| 1 |
On Thu, 26 Aug 2004 08:52:41 +0200 |
| 2 |
Robert Ullrich <roul76@×××.de> wrote: |
| 3 |
|
| 4 |
*augenreib* Oooah, ist echt noch zu früh für mich. Hab gerade gesehen, dass alles drin ist. Bleibt nur noch die Frage, wird es auch geladen? Am Anfang meines IPTABLES-Skripts habe ich folgendes zu stehen: |
| 5 |
|
| 6 |
MOD="/sbin/modprobe" |
| 7 |
$MOD ip_tables |
| 8 |
$MOD ip_conntrack |
| 9 |
$MOD ipt_LOG |
| 10 |
$MOD ipt_limit |
| 11 |
$MOD ipt_state |
| 12 |
$MOD ip_conntrack_ftp |
| 13 |
$MOD ip_conntrack_irc |
| 14 |
$MOD iptable_filter |
| 15 |
$MOD iptable_nat |
| 16 |
$MOD iptable_mangle |
| 17 |
|
| 18 |
Die Module werden ja nicht zwangsläufig beim booten geladen (Außer, wenn sie in /etc/modules.autoload.d/kernel-2.6 händisch aufgelistet werden.) |
| 19 |
|
| 20 |
Bis denne - Rob |
| 21 |
|
| 22 |
|
| 23 |
> On Thu, 26 Aug 2004 08:34:06 +0200 |
| 24 |
> Sven Brockshus <Sven@×××××××××.de> wrote: |
| 25 |
> |
| 26 |
> > hallo erstmal, |
| 27 |
> > nachdem ich meine workstation von suse auf gentoo umgestellt hab und super |
| 28 |
> > zufrieden bin, ist jetzt der server dran. klappt auch alles super. nur die |
| 29 |
> > firewall kann ich nicht zum laufen bringen. die firewall soll n paar dienste |
| 30 |
> > nach aussen frei geben und das lan ins internet maskieren. nachdem ich 2 tage |
| 31 |
> > lang gegoogelt und auf www.shorewall.net verbracht hab sieht es so aus, als |
| 32 |
> > ob etwas im kernel fehlt. |
| 33 |
> |
| 34 |
> Ja, scheint als ob was fehlt. Hast du folgendes als Modul kompiliert? |
| 35 |
> |
| 36 |
> Device Drivers ---> |
| 37 |
> Networking Support ---> |
| 38 |
> Networking Options ---> |
| 39 |
> [*] Network packet filtering (replaces ipchains) ---> |
| 40 |
> IP: Netfilter Configuration ---> |
| 41 |
> <M> Connection tracking (required for masq/NAT) |
| 42 |
> <M> FTP protocol support |
| 43 |
> <M> IRC protocol support |
| 44 |
> <M> TFTP protocol support |
| 45 |
> < > Amanda backup protocol support |
| 46 |
> < > Userspace queueing via NETLINK |
| 47 |
> <M> IP tables support (required for filtering/masq/NAT) |
| 48 |
> <M> limit match support |
| 49 |
> <M> IP range match support |
| 50 |
> <M> MAC address match support |
| 51 |
> <M> Packet type match support |
| 52 |
> <M> netfilter MARK match support |
| 53 |
> <M> Multiple port match support |
| 54 |
> < > TOS match support |
| 55 |
> < > recent match support |
| 56 |
> < > ECN match support |
| 57 |
> < > DSCP match support |
| 58 |
> < > AH/ESP match support |
| 59 |
> < > LENGTH match support |
| 60 |
> < > TTL match support |
| 61 |
> < > tcpmss match support |
| 62 |
> < > Helper match support |
| 63 |
> <M> Connection state match support |
| 64 |
> <M> Connection tracking match support |
| 65 |
> <M> Owner match support |
| 66 |
> <M> Packet filtering |
| 67 |
> <M> REJECT target support |
| 68 |
> <M> Full NAT |
| 69 |
> <M> MASQUERADE target support |
| 70 |
> <M> REDIRECT target support |
| 71 |
> < > NETMAP target support |
| 72 |
> < > SAME target support |
| 73 |
> [ ] NAT of local connections (READ HELP) |
| 74 |
> < > Basic SNMP-ALG support (EXPERIMENTAL) |
| 75 |
> <M> Packet mangling |
| 76 |
> <M> TOS target support |
| 77 |
> < > ECN target support |
| 78 |
> < > DSCP target support |
| 79 |
> < > MARK target support |
| 80 |
> < > CLASSIFY target support |
| 81 |
> <M> LOG target support |
| 82 |
> < > ULOG target support |
| 83 |
> < > TCPMSS target support |
| 84 |
> <M> ARP tables support |
| 85 |
> <M> ARP packet filtering |
| 86 |
> < > ARP payload mangling |
| 87 |
> < > ipchains (2.2-style) support |
| 88 |
> < > ipfwadm (2.0-style) support |
| 89 |
> < > raw table support (required for NOTRACK/TRACE) |
| 90 |
> |
| 91 |
> Es kann sein, dass das eine oder andere Modul zu viel ist, aber so funktioniert es bei mir. |
| 92 |
> |
| 93 |
> Grüße - Rob |
| 94 |
> |
| 95 |
> |
| 96 |
> >ich hab aber schon alles einkompilliert und als |
| 97 |
> > modul gebaut, was irgentwie mit netzwerk zu tun hat und auch schon |
| 98 |
> > die .config datei nach dem beispiel auf www.shorewall.net verändert. immer |
| 99 |
> > die gleiche fehlermeldung. vielleicht hat ja jemand von euch ne idee - ich |
| 100 |
> > weiß nicht mehr weiter. |
| 101 |
> > |
| 102 |
> > so, butter bei die fische: |
| 103 |
> > |
| 104 |
> > versionen: |
| 105 |
> > kernel: |
| 106 |
> > 2.6.8-gentoo-r1 |
| 107 |
> > |
| 108 |
> > iptables: |
| 109 |
> > v1.2.11 |
| 110 |
> > |
| 111 |
> > shorewall: |
| 112 |
> > 2.0.4 |
| 113 |
> > |
| 114 |
> > startmeldung: |
| 115 |
> > Loading /usr/share/shorewall/functions... |
| 116 |
> > Processing /etc/shorewall/params ... |
| 117 |
> > Processing /etc/shorewall/shorewall.conf... |
| 118 |
> > Loading Modules... |
| 119 |
> > Starting Shorewall... |
| 120 |
> > Initializing... |
| 121 |
> > Shorewall has detected the following iptables/netfilter capabilities: |
| 122 |
> > NAT: Not available |
| 123 |
> > Packet Mangling: Not available |
| 124 |
> > Multi-port Match: Available |
| 125 |
> > Connection Tracking Match: Not available |
| 126 |
> > Determining Zones... |
| 127 |
> > Zones: net loc |
| 128 |
> > Validating interfaces file... |
| 129 |
> > Validating hosts file... |
| 130 |
> > Validating Policy file... |
| 131 |
> > Determining Hosts in Zones... |
| 132 |
> > Net Zone: ppp0:0.0.0.0/0 |
| 133 |
> > Local Zone: eth1:0.0.0.0/0 |
| 134 |
> > Processing /etc/shorewall/init ... |
| 135 |
> > Deleting user chains... |
| 136 |
> > iptables: No chain/target/match by that name |
| 137 |
> > Processing /etc/shorewall/stop ... |
| 138 |
> > iptables: No chain/target/match by that name |
| 139 |
> > iptables: No chain/target/match by that name |
| 140 |
> > IP Forwarding Enabled |
| 141 |
> > Processing /etc/shorewall/stopped ... |
| 142 |
> > Terminated |
| 143 |
> > |
| 144 |
> > meine interfaces: |
| 145 |
> > net ppp0 - routefilter,norfc1918,tcpflags |
| 146 |
> > loc eth1 detect tcpflags |
| 147 |
> > |
| 148 |
> > policy: |
| 149 |
> > loc net ACCEPT |
| 150 |
> > loc fw ACCEPT |
| 151 |
> > fw net ACCEPT |
| 152 |
> > net all DROP info |
| 153 |
> > all all REJECT info |
| 154 |
> > |
| 155 |
> > rules: |
| 156 |
> > ACCEPT net fw tcp 80 |
| 157 |
> > ACCEPT net fw udp 80 |
| 158 |
> > ACCEPT net fw tcp 20 |
| 159 |
> > ACCEPT net fw tcp 21 |
| 160 |
> > ACCEPT net fw tcp 22 |
| 161 |
> > ACCEPT net fw udp 22 |
| 162 |
> > |
| 163 |
> > zones: |
| 164 |
> > net Net Internet |
| 165 |
> > loc Local Local Networks |
| 166 |
> > |
| 167 |
> > .config-auszug (kommt so von www.shorewall.net): |
| 168 |
> > # |
| 169 |
> > # Networking options |
| 170 |
> > # |
| 171 |
> > CONFIG_PACKET=y |
| 172 |
> > # CONFIG_PACKET_MMAP is not set |
| 173 |
> > # CONFIG_NETLINK_DEV is not set |
| 174 |
> > CONFIG_NETFILTER=y |
| 175 |
> > # CONFIG_NETFILTER_DEBUG is not set |
| 176 |
> > CONFIG_FILTER=y |
| 177 |
> > CONFIG_UNIX=y |
| 178 |
> > CONFIG_INET=y |
| 179 |
> > CONFIG_IP_MULTICAST=y |
| 180 |
> > CONFIG_IP_ADVANCED_ROUTER=y |
| 181 |
> > CONFIG_IP_MULTIPLE_TABLES=y |
| 182 |
> > CONFIG_IP_ROUTE_FWMARK=y |
| 183 |
> > CONFIG_IP_ROUTE_NAT=y |
| 184 |
> > CONFIG_IP_ROUTE_MULTIPATH=y |
| 185 |
> > CONFIG_IP_ROUTE_TOS=y |
| 186 |
> > CONFIG_IP_ROUTE_VERBOSE=y |
| 187 |
> > # CONFIG_IP_ROUTE_LARGE_TABLES is not set |
| 188 |
> > # CONFIG_IP_PNP is not set |
| 189 |
> > CONFIG_NET_IPIP=y |
| 190 |
> > CONFIG_NET_IPGRE=y |
| 191 |
> > # CONFIG_NET_IPGRE_BROADCAST is not set |
| 192 |
> > # CONFIG_IP_MROUTE is not set |
| 193 |
> > # CONFIG_ARPD is not set |
| 194 |
> > CONFIG_INET_ECN=y |
| 195 |
> > CONFIG_SYN_COOKIES=y |
| 196 |
> > |
| 197 |
> > # |
| 198 |
> > # IP: Netfilter Configuration |
| 199 |
> > # |
| 200 |
> > CONFIG_IP_NF_CONNTRACK=m |
| 201 |
> > CONFIG_IP_NF_FTP=m |
| 202 |
> > CONFIG_IP_NF_AMANDA=m |
| 203 |
> > CONFIG_IP_NF_TFTP=m |
| 204 |
> > # CONFIG_IP_NF_IRC is not set |
| 205 |
> > # CONFIG_IP_NF_QUEUE is not set |
| 206 |
> > CONFIG_IP_NF_IPTABLES=m |
| 207 |
> > CONFIG_IP_NF_MATCH_LIMIT=m |
| 208 |
> > CONFIG_IP_NF_MATCH_MAC=m |
| 209 |
> > CONFIG_IP_NF_MATCH_PKTTYPE=m |
| 210 |
> > CONFIG_IP_NF_MATCH_MARK=m |
| 211 |
> > CONFIG_IP_NF_MATCH_MULTIPORT=m |
| 212 |
> > CONFIG_IP_NF_MATCH_TOS=m |
| 213 |
> > CONFIG_IP_NF_MATCH_ECN=m |
| 214 |
> > CONFIG_IP_NF_MATCH_DSCP=m |
| 215 |
> > CONFIG_IP_NF_MATCH_AH_ESP=m |
| 216 |
> > CONFIG_IP_NF_MATCH_LENGTH=m |
| 217 |
> > # CONFIG_IP_NF_MATCH_TTL is not set |
| 218 |
> > CONFIG_IP_NF_MATCH_TCPMSS=m |
| 219 |
> > CONFIG_IP_NF_MATCH_HELPER=m |
| 220 |
> > CONFIG_IP_NF_MATCH_STATE=m |
| 221 |
> > CONFIG_IP_NF_MATCH_CONNTRACK=m |
| 222 |
> > CONFIG_IP_NF_MATCH_UNCLEAN=m |
| 223 |
> > # CONFIG_IP_NF_MATCH_OWNER is not set |
| 224 |
> > CONFIG_IP_NF_FILTER=m |
| 225 |
> > CONFIG_IP_NF_TARGET_REJECT=m |
| 226 |
> > # CONFIG_IP_NF_TARGET_MIRROR is not set |
| 227 |
> > CONFIG_IP_NF_NAT=m |
| 228 |
> > CONFIG_IP_NF_NAT_NEEDED=y |
| 229 |
> > CONFIG_IP_NF_TARGET_MASQUERADE=m |
| 230 |
> > CONFIG_IP_NF_TARGET_REDIRECT=m |
| 231 |
> > CONFIG_IP_NF_NAT_AMANDA=m |
| 232 |
> > CONFIG_IP_NF_NAT_LOCAL=y |
| 233 |
> > # CONFIG_IP_NF_NAT_SNMP_BASIC is not set |
| 234 |
> > CONFIG_IP_NF_NAT_FTP=m |
| 235 |
> > CONFIG_IP_NF_NAT_TFTP=m |
| 236 |
> > CONFIG_IP_NF_MANGLE=m |
| 237 |
> > CONFIG_IP_NF_TARGET_TOS=m |
| 238 |
> > CONFIG_IP_NF_TARGET_ECN=m |
| 239 |
> > CONFIG_IP_NF_TARGET_DSCP=m |
| 240 |
> > CONFIG_IP_NF_TARGET_MARK=m |
| 241 |
> > CONFIG_IP_NF_TARGET_LOG=m |
| 242 |
> > CONFIG_IP_NF_TARGET_ULOG=m |
| 243 |
> > CONFIG_IP_NF_TARGET_TCPMSS=m |
| 244 |
> > CONFIG_IP_NF_ARPTABLES=m |
| 245 |
> > CONFIG_IP_NF_ARPFILTER=m |
| 246 |
> > # CONFIG_IP_NF_COMPAT_IPCHAINS is not set |
| 247 |
> > # CONFIG_IP_NF_COMPAT_IPFWADM is not set |
| 248 |
> > |
| 249 |
> > vielen dank schon mal, |
| 250 |
> > |
| 251 |
> > svenna |
| 252 |
> > |
| 253 |
> > |
| 254 |
> > -- |
| 255 |
> > gentoo-user-de@g.o mailing list |
| 256 |
> > |
| 257 |
> |
| 258 |
> -- |
| 259 |
> gentoo-user-de@g.o mailing list |
| 260 |
> |
| 261 |
|
| 262 |
-- |
| 263 |
gentoo-user-de@g.o mailing list |
Archives