# iptables, compiled into the kernel, fun for all :-(

## uberlinuxguy

I am presently trying to build a Gentoo firewall. I am building a monolithic kernel, so NO MODULES. I've looked around and seen mentions of the same problem I am having, but no definite solution. So here's the problem; maybe somebody can help.

System Info: 

Gentoo x86 1.4_rc2

Kernel: linux-2.4.19-xfs-r2, latest xfs-sources from emerge

The option "Network packet filtering (replaces ipchains)" is turned on, compiled in, not as a module, and the stuff under "IP: Netfilter Configuration --->" is set up how I want it. So I emerge iptables on the running system. I see iptables in the kernel initialize, because in dmesg I see "ip_tables: (C) 2000-2002 Netfilter core team". Now here's the fun part: it initializes in the kernel, but still I get

iptables v1.2.7a: can't initialize iptables table `filter': Table does not exist (do you need to insmod?)

Perhaps iptables or your kernel needs to be upgraded.

when I run /sbin/iptables -L. So my question is, what am I missing? What tiny little detail is eluding me? Do I have to compile it as a module? I would like to avoid that if at all possible...

Jason

----------

## rtn

Under Netfilter Configuration ---> turn on Packet Filtering. It doesn't need to be a module.

--rtn
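
As an added example (not from the thread), here is a small sh script that reads a kernel .config and reports, per iptables table, whether the kernel can provide it. The dmesg banner "ip_tables: (C) 2000-2002 Netfilter core team" comes from the ip_tables core (CONFIG_IP_NF_IPTABLES); the `filter' table is registered by the separate "Packet filtering" option (CONFIG_IP_NF_FILTER, or the iptable_filter module when built as =m), which is what the "Table does not exist" error is about. The option and module names are the 2.4.x ones; the .config fragment is constructed to reproduce the original poster's case, and the nat and mangle tables are covered beyond what the thread asks about.

```shell
#!/bin/sh
# Added example, not from the thread: work out from a kernel .config which
# iptables tables the kernel can provide. The ip_tables banner in dmesg only
# proves the ip_tables core (CONFIG_IP_NF_IPTABLES) is in; each table is its
# own option, and "Packet filtering" (CONFIG_IP_NF_FILTER) registers `filter'.

# table -> kernel option that registers it -> module name if built as =m
# (2.4.x names)
TABLE_OPTS="filter:CONFIG_IP_NF_FILTER:iptable_filter
nat:CONFIG_IP_NF_NAT:iptable_nat
mangle:CONFIG_IP_NF_MANGLE:iptable_mangle"

# Constructed .config fragment reproducing the poster's situation: netfilter
# and the ip_tables core built in, but the filter table left unset.
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
CONFIG_NETFILTER=y
CONFIG_IP_NF_CONNTRACK=y
CONFIG_IP_NF_IPTABLES=y
# CONFIG_IP_NF_FILTER is not set
CONFIG_IP_NF_NAT=m
CONFIG_IP_NF_MANGLE=y
EOF

# opt_state OPTION CONFIGFILE : prints y (built in), m (module) or n (off)
opt_state() {
    line=$(grep "^$1=" "$2" 2>/dev/null | head -n 1)
    case "$line" in
        "$1=y") echo y ;;
        "$1=m") echo m ;;
        *)      echo n ;;
    esac
}

# table_status TABLE CONFIGFILE : builtin | module:NAME | missing:OPTION
table_status() {
    entry=$(printf '%s\n' "$TABLE_OPTS" | grep "^$1:") || { echo "unknown:$1"; return 1; }
    opt=${entry#*:}; opt=${opt%%:*}
    mod=${entry##*:}
    case "$(opt_state "$opt" "$2")" in
        y) echo builtin ;;
        m) echo "module:$mod" ;;
        *) echo "missing:$opt" ;;
    esac
}

# diagnose CONFIGFILE : one line per table with the fix for each case.
# Returns 1 when the filter table is unavailable, i.e. iptables -L will fail.
diagnose() {
    cfg=$1; rc=0
    [ "$(opt_state CONFIG_NETFILTER "$cfg")" = y ] || { echo "CONFIG_NETFILTER is off: no netfilter at all"; return 1; }
    [ "$(opt_state CONFIG_IP_NF_IPTABLES "$cfg")" != n ] || { echo "CONFIG_IP_NF_IPTABLES is off: no ip_tables core"; return 1; }
    for t in filter nat mangle; do
        s=$(table_status "$t" "$cfg")
        case "$s" in
            builtin)   echo "$t: built in, no module needed" ;;
            module:*)  echo "$t: module, run modprobe ${s#module:} first" ;;
            missing:*) echo "$t: not in this kernel; enable ${s#missing:} and rebuild"
                       if [ "$t" = filter ]; then rc=1; fi ;;
        esac
    done
    return $rc
}

if diagnose "$SAMPLE_CFG"; then
    echo "filter table available"
else
    echo "iptables -L will fail: Table does not exist"
fi
```

On a real box, point `diagnose` at the .config of the kernel that is actually booted (normally /usr/src/linux/.config), not one you have since edited; the quickest live check is `cat /proc/net/ip_tables_names`, which lists the tables the running kernel has registered. An empty list with the ip_tables banner in dmesg is exactly the situation in the first post.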

----------

## ivorydawn

Hi,

I have the exact same problem. I have not yet managed to solve it, but found this as a start.

http://iptables-tutorial.frozentux.net/chunkyhtml/commonproblems.html#MODULEPROBLEMS

Enjoy!

Andy

----------

## imadork

For what it's worth, I managed to compile a kernel with no modules for a firewall, and it works fine.

I used the Gentoo sources, 2.4.19-r7.

----------

## grege

If it is of any use, I have it all loaded as modules and get the same error when I try to run Firestarter; sounds like a dependency problem.

----------

## neilhwatson

I've always found kernel modules to be a pain, especially kernels provided by distributions. I had the same problem you are having. My solution was to download my own kernel source (from a kernel.org mirror) and download iptables. Run the iptables patch-o-matic, build a new kernel (iptables as modules), reboot to the new kernel and install iptables. My firewall works fine now.

----------

## shadov

I'm a n00b with iptables.

What's patch-o-matic ?

I haven't got iptables working with 2.4.19-gentoo, so I'm going to try with 2.4.20-vanilla tomorrow. Is there a list somewhere that tells what modules I need? I have found out that there are kind of a lot of modules in iptables.

----------

## neilhwatson

When you download iptables you should also download the iptables patch-o-matic. This is a script that you run that patches your kernel sources. The iptables install documentation will explain it all.

----------

## digitalnick

I'm having similar problems with the gentoo .20-r1 sources. I tried first as modules, but when I follow the masq howto and try the firewall script I get errors that it can't insmod the modules, something about unresolved dependencies... Going to try now as a monolithic kernel. If it still fails then I will try patch-o-matic on the vanilla sources. I'll post the results.

----------

## digitalnick

Well, I just got done recompiling the gentoo-sources 2.4.20-r1 monolithically (for iptables anyway), ran the masq script from the howto, and all the iptables stuff worked fine. In fact I ran adsl-start, moved a couple of cables around, changed the inside IP of the server, and I'm routing through it right now :) So all I have to do now is start locking down the firewall and figure out how to only allow connections from the inside from a list of approved MAC addresses and a list of IP addresses (don't like my neighbors stealing my wireless access). If anyone has any tips on that, let me know.

happy firewalling

----------

## Buzzz

*digitalnick wrote:*

> So all I have to do now is start locking down the firewall and figure out how to only allow connections from the inside from a list of approved MAC addresses and a list of IP addresses (don't like my neighbors stealing my wireless access). If anyone has any tips on that, let me know.


I would say, use a DHCP server that gives IP addresses based on MAC addresses and only allow those IP addresses to initiate outgoing traffic.

----------

## neilhwatson

Also, I could not find anywhere in Gentoo's module start scripts the command depmod -a. This command tells kerneld to calculate the module dependencies so that if you load a module using modprobe, kerneld loads any dependent modules automatically. You may want to add that command.

----------

## rtn

*neilhwatson wrote:*

> Also, I could not find anywhere in Gentoo's module start scripts the command depmod -a. This command tells kerneld to calculate the module dependencies so that if you load a module using modprobe, kerneld loads any dependent modules automatically. You may want to add that command.


`depmod -a` is called from /sbin/modules-update, which is called from /etc/init.d/modules.

--rtn
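
As an added example (not from the thread) of what `depmod -a` and modprobe do for the "unresolved dependencies" errors reported earlier: depmod writes modules.dep, one line per module listing the modules it needs, and modprobe walks that file to insmod the dependencies first. Plain insmod loads exactly one module and fails with unresolved symbols if, say, ipt_MASQUERADE is inserted before ip_conntrack and ip_tables. The sh script below resolves that load order from a constructed modules.dep in the 2.4 modutils format (one line per module, no continuation lines); the paths are hypothetical.

```shell
#!/bin/sh
# Added example: resolve the load order of a netfilter module from a
# modules.dep file, the way modprobe does after "depmod -a" has written it.

# Constructed modules.dep in 2.4 modutils format (paths are hypothetical).
DEPFILE=$(mktemp)
cat > "$DEPFILE" <<'EOF'
/lib/modules/2.4.20/kernel/net/ipv4/netfilter/ip_tables.o:
/lib/modules/2.4.20/kernel/net/ipv4/netfilter/ip_conntrack.o:
/lib/modules/2.4.20/kernel/net/ipv4/netfilter/iptable_filter.o: /lib/modules/2.4.20/kernel/net/ipv4/netfilter/ip_tables.o
/lib/modules/2.4.20/kernel/net/ipv4/netfilter/iptable_nat.o: /lib/modules/2.4.20/kernel/net/ipv4/netfilter/ip_conntrack.o /lib/modules/2.4.20/kernel/net/ipv4/netfilter/ip_tables.o
/lib/modules/2.4.20/kernel/net/ipv4/netfilter/ipt_MASQUERADE.o: /lib/modules/2.4.20/kernel/net/ipv4/netfilter/iptable_nat.o /lib/modules/2.4.20/kernel/net/ipv4/netfilter/ip_conntrack.o /lib/modules/2.4.20/kernel/net/ipv4/netfilter/ip_tables.o
EOF

# mod_path NAME : full path of module NAME in DEPFILE (empty if depmod never saw it)
mod_path() {
    grep "/$1\.o:" "$DEPFILE" | head -n 1 | cut -d: -f1
}

# direct_deps PATH : the dependencies depmod recorded for PATH
direct_deps() {
    grep "^$1:" "$DEPFILE" | head -n 1 | cut -d: -f2
}

# Depth-first walk: print each module after everything it depends on, once.
# Uses $1 rather than a variable because sh has no locals and the recursion
# would otherwise clobber the current path.
SEEN=""
load_order_walk() {
    case " $SEEN " in *" $1 "*) return 0 ;; esac
    for d in $(direct_deps "$1"); do
        load_order_walk "$d"
    done
    SEEN="$SEEN $1"
    basename "$1" .o
}

# load_order NAME : module names in the order modprobe would insmod them
load_order() {
    SEEN=""
    p=$(mod_path "$1")
    [ -n "$p" ] || { echo "$1: not in modules.dep (run depmod -a?)" >&2; return 1; }
    load_order_walk "$p"
}

load_order ipt_MASQUERADE
```

Running it prints ip_conntrack, ip_tables, iptable_nat, ipt_MASQUERADE, one per line, which is the order a firewall script has to insmod them by hand if it does not use modprobe. A module missing from modules.dep altogether usually means modules.dep is stale for the kernel you booted, which is what rerunning `depmod -a` fixes.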

----------

## digitalnick

*Buzzz wrote:*

> I would say, use a DHCP server that gives IP addresses based on MAC addresses and only allow those IP addresses to initiate outgoing traffic.


Yeah, I was going to do that too, but I also want to make sure no one sets a static IP while the dhcpd one is offline and can't get access like that. Basically I want them to have to spoof the MAC and set the appropriate IP for that MAC to have access, as I doubt any of my neighbors could figure that out.
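
As an added example (not from the thread) of the rule set Buzzz and digitalnick are describing: forward traffic from the LAN only for hosts that present both a registered MAC and the IP the DHCP server hands to that MAC, and drop everything else, so a static IP alone gets nobody out. It assumes the kernel has MAC address match (CONFIG_IP_NF_MATCH_MAC), connection state match (CONFIG_IP_NF_MATCH_STATE), the limit match and the LOG target, and that eth1 is the inside and ppp0 the ADSL side; the interface names and addresses are hypothetical. IPTABLES defaults to echo, so running the script prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not from the thread: allow forwarding only for known
# (MAC, IP) pairs on the inside interface. IPTABLES defaults to "echo" so
# this is a dry run; set IPTABLES=/sbin/iptables on the firewall itself.

IPTABLES=${IPTABLES:-echo}

# Constructed allowlist (hypothetical addresses): the same MAC/IP pairs you
# would give the DHCP server as fixed-address host entries.
ALLOWLIST=$(mktemp)
cat > "$ALLOWLIST" <<'EOF'
# mac                 ip
00:11:22:33:44:55     192.168.1.10
00:11:22:33:44:66     192.168.1.11
EOF

# build_forward_rules LAN_IF WAN_IF ALLOWLIST_FILE
build_forward_rules() {
    lan=$1; wan=$2; list=$3
    $IPTABLES -F FORWARD
    # Default deny: a neighbour with a guessed static IP but the wrong MAC,
    # or the right MAC but the wrong IP, matches nothing below and is dropped.
    $IPTABLES -P FORWARD DROP
    # Replies to connections an approved host already opened.
    $IPTABLES -A FORWARD -i "$wan" -o "$lan" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # One rule per approved host: source IP AND source MAC must both match.
    grep -v '^#' "$list" | while read -r mac ip rest; do
        [ -n "$mac" ] && [ -n "$ip" ] || continue
        $IPTABLES -A FORWARD -i "$lan" -o "$wan" -s "$ip" -m mac --mac-source "$mac" -j ACCEPT
    done
    # Log (rate-limited) what the policy drops, so spoofing attempts show up.
    $IPTABLES -A FORWARD -i "$lan" -m limit --limit 3/min -j LOG --log-prefix "FWD-DENY: "
}

build_forward_rules eth1 ppp0 "$ALLOWLIST"
```

Two caveats a practitioner would want. `-m mac` sees the source MAC of the frame as it arrived on the firewall's interface: if the wireless access point bridges, that is the client's MAC and the check works as intended; if the access point routes, every client arrives with the access point's MAC and the rule degrades to an IP check. And both fields are trivially spoofable by anyone who can sniff the wireless network, so this is the deterrent digitalnick describes, not authentication; the same allowlist should also be applied to the INPUT chain for any services the firewall itself offers to the LAN.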

----------

