Gentoo Archives: gentoo-user

From: Michael Sullivan <michael@××××××××××××.com>
To: gentoo-user@l.g.o
Subject: Re: [gentoo-user] OT - Need help enabling iptables support in kernel
Date: Tue, 13 Nov 2007 13:10:30
Message-Id: 1194958972.17205.90.camel@camille.espersunited.com
In Reply to: Re: [gentoo-user] OT - Need help enabling iptables support in kernel by Walter Dnes
On Mon, 2007-11-12 at 23:35 -0500, Walter Dnes wrote:
> On Sat, Nov 10, 2007 at 10:53:52AM -0600, Michael Sullivan wrote
> > On Sat, 2007-11-10 at 15:40 +0200, Daniel Iliev wrote:
> > >
> > > I believe your problem comes from:
> > >
> > > # CONFIG_IP_NF_CONNTRACK_SUPPORT is not set
> > >
> > > Build this module and try again.
> > >
> > This option isn't even available in my config. Should I add it? Will
> > it work with the kernel I'm running (2.6.22-hardened-r8)?
>
> I'm beginning to long for the good ole days of ipchains. Is it still
> maintained? iptables has been scattered all over hell's-half-acre, and
> you need to run around enabling things all over the place to make it
> work. Here are some things enabled in my setup via "make menuconfig".
> Note that this is just for filtering out the bad guys. I do not do any
> masq/nat/mangling/etc with iptables. *IMPORTANT NOTE* you *MUST* enable
> the item... "IPv4 connection tracking support (required for NAT)" in
> order for state matching to work. I found this out "the hard way".
>
> Networking --->
>   [*] Networking support
>     Networking options --->
>       [*] Network packet filtering framework (Netfilter) --->
>         Core Netfilter Configuration --->
>           <*> Netfilter connection tracking support
>           --- Netfilter Xtables support (required for ip_tables)
>             <*> "CLASSIFY" target support
>             <*> "MARK" target support
>             <*> "NFQUEUE" target Support
>             < > "NFLOG" target support
>             < > "TCPMSS" target support
>             <*> "comment" match support
>             < > "connbytes" per-connection counter match support
>             < > "connmark" connection mark match support
>             < > "conntrack" connection tracking match support
>             <*> "DCCP" protocol match support
>             < > "DSCP" match support
>             < > "ESP" match support
>             < > "helper" match support
>             <*> "length" match support
>             <*> "limit" match support
>             <*> "mac" address match support
>             <*> "mark" match support
>             <*> Multiple port match support
>             <*> "pkttype" packet type match support
>             < > "quota" match support
>             <*> "realm" match support
>             <*> "sctp" protocol match support (EXPERIMENTAL)
>             <*> "state" match support
>             < > "statistic" match support
>             <*> "string" match support
>
>         IP: Netfilter Configuration --->
>           <*> IPv4 connection tracking support (required for NAT)
>             [*] proc/sysctl compatibility with old connection tracking
>           < > IP Userspace queueing via NETLINK (OBSOLETE)
>           <*> IP tables support (required for filtering/masq/NAT)
>             <*> IP range match support
>             <*> TOS match support
>             <*> recent match support
>             < > ECN match support
>             < > AH match support
>             <*> TTL match support
>             <*> Owner match support
>             <*> address type match support
>             <*> Packet filtering
>               <*> REJECT target support
>               <*> LOG target support
>               < > ULOG target support
>             < > Full NAT
>             < > Packet mangling
>             < > raw table support (required for NOTRACK/TRACE)
>           < > ARP tables support
>
>
>
> --
> Walter Dnes <waltdnes@××××××××.org> In linux /sbin/init is Job #1
> Q. Mr. Gandhi, what do you think of Microsoft security?
> A. I think it would be a good idea.

I agree, though ipchains was obsolete by the time I started using Linux.
Couldn't we have some package in portage that builds the necessary
modules for iptables, similar to the way I have to emerge ivtv every
time I boot with a new kernel so that my TV card will work?

--
gentoo-user@g.o mailing list
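The quoted post's point is that "-m state" rules need connection tracking compiled in, and that the dependency is easy to miss in menuconfig. The script below is an added example, not code from the thread or from Gentoo: it checks a kernel .config for the symbols behind the menu entries listed above and prints the minimal stateful ruleset that depends on them. The CONFIG_* symbol names are assumed from the 2.6.22-era menu labels (CONFIG_NF_CONNTRACK_IPV4 for "IPv4 connection tracking support (required for NAT)", CONFIG_NETFILTER_XT_MATCH_STATE for the "state" match, and so on); confirm them against your own kernel tree. The sample .config it runs on is constructed to reproduce the "hard way" case, with everything selected except IPv4 connection tracking.

```shell
#!/bin/sh
# Added example (not from the thread): check a kernel .config for the
# Netfilter options a "-m state" filter depends on, then emit a minimal
# ruleset that uses them. CONFIG_* names are assumptions taken from the
# 2.6.22-era menuconfig labels quoted in the thread.

# Symbols behind the quoted menu entries. CONFIG_NF_CONNTRACK_IPV4 is
# "IPv4 connection tracking support (required for NAT)", the one the
# quoted post says state matching silently depends on.
NETFILTER_REQUIRED="
CONFIG_NETFILTER
CONFIG_NF_CONNTRACK
CONFIG_NF_CONNTRACK_IPV4
CONFIG_NETFILTER_XTABLES
CONFIG_NETFILTER_XT_MATCH_STATE
CONFIG_IP_NF_IPTABLES
CONFIG_IP_NF_FILTER
CONFIG_IP_NF_TARGET_REJECT
CONFIG_IP_NF_TARGET_LOG
"

# check_netfilter_config FILE
# Print every required symbol that is neither built in (=y) nor a module
# (=m) in FILE. Returns 0 when nothing is missing, 1 otherwise.
check_netfilter_config() {
    cfg=$1
    rc=0
    for sym in $NETFILTER_REQUIRED; do
        # Anchored on both ends so CONFIG_NF_CONNTRACK does not match
        # CONFIG_NF_CONNTRACK_IPV4 and "# ... is not set" never matches.
        grep -q "^${sym}=[ym]\$" "$cfg" && continue
        echo "missing: $sym"
        rc=1
    done
    return $rc
}

# running_kernel_config
# Print a path to a plain-text copy of the running kernel's config, or
# nothing if none of the usual locations is readable.
running_kernel_config() {
    if [ -r /proc/config.gz ]; then          # needs CONFIG_IKCONFIG_PROC
        tmp=$(mktemp) && zcat /proc/config.gz > "$tmp" && echo "$tmp"
    elif [ -r "/boot/config-$(uname -r)" ]; then
        echo "/boot/config-$(uname -r)"
    elif [ -r /usr/src/linux/.config ]; then
        echo /usr/src/linux/.config
    fi
}

# stateful_filter_rules
# Print an iptables-restore ruleset in the "filter out the bad guys, no
# NAT" style of the quoted post. The ESTABLISHED,RELATED rule is the one
# that fails to load when connection tracking is absent from the kernel.
stateful_filter_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables drop: "
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
}

# Constructed sample .config: everything from the quoted post selected
# except IPv4 connection tracking, i.e. the case found out "the hard way".
SAMPLE_CONFIG=$(mktemp)
trap 'rm -f "$SAMPLE_CONFIG"' EXIT
cat > "$SAMPLE_CONFIG" <<'EOF'
CONFIG_NETFILTER=y
CONFIG_NF_CONNTRACK=y
# CONFIG_NF_CONNTRACK_IPV4 is not set
CONFIG_NF_CONNTRACK_PROC_COMPAT=y
CONFIG_NETFILTER_XTABLES=y
CONFIG_NETFILTER_XT_MATCH_STATE=y
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_FILTER=y
CONFIG_IP_NF_TARGET_REJECT=y
CONFIG_IP_NF_TARGET_LOG=y
EOF

if check_netfilter_config "$SAMPLE_CONFIG"; then
    echo "sample config: ok, the ruleset below would load"
else
    echo "sample config: -m state rules will fail to load"
fi
```

To check a live box, replace `$SAMPLE_CONFIG` with `$(running_kernel_config)` and, if the report is clean, feed `stateful_filter_rules | iptables-restore` as root. Options built as modules (=m) pass the check but must still be loadable; iptables modprobes `nf_conntrack_ipv4` and `xt_state` on demand, so a clean check with a rule that still fails to load usually points at a module built for a different kernel than the one running, which is the situation the reply above describes with ivtv.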