| 1 |
On Sat, Nov 10, 2007 at 10:53:52AM -0600, Michael Sullivan wrote |
| 2 |
> On Sat, 2007-11-10 at 15:40 +0200, Daniel Iliev wrote: |
| 3 |
> > |
| 4 |
> > I believe your problem comes from: |
| 5 |
> > |
| 6 |
> > # CONFIG_IP_NF_CONNTRACK_SUPPORT is not set |
| 7 |
> > |
| 8 |
> > Build this module and try again. |
| 9 |
> > |
| 10 |
> This option isn't even available in my config. Should I add it? Will |
| 11 |
> it work with the kernel I'm running (2.6.22-hardened-r8) |
| 12 |
|
| 13 |
I'm beginning to long for the good ole days of ipchains. Is it still |
| 14 |
maintained? iptables has been scattered all over hell's-half-acre, and |
| 15 |
you need to run around enabling things all over the place to make it |
| 16 |
work. Here are some things enabled in my setup via "make menuconfig". |
| 17 |
Note that this is just for filtering out the bad guys. I do not do any |
| 18 |
masq/nat/mangling/etc with iptables. *IMPORTANT NOTE* you *MUST* enable |
| 19 |
the item... "IPv4 connection tracking support (required for NAT)" in |
| 20 |
order for state matching to work. I found this out "the hard way". |
| 21 |
|
| 22 |
Networking ---> |
| 23 |
[*] Networking support |
| 24 |
Networking options ---> |
| 25 |
[*] Network packet filtering framework (Netfilter) ---> |
| 26 |
Core Netfilter Configuration ---> |
| 27 |
<*> Netfilter connection tracking support |
| 28 |
--- Netfilter Xtables support (required for ip_tables) |
| 29 |
<*> "CLASSIFY" target support |
| 30 |
<*> "MARK" target support |
| 31 |
<*> "NFQUEUE" target Support |
| 32 |
< > "NFLOG" target support |
| 33 |
< > "TCPMSS" target support |
| 34 |
<*> "comment" match support |
| 35 |
< > "connbytes" per-connection counter match support |
| 36 |
< > "connmark" connection mark match support |
| 37 |
< > "conntrack" connection tracking match support |
| 38 |
<*> "DCCP" protocol match support |
| 39 |
< > "DSCP" match support |
| 40 |
< > "ESP" match support |
| 41 |
< > "helper" match support |
| 42 |
<*> "length" match support |
| 43 |
<*> "limit" match support |
| 44 |
<*> "mac" address match support |
| 45 |
<*> "mark" match support |
| 46 |
<*> Multiple port match support |
| 47 |
<*> "pkttype" packet type match support |
| 48 |
< > "quota" match support |
| 49 |
<*> "realm" match support |
| 50 |
<*> "sctp" protocol match support (EXPERIMENTAL) |
| 51 |
<*> "state" match support |
| 52 |
< > "statistic" match support |
| 53 |
<*> "string" match support |
| 54 |
|
| 55 |
IP: Netfilter Configuration ---> |
| 56 |
<*> IPv4 connection tracking support (required for NAT) |
| 57 |
[*] proc/sysctl compatibility with old connection tracking |
| 58 |
< > IP Userspace queueing via NETLINK (OBSOLETE) |
| 59 |
<*> IP tables support (required for filtering/masq/NAT) |
| 60 |
<*> IP range match support |
| 61 |
<*> TOS match support |
| 62 |
<*> recent match support |
| 63 |
< > ECN match support |
| 64 |
< > AH match support |
| 65 |
<*> TTL match support |
| 66 |
<*> Owner match support |
| 67 |
<*> address type match support |
| 68 |
<*> Packet filtering |
| 69 |
<*> REJECT target support |
| 70 |
<*> LOG target support |
| 71 |
< > ULOG target support |
| 72 |
< > Full NAT |
| 73 |
< > Packet mangling |
| 74 |
< > raw table support (required for NOTRACK/TRACE) |
| 75 |
< > ARP tables support |
| 76 |
|
| 77 |
|
| 78 |
|
| 79 |
-- |
| 80 |
Walter Dnes <waltdnes@××××××××.org> In linux /sbin/init is Job #1 |
| 81 |
Q. Mr. Ghandi, what do you think of Microsoft security? |
| 82 |
A. I think it would be a good idea. |
| 83 |
-- |
| 84 |
gentoo-user@g.o mailing list |
Archives