Gentoo Archives: gentoo-user

From: Bryan Whitehead <driver@×××××××××.net>
To: gentoo-user@l.g.o
Subject: Re: [gentoo-user] OT - Need help enabling iptables support in kernel
Date: Tue, 13 Nov 2007 07:03:14
Message-Id: 5cd1cd690711122255l2efb6726o620d9b90e461c4e3@mail.gmail.com
In Reply to: Re: [gentoo-user] OT - Need help enabling iptables support in kernel by Walter Dnes
I don't see what the big deal is - you are choosing to do everything
manually by running gentoo and compiling your own kernel. If you don't
like having to learn things like this why not use Ubuntu or Fedora?

On Nov 12, 2007 8:35 PM, Walter Dnes <waltdnes@××××××××.org> wrote:
> On Sat, Nov 10, 2007 at 10:53:52AM -0600, Michael Sullivan wrote
> > On Sat, 2007-11-10 at 15:40 +0200, Daniel Iliev wrote:
> > >
> > > I believe your problem comes from:
> > >
> > > # CONFIG_IP_NF_CONNTRACK_SUPPORT is not set
> > >
> > > Build this module and try again.
> > >
> > This option isn't even available in my config. Should I add it? Will
> > it work with the kernel I'm running (2.6.22-hardened-r8)
>
> I'm beginning to long for the good ole days of ipchains. Is it still
> maintained? iptables has been scattered all over hell's-half-acre, and
> you need to run around enabling things all over the place to make it
> work. Here are some things enabled in my setup via "make menuconfig".
> Note that this is just for filtering out the bad guys. I do not do any
> masq/nat/mangling/etc with iptables. *IMPORTANT NOTE* you *MUST* enable
> the item... "IPv4 connection tracking support (required for NAT)" in
> order for state matching to work. I found this out "the hard way".
>
> Networking --->
> [*] Networking support
> Networking options --->
> [*] Network packet filtering framework (Netfilter) --->
> Core Netfilter Configuration --->
> <*> Netfilter connection tracking support
> --- Netfilter Xtables support (required for ip_tables)
> <*> "CLASSIFY" target support
> <*> "MARK" target support
> <*> "NFQUEUE" target Support
> < > "NFLOG" target support
> < > "TCPMSS" target support
> <*> "comment" match support
> < > "connbytes" per-connection counter match support
> < > "connmark" connection mark match support
> < > "conntrack" connection tracking match support
> <*> "DCCP" protocol match support
> < > "DSCP" match support
> < > "ESP" match support
> < > "helper" match support
> <*> "length" match support
> <*> "limit" match support
> <*> "mac" address match support
> <*> "mark" match support
> <*> Multiple port match support
> <*> "pkttype" packet type match support
> < > "quota" match support
> <*> "realm" match support
> <*> "sctp" protocol match support (EXPERIMENTAL)
> <*> "state" match support
> < > "statistic" match support
> <*> "string" match support
>
> IP: Netfilter Configuration --->
> <*> IPv4 connection tracking support (required for NAT)
> [*] proc/sysctl compatibility with old connection tracking
> < > IP Userspace queueing via NETLINK (OBSOLETE)
> <*> IP tables support (required for filtering/masq/NAT)
> <*> IP range match support
> <*> TOS match support
> <*> recent match support
> < > ECN match support
> < > AH match support
> <*> TTL match support
> <*> Owner match support
> <*> address type match support
> <*> Packet filtering
> <*> REJECT target support
> <*> LOG target support
> < > ULOG target support
> < > Full NAT
> < > Packet mangling
> < > raw table support (required for NOTRACK/TRACE)
> < > ARP tables support
>
>
>
> --
> Walter Dnes <waltdnes@××××××××.org> In linux /sbin/init is Job #1
> Q. Mr. Ghandi, what do you think of Microsoft security?
> A. I think it would be a good idea.
>
> --
> gentoo-user@g.o mailing list
>
>
--
gentoo-user@g.o mailing list
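
The quoted note above says state matching only works when "IPv4 connection tracking support" is enabled alongside the core Netfilter options; the script below checks a kernel .config for that set. It is an added example, not part of the original message: the mapping from menuconfig labels to CONFIG_ symbols (names as used in 2.6.22-era kernels), the function names and the sample config are assumptions constructed here.

```shell
#!/bin/sh
# Options that iptables "state" filtering depends on, as "symbol|menuconfig label".
# Assumption: label-to-symbol mapping for 2.6.22-era kernels, not from the thread.
REQUIRED_OPTS='CONFIG_NETFILTER|Network packet filtering framework (Netfilter)
CONFIG_NF_CONNTRACK|Netfilter connection tracking support
CONFIG_NETFILTER_XT_MATCH_STATE|"state" match support
CONFIG_NF_CONNTRACK_IPV4|IPv4 connection tracking support (required for NAT)
CONFIG_IP_NF_IPTABLES|IP tables support (required for filtering/masq/NAT)
CONFIG_IP_NF_FILTER|Packet filtering'

# Print every required symbol that is neither =y nor =m in config file $1.
# Returns 0 when nothing is missing, 1 otherwise.
missing_state_opts() {
    cfg=$1
    rc=0
    while IFS='|' read -r sym label; do
        if ! grep -Eq "^${sym}=[ym]\$" "$cfg"; then
            printf '%s  (%s)\n' "$sym" "$label"
            rc=1
        fi
    done <<EOF
$REQUIRED_OPTS
EOF
    return $rc
}

# Constructed sample fragment: conntrack core and the state match are built,
# but IPv4 connection tracking is off, the case the note above warns about.
sample_config() {
    cat <<'EOF'
CONFIG_NETFILTER=y
CONFIG_NF_CONNTRACK=y
CONFIG_NETFILTER_XT_MATCH_STATE=y
# CONFIG_NF_CONNTRACK_IPV4 is not set
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_FILTER=m
EOF
}

# Demo run on the constructed sample.
tmp=$(mktemp) && sample_config > "$tmp"
missing_state_opts "$tmp" || echo "state matching will not work with this config"
rm -f "$tmp"
```

To check a real tree, call `missing_state_opts /usr/src/linux/.config`, the file that "make menuconfig" writes.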
