG_INET=y
CONFIG_IP_MULTICAST=y
CONFIG_IP_ADVANCED_ROUTER=y
CONFIG_IP_MULTIPLE_TABLES=y
# CONFIG_IP_ROUTE_FWMARK is not set
CONFIG_IP_ROUTE_MULTIPATH=y
CONFIG_IP_ROUTE_VERBOSE=y
# CONFIG_IP_PNP is not set
# CONFIG_NET_IPIP is not set
# CONFIG_NET_IPGRE is not set
# CONFIG_IP_MROUTE is not set
# CONFIG_ARPD is not set
# CONFIG_SYN_COOKIES is not set
# CONFIG_INET_AH is not set
# CONFIG_INET_ESP is not set
# CONFIG_INET_IPCOMP is not set
# CONFIG_INET_TUNNEL is not set

# IP: Netfilter Configuration
#
CONFIG_IP_NF_CONNTRACK=m
# CONFIG_IP_NF_CT_ACCT is not set
# CONFIG_IP_NF_CT_PROTO_SCTP is not set
CONFIG_IP_NF_FTP=m
CONFIG_IP_NF_IRC=m
# CONFIG_IP_NF_TFTP is not set
# CONFIG_IP_NF_AMANDA is not set
# CONFIG_IP_NF_QUEUE is not set
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_MATCH_LIMIT=m
# CONFIG_IP_NF_MATCH_IPRANGE is not set
CONFIG_IP_NF_MATCH_MAC=m
CONFIG_IP_NF_MATCH_PKTTYPE=m
CONFIG_IP_NF_MATCH_MARK=m
# CONFIG_IP_NF_MATCH_MULTIPORT is not set
CONFIG_IP_NF_MATCH_TOS=m
# CONFIG_IP_NF_MATCH_RECENT is not set
# CONFIG_IP_NF_MATCH_ECN is not set
# CONFIG_IP_NF_MATCH_DSCP is not set
# CONFIG_IP_NF_MATCH_AH_ESP is not set
CONFIG_IP_NF_MATCH_LENGTH=m
CONFIG_IP_NF_MATCH_TTL=m
CONFIG_IP_NF_MATCH_TCPMSS=m
CONFIG_IP_NF_MATCH_HELPER=m
CONFIG_IP_NF_MATCH_STATE=m
CONFIG_IP_NF_MATCH_CONNTRACK=m
# CONFIG_IP_NF_MATCH_OWNER is not set
# CONFIG_IP_NF_MATCH_ADDRTYPE is not set
# CONFIG_IP_NF_MATCH_REALM is not set
# CONFIG_IP_NF_MATCH_SCTP is not set
# CONFIG_IP_NF_MATCH_COMMENT is not set
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_TARGET_REJECT=m
CONFIG_IP_NF_TARGET_LOG=m
CONFIG_IP_NF_TARGET_ULOG=m
CONFIG_IP_NF_TARGET_TCPMSS=m
CONFIG_IP_NF_NAT=m
CONFIG_IP_NF_NAT_NEEDED=y
CONFIG_IP_NF_TARGET_MASQUERADE=m
# CONFIG_IP_NF_TARGET_REDIRECT is not set
# CONFIG_IP_NF_TARGET_NETMAP is not set
# CONFIG_IP_NF_TARGET_SAME is not set
# CONFIG_IP_NF_NAT_LOCAL is not set
# CONFIG_IP_NF_NAT_SNMP_BASIC is not set
CONFIG_IP_NF_NAT_IRC=m
CONFIG_IP_NF_NAT_FTP=m
CONFIG_IP_NF_MANGLE=m
CONFIG_IP_NF_TARGET_TOS=m
# CONFIG_IP_NF_TARGET_ECN is not set
# CONFIG_IP_NF_TARGET_DSCP is not set
CONFIG_IP_NF_TARGET_MARK=m
# CONFIG_IP_NF_TARGET_CLASSIFY is not set
# CONFIG_IP_NF_RAW is not set
# CONFIG_IP_NF_ARPTABLES is not set
# CONFIG_IP_NF_COMPAT_IPCHAINS is not set
# CONFIG_IP_NF_COMPAT_IPFWADM is not set
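The check a practitioner would want at this point, as an added example (not code from the thread, from APF, or from either poster): a small POSIX shell audit that maps the module names an APF-style firewall script modprobes to the kernel config symbols that build them on a 2.6.11-era kernel, then reports for each whether it is built into the kernel image (modprobe answers "already in kernel", which is harmless), built as a loadable module, or absent (the case behind "Table does not exist" for iptable_filter and "No chain/target/match by that name" for a missing match or target). The module-to-symbol table is assumed here and covers only the modules named in the thread's modprobe output; the default config path /usr/src/linux/.config is also an assumption.

```shell
#!/bin/sh
# Added example: audit a kernel .config for the netfilter pieces an
# APF-style firewall script tries to modprobe. Not part of APF or the thread.

# Map module name -> 2.6.11-era kernel config symbol (table assumed here,
# covering only the modules named in the thread's modprobe output).
nf_symbol_for() {
    case "$1" in
        ip_tables)        echo CONFIG_IP_NF_IPTABLES ;;
        iptable_filter)   echo CONFIG_IP_NF_FILTER ;;
        iptable_mangle)   echo CONFIG_IP_NF_MANGLE ;;
        iptable_nat)      echo CONFIG_IP_NF_NAT ;;
        ip_conntrack)     echo CONFIG_IP_NF_CONNTRACK ;;
        ip_conntrack_ftp) echo CONFIG_IP_NF_FTP ;;
        ip_conntrack_irc) echo CONFIG_IP_NF_IRC ;;
        ipt_state)        echo CONFIG_IP_NF_MATCH_STATE ;;
        ipt_multiport)    echo CONFIG_IP_NF_MATCH_MULTIPORT ;;
        ipt_limit)        echo CONFIG_IP_NF_MATCH_LIMIT ;;
        ipt_LOG)          echo CONFIG_IP_NF_TARGET_LOG ;;
        ipt_REJECT)       echo CONFIG_IP_NF_TARGET_REJECT ;;
        *)                return 1 ;;
    esac
}

# nf_state CONFIG MODULE -> prints one of: builtin module missing unknown
nf_state() {
    cfgfile=$1
    sym=$(nf_symbol_for "$2") || { echo unknown; return 0; }
    if grep -q "^${sym}=y\$" "$cfgfile"; then
        echo builtin
    elif grep -q "^${sym}=m\$" "$cfgfile"; then
        echo module
    else
        echo missing          # "# ... is not set", =n, or absent entirely
    fi
}

# nf_audit CONFIG MODULE... -> one report line per module.
# Returns 1 if any required piece is missing, else 0.
nf_audit() {
    auditcfg=$1; shift
    auditrc=0
    for mod in "$@"; do
        st=$(nf_state "$auditcfg" "$mod")
        case "$st" in
            builtin) note="in kernel image; modprobe says 'already in kernel' (harmless)" ;;
            module)  note="loadable module; modprobe must succeed before iptables uses it" ;;
            missing) note="NOT built; expect 'Table does not exist' / 'No chain/target/match'"
                     auditrc=1 ;;
            *)       note="no symbol mapping in this table" ;;
        esac
        printf '%-18s %-8s %s\n' "$mod" "$st" "$note"
    done
    return $auditrc
}

# Modules from the thread's modprobe output, plus ip_tables which they need.
APF_MODULES="ip_tables iptable_filter iptable_mangle ip_conntrack
ip_conntrack_ftp ip_conntrack_irc ipt_state ipt_multiport ipt_limit
ipt_LOG ipt_REJECT"

# Usage: sh nf_audit.sh [/path/to/.config]  (default path is an assumption)
NF_CFG=${1:-/usr/src/linux/.config}
if [ -r "$NF_CFG" ]; then
    nf_audit "$NF_CFG" $APF_MODULES ||
        echo "netfilter support in $NF_CFG is incomplete for this firewall" >&2
fi
```

Run it against the .config the kernel was actually built from. A "missing" line for iptable_filter is exactly the first error in the thread; "builtin" lines explain the FATAL modprobe messages and can be ignored. Once everything is builtin or module, a remaining "No chain/target/match by that name" points at the userspace side, i.e. the iptables binary rather than the kernel.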

andy18
03-17-2005, 10:56 AM
> Try recompiling iptables, I recall that helped me once.


Do you mean recompile the whole kernel again using the same config?

je_fro
03-17-2005, 11:12 AM
Recompile (or reinstall) the iptables program itself.

bwkaz
03-17-2005, 06:42 PM
As in, the package here:

http://www.iptables.org/downloads.html

;)

I'm thinking that the issue could easily be the older version of the iptables binary that you have (1.2.8) when the newest version is 1.3.1. Since you have a much newer kernel (the newest), the issue might be that you need the newest iptables binary.

I'm not sure how hard the installation is; it's been quite some time since I did it myself. I think it's fairly easy, though, as long as you point it to the kernel sources. (Unfortunately, I don't think it worked against sanitized headers, which means it's technically broken. Nothing in userspace should require access to the actual kernel sources. But try pointing it to /usr first, and only use the actual kernel sources if that doesn't work.)

je_fro
03-18-2005, 12:28 AM
I compiled it a few weeks ago...you can point patch-o-matic at your includes, but iptables heads straight for /usr/src/linux.

andy18
03-18-2005, 05:11 PM
Everything runs fine now... thanks guys!

I am seeing this message in /var/log/messages, any idea?

Mar 19 04:56:05 perakwe kernel: warning: process `update' used the obsolete bdflush system call
Mar 19 04:56:05 perakwe kernel: Fix your initscripts?
Mar 19 04:56:10 perakwe kernel: warning: process `update' used the obsolete bdflush system call
Mar 19 04:56:10 perakwe kernel: Fix your initscripts?

The box is running RH8.0 actually.

je_fro
03-21-2005, 10:14 AM
http://www.ussg.iu.edu/hypermail/linux/kernel/0402.1/1277.html