[lug] RH 7.x word of caution
kevin at scrye.com
Wed Jun 6 23:44:46 MDT 2001
>>>>> "DStimits" == D Stimits <stimits at idcomm.com> writes:
DStimits> Much of my experimenting has been thwarted by iptables
DStimits> cussing at me for not having a module for a table. I am, at
DStimits> the moment, compiling a kernel with every single network
DStimits> option possibly related to iptables created as a module. As
DStimits> I figure it out, I will delete unused modules.
Yeah... that's the way to go. Netfilter is kinda set up to be all modules...
>> huh? what is required to be downloaded separately? cite?
DStimits> Kernel source tree, 2.4.5, Documentation/Changes:
DStimits>
DStimits> General changes
DStimits> ---------------
DStimits> The IP firewalling and NAT code has been replaced again.
DStimits> The new netfilter software (including ipfwadm and ipchains
DStimits> backwards-compatible modules) is currently distributed
DStimits> separately.
DStimits> ...
DStimits> Netfilter
DStimits> ---------
DStimits> o <http://netfilter.filewatcher.org/iptables-1.2.tar.bz2>
DStimits> o <http://netfilter.samba.org/iptables-1.2.tar.bz2>
DStimits> o <http://netfilter.kernelnotes.org/iptables-1.2.tar.bz2>
DStimits>
DStimits> NOTE: I downloaded and installed this. It lacks any real
DStimits> documentation, at least the version downloaded from
DStimits> filewatcher.org.
Ah... yeah, you need the 'iptables' command for userspace, just like
you need ipchains or ipfwadm. This is only the tool that lets you set
rules. It can't really be a part of the kernel.
>> they load the 'ipchains' compatibility module. Then everything
>> works just like 2.2.x...
DStimits> My big question of the day...where can I get this module? It
DStimits> is apparently not part of the kernel source. I have a large
DStimits> set of very useful ipchains rules I'd love to operate until
DStimits> I get iptables figured out. This module would solve many
DStimits> problems for me, at least for a while.
Yes, it is part of the standard kernel. It's:
CONFIG_IP_NF_COMPAT_IPCHAINS
ipchains (2.2-style) support
CONFIG_IP_NF_COMPAT_IPCHAINS
This option places ipchains (with masquerading and redirection
support) back into the kernel, using the new netfilter
infrastructure. It is not recommended for new installations (see
`Packet filtering'). With this enabled, you should be able to use
the ipchains tool exactly as in 2.2 kernels.
If you want to compile it as a module, say M here and read
Documentation/modules.txt. If unsure, say `N'.
If you built iptables or ipfwadm into the kernel, you won't see this
one. You can only have one at a time. You can build them all as
modules, though... when you load the ipchains module, everything will work
like you are on a 2.2.x kernel with ipchains.
>> the sender had to restart? That's very weird. What was in your
>> chain?
DStimits> The machine sending is what I tested a DENY for output. I
DStimits> simply denied TCP to telnet port 23 going out on the
DStimits> ethernet to an internal network machine. Prior telnets
DStimits> worked fine, once I did this in /etc/sysconfig/iptables (and
DStimits> restarted iptables):
DStimits>
DStimits>   -A OUTPUT -p tcp -s 0/0 -t filter -d 10.0.0.2/32 --dport 23 -o eth0 -j REJECT
DStimits>
DStimits> The result was, on the receiving machine at the other end,
DStimits> in /var/log/messages:
DStimits>
DStimits>   xinetd[1064]: execv( /usr/sbin/in.telnetd ) failed: Bad address (errno = 14)
DStimits>
DStimits> From that point, rebooting the machine that sent the attempt
DStimits> to login by telnet did not matter. I had to go to the other
DStimits> machine and run /etc/rc.d/init.d/xinetd restart. No more
DStimits> telnet connections would succeed till then.
Hmm... sounds like a telnetd or xinetd bug. It should respawn that
command on the next attempt. ;(
kevin
--
Kevin Fenzi
MTS, tummy.com, ltd.
http://www.tummy.com/ KRUD - Kevin's Red Hat Uber Distribution
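The "you can only have one at a time" rule above (iptables or ipfwadm built in hides the ipchains compatibility option; building them all as modules keeps every choice open) is easy to check against a kernel .config before the build finishes. The script below is an added example, not code from the thread or from the kernel tree: it reads a 2.4-style .config, reports which of the three firewalling layers can actually be loaded, and lists the CONFIG_IP_NF_* options built as modules (the set the poster said he would prune once his rules settle). The CONFIG_ symbol names are the ones quoted in the thread; the function names and the sample .config fragment are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original post or the kernel sources).
# Inspect a 2.4-era kernel .config for the netfilter compatibility-layer rules
# described in the thread. Symbol names come from the quoted Configure.help;
# function names and the constructed sample below are assumptions.

# nf_config_value FILE SYMBOL: prints y, m, or n ("is not set"/absent -> n)
nf_config_value() {
    val=$(sed -n "s/^$2=\(.\).*/\1/p" "$1" | head -n 1)
    [ -n "$val" ] || val=n
    printf '%s\n' "$val"
}

# nf_compat_status FILE: one word for the situation Kevin describes
#   builtin-iptables  iptables compiled in; the ipchains/ipfwadm options never appear
#   builtin-ipfwadm   ipfwadm compat compiled in; nothing else can be loaded
#   builtin-ipchains  ipchains compat compiled in; the iptables tool is useless
#   modular           ipchains compat is a module; modprobe it when you need 2.2 rules
#   none              ipchains compat not enabled at all
nf_compat_status() {
    ipt=$(nf_config_value "$1" CONFIG_IP_NF_IPTABLES)
    fwadm=$(nf_config_value "$1" CONFIG_IP_NF_COMPAT_IPFWADM)
    chains=$(nf_config_value "$1" CONFIG_IP_NF_COMPAT_IPCHAINS)
    case "$ipt:$fwadm:$chains" in
        y:*:*) echo builtin-iptables ;;
        *:y:*) echo builtin-ipfwadm ;;
        *:*:y) echo builtin-ipchains ;;
        *:*:m) echo modular ;;
        *)     echo none ;;
    esac
}

# nf_modules FILE: list every CONFIG_IP_NF_* option built as a module
nf_modules() {
    sed -n 's/^\(CONFIG_IP_NF_[A-Z0-9_]*\)=m$/\1/p' "$1"
}

# nf_write_sample FILE: a constructed .config fragment, not a real kernel's
nf_write_sample() {
    cat > "$1" <<'EOF'
CONFIG_NETFILTER=y
CONFIG_IP_NF_CONNTRACK=m
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_TARGET_REJECT=m
# CONFIG_IP_NF_COMPAT_IPFWADM is not set
CONFIG_IP_NF_COMPAT_IPCHAINS=m
EOF
}

# Stand-alone run: write the sample and report on it
sample=${TMPDIR:-/tmp}/nf-sample.$$
nf_write_sample "$sample"
echo "ipchains compat: $(nf_compat_status "$sample")"
echo "netfilter modules:"
nf_modules "$sample"
rm -f "$sample"
```

Point the functions at a real tree's .config instead of the sample (for example `nf_compat_status /usr/src/linux/.config`) to see which layer a freshly configured kernel will let you load; "builtin-iptables" means the ipchains rule set will not work until iptables is switched to M and the kernel rebuilt.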