On Sun, 04 Apr 2004 15:19:39 -0500, dircha <[EMAIL PROTECTED]> wrote:
> I recall that lokkit never worked for me either. That prompted me just
> to learn how to use iptables manually, so I never figured out why lokkit
> was failing.
>
> After bringing it up manually, try:
> # iptables -L
> to be sure that it isn't just failing and suppressing the output, or
> failing and redirecting the output elsewhere.

No, iptables -L gives the right results.

> If the rules are being loaded when you bring it up manually, it's really
> hard to say what the problem might be, which is why I suspect it is just
> silently failing.
>
> If you could copy to the list the output of "$ ls /etc/rc*.d", "$ cat
> /etc/modules", "# iptables -L", "$ lsmod", and the contents of the rules
> script generated by lokkit, I could get a better idea of what is going
> on. At least these are the places I would look if I were going about
> diagnosing the problem on one of my own systems.

Ok. Output follows. Thanks.

> My hunch is that if it is silently failing when you bring it up
> manually, that the problem is that there are kernel modules not being
> loaded which are needed by iptables.

No, that is not the problem.
*****************************
$ ls /etc/rc*.d
*****************************
/etc/rc0.d:
K01kdm K01xdm K11cron K14ppp K15fetchmail K19aumix K19setserial
K19spamassassin K20apache K20apache2 K20athcool K20bastille-firewall
K20cupsys K20exim K20inetd K20lpd K20lprng K20makedev K20rsync K20ssh
K20timidity K20udftools K20xfs K20xprint K21alsa K23ntp-server
K25hwclock.sh K30etc-setserial K55usbmgr K75hdparm K89atd K89hotplug
K89klogd K89shorewall K90sysklogd K99lokkit S20sendsigs S30urandom
S31umountnfs.sh S35networking S40umountfs S90halt

/etc/rc1.d:
K01kdm K01xdm K11cron K14ppp K15fetchmail K19aumix K19spamassassin
K20apache K20apache2 K20athcool K20bastille-firewall K20cupsys K20exim
K20inetd K20lpd K20lprng K20makedev K20rsync K20ssh K20timidity
K20udftools K20xfs K20xprint K21alsa K23ntp-server K55usbmgr K89atd
K89klogd K90sysklogd K99lokkit S11hotplug S20single S21aumix

/etc/rc2.d:
K11anacron S01lokkit S10sysklogd S11hotplug S11klogd S14ppp S15usbmgr
S19spamassassin S20alsa S20apache2 S20athcool S20bastille-firewall
S20cupsys S20exim S20inetd S20lpd S20lprng S20makedev S20rsync S20ssh
S20timidity S20udftools S20xfs S20xprint S21aumix S23ntp-server
S89anacron S89atd S89cron S91apache S99fetchmail S99kdm S99rmnologin
S99stop-bootlogd S99xdm

/etc/rc3.d:
K11anacron S01lokkit S10sysklogd S11hotplug S11klogd S14ppp S15usbmgr
S19spamassassin S20alsa S20apache2 S20athcool S20bastille-firewall
S20cupsys S20exim S20inetd S20lpd S20lprng S20makedev S20rsync S20ssh
S20timidity S20udftools S20xfs S20xprint S21aumix S23ntp-server
S89anacron S89atd S89cron S91apache S99fetchmail S99kdm S99rmnologin
S99stop-bootlogd S99xdm

/etc/rc4.d:
K11anacron S01lokkit S10sysklogd S11hotplug S11klogd S14ppp S15usbmgr
S19spamassassin S20alsa S20apache2 S20athcool S20bastille-firewall
S20cupsys S20exim S20inetd S20lpd S20lprng S20makedev S20rsync S20ssh
S20timidity S20udftools S20xfs S20xprint S21aumix S23ntp-server
S89anacron S89atd S89cron S91apache S99fetchmail S99kdm S99rmnologin
S99stop-bootlogd S99xdm

/etc/rc5.d:
K11anacron S01lokkit S10sysklogd S11hotplug S11klogd S14ppp S15usbmgr
S19spamassassin S20alsa S20apache2 S20athcool S20bastille-firewall
S20cupsys S20exim S20inetd S20lpd S20lprng S20makedev S20rsync S20ssh
S20timidity S20udftools S20xfs S20xprint S21aumix S23ntp-server
S89anacron S89atd S89cron S91apache S99fetchmail S99kdm S99rmnologin
S99stop-bootlogd S99xdm

/etc/rc6.d:
K01kdm K01xdm K11cron K14ppp K15fetchmail K19aumix K19setserial
K19spamassassin K20apache K20apache2 K20athcool K20bastille-firewall
K20cupsys K20exim K20inetd K20lpd K20lprng K20makedev K20rsync K20ssh
K20timidity K20udftools K20xfs K20xprint K21alsa K23ntp-server
K25hwclock.sh K30etc-setserial K55usbmgr K75hdparm K89atd K89hotplug
K89klogd K89shorewall K90sysklogd K99lokkit S20sendsigs S30urandom
S31umountnfs.sh S35networking S40umountfs S90reboot

/etc/rcS.d:
README S02mountvirtfs S05bootlogd S05keymap.sh S07hdparm
S10checkroot.sh S18hwclockfirst.sh S20module-init-tools S20modutils
S30checkfs.sh S30etc-setserial S30procps.sh S35devpts.sh
S35mountall.sh S35mountkernfs S36discover S36hotplug S38pppd-dns
S39dns-clean S39ifupdown S40hostname.sh S40networking S40shorewall
S45mountnfs.sh S46setserial S48console-screen.sh S50hwclock.sh
S51ntpdate S55bootmisc.sh S55urandom S70screen-cleanup
S70xfree86-common S75sudo

*************************
/etc/modules
*************************
# /etc/modules: kernel modules to load at boot time.
#
# This file should contain the names of kernel modules that are
# to be loaded at boot time, one per line. Comments begin with
# a "#", and everything on the line after them are ignored.
usb-uhci
input
usbkbd
keybdev
emu10k1
usbmouse
agpgart
parport
parport_pc
isa-pnp
hid
input
keybdev
usbkbd
#added 7th June 2002 by Faheem
apm
#added 17th February 2004 by Faheem
psmouse

***************************
iptables -L
***************************
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Lokkit-0-50-INPUT  all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
RH-Lokkit-0-50-INPUT  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain RH-Lokkit-0-50-INPUT (2 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh flags:SYN,RST,ACK/SYN
ACCEPT     udp  --  anywhere             anywhere            udp spts:bootps:bootpc dpts:bootps:bootpc
ACCEPT     udp  --  anywhere             anywhere            udp spts:bootps:bootpc dpts:bootps:bootpc
ACCEPT     all  --  anywhere             anywhere
ACCEPT     udp  --  ns1.mindspring.com   anywhere            udp spt:domain
ACCEPT     udp  --  ns2.mindspring.com   anywhere            udp spt:domain
ACCEPT     udp  --  ns3.mindspring.com   anywhere            udp spt:domain
REJECT     tcp  --  anywhere             anywhere            tcp flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable
REJECT     udp  --  anywhere             anywhere            udp reject-with icmp-port-unreachable

******************************
lsmod
******************************
Module                  Size  Used by    Not tainted
ipt_REJECT              3992   2 (autoclean)
mga                    94460  11
iptable_filter          1772   1 (autoclean)
ip_tables              12288   2 [ipt_REJECT iptable_filter]
mousedev                4180   1
lp                      6176   0 (autoclean)
apm                    10028   1
hid                    15240   0 (unused)
parport_pc             13444   1
parport                14272   1 [lp parport_pc]
agpgart                16444   3
emu10k1                56140   0
ac97_codec             13428   0 [emu10k1]
keybdev                 2116   0 (unused)
input                   3424   0 [mousedev hid keybdev]
usb-uhci               23248   0 (unused)

*********************************
/etc/default/lokkit
*********************************
#!/bin/sh
PATH=/sbin:$PATH
iptables -N RH-Lokkit-0-50-INPUT
iptables -F RH-Lokkit-0-50-INPUT
iptables -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 22 --syn -j ACCEPT
iptables -A RH-Lokkit-0-50-INPUT -p udp -m udp -s 0/0 --sport 67:68 -d 0/0 --dport 67:68 -i eth0 -j ACCEPT
iptables -A RH-Lokkit-0-50-INPUT -p udp -m udp -s 0/0 --sport 67:68 -d 0/0 --dport 67:68 -i eth1 -j ACCEPT
iptables -A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
iptables -A RH-Lokkit-0-50-INPUT -p udp -m udp -s 207.69.188.185 --sport 53 -d 0/0 -j ACCEPT
iptables -A RH-Lokkit-0-50-INPUT -p udp -m udp -s 207.69.188.186 --sport 53 -d 0/0 -j ACCEPT
iptables -A RH-Lokkit-0-50-INPUT -p udp -m udp -s 207.69.188.187 --sport 53 -d 0/0 -j ACCEPT
iptables -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --syn -j REJECT
iptables -A RH-Lokkit-0-50-INPUT -p udp -m udp -j REJECT
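A post-boot check for the situation discussed in this thread, added here as an example and not part of the original message or of lokkit itself. The posted `iptables -L` output shows that the built-in INPUT, FORWARD and OUTPUT policies are ACCEPT, so the only thing that makes the host restrictive is the RH-Lokkit-0-50-INPUT chain and its two trailing REJECT rules; if that chain is missing after boot (the rc listing above has S20bastille-firewall in rc2.d and S40shorewall in rcS.d alongside S01lokkit, and any of them flushing the filter table would do it), the machine is silently wide open. The script reads `iptables-save` format from stdin so it can be exercised offline on constructed samples, and it also counts ACCEPT rules in the chain that match on source port alone, as the three DNS rules in the posted script do, because such a rule admits any UDP datagram from that host sent from port 53, not only DNS replies. The chain name is taken from the posted script; the sample `iptables-save` text is constructed and assumes the two hook rules that `iptables -L` shows but the script does not contain.

```shell
#!/bin/sh
# Added example (not from the original post): post-boot check that the
# lokkit chain built by /etc/default/lokkit is really loaded, reading
# `iptables-save` output from stdin so it can be tested offline.
# Assumes the chain name used in the posted script.

CHAIN="RH-Lokkit-0-50-INPUT"

# Constructed sample of what `iptables-save` prints once the posted rules
# (plus the INPUT/FORWARD hooks seen in `iptables -L`) are loaded.
GOOD_SAVE='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Lokkit-0-50-INPUT - [0:0]
-A INPUT -j RH-Lokkit-0-50-INPUT
-A FORWARD -j RH-Lokkit-0-50-INPUT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i eth0 -p udp -m udp --sport 67:68 --dport 67:68 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i eth1 -p udp -m udp --sport 67:68 --dport 67:68 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
-A RH-Lokkit-0-50-INPUT -s 207.69.188.185/32 -p udp -m udp --sport 53 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -s 207.69.188.186/32 -p udp -m udp --sport 53 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -s 207.69.188.187/32 -p udp -m udp --sport 53 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j REJECT --reject-with icmp-port-unreachable
-A RH-Lokkit-0-50-INPUT -p udp -m udp -j REJECT --reject-with icmp-port-unreachable
COMMIT'

# Constructed sample of the filter table after some later script has run
# `iptables -F` and `iptables -X`: policies are ACCEPT and the chain is gone,
# so the host is open even though lokkit "started" earlier in the boot.
FLUSHED_SAVE='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'

# lokkit_check: returns 0 when the chain exists, INPUT jumps to it, and the
# chain still ends with the catch-all TCP SYN and UDP REJECTs; 1 otherwise.
lokkit_check() {
    save=$(cat)
    printf '%s\n' "$save" | grep -q "^:$CHAIN " \
        || { echo "FAIL: chain $CHAIN is not defined" >&2; return 1; }
    printf '%s\n' "$save" | grep -q "^-A INPUT -j $CHAIN\$" \
        || { echo "FAIL: INPUT does not jump to $CHAIN" >&2; return 1; }
    rules=$(printf '%s\n' "$save" | grep "^-A $CHAIN " || true)
    case "$(printf '%s\n' "$rules" | tail -n 1)" in
        *"-p udp"*"-j REJECT"*) ;;
        *) echo "FAIL: $CHAIN does not end with the UDP REJECT" >&2; return 1 ;;
    esac
    printf '%s\n' "$rules" | grep -- "-p tcp" | grep -q -- "-j REJECT" \
        || { echo "FAIL: no catch-all TCP SYN REJECT in $CHAIN" >&2; return 1; }
    echo "OK: $CHAIN loaded with $(printf '%s\n' "$rules" | wc -l | tr -d ' ') rules"
    return 0
}

# sport_only_accepts: prints how many ACCEPT rules in the chain match on
# --sport without a --dport. Each such rule lets the named source host reach
# any UDP port on this machine as long as it sends from that source port.
sport_only_accepts() {
    n=$(grep "^-A $CHAIN " | grep -- "-j ACCEPT" | grep -- "--sport" \
        | grep -vc -- "--dport" || true)
    echo "${n:-0}"
}

# Live usage, as root, once the system is up (e.g. from cron or rc.local):
#   iptables-save | lokkit_check || logger -p auth.err "lokkit rules missing"
#   iptables-save | sport_only_accepts
```

Run against the real `iptables-save` output, a non-zero exit from `lokkit_check` is the signal to look at which later init script touched the filter table; the order in which the rc symlinks fire is exactly what the `ls /etc/rc*.d` listing above shows.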