# Samba and Windows 7

## Tony0945

My network has two Gentoo computers, one dual boot Gentoo/XP and one new Win 7 computer. Win 7 sees the XP computer, sees the miniDLNA server on the one Gentoo box, sees all the smart TV's, Roku, and Amazon firestick but does not see SAMBA on any computer although XP does (and does not see the other devices).  I've researched on the web, mostly Ubuntu problems and found my SAMBA config should work. samba-3.6.25 is that version not supporting Win7?   

Anyone connecting to Windows 7?

Last edited by Tony0945 on Sun Aug 13, 2017 12:07 am; edited 2 times in total

----------

## Fitzcarraldo

Yes, I have Windows 7 machines in my home network, which consists of a mix of machines running Linux (including Gentoo amd64 and ~amd64), Windows 7, Windows 10, Android, etc. SMB/Samba browsing works fine on all the machines. I use Samba 4, not Samba 3, on the Linux machines. For my home network I just use broadcast NetBIOS name resolution, which works fine if you have up to e.g. 15 Workgroup devices in the network. I allow any machine in the network to participate in Master Browser elections, and those elections also work fine. You can see examples of working smb.conf files and net-fs/samba USE flags in my blog post A correct method of configuring Samba for browsing SMB shares in a home network.

----------

## Tony0945

Thank you for your excellent site. I updated Samba on one box. I also changed the workgroup name on the XP computer from the default MsHome to workgroup and as you can see it is visible.

http://dpaste.com/3JHQ28Z  I did the same with the Win 7 computer and XP can see it and exchange files but as yet Win7 sees only the XP computer (Casti) and the Gentoo computers do not see the Win 7 computer.

----------

## Fitzcarraldo

I don't use Samba 3 as it's outdated, and I recommend you switch all your machines to Samba 4. If you don't want to move to Samba 4, I suppose you could try the following Windows 7 registry edit from a 2009 Microsoft Knowledge Article: Windows 7 and Samba 3 interoperability, but I don't know whether that is still valid or what impact it would have on the other shares.

----------

## Princess Nell

+1

Use testparm before and after to see which defaults have changed and update the config accordingly.

----------

## Tony0945

I will be moving the other box and use the samba.conf from the other machine as a template with only some name changes.

The problem with upgrading to samba 4 is that wine requires samba with the winbind flag if samba is used, so I had to recompile wine with -samba which took FOREVER.

I'll follow up on your tip. I'm sure win 7 is the problem:

1. win7 can ping the XP box but neither gentoo box. Gives "no response"

2. the XP box can ping both gentoo boxes and the win7 box.

3. the gentoo boxes can ping everything

4. the gentoo boxes see each other's share and the XP share, but not the win 7 share.

5. the XP box sees all the shares, win 7 and gentoo.

6. the win 7 box sees only the XP share and can exchange files with it.

7. The win7 box sees the miniDLNA server on the gentoo box that has it. It works too.

8. The win7 box does not see the apache web site on the other gentoo box (really strange!). the XP box does and of course the gentoo boxes do also.

9. the win7 box also sees the amazon firestick, the (multiple) Samsung SmartTV's and the Roku. Everything EXCEPT Linux!

EDIT: I can also log in to the win7 box using rdesktop  from the gentoo boxes, works even better than with XP. Yet win7 won't admit that the gentoo box exists!

----------

## ct85711

One thing you may want to do, to help troubleshoot is turn off the firewall on your windows 7 machines; to help filter out the part of the firewall blocking the traffic.

Note:  I am not meaning to keep it disabled, but it's useful to have it off for a little bit to rule that out from affecting it.

If the windows 7 machines are separated by nat from the linux machines, that will also prevent the communication.

----------

## Fitzcarraldo

 *Tony0945 wrote:*   

> The problem with upgrading to samba 4 is that wine requires samba with the winbind flag if samba is used, so I had to recompile wine with -samba which took FOREVER.

 

For a typical home network, WINS is not necessary (and so Winbind is not necessary), as Broadcast NetBIOS Name Resolution works fine. If you use Broadcast NetBIOS Name Resolution instead of WINS, Samba does not require the winbind USE flag to be set:

```
fitzcarraldo@clevow230ss ~ $ equery uses samba | grep winbind
-winbind
```

Therefore I wonder why the WINE ebuild insists on Winbind if WINE is built with USE="samba":

```
fitzcarraldo@clevow230ss ~ $ grep winbind /usr/portage/app-emulation/wine/wine-1.9.20.ebuild
        samba? ( >=net-fs/samba-3.0.25[winbind] )
```

Perhaps that is a mistake in the WINE ebuild. After all, the Samba ebuild mistakenly insists that Kerberos is installed even when Broadcast NetBIOS Name Resolution is being used, which is certainly unnecessary (Gentoo Bug No. 579088).

----------

## Tony0945

Duh!   Hit me on the head!  Messing with the Windows 7 firewall got me nowhere.  The problem was my iptables setup! I list every machine that can connect and drop the rest. This is to prevent unknown code on Roku, firestick or especially Samsung SmartTV's from gaining access.  I did not add the new computer's ip address to the ACCEPT list in iptables on either gentoo computer.  I modified my script accordingly, ran it, ran /etc/init.d/iptables save and all is well. I can now ping from Win 7 and access the samba shares.

I have updated the second machine to Samba 4. Many thanks to Fitzcarraldo for the scripts on his web page.

----------

## Fitzcarraldo

A bit of a 'necro post', but I thought it would be useful to mention, in case someone searches and finds this thread, that if you are using broadcast NetBIOS name resolution, the firewall in each Linux machine needs an extra rule in order for Samba commands (smbtree, smbclient, nmbclient etc.) to work properly.

For a purely iptables firewall:

```
iptables -t raw -A OUTPUT -p udp -m udp --dport 137 -j CT --helper netbios-ns
```

Users of UFW should add the following to the end of /etc/ufw/before.rules:

```
# The following is needed to enable Samba commands to
# work properly for broadcast NetBIOS name resolution
#
# raw table rules
*raw
:OUTPUT ACCEPT [0:0]
-F OUTPUT
-A OUTPUT -p udp -m udp --dport 137 -j CT --helper netbios-ns
COMMIT
```

Ref. Prevent Linux firewalls interfering with Samba commands in a home network that uses broadcast NetBIOS name resolution

----------

## Tony0945

```
iptables v1.4.21: can't initialize iptables table `raw': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
```

----------

## Fitzcarraldo

 *Tony0945 wrote:*   

> ```
> iptables v1.4.21: can't initialize iptables table `raw': Table does not exist (do you need to insmod?)
> ...
> ```

 

 *Fitzcarraldo's blog wrote:*   

> 
> 
> Kernel configuration
> 
> If you are using a binary-based distribution such as Ubuntu Linux, the kernel will probably have been configured to include the needed modules (CONFIG_IP_NF_RAW=m, CONFIG_IP6_NF_RAW=m and CONFIG_NETFILTER_XT_TARGET_CT=m), and the installation configured to load the modules automatically. However, if you are using a source-based distribution such as Gentoo Linux make sure the kernel configuration includes these three options before you build the kernel, and also add the module names 'iptable_raw' and 'xt_CT' to the module list in the file /etc/conf.d/modules as shown in the example below, so that the modules are loaded at boot:
> ...

 

----------

## Tony0945

Thank you again!

```
X3 /home/tony # zgrep CONFIG_IP_NF_RAW /proc/config.gz
# CONFIG_IP_NF_RAW is not set
```

Does this do more than "iptables -P OUTPUT ACCEPT" ?

----------

## Fitzcarraldo

 *Tony0945 wrote:*   

> Thank you again!
> 
> ```
> X3 /home/tony # zgrep CONFIG_IP_NF_RAW /proc/config.gz
> ...
> ```

 

The rule you mention allows all outgoing traffic. It wouldn't solve the problem with broadcast NetBIOS name resolution.

In simple, two-way flows (conversations), a machine running IPTABLES handles responses to packets it sends using the ESTABLISHED / RELATED rule. However, unlike 'traditional' machine-to-machine two-way flows, Broadcast NetBIOS Name Resolution relies on broadcasts, i.e. the conversation is not two-way; it is one-to-many. The machine that issues a NetBIOS broadcast may receive multiple unicast responses from multiple machines on the LAN.

The issue is accepting these incoming NetBIOS responses from the other machines. The initiating machine does not establish two-way flows with every other 'NetBIOS speaking' machine on the LAN and, therefore, does not have corresponding rules to process their responses.

The machine issuing a NetBIOS broadcast invokes the Connection Tracking netbios-ns helper in the OUTPUT chain of the 'raw' table to prepare the firewall to accept incoming responses to the broadcast it has just issued, thereby creating a dynamic, pre-established rule for the responses.
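
The explanation above has two halves that must both be in the ruleset: the helper rule in the raw table's OUTPUT chain, and an INPUT rule that accepts RELATED traffic. As an added example (not part of the original post), this shell function audits iptables-save style text for both; the sample rulesets and variable names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: audit iptables-save style text for the
# two rules that broadcast NetBIOS name resolution depends on.

# audit_netbios_rules RULESET_TEXT
# Prints helper=present|missing and related=present|missing.
audit_netbios_rules() {
    printf '%s\n' "$1" | awk '
        # "*raw" or "*filter" opens a table section in iptables-save output
        /^\*/ { table = substr($0, 2) }

        # raw/OUTPUT: outgoing UDP 137 queries get the netbios-ns helper,
        # which prepares conntrack for the unicast replies
        table == "raw" && /^-A OUTPUT / && /-p udp / &&
            /--dport 137( |$)/ && /-j CT / &&
            /--helper netbios-ns( |$)/ { helper = 1 }

        # filter/INPUT: the prepared replies arrive as RELATED, so an ACCEPT
        # rule must match that state (conntrack match or older state match)
        table == "filter" && /^-A INPUT / && /-j ACCEPT/ &&
            /(--ctstate|--state) [A-Z,]*RELATED/ { related = 1 }

        END {
            printf "helper=%s\n", (helper ? "present" : "missing")
            printf "related=%s\n", (related ? "present" : "missing")
        }'
}

# --- Constructed sample rulesets (not taken from any machine in the thread) ---
FILTER_OK='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.0.105/32 -j ACCEPT
COMMIT'

RAW_HELPER='*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A OUTPUT -p udp -m udp --dport 137 -j CT --helper netbios-ns
COMMIT'

# Allowlist firewall without the helper rule
RULES_BEFORE=$FILTER_OK

# Same firewall with the raw-table helper rule added
RULES_AFTER="$RAW_HELPER
$FILTER_OK"

# Helper present, but the state rule only matches ESTABLISHED, so the first
# reply (state RELATED) is not accepted by it
RULES_NO_RELATED=$(printf '%s\n' "$RULES_AFTER" |
    sed 's/RELATED,ESTABLISHED/ESTABLISHED/')

echo "before:";          audit_netbios_rules "$RULES_BEFORE"
echo "after:";           audit_netbios_rules "$RULES_AFTER"
echo "no RELATED rule:"; audit_netbios_rules "$RULES_NO_RELATED"
```

On a live machine the same function can be fed the output of `iptables-save`.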

----------

## Tony0945

Thanks for the explanation. Samba is mostly working but sometimes is flaky. This may explain why.

This is a section of smb.conf on my file server. (note is from the default conf)

```
domain master = no
local master = yes
preferred master = yes
; os level = 6 on the other laptop, so I have made it 5 on this laptop.
os level = 5
name resolve order = bcast
wins support = no
dns proxy = no
```

And as on the client machine:

```
gentoo ~ #  zgrep CONFIG_IP_NF_RAW /proc/config.gz
# CONFIG_IP_NF_RAW is not set
```

 I'll correct the kernel config and firewall script and reboot.

----------

## Fitzcarraldo

The excerpt from smb.conf on your file server looks OK, and would work for Broadcast NetBIOS Name Resolution. I know I quoted a low 'os level' for my file server in my original blog post on SMB/Samba, and that does work (it just means there is a new Master Browser every time another machine with a higher os level connects to the network). However, if your file server is always-on (or nearly always) you could, if you want, have 'os level = 255' instead in the file server's smb.conf so that the file server is always the Master Browser (until you disconnect it or power it down, at which point a normal re-election for Master Browser would occur).

I'm not typing this on one of my two Gentoo-running laptops, but I'll boot one up in a few minutes and edit this post to list all the loaded iptables-related modules, just for information.

(By the way, a mixture of Windows versions connects to my network: the family desktop machine runs Windows 10, various family members have laptops running Windows 7 and Windows 10, and of course smartphones and tablets running Android and iOS, plus the occasional visitor with a MacBook running macOS. So this approach is not just for Windows 7, even if you are just using Windows 7 presently.)

----------

## Tony0945

Hmmm!  Modules are built and loaded.

But:

```
gentoo ~ # iptables -t raw -A OUTPUT -p udp -m udp --dport 137 -j CT --helper netbios-ns
iptables: No chain/target/match by that name.
```

The results of iptables -L:

```
gentoo ~ # iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
REJECT     tcp  --  anywhere             anywhere             tcp dpt:auth flags:FIN,SYN,RST,ACK/SYN reject-with tcp-reset
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     udp  --  anywhere             anywhere             udp spt:domain state RELATED,ESTABLISHED
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:8200
ACCEPT     udp  --  anywhere             anywhere             udp dpt:1900
ACCEPT     all  --  Casti.MsHome         anywhere
ACCEPT     all  --  Windoze.MsHome       anywhere
ACCEPT     all  --  www.tonysegredo.net  anywhere
ACCEPT     all  --  X3.MsHome            anywhere
ACCEPT     all  --  192.168.0.105        anywhere
ACCEPT     all  --  k6.MsHome            anywhere
ACCEPT     all  --  192.168.0.108        anywhere
ACCEPT     all  --  biostar-wired        anywhere
ACCEPT     all  --  biostar              anywhere
ACCEPT     all  --  router               all-systems.mcast.net
ACCEPT     all  --  router               255.255.255.255
DROP       all  --  anywhere             239.255.255.250
DROP       all  --  0.0.0.0              255.255.255.255
logdrop    all  --  anywhere             anywhere             ctstate NEW

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain logdrop (1 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere             LOG level warning prefix "DROP: "
DROP       all  --  anywhere             anywhere
```

That second rule doesn't look right.

lsmod output at https://paste.pound-python.org/show/TJizBBzy16umsonxknjU/

[Moderator edit: fixed url tag. -Hu]

----------

## Tony0945

 *Quote:*   

> [Moderator edit: fixed url tag. -Hu]

 

Thanks, Hu.  Do you think this thread should be maybe split?

----------

## Fitzcarraldo

Looks like you need to load the conntrack modules.

NAS running Ubuntu

(I have not rebuilt the Ubuntu kernel; this is the pre-canned version, i.e. everything enabled but the kitchen sink.)

These are the firewall-related modules actually loaded:

```
ip_tables                   CONFIG_IP_NF_IPTABLES=m
iptable_filter              CONFIG_IP_NF_FILTER=m
iptable_nat                 CONFIG_NF_NAT=m
iptable_raw                 CONFIG_IP_NF_RAW=m
multipath                   CONFIG_IP_ROUTE_MULTIPATH=m
nf_conntrack                CONFIG_NF_CONNTRACK=m
nf_conntrack_broadcast      CONFIG_NF_CONNTRACK_BROADCAST=m
nf_conntrack_ipv4           CONFIG_NF_CONNTRACK_IPV4=m
nf_conntrack_netbios_ns     CONFIG_NF_CONNTRACK_NETBIOS_NS=m
nf_defrag_ipv4              CONFIG_NF_DEFRAG_IPV4=m
nf_log_common               CONFIG_NF_LOG_COMMON=m
nf_log_ipv4                 CONFIG_NF_LOG_IPV4=m
nf_nat                      CONFIG_NF_NAT=m
nf_nat_ipv4                 CONFIG_NF_NAT_IPV4=m
x_tables                    CONFIG_NETFILTER_XTABLES=m
xt_CT                       CONFIG_NETFILTER_XT_TARGET_CT=m
xt_LOG                      CONFIG_NETFILTER_XT_TARGET_LOG=m
xt_conntrack                CONFIG_NETFILTER_XT_MATCH_CONNTRACK=m
xt_limit                    CONFIG_NETFILTER_XT_MATCH_LIMIT=m
xt_tcpudp                   CONFIG_NETFILTER_XTABLES=m
```

Here is the kernel configuration, firewall-wise:

```
$ grep CONFIG_IP_ /boot/config-4.2.0-27-generic | grep -v ^#                      

CONFIG_IP_MULTICAST=y

CONFIG_IP_ADVANCED_ROUTER=y

CONFIG_IP_FIB_TRIE_STATS=y

CONFIG_IP_MULTIPLE_TABLES=y

CONFIG_IP_ROUTE_MULTIPATH=y

CONFIG_IP_ROUTE_VERBOSE=y

CONFIG_IP_ROUTE_CLASSID=y

CONFIG_IP_PNP=y

CONFIG_IP_PNP_DHCP=y

CONFIG_IP_MROUTE=y

CONFIG_IP_PIMSM_V1=y

CONFIG_IP_PIMSM_V2=y

CONFIG_IP_SET=m

CONFIG_IP_SET_MAX=256

CONFIG_IP_SET_BITMAP_IP=m

CONFIG_IP_SET_BITMAP_IPMAC=m

CONFIG_IP_SET_BITMAP_PORT=m

CONFIG_IP_SET_HASH_IP=m

CONFIG_IP_SET_HASH_IPMARK=m

CONFIG_IP_SET_HASH_IPPORT=m

CONFIG_IP_SET_HASH_IPPORTIP=m

CONFIG_IP_SET_HASH_IPPORTNET=m

CONFIG_IP_SET_HASH_MAC=m

CONFIG_IP_SET_HASH_NETPORTNET=m

CONFIG_IP_SET_HASH_NET=m

CONFIG_IP_SET_HASH_NETNET=m

CONFIG_IP_SET_HASH_NETPORT=m

CONFIG_IP_SET_HASH_NETIFACE=m

CONFIG_IP_SET_LIST_SET=m

CONFIG_IP_VS=m

CONFIG_IP_VS_IPV6=y

CONFIG_IP_VS_TAB_BITS=12

CONFIG_IP_VS_PROTO_TCP=y

CONFIG_IP_VS_PROTO_UDP=y

CONFIG_IP_VS_PROTO_AH_ESP=y

CONFIG_IP_VS_PROTO_ESP=y

CONFIG_IP_VS_PROTO_AH=y

CONFIG_IP_VS_PROTO_SCTP=y

CONFIG_IP_VS_RR=m

CONFIG_IP_VS_WRR=m

CONFIG_IP_VS_LC=m

CONFIG_IP_VS_WLC=m

CONFIG_IP_VS_FO=m

CONFIG_IP_VS_LBLC=m

CONFIG_IP_VS_LBLCR=m

CONFIG_IP_VS_DH=m

CONFIG_IP_VS_SH=m

CONFIG_IP_VS_SED=m

CONFIG_IP_VS_NQ=m

CONFIG_IP_VS_SH_TAB_BITS=8

CONFIG_IP_VS_FTP=m

CONFIG_IP_VS_NFCT=y

CONFIG_IP_VS_PE_SIP=m

CONFIG_IP_NF_IPTABLES=m

CONFIG_IP_NF_MATCH_AH=m

CONFIG_IP_NF_MATCH_ECN=m

CONFIG_IP_NF_MATCH_RPFILTER=m

CONFIG_IP_NF_MATCH_TTL=m

CONFIG_IP_NF_FILTER=m

CONFIG_IP_NF_TARGET_REJECT=m

CONFIG_IP_NF_TARGET_SYNPROXY=m

CONFIG_IP_NF_NAT=m

CONFIG_IP_NF_TARGET_MASQUERADE=m

CONFIG_IP_NF_TARGET_NETMAP=m

CONFIG_IP_NF_TARGET_REDIRECT=m

CONFIG_IP_NF_MANGLE=m

CONFIG_IP_NF_TARGET_CLUSTERIP=m

CONFIG_IP_NF_TARGET_ECN=m

CONFIG_IP_NF_TARGET_TTL=m

CONFIG_IP_NF_RAW=m

CONFIG_IP_NF_SECURITY=m

CONFIG_IP_NF_ARPTABLES=m

CONFIG_IP_NF_ARPFILTER=m

CONFIG_IP_NF_ARP_MANGLE=m

CONFIG_IP_DCCP=m

CONFIG_IP_SCTP=m

$ grep CONFIG_IP4 /boot/config-4.2.0-27-generic | grep -v ^# 

$ grep CONFIG_IP6 /boot/config-4.2.0-27-generic | grep -v ^# 

CONFIG_IP6_NF_IPTABLES=m

CONFIG_IP6_NF_MATCH_AH=m

CONFIG_IP6_NF_MATCH_EUI64=m

CONFIG_IP6_NF_MATCH_FRAG=m

CONFIG_IP6_NF_MATCH_OPTS=m

CONFIG_IP6_NF_MATCH_HL=m

CONFIG_IP6_NF_MATCH_IPV6HEADER=m

CONFIG_IP6_NF_MATCH_MH=m

CONFIG_IP6_NF_MATCH_RPFILTER=m

CONFIG_IP6_NF_MATCH_RT=m

CONFIG_IP6_NF_TARGET_HL=m

CONFIG_IP6_NF_FILTER=m

CONFIG_IP6_NF_TARGET_REJECT=m

CONFIG_IP6_NF_TARGET_SYNPROXY=m

CONFIG_IP6_NF_MANGLE=m

CONFIG_IP6_NF_RAW=m

CONFIG_IP6_NF_SECURITY=m

CONFIG_IP6_NF_NAT=m

CONFIG_IP6_NF_TARGET_MASQUERADE=m

CONFIG_IP6_NF_TARGET_NPT=m

$ grep CONFIG_NF_ /boot/config-4.2.0-27-generic | grep -v ^#   

CONFIG_NF_CONNTRACK=m

CONFIG_NF_LOG_COMMON=m

CONFIG_NF_CONNTRACK_MARK=y

CONFIG_NF_CONNTRACK_SECMARK=y

CONFIG_NF_CONNTRACK_ZONES=y

CONFIG_NF_CONNTRACK_EVENTS=y

CONFIG_NF_CONNTRACK_TIMEOUT=y

CONFIG_NF_CONNTRACK_TIMESTAMP=y

CONFIG_NF_CONNTRACK_LABELS=y

CONFIG_NF_CT_PROTO_DCCP=m

CONFIG_NF_CT_PROTO_GRE=m

CONFIG_NF_CT_PROTO_SCTP=m

CONFIG_NF_CT_PROTO_UDPLITE=m

CONFIG_NF_CONNTRACK_AMANDA=m

CONFIG_NF_CONNTRACK_FTP=m

CONFIG_NF_CONNTRACK_H323=m

CONFIG_NF_CONNTRACK_IRC=m

CONFIG_NF_CONNTRACK_BROADCAST=m

CONFIG_NF_CONNTRACK_NETBIOS_NS=m

CONFIG_NF_CONNTRACK_SNMP=m

CONFIG_NF_CONNTRACK_PPTP=m

CONFIG_NF_CONNTRACK_SANE=m

CONFIG_NF_CONNTRACK_SIP=m

CONFIG_NF_CONNTRACK_TFTP=m

CONFIG_NF_CT_NETLINK=m

CONFIG_NF_CT_NETLINK_TIMEOUT=m

CONFIG_NF_CT_NETLINK_HELPER=m

CONFIG_NF_NAT=m

CONFIG_NF_NAT_NEEDED=y

CONFIG_NF_NAT_PROTO_DCCP=m

CONFIG_NF_NAT_PROTO_UDPLITE=m

CONFIG_NF_NAT_PROTO_SCTP=m

CONFIG_NF_NAT_AMANDA=m

CONFIG_NF_NAT_FTP=m

CONFIG_NF_NAT_IRC=m

CONFIG_NF_NAT_SIP=m

CONFIG_NF_NAT_TFTP=m

CONFIG_NF_NAT_REDIRECT=m

CONFIG_NF_TABLES=m

CONFIG_NF_TABLES_INET=m

CONFIG_NF_TABLES_NETDEV=m

CONFIG_NF_DEFRAG_IPV4=m

CONFIG_NF_CONNTRACK_IPV4=m

CONFIG_NF_TABLES_IPV4=m

CONFIG_NF_TABLES_ARP=m

CONFIG_NF_LOG_ARP=m

CONFIG_NF_LOG_IPV4=m

CONFIG_NF_REJECT_IPV4=m

CONFIG_NF_NAT_IPV4=m

CONFIG_NF_NAT_MASQUERADE_IPV4=m

CONFIG_NF_NAT_SNMP_BASIC=m

CONFIG_NF_NAT_PROTO_GRE=m

CONFIG_NF_NAT_PPTP=m

CONFIG_NF_NAT_H323=m

CONFIG_NF_DEFRAG_IPV6=m

CONFIG_NF_CONNTRACK_IPV6=m

CONFIG_NF_TABLES_IPV6=m

CONFIG_NF_REJECT_IPV6=m

CONFIG_NF_LOG_IPV6=m

CONFIG_NF_NAT_IPV6=m

CONFIG_NF_NAT_MASQUERADE_IPV6=m

CONFIG_NF_TABLES_BRIDGE=m

CONFIG_NF_LOG_BRIDGE=m

$ grep CONFIG_NETFILTER /boot/config-4.2.0-27-generic | grep -v ^#          

CONFIG_NETFILTER=y

CONFIG_NETFILTER_ADVANCED=y

CONFIG_NETFILTER_INGRESS=y

CONFIG_NETFILTER_NETLINK=m

CONFIG_NETFILTER_NETLINK_ACCT=m

CONFIG_NETFILTER_NETLINK_QUEUE=m

CONFIG_NETFILTER_NETLINK_LOG=m

CONFIG_NETFILTER_NETLINK_QUEUE_CT=y

CONFIG_NETFILTER_SYNPROXY=m

CONFIG_NETFILTER_XTABLES=m

CONFIG_NETFILTER_XT_MARK=m

CONFIG_NETFILTER_XT_CONNMARK=m

CONFIG_NETFILTER_XT_SET=m

CONFIG_NETFILTER_XT_TARGET_AUDIT=m

CONFIG_NETFILTER_XT_TARGET_CHECKSUM=m

CONFIG_NETFILTER_XT_TARGET_CLASSIFY=m

CONFIG_NETFILTER_XT_TARGET_CONNMARK=m

CONFIG_NETFILTER_XT_TARGET_CONNSECMARK=m

CONFIG_NETFILTER_XT_TARGET_CT=m

CONFIG_NETFILTER_XT_TARGET_DSCP=m

CONFIG_NETFILTER_XT_TARGET_HL=m

CONFIG_NETFILTER_XT_TARGET_HMARK=m

CONFIG_NETFILTER_XT_TARGET_IDLETIMER=m

CONFIG_NETFILTER_XT_TARGET_LED=m

CONFIG_NETFILTER_XT_TARGET_LOG=m

CONFIG_NETFILTER_XT_TARGET_MARK=m

CONFIG_NETFILTER_XT_NAT=m

CONFIG_NETFILTER_XT_TARGET_NETMAP=m

CONFIG_NETFILTER_XT_TARGET_NFLOG=m

CONFIG_NETFILTER_XT_TARGET_NFQUEUE=m

CONFIG_NETFILTER_XT_TARGET_RATEEST=m

CONFIG_NETFILTER_XT_TARGET_REDIRECT=m

CONFIG_NETFILTER_XT_TARGET_TEE=m

CONFIG_NETFILTER_XT_TARGET_TPROXY=m

CONFIG_NETFILTER_XT_TARGET_TRACE=m

CONFIG_NETFILTER_XT_TARGET_SECMARK=m

CONFIG_NETFILTER_XT_TARGET_TCPMSS=m

CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP=m

CONFIG_NETFILTER_XT_MATCH_ADDRTYPE=m

CONFIG_NETFILTER_XT_MATCH_BPF=m

CONFIG_NETFILTER_XT_MATCH_CGROUP=m

CONFIG_NETFILTER_XT_MATCH_CLUSTER=m

CONFIG_NETFILTER_XT_MATCH_COMMENT=m

CONFIG_NETFILTER_XT_MATCH_CONNBYTES=m

CONFIG_NETFILTER_XT_MATCH_CONNLABEL=m

CONFIG_NETFILTER_XT_MATCH_CONNLIMIT=m

CONFIG_NETFILTER_XT_MATCH_CONNMARK=m

CONFIG_NETFILTER_XT_MATCH_CONNTRACK=m

CONFIG_NETFILTER_XT_MATCH_CPU=m

CONFIG_NETFILTER_XT_MATCH_DCCP=m

CONFIG_NETFILTER_XT_MATCH_DEVGROUP=m

CONFIG_NETFILTER_XT_MATCH_DSCP=m

CONFIG_NETFILTER_XT_MATCH_ECN=m

CONFIG_NETFILTER_XT_MATCH_ESP=m

CONFIG_NETFILTER_XT_MATCH_HASHLIMIT=m

CONFIG_NETFILTER_XT_MATCH_HELPER=m

CONFIG_NETFILTER_XT_MATCH_HL=m

CONFIG_NETFILTER_XT_MATCH_IPCOMP=m

CONFIG_NETFILTER_XT_MATCH_IPRANGE=m

CONFIG_NETFILTER_XT_MATCH_IPVS=m

CONFIG_NETFILTER_XT_MATCH_L2TP=m

CONFIG_NETFILTER_XT_MATCH_LENGTH=m

CONFIG_NETFILTER_XT_MATCH_LIMIT=m

CONFIG_NETFILTER_XT_MATCH_MAC=m

CONFIG_NETFILTER_XT_MATCH_MARK=m

CONFIG_NETFILTER_XT_MATCH_MULTIPORT=m

CONFIG_NETFILTER_XT_MATCH_NFACCT=m

CONFIG_NETFILTER_XT_MATCH_OSF=m

CONFIG_NETFILTER_XT_MATCH_OWNER=m

CONFIG_NETFILTER_XT_MATCH_POLICY=m

CONFIG_NETFILTER_XT_MATCH_PHYSDEV=m

CONFIG_NETFILTER_XT_MATCH_PKTTYPE=m

CONFIG_NETFILTER_XT_MATCH_QUOTA=m

CONFIG_NETFILTER_XT_MATCH_RATEEST=m

CONFIG_NETFILTER_XT_MATCH_REALM=m

CONFIG_NETFILTER_XT_MATCH_RECENT=m

CONFIG_NETFILTER_XT_MATCH_SCTP=m

CONFIG_NETFILTER_XT_MATCH_SOCKET=m

CONFIG_NETFILTER_XT_MATCH_STATE=m

CONFIG_NETFILTER_XT_MATCH_STATISTIC=m

CONFIG_NETFILTER_XT_MATCH_STRING=m

CONFIG_NETFILTER_XT_MATCH_TCPMSS=m

CONFIG_NETFILTER_XT_MATCH_TIME=m

CONFIG_NETFILTER_XT_MATCH_U32=m

$ grep CONFIG_XT /boot/config-4.2.0-27-generic | grep -v ^#

$
```

W230SS laptop running Gentoo

These are the firewall-related modules actually loaded:

```
ip6t_rt                     CONFIG_IP6_NF_MATCH_RT=m
iptable_raw                 CONFIG_IP_NF_RAW=m
nf_conntrack                CONFIG_NF_CONNTRACK=m
nf_conntrack_broadcast      CONFIG_NF_CONNTRACK_BROADCAST=m
nf_conntrack_ftp            CONFIG_NF_CONNTRACK_FTP=m
nf_conntrack_ipv4           CONFIG_NF_CONNTRACK_IPV4=m
nf_conntrack_ipv6           CONFIG_NF_CONNTRACK_IPV6=m
nf_conntrack_netbios_ns     CONFIG_NF_CONNTRACK_NETBIOS_NS=m
nf_defrag_ipv4              CONFIG_NF_DEFRAG_IPV4=m
nf_defrag_ipv6              CONFIG_NF_DEFRAG_IPV6=m
nf_log_common               CONFIG_NF_LOG_COMMON=m
nf_log_ipv4                 CONFIG_NF_LOG_IPV4=m
nf_log_ipv6                 CONFIG_NF_LOG_IPV6=m
nf_nat                      CONFIG_NF_NAT=m
nf_nat_ftp                  CONFIG_NF_NAT_FTP=m
xt_CT                       CONFIG_NETFILTER_XT_TARGET_CT=m
xt_LOG                      CONFIG_NETFILTER_XT_TARGET_LOG=m
xt_conntrack                CONFIG_NETFILTER_XT_MATCH_CONNTRACK=m
```

This is in the kernel configuration, but the module is not actually loaded (I should probably get around to adding it to the list in /etc/conf.d/modules):

```
CONFIG_NF_NAT_IPV4=m
```

In the NAS these are built as modules, but in the Clevo laptop I have built them into the kernel (for no special reason):

```
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_FILTER=y
CONFIG_IP_ROUTE_MULTIPATH=y
CONFIG_NETFILTER_XTABLES=y
CONFIG_NETFILTER_XT_MATCH_LIMIT=y
```

Here is the kernel configuration, firewall-wise:

```
$ grep CONFIG_IP_ /usr/src/linux/.config | grep -v ^#

CONFIG_IP_MULTICAST=y

CONFIG_IP_ADVANCED_ROUTER=y

CONFIG_IP_MULTIPLE_TABLES=y

CONFIG_IP_ROUTE_MULTIPATH=y

CONFIG_IP_ROUTE_VERBOSE=y

CONFIG_IP_PNP=y

CONFIG_IP_PNP_DHCP=y

CONFIG_IP_PNP_BOOTP=y

CONFIG_IP_PNP_RARP=y

CONFIG_IP_MROUTE=y

CONFIG_IP_PIMSM_V1=y

CONFIG_IP_PIMSM_V2=y

CONFIG_IP_NF_IPTABLES=y

CONFIG_IP_NF_FILTER=y

CONFIG_IP_NF_TARGET_REJECT=y

CONFIG_IP_NF_NAT=m

CONFIG_IP_NF_TARGET_MASQUERADE=m

CONFIG_IP_NF_MANGLE=y

CONFIG_IP_NF_RAW=m

$ grep CONFIG_IP4 /usr/src/linux/.config | grep -v ^#  

$ grep CONFIG_IP6 /usr/src/linux/.config | grep -v ^# 

CONFIG_IP6_NF_IPTABLES=y

CONFIG_IP6_NF_MATCH_IPV6HEADER=y

CONFIG_IP6_NF_MATCH_RT=m

CONFIG_IP6_NF_TARGET_HL=m

CONFIG_IP6_NF_FILTER=y

CONFIG_IP6_NF_TARGET_REJECT=y

CONFIG_IP6_NF_MANGLE=y

CONFIG_IP6_NF_RAW=m

$ grep CONFIG_NF_ /usr/src/linux/.config | grep -v ^#   

CONFIG_NF_CONNTRACK=m

CONFIG_NF_LOG_COMMON=m

CONFIG_NF_CONNTRACK_SECMARK=y

CONFIG_NF_CONNTRACK_PROCFS=y

CONFIG_NF_CT_PROTO_GRE=m

CONFIG_NF_CONNTRACK_FTP=m

CONFIG_NF_CONNTRACK_BROADCAST=m

CONFIG_NF_CONNTRACK_NETBIOS_NS=m

CONFIG_NF_CONNTRACK_PPTP=m

CONFIG_NF_NAT=m

CONFIG_NF_NAT_NEEDED=y

CONFIG_NF_NAT_FTP=m

CONFIG_NF_DEFRAG_IPV4=m

CONFIG_NF_CONNTRACK_IPV4=m

CONFIG_NF_LOG_ARP=m

CONFIG_NF_LOG_IPV4=m

CONFIG_NF_REJECT_IPV4=y

CONFIG_NF_NAT_IPV4=m

CONFIG_NF_NAT_MASQUERADE_IPV4=m

CONFIG_NF_NAT_PROTO_GRE=m

CONFIG_NF_NAT_PPTP=m

CONFIG_NF_DEFRAG_IPV6=m

CONFIG_NF_CONNTRACK_IPV6=m

CONFIG_NF_REJECT_IPV6=y

CONFIG_NF_LOG_IPV6=m

$ grep CONFIG_NETFILTER /usr/src/linux/.config | grep -v ^#

CONFIG_NETFILTER=y

CONFIG_NETFILTER_ADVANCED=y

CONFIG_NETFILTER_NETLINK=y

CONFIG_NETFILTER_NETLINK_LOG=y

CONFIG_NETFILTER_XTABLES=y

CONFIG_NETFILTER_XT_TARGET_CT=m

CONFIG_NETFILTER_XT_TARGET_HL=m

CONFIG_NETFILTER_XT_TARGET_LOG=m

CONFIG_NETFILTER_XT_NAT=m

CONFIG_NETFILTER_XT_TARGET_NFLOG=y

CONFIG_NETFILTER_XT_TARGET_TCPMSS=y

CONFIG_NETFILTER_XT_MATCH_ADDRTYPE=y

CONFIG_NETFILTER_XT_MATCH_COMMENT=y

CONFIG_NETFILTER_XT_MATCH_CONNTRACK=m

CONFIG_NETFILTER_XT_MATCH_HASHLIMIT=m

CONFIG_NETFILTER_XT_MATCH_HL=y

CONFIG_NETFILTER_XT_MATCH_LIMIT=y

CONFIG_NETFILTER_XT_MATCH_MULTIPORT=y

CONFIG_NETFILTER_XT_MATCH_POLICY=y

CONFIG_NETFILTER_XT_MATCH_RECENT=y

CONFIG_NETFILTER_XT_MATCH_STATE=m

$ grep CONFIG_XT /usr/src/linux/.config | grep -v ^#

$
```
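
The two errors earlier in the thread ("Table does not exist" and "No chain/target/match by that name") both trace back to kernel options or modules missing on the Gentoo box. As an added example (not code from the thread or from the blog), this shell preflight compares a kernel config and an lsmod listing against the options and modules named in the posts above; the sample inputs are constructed, and treating this particular set as the prerequisites is an assumption of the example.

```shell
#!/bin/sh
# Added example, not from the thread: kernel-side preflight for
#   iptables -t raw -A OUTPUT -p udp -m udp --dport 137 -j CT --helper netbios-ns

# "Kconfig option:module" pairs copied from the module lists in the thread.
# Treating exactly this set as the prerequisites is an assumption.
REQUIRED='CONFIG_IP_NF_RAW:iptable_raw
CONFIG_NETFILTER_XT_TARGET_CT:xt_CT
CONFIG_NF_CONNTRACK:nf_conntrack
CONFIG_NF_CONNTRACK_BROADCAST:nf_conntrack_broadcast
CONFIG_NF_CONNTRACK_NETBIOS_NS:nf_conntrack_netbios_ns'

# option_state CONFIG_TEXT OPTION: prints y, m, or n ("is not set" or absent)
option_state() {
    val=$(printf '%s\n' "$1" | sed -n "s/^$2=\([ym]\)\$/\1/p" | head -n 1)
    printf '%s\n' "${val:-n}"
}

# module_loaded LSMOD_TEXT MODULE: succeeds if MODULE is in the first column
module_loaded() {
    printf '%s\n' "$1" |
        awk -v m="$2" '$1 == m { found = 1 } END { exit !found }'
}

# check_prereqs CONFIG_TEXT LSMOD_TEXT: one finding per required option
check_prereqs() {
    for pair in $REQUIRED; do
        opt=${pair%%:*}
        mod=${pair#*:}
        case $(option_state "$1" "$opt") in
            y) echo "ok $opt built-in" ;;
            m) if module_loaded "$2" "$mod"; then
                   echo "ok $opt module $mod loaded"
               else
                   # Gentoo: also list it in /etc/conf.d/modules for boot
                   echo "load $opt modprobe $mod"
               fi ;;
            *) echo "rebuild $opt not set" ;;
        esac
    done
}

# count_problems CONFIG_TEXT LSMOD_TEXT: number of findings that are not "ok"
count_problems() {
    check_prereqs "$1" "$2" | awk '$1 != "ok" { n++ } END { print n + 0 }'
}

# --- Constructed sample input (not copied from any machine in the thread) ---
CONFIG_BROKEN='# CONFIG_IP_NF_RAW is not set
CONFIG_NETFILTER_XT_TARGET_CT=m
CONFIG_NF_CONNTRACK=y
CONFIG_NF_CONNTRACK_BROADCAST=m
CONFIG_NF_CONNTRACK_NETBIOS_NS=m'
LSMOD_BROKEN='Module                  Size  Used by
xt_CT                  16384  0
nf_conntrack_broadcast 16384  0'

CONFIG_FIXED=$(printf '%s\n' "$CONFIG_BROKEN" |
    sed 's/^# CONFIG_IP_NF_RAW is not set$/CONFIG_IP_NF_RAW=m/')
LSMOD_FIXED="$LSMOD_BROKEN
iptable_raw            16384  1
nf_conntrack_netbios_ns 16384  1"

echo "broken:"; check_prereqs "$CONFIG_BROKEN" "$LSMOD_BROKEN"
echo "fixed:";  check_prereqs "$CONFIG_FIXED" "$LSMOD_FIXED"

# On a live system (needs /proc/config.gz, as used in the thread):
#   check_prereqs "$(zcat /proc/config.gz)" "$(lsmod)"
```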

----------

## Hu

 *Tony0945 wrote:*   

>  *Quote:*   [Moderator edit: fixed url tag. -Hu] 
> 
> Thanks, Hu.  Do you think this thread should be maybe split?

 From a quick scan of the posts, it looks like you're the only one reporting problems in this thread and all other posters are trying to help, so I'll defer to your preference on whether to keep it together or split it out.  (If we had several users requesting assistance in a single thread, that would argue strongly for splitting if the problems were not duplicate reports of a single issue, but since this thread is for your benefit, I leave it up to you.)  If you want it split, please suggest which posts need to be moved to a separate thread.

----------

## Tony0945

 *Hu wrote:*   

> From a quick scan of the posts, it looks like you're the only one reporting problems in this thread and all other posters are trying to help, so I'll defer to your preference on whether to keep it together or split it out.  (If we had several users requesting assistance in a single thread, that would argue strongly for splitting if the problems were not duplicate reports of a single issue, but since this thread is for your benefit, I leave it up to you.)  If you want it split, please suggest which posts need to be moved to a separate thread.

 

I'll just edit out the "solved".

----------

