Subject: iptables and kernel 2.4 etc
Date: Sat, May 19, 2001 at 05:15:17PM +0930
In reply to: David Purton
Quoting David Purton ([EMAIL PROTECTED]):

> Hi,
>
> I just upgraded to kernel 2.4.4 and I'm now trying to return my computer
> to some state of normality.
>
> after finding I missed a crucial option for ppp and a second recompile
> :) I'm now up to getting ipmasqing to work.
>
> I wasn't really sure what options to go for in the kernel - so I checked
> everything as modules. And ended up with the following:
>
> ip_conntrack.o      ipt_MASQUERADE.o  ipt_mac.o        ipt_unclean.o
> ip_conntrack_ftp.o  ipt_MIRROR.o      ipt_mark.o       iptable_filter.o
> ip_nat_ftp.o        ipt_REDIRECT.o    ipt_multiport.o  iptable_mangle.o
> ip_queue.o          ipt_REJECT.o      ipt_owner.o      iptable_nat.o
> ip_tables.o         ipt_TCPMSS.o      ipt_state.o
> ipt_LOG.o           ipt_TOS.o         ipt_tcpmss.o

I have them all set as modules. Don't forget to check off these as well:

# Networking options
#
CONFIG_PACKET=y
# CONFIG_PACKET_MMAP is not set
CONFIG_NETLINK=y
CONFIG_RTNETLINK=y
# CONFIG_NETLINK_DEV is not set
CONFIG_NETFILTER=y
CONFIG_NETFILTER_DEBUG=y
# CONFIG_FILTER is not set
CONFIG_UNIX=y
CONFIG_INET=y
CONFIG_IP_MULTICAST=y

> of course I don't have a huge idea what most of these are, but I've
> managed to sort of get things working by a modprobe -a \*, then running
> ipmasq (problems with which I'll deal with in a sec). and things sort of
> go.
>
> So what I want to know is which of the above modules do I need for a
> masqed network and simple firewalling as a minimum?

Set as modules it doesn't matter. You will only load up the ones you
require. As you get into iptables a bit more you are sure to add new
rules, and you won't have to go back and recompile the kernel to add them.

> And where do I tell the kernel which I want loaded at boot time in the
> usual way - and everything will be happy?

In the firewall script.
ie

/sbin/depmod -a
/sbin/modprobe ip_conntrack
/sbin/insmod ipt_REJECT
/sbin/insmod iptable_nat

> Also - when I run ipmasq, it cunningly inserts all sorts of rules into the
> filter table with the net result being that I can't access the net at
> all. (at least - packets get out - but are denied on the way in again).
> This is not helpful as a default (which it is, since I reinstalled the
> ipmasq package after purging it in the hope that my probs would go away)

IP MASQ is done with one rule in iptables:

iptables -t nat -A POSTROUTING -o ppp0 -s $INTERNAL_NET -j MASQUERADE

I don't run ipmasq as that is, IIRC, an ipchains method. iptables is a big
step forward from ipchains. Take a look at http://netfilter.samba.org.
There are a bunch of HOWTOs available along with links to sample firewall
scripts.

HTH

--
Air conditioned environment - Do NOT open Windows!
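The firewall script the reply points to, written out as an added example (it is not code from the original mail or from the netfilter project): it loads only the modules its rules need, sets DROP policies on INPUT and FORWARD, uses the ipt_state match so that inbound traffic on the ppp link is limited to replies to connections opened from inside, and finishes with the single MASQUERADE rule quoted above. The interface names ppp0 and eth0, the 192.168.1.0/24 network and the build_rules/apply_rules/apply_firewall function names are assumptions of this example. Run it as root with the argument apply, or call build_rules to review the rule list before touching the box.

```shell
#!/bin/sh
# Minimal iptables firewall for a 2.4 masquerading gateway.
# Added example, not from the original mail. Constructed assumptions:
# external link is ppp0, internal LAN is eth0 / 192.168.1.0/24.
EXT_IF="${EXT_IF:-ppp0}"
INT_IF="${INT_IF:-eth0}"
INTERNAL_NET="${INTERNAL_NET:-192.168.1.0/24}"
# Set IPT to a function or command that prints its arguments for a dry run.
IPT="${IPT:-/sbin/iptables}"

# Load only what the rules below use; modprobe pulls in ip_tables and
# ip_conntrack as dependencies, so the order does not matter.
load_modules() {
    /sbin/depmod -a
    for m in iptable_filter iptable_nat ipt_state ipt_MASQUERADE \
             ip_conntrack_ftp ip_nat_ftp; do
        /sbin/modprobe "$m"
    done
}

# Emit one iptables argument list per line. Policies go to DROP before the
# flush so there is no window with an open box; the LAN side is trusted,
# the ppp side only gets packets that belong to a connection we started.
build_rules() {
    cat <<EOF
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-F INPUT
-F FORWARD
-t nat -F POSTROUTING
-A INPUT -i lo -j ACCEPT
-A INPUT -i $INT_IF -s $INTERNAL_NET -j ACCEPT
-A INPUT -i $EXT_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $INT_IF -o $EXT_IF -s $INTERNAL_NET -j ACCEPT
-A FORWARD -i $EXT_IF -o $INT_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
-t nat -A POSTROUTING -o $EXT_IF -s $INTERNAL_NET -j MASQUERADE
EOF
}

# Feed every line of build_rules to $IPT; stop at the first failure.
apply_rules() {
    build_rules | while read -r line; do
        # Word splitting of $line is intended: each line is an argument list.
        $IPT $line || return 1
    done
}

# Full boot-time path: modules, rules, then turn forwarding on last.
apply_firewall() {
    load_modules
    apply_rules
    echo 1 > /proc/sys/net/ipv4/ip_forward
}

case "${1:-}" in
    apply) apply_firewall ;;
    show)  build_rules ;;
esac
```

The ipt_state match is what makes the difference the original poster ran into with ipmasq's rule set: replies to outgoing connections are matched as ESTABLISHED (and FTP data channels as RELATED, via ip_conntrack_ftp), while unsolicited inbound packets on ppp0 fall through to the DROP policy.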