# ok - some serious help is needed.....

## *nixVirgin

please - if someone can save me from this going round in circles business....

i have a gentoo box - 2.4.20 r8

lsmod : 

Module                  Size  Used by    Tainted: GF

usb-storage            63640   0  (unused)

hid                    13940   0  (unused)

uhci                   25792   0  (unused)

usbcore                62848   1  [usb-storage hid uhci]

.config file

#

# Networking options

#

CONFIG_PACKET=y

# CONFIG_PACKET_MMAP is not set

# CONFIG_NETLINK_DEV is not set

CONFIG_NETFILTER=y

# CONFIG_NETFILTER_DEBUG is not set

CONFIG_FILTER=y

CONFIG_UNIX=y

CONFIG_INET=y

CONFIG_IP_MULTICAST=y

CONFIG_IP_ADVANCED_ROUTER=y

CONFIG_IP_MULTIPLE_TABLES=y

CONFIG_IP_ROUTE_FWMARK=y

CONFIG_IP_ROUTE_NAT=y

CONFIG_IP_ROUTE_MULTIPATH=y

CONFIG_IP_ROUTE_TOS=y

CONFIG_IP_ROUTE_VERBOSE=y

# CONFIG_IP_ROUTE_LARGE_TABLES is not set

# CONFIG_IP_PNP is not set

CONFIG_NET_IPIP=y

CONFIG_NET_IPGRE=y

# CONFIG_NET_IPGRE_BROADCAST is not set

# CONFIG_IP_MROUTE is not set

# CONFIG_ARPD is not set

CONFIG_INET_ECN=y

CONFIG_SYN_COOKIES=y

#

#   IP: Netfilter Configuration

#

CONFIG_IP_NF_CONNTRACK=m

CONFIG_IP_NF_FTP=m

CONFIG_IP_NF_AMANDA=m

CONFIG_IP_NF_TFTP=m

CONFIG_IP_NF_TALK=m

CONFIG_IP_NF_RSH=m

CONFIG_IP_NF_H323=m

CONFIG_IP_NF_EGG=m

CONFIG_IP_NF_CONNTRACK_MARK=y

CONFIG_IP_NF_IRC=m

CONFIG_IP_NF_QUAKE3=m

CONFIG_IP_NF_CT_PROTO_GRE=m

CONFIG_IP_NF_PPTP=m

CONFIG_IP_NF_MMS=m

CONFIG_IP_NF_CUSEEME=m

# CONFIG_IP_NF_QUEUE is not set

CONFIG_IP_NF_IPTABLES=m

CONFIG_IP_NF_MATCH_RPC=m

CONFIG_IP_NF_MATCH_LIMIT=m

CONFIG_IP_NF_MATCH_QUOTA=m

CONFIG_IP_NF_POOL=m

CONFIG_IP_POOL_STATISTICS=y

CONFIG_IP_NF_MATCH_IPRANGE=m

CONFIG_IP_NF_MATCH_MAC=m

CONFIG_IP_NF_MATCH_PKTTYPE=m

CONFIG_IP_NF_MATCH_MARK=m

CONFIG_IP_NF_MATCH_MULTIPORT=m

CONFIG_IP_NF_MATCH_MPORT=m

CONFIG_IP_NF_MATCH_TOS=m

CONFIG_IP_NF_MATCH_RECENT=m

# CONFIG_IP_NF_MATCH_TIME is not set

CONFIG_IP_NF_MATCH_RANDOM=m

CONFIG_IP_NF_MATCH_PSD=m

CONFIG_IP_NF_MATCH_NTH=m

# CONFIG_IP_NF_MATCH_IPV4OPTIONS is not set

CONFIG_IP_NF_MATCH_FUZZY=m

CONFIG_IP_NF_MATCH_CONDITION=m

CONFIG_IP_NF_MATCH_ECN=m

CONFIG_IP_NF_MATCH_DSCP=m

CONFIG_IP_NF_MATCH_AH_ESP=m

CONFIG_IP_NF_MATCH_LENGTH=m

CONFIG_IP_NF_MATCH_TTL=m

CONFIG_IP_NF_MATCH_TCPMSS=m

CONFIG_IP_NF_MATCH_STEALTH=m

CONFIG_IP_NF_MATCH_REALM=m

CONFIG_IP_NF_MATCH_HELPER=m

CONFIG_IP_NF_MATCH_STATE=m

CONFIG_IP_NF_MATCH_CONNMARK=m

CONFIG_IP_NF_MATCH_CONNLIMIT=m

CONFIG_IP_NF_MATCH_CONNTRACK=m

# CONFIG_IP_NF_MATCH_UNCLEAN is not set

# CONFIG_IP_NF_MATCH_STRING is not set

# CONFIG_IP_NF_MATCH_OWNER is not set

CONFIG_IP_NF_FILTER=m

CONFIG_IP_NF_TARGET_REJECT=m

CONFIG_IP_NF_TARGET_NETLINK=m

CONFIG_IP_NF_TARGET_IPV4OPTSSTRIP=m

# CONFIG_IP_NF_TARGET_MIRROR is not set

# CONFIG_IP_NF_TARGET_TARPIT is not set

CONFIG_IP_NF_NAT=m

CONFIG_IP_NF_NAT_NEEDED=y

CONFIG_IP_NF_TARGET_MASQUERADE=m

CONFIG_IP_NF_TARGET_REDIRECT=m

CONFIG_IP_NF_NAT_AMANDA=m

CONFIG_IP_NF_NAT_TALK=m

CONFIG_IP_NF_NAT_H323=m

CONFIG_IP_NF_TARGET_SAME=m

CONFIG_IP_NF_TARGET_NETMAP=m

CONFIG_IP_NF_NAT_LOCAL=y

# CONFIG_IP_NF_NAT_SNMP_BASIC is not set

CONFIG_IP_NF_NAT_IRC=m

CONFIG_IP_NF_NAT_QUAKE3=m

CONFIG_IP_NF_NAT_MMS=m

CONFIG_IP_NF_NAT_CUSEEME=m

CONFIG_IP_NF_NAT_FTP=m

CONFIG_IP_NF_NAT_TFTP=m

CONFIG_IP_NF_NAT_PPTP=m

CONFIG_IP_NF_NAT_PROTO_GRE=m

CONFIG_IP_NF_MANGLE=m

CONFIG_IP_NF_TARGET_TOS=m

CONFIG_IP_NF_TARGET_ECN=m

CONFIG_IP_NF_TARGET_DSCP=m

CONFIG_IP_NF_TARGET_MARK=m

CONFIG_IP_NF_TARGET_IMQ=m

# CONFIG_IP_NF_TARGET_CLASSIFY is not set

CONFIG_IP_NF_TARGET_LOG=m

CONFIG_IP_NF_TARGET_ROUTE=m

CONFIG_IP_NF_TARGET_CONNMARK=m

CONFIG_IP_NF_TARGET_TTL=m

CONFIG_IP_NF_TARGET_ULOG=m

CONFIG_IP_NF_TARGET_TCPMSS=m

CONFIG_IP_NF_ARPTABLES=m

CONFIG_IP_NF_ARPFILTER=m

CONFIG_IP_NF_COMPAT_IPCHAINS=m

CONFIG_IP_NF_NAT_NEEDED=y

CONFIG_IP_NF_COMPAT_IPFWADM=m

CONFIG_IP_NF_NAT_NEEDED=y

i have emerged iptables and fwbuilder etc etc and fwbuilder runs fine in kde.

fwbuilder script : 

#!/bin/sh -x

#

#  This is automatically generated file. DO NOT MODIFY !

#

#  Firewall Builder  fwb_ipt v1.0.11-1 

#

#  Generated Sun Nov 16 17:25:40 2003 UTC by root

#

#

#  

#

#

#

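#######################################
# Send one message to syslog through $LOGGER at priority "info".
# Globals:   LOGGER (read) - logger command name or path
# Arguments: $1 - message text
# Returns:   0; a silent no-op when $LOGGER cannot be resolved
#######################################
log() {
  # `test -x "$LOGGER"` only works when LOGGER is a path: with the
  # LOGGER="logger" set below it looks for ./logger in the current
  # directory and the message is never sent (the -x trace shows
  # "test -x logger" with no logger call following). command -v
  # resolves a bare name through PATH as well as an explicit path.
  if command -v "$LOGGER" >/dev/null 2>&1; then
    "$LOGGER" -p info "$1"
  fi
}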

# Counter for the "<dev>:FWB<n>" labels add_addr attaches to the
# addresses it adds; bumped once per added address.
va_num=1

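#######################################
# Add an IPv4 address to an interface unless it is already configured.
# The form of the "ip addr add" depends on the link type read from
# "ip link ls": POINTOPOINT links get the bare address, BROADCAST links
# get address/prefix with a computed broadcast; any other type (e.g.
# LOOPBACK) is left untouched. Each added address is labelled
# "<dev>:FWB<n>" so a later run can flush exactly those by label.
# Globals:   IP (read), va_num (read/written),
#            addr nm dev type aadd L OIFS (written, script-global)
# Arguments: $1 - address, $2 - prefix length, $3 - interface name
# Returns:   status of the last command run
#######################################
add_addr() {
  addr=$1
  nm=$2
  dev=$3
  type=""
  aadd=""
  # Link line looks like "4: eth1: <BROADCAST,MULTICAST,UP> mtu ...";
  # splitting on " /:,<" makes the first flag inside <...> field 4.
  L=$($IP -4 link ls "$dev" | grep "$dev:")
  if test -n "$L"; then
    OIFS=$IFS
    IFS=" /:,<"
    # "--" keeps a leading "-" in the output from being read as an option.
    set -- $L
    type=$4
    IFS=$OIFS
    # Is $addr already present on $dev? Line: "    inet A.B.C.D/NN ..."
    L=$($IP -4 addr ls "$dev" to "$addr" | grep " inet ")
    if test -n "$L"; then
      OIFS=$IFS
      IFS=" /"
      set -- $L
      aadd=$2
      IFS=$OIFS
    fi
  fi
  if test -z "$aadd"; then
    case "$type" in
      POINTOPOINT)
        $IP -4 addr add "$addr" dev "$dev" scope global label "$dev:FWB${va_num}"
        va_num=$((va_num + 1))
        ;;
      BROADCAST)
        $IP -4 addr add "$addr/$nm" dev "$dev" brd + scope global label "$dev:FWB${va_num}"
        va_num=$((va_num + 1))
        ;;
    esac
  fi
}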

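#######################################
# Look up the first IPv4 address configured on an interface and store it
# in the shell variable whose name is given ("" when there is none).
# Globals:   IP (read); the variable named by $2 (written);
#            dev name L OIFS (written, script-global)
# Arguments: $1 - interface name
#            $2 - name of the variable that receives the address
# Returns:   0
#######################################
getaddr() {
  dev=$1
  name=$2
  # Same " inet " match as add_addr so both helpers read the same lines.
  L=$($IP -4 addr show dev "$dev" | grep " inet ")
  if test -z "$L"; then
    eval "$name=''"
    return
  fi
  OIFS=$IFS
  IFS=" /"
  # Fields: "inet" <address> <prefixlen> ...; "--" protects against a
  # leading "-" being taken as an option to set.
  set -- $L
  # The value is passed as an escaped "$2" so eval only performs the
  # assignment and does not re-interpret whatever the ip output held.
  eval "$name=\$2"
  IFS=$OIFS
}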

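#######################################
# Print, one per line, the names of all interfaces whose name starts
# with the given prefix (e.g. "eth" lists eth0, eth1, ...).
# Globals:   IP (read); NAME (written, script-global)
# Arguments: $1 - interface name prefix (used as a regex fragment)
# Outputs:   interface names on stdout
# Returns:   status of the pipeline
#######################################
getinterfaces() {
  NAME=$1
  # Matching lines look like "3: eth0: <...>"; splitting on " :" makes
  # the interface name field 2. -r keeps read from eating backslashes.
  $IP link show | grep -E "$NAME[^ ]*: " | while read -r L; do
    OIFS=$IFS
    IFS=" :"
    set -- $L
    IFS=$OIFS
    printf '%s\n' "$2"
  done
}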

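# Tool names are bare and therefore resolved through PATH at run time.
# This script runs as root, so PATH must not contain writable or
# relative entries; use absolute paths here if that cannot be assumed.
LSMOD="lsmod"
MODPROBE="modprobe"
IPTABLES="iptables"
IP="ip"
LOGGER="logger"

cd /etc || exit 1

log "Activating firewall script generated Sun Nov 16 17:25:40 2003 UTC by root"

# Every interface the rules refer to must exist; abort before any policy
# is changed otherwise. INTERFACES is deliberately unquoted so the shell
# splits it into words.
INTERFACES="eth1 eth0 lo "
for i in $INTERFACES ; do
  if ! $IP link show "$i" > /dev/null 2>&1; then
    # Diagnostics go to stderr so they are not mixed with command output.
    printf 'Interface %s does not exist\n' "$i" >&2
    exit 1
  fi
done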

# Kernel IPv4 tunables. Both icmp_echo_ignore_* are written as 0, i.e.
# the host answers echo requests, broadcast ones included; tighten these
# if that is not intended for the external interface.
echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_intvl

# Drop stale neighbour entries and any address an earlier run added
# (add_addr labels them "<dev>:FWB<n>") on the two real interfaces.
for fwb_dev in eth1 eth0; do
  $IP -4 neigh flush dev "$fwb_dev"
  $IP -4 addr flush dev "$fwb_dev" label "$fwb_dev:FWB*"
done

# Configure each interface address (add_addr does nothing when the
# address is already present) and bring the link up.
# x.x.x.x is the redacted public address of eth1.
add_addr x.x.x.x 29 eth1
$IP link set eth1 up
add_addr 10.3.3.254 24 eth0
$IP link set eth0 up
add_addr 127.0.0.1 8 lo
$IP link set lo up

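# Default policy of the built-in chains is set to DROP *before* the old
# rules are flushed, so no traffic passes unfiltered while the rule set
# is being replaced (fail closed).
$IPTABLES -P OUTPUT  DROP
$IPTABLES -P INPUT   DROP
$IPTABLES -P FORWARD DROP

# Flush every chain and delete every user-defined chain in every table
# the kernel currently has registered. Without a chain argument -F
# flushes all chains of the table, so parsing "-L -n" output chain by
# chain is unnecessary. The names file may be absent when ip_tables is
# not loaded; then there is nothing to flush yet.
if test -r /proc/net/ip_tables_names; then
  while read -r table; do
    $IPTABLES -t "$table" -F
    $IPTABLES -t "$table" -X
  done < /proc/net/ip_tables_names
fi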

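# Load every conntrack/NAT helper module present in the kernel's
# netfilter directory (2.4 modules are "<name>.o" or "<name>.o.gz").
# Iterating over the glob directly avoids parsing ls output. A module
# already loaded is skipped; the lsmod match is anchored to the start of
# the line so a name that only appears in another module's "Used by"
# column (e.g. "[ip_nat_irc]" after ip_conntrack_irc) is not mistaken
# for a loaded module, as a bare substring grep would do.
MODULE_DIR="/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter"
for modfile in "$MODULE_DIR"/*_conntrack_* "$MODULE_DIR"/*_nat_*; do
  test -e "$modfile" || continue    # unmatched glob stays a literal pattern
  case "$modfile" in
    *.o|*.o.gz) ;;
    *) continue ;;                  # not a 2.4 module object
  esac
  module=${modfile##*/}
  module=${module%%.o*}             # strip ".o" / ".o.gz"
  if $LSMOD | grep -q "^${module}[[:space:]]"; then
    continue
  fi
  # A helper that fails to load is fatal: rules depending on it would
  # not insert later and the DROP policies would stay in force.
  $MODPROBE "$module" || exit 1
done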

#
#  Rule 0(NAT)
#
# Source-NAT the internal 10/8 range to the external address when it
# leaves through eth1 (x.x.x.x is the redacted public address).
#
$IPTABLES -t nat -A POSTROUTING -o eth1  -s 10.0.0.0/8 -j SNAT --to-source x.x.x.x

#
# Stateful baseline for all three built-in chains: packets belonging to
# an already accepted connection pass, then TCP packets that conntrack
# sees as NEW but that carry no SYN (sessions opened before the restart)
# are dropped. Both rules need ip_conntrack and ipt_state in the kernel.
#
for chain in INPUT OUTPUT FORWARD; do
  $IPTABLES -A "$chain" -m state --state ESTABLISHED,RELATED -j ACCEPT
done
for chain in INPUT OUTPUT FORWARD; do
  $IPTABLES -A "$chain" -p tcp ! --syn -m state --state NEW -j DROP
done

#
# Rule 1(lo)
#
# allow everything on loopback
#
$IPTABLES -A INPUT  -i lo  -j ACCEPT
$IPTABLES -A OUTPUT  -o lo  -j ACCEPT

#
# Rule 3(global)
#
# ssh access to firewall: new connections from 10/8 to either of the
# firewall's own addresses.
#
for fw_addr in x.x.x.x 10.3.3.254; do
  $IPTABLES -A INPUT -p tcp  -s 10.0.0.0/8  -d "$fw_addr"  --destination-port 22  -m state --state NEW  -j ACCEPT
done

#
# Rule 4(global)
#
# firewall uses DNS server on Inet: outbound DNS (tcp and udp) from both
# of the firewall's addresses.
#
for proto in tcp udp; do
  for fw_addr in x.x.x.x 10.3.3.254; do
    $IPTABLES -A OUTPUT -p "$proto"  -s "$fw_addr"  --destination-port 53  -m state --state NEW  -j ACCEPT
  done
done

#
# Rule 5(global)
#
# 'masquerading' rule: any new connection with a 10/8 source is accepted
# in every chain. NOTE(review): the match is on source address only and
# is not bound to the internal interface, so a packet arriving on eth1
# with a 10/8 source is accepted as well; adding "-i eth0" to the INPUT
# and FORWARD rules (or an explicit anti-spoofing drop) would close that
# - confirm against the actual topology.
#
for chain in INPUT OUTPUT FORWARD; do
  $IPTABLES -A "$chain"  -s 10.0.0.0/8  -m state --state NEW  -j ACCEPT
done

#
# Rule 6(global)
#
# 'catch all' rule: everything not accepted above is logged and dropped.
# The LOG rule has no "-m limit", so a sustained flood of denied packets
# writes one syslog line per packet; CONFIG_IP_NF_MATCH_LIMIT provides
# "-m limit" if rate limiting is wanted.
#
$IPTABLES -N RULE_6
for chain in OUTPUT INPUT FORWARD; do
  $IPTABLES -A "$chain"  -j RULE_6
done
$IPTABLES -A RULE_6  -j LOG  --log-level debug --log-prefix "RULE 6 -- DENY "
$IPTABLES -A RULE_6  -j DROP

#
# Forwarding is switched on only after the complete rule set is loaded.
#
echo 1 > /proc/sys/net/ipv4/ip_forward

the result is : 

kaluha fwbuilder # ./kaluha.fw

+ va_num=1

+ LSMOD=lsmod

+ MODPROBE=modprobe

+ IPTABLES=iptables

+ IP=ip

+ LOGGER=logger

+ cd /etc

+ log 'Activating firewall script generated Sun Nov 16 17:25:40 2003 UTC by root

'

+ test -x logger

+ INTERFACES=eth1 eth0 lo

+ ip link show eth1

+ ip link show eth0

+ ip link show lo

+ echo 0

+ echo 0

+ echo 30

+ echo 1800

+ ip -4 neigh flush dev eth1

+ ip -4 addr flush dev eth1 label 'eth1:FWB*'

Nothing to flush.

+ ip -4 neigh flush dev eth0

Nothing to flush.

+ ip -4 addr flush dev eth0 label 'eth0:FWB*'

Nothing to flush.

+ add_addr x.x.x.x 29 eth1

+ addr=x.x.x.x

+ nm=29

+ dev=eth1

+ type=

+ aadd=

++ ip -4 link ls eth1

++ grep eth1:

+ L=4: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100

+ test -n '4: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100'

+ OIFS=

+ IFS= /:,<

+ set 4 eth1 '' BROADCAST MULTICAST 'UP>' mtu 1500 qdisc pfifo_fast qlen 100

+ type=BROADCAST

+ IFS=

++ ip -4 addr ls eth1 to x.x.x.x

++ grep ' inet '

+ L=    inet x.x.x.x/29 brd x.x.x.x scope global eth1

+ test -n '    inet x.x.x.x/29 brd x.x.x.x scope global eth1'

+ OIFS=

+ IFS= /

+ set inet x.x.x.x 29 brd x.x.x.x scope global eth1

+ aadd=x.x.x.x

+ IFS=

+ test -z x.x.x.x

+ ip link set eth1 up

+ add_addr 10.3.3.254 24 eth0

+ addr=10.3.3.254

+ nm=24

+ dev=eth0

+ type=

+ aadd=

++ ip -4 link ls eth0

++ grep eth0:

+ L=3: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100

+ test -n '3: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100'

+ OIFS=

+ IFS= /:,<

+ set 3 eth0 '' BROADCAST MULTICAST 'UP>' mtu 1500 qdisc pfifo_fast qlen 100

+ type=BROADCAST

+ IFS=

++ ip -4 addr ls eth0 to 10.3.3.254

++ grep ' inet '

+ L=    inet 10.3.3.254/24 brd 10.255.255.255 scope global eth0

+ test -n '    inet 10.3.3.254/24 brd 10.255.255.255 scope global eth0'

+ OIFS=

+ IFS= /

+ set inet 10.3.3.254 24 brd 10.255.255.255 scope global eth0

+ aadd=10.3.3.254

+ IFS=

+ test -z 10.3.3.254

+ ip link set eth0 up

+ add_addr 127.0.0.1 8 lo

+ addr=127.0.0.1

+ nm=8

+ dev=lo

+ type=

+ aadd=

++ ip -4 link ls lo

++ grep lo:

+ L=1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue

+ test -n '1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue '

+ OIFS=

+ IFS= /:,<

+ set 1 lo '' LOOPBACK 'UP>' mtu 16436 qdisc noqueue

+ type=LOOPBACK

+ IFS=

++ ip -4 addr ls lo to 127.0.0.1

++ grep ' inet '

+ L=    inet 127.0.0.1/8 scope host lo

+ test -n '    inet 127.0.0.1/8 scope host lo'

+ OIFS=

+ IFS= /

+ set inet 127.0.0.1 8 scope host lo

+ aadd=127.0.0.1

+ IFS=

+ test -z 127.0.0.1

+ ip link set lo up

+ iptables -P OUTPUT DROP

+ iptables -P INPUT DROP

+ iptables -P FORWARD DROP

+ cat /proc/net/ip_tables_names

+ read table

+ iptables -t filter -L -n

+ read c chain rest

+ test XChain = XChain

+ iptables -t filter -F INPUT

+ read c chain rest

+ test Xtarget = XChain

+ read c chain rest

+ test X = XChain

+ read c chain rest

+ test XChain = XChain

+ iptables -t filter -F FORWARD

+ read c chain rest

+ test Xtarget = XChain

+ read c chain rest

+ test X = XChain

+ read c chain rest

+ test XChain = XChain

+ iptables -t filter -F OUTPUT

+ read c chain rest

+ test Xtarget = XChain

+ read c chain rest

+ iptables -t filter -X

+ read table

+ iptables -t nat -L -n

+ read c chain rest

+ test XChain = XChain

+ iptables -t nat -F PREROUTING

+ read c chain rest

+ test Xtarget = XChain

+ read c chain rest

+ test X = XChain

+ read c chain rest

+ test XChain = XChain

+ iptables -t nat -F POSTROUTING

+ read c chain rest

+ test Xtarget = XChain

+ read c chain rest

+ test X = XChain

+ read c chain rest

+ test XChain = XChain

+ iptables -t nat -F OUTPUT

+ read c chain rest

+ test Xtarget = XChain

+ read c chain rest

+ iptables -t nat -X

+ read table

++ uname -r

+ MODULE_DIR=/lib/modules/2.4.20-gentoo-r8/kernel/net/ipv4/netfilter/

++ cd /lib/modules/2.4.20-gentoo-r8/kernel/net/ipv4/netfilter/

++ ls ip_conntrack_h323.o ip_conntrack_irc.o ip_conntrack_rpc_tcp.o ip_conntrack

_rpc_udp.o ip_nat_h323.o ip_nat_irc.o

++ sed 's/\.o.*$//'

+ MODULES=ip_conntrack_h323

ip_conntrack_irc

ip_conntrack_rpc_tcp

ip_conntrack_rpc_udp

ip_nat_h323

ip_nat_irc

++ echo ip_conntrack_h323 ip_conntrack_irc ip_conntrack_rpc_tcp ip_conntrack_rpc

_udp ip_nat_h323 ip_nat_irc

+ lsmod

+ grep ip_conntrack_h323

+ '[' -e /lib/modules/2.4.20-gentoo-r8/kernel/net/ipv4/netfilter//ip_conntrack_h

323.o -o -e /lib/modules/2.4.20-gentoo-r8/kernel/net/ipv4/netfilter//ip_conntrac

k_h323.o.gz ']'

+ modprobe ip_conntrack_h323

+ lsmod

+ grep ip_conntrack_irc

+ '[' -e /lib/modules/2.4.20-gentoo-r8/kernel/net/ipv4/netfilter//ip_conntrack_i

rc.o -o -e /lib/modules/2.4.20-gentoo-r8/kernel/net/ipv4/netfilter//ip_conntrack

_irc.o.gz ']'

+ modprobe ip_conntrack_irc

+ lsmod

+ grep ip_conntrack_rpc_tcp

+ '[' -e /lib/modules/2.4.20-gentoo-r8/kernel/net/ipv4/netfilter//ip_conntrack_r

pc_tcp.o -o -e /lib/modules/2.4.20-gentoo-r8/kernel/net/ipv4/netfilter//ip_connt

rack_rpc_tcp.o.gz ']'

+ modprobe ip_conntrack_rpc_tcp

+ lsmod

+ grep ip_conntrack_rpc_udp

+ '[' -e /lib/modules/2.4.20-gentoo-r8/kernel/net/ipv4/netfilter//ip_conntrack_r

pc_udp.o -o -e /lib/modules/2.4.20-gentoo-r8/kernel/net/ipv4/netfilter//ip_connt

rack_rpc_udp.o.gz ']'

+ modprobe ip_conntrack_rpc_udp

+ lsmod

+ grep ip_nat_h323

+ '[' -e /lib/modules/2.4.20-gentoo-r8/kernel/net/ipv4/netfilter//ip_nat_h323.o

-o -e /lib/modules/2.4.20-gentoo-r8/kernel/net/ipv4/netfilter//ip_nat_h323.o.gz

']'

+ modprobe ip_nat_h323

+ lsmod

+ grep ip_nat_irc

+ '[' -e /lib/modules/2.4.20-gentoo-r8/kernel/net/ipv4/netfilter//ip_nat_irc.o -

o -e /lib/modules/2.4.20-gentoo-r8/kernel/net/ipv4/netfilter//ip_nat_irc.o.gz ']

'

+ modprobe ip_nat_irc

+ iptables -t nat -A POSTROUTING -o eth1 -s 10.0.0.0/8 -j SNAT --to-source x.x.x.x

+ iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables: No chain/target/match by that name

+ iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables: No chain/target/match by that name

+ iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables: No chain/target/match by that name

+ iptables -A INPUT -p tcp '!' --syn -m state --state NEW -j DROP

iptables: No chain/target/match by that name

+ iptables -A OUTPUT -p tcp '!' --syn -m state --state NEW -j DROP

iptables: No chain/target/match by that name

+ iptables -A FORWARD -p tcp '!' --syn -m state --state NEW -j DROP

iptables: No chain/target/match by that name

+ iptables -A INPUT -i lo -j ACCEPT

+ iptables -A OUTPUT -o lo -j ACCEPT

+ iptables -A INPUT -p tcp -s 10.0.0.0/8 -d x.x.x.x --destination-port 2

2 -m state --state NEW -j ACCEPT

iptables: No chain/target/match by that name

+ iptables -A INPUT -p tcp -s 10.0.0.0/8 -d 10.3.3.254 --destination-port 22 -m

state --state NEW -j ACCEPT

iptables: No chain/target/match by that name

+ iptables -A OUTPUT -p tcp -s x.x.x.x --destination-port 53 -m state --

state NEW -j ACCEPT

iptables: No chain/target/match by that name

+ iptables -A OUTPUT -p tcp -s 10.3.3.254 --destination-port 53 -m state --state

 NEW -j ACCEPT

iptables: No chain/target/match by that name

+ iptables -A OUTPUT -p udp -s x.x.x.x --destination-port 53 -m state --

state NEW -j ACCEPT

iptables: No chain/target/match by that name

+ iptables -A OUTPUT -p udp -s 10.3.3.254 --destination-port 53 -m state --state

 NEW -j ACCEPT

iptables: No chain/target/match by that name

+ iptables -A INPUT -s 10.0.0.0/8 -m state --state NEW -j ACCEPT

iptables: No chain/target/match by that name

+ iptables -A OUTPUT -s 10.0.0.0/8 -m state --state NEW -j ACCEPT

iptables: No chain/target/match by that name

+ iptables -A FORWARD -s 10.0.0.0/8 -m state --state NEW -j ACCEPT

iptables: No chain/target/match by that name

+ iptables -N RULE_6

+ iptables -A OUTPUT -j RULE_6

+ iptables -A INPUT -j RULE_6

+ iptables -A FORWARD -j RULE_6

+ iptables -A RULE_6 -j LOG --log-level debug --log-prefix 'RULE 6 -- DENY '

+ iptables -A RULE_6 -j DROP

+ echo 1

as you can see - the error i am getting is : 

iptables: No chain/target/match by that name

i have been trying to get this to work for a week now and am getting nowhere fast - i like the look and functionality of gentoo and fwbuilder - if someone can tell me how to get over this last problem - it would save me a lot of headache !!!

thanks in advance.

----------

## lamaditx

you think somebody is willing to read through this post?

----------

## Vlad

Yeah.  Troubleshooting all that is damn near impossible =/

I'm guessing you're trying to do firewall stuff, so here's my suggestion to you: use gShield instead.  There's an ebuild for it (emerge gshield) and it's highly customizable for both gateway/routers and normal machines, and I'm pretty sure it'll do everything you're trying to do.

----------

## Janne Pikkarainen

After running the script, does lsmod tell that both "ipt_state" and "ip_conntrack" modules are loaded? Both are needed for state match support.

----------

## *nixVirgin

i am not expecting anyone to read it line by line - but to take a quick look over it to see if there is something obvious that someone new to gentoo like me would have missed......

thanks for your comments anyway.....

----------

## *nixVirgin

after the script runs lsmod shows : 

kaluha fwbuilder # lsmod

Module                  Size  Used by    Tainted: GF

ipt_LOG                 3384   1  (autoclean)

ip_nat_irc              2992   0  (unused)

ip_nat_h323             3372   0  (unused)

ip_conntrack_rpc_udp    5344   0  (unused)

ip_conntrack_rpc_tcp    5440   0  (unused)

ip_conntrack_irc        3472   1  [ip_nat_irc]

ip_conntrack_h323       3632   1  [ip_nat_h323]

iptable_filter          1740   1  (autoclean)

usb-storage            63640   0  (unused)

hid                    13940   0  (unused)

uhci                   25792   0  (unused)

usbcore                62848   1  [usb-storage hid uhci]

what kernel option do i need to include to get ipt_state or whatever is required ????

ta in advance.

----------

## Janne Pikkarainen

Ok, that explains it. You seem to have a proper kernel configuration already, but the firewall script doesn't have lines which would do

```
modprobe ip_conntrack

modprobe ipt_state
```

Add those to your fw script and everything should work fine.

----------

## *nixVirgin

i was hoping that was gonna be the fix....

get error : 

modprobe: Can't locate module ip_conntrack

 and of course it doesn't load ipt_state either.....

content of : /lib/modules/2.4.20-gentoo-r8/kernel/net/ipv4/netfilter/

ip_conntrack_h323.o     ipt_POOL.o              ipt_pool.o

ip_conntrack_irc.o      ipt_iprange.o           ipt_psd.o

ip_conntrack_rpc_tcp.o  ipt_limit.o             ipt_quota.o

ip_conntrack_rpc_udp.o  ipt_mac.o               ipt_random.o

ip_nat_h323.o           ipt_mark.o              ipt_recent.o

ip_nat_irc.o            ipt_mport.o             ipt_rpc.o

ip_pool.o               ipt_multiport.o         ipt_tos.o

ipt_LOG.o               ipt_nth.o               iptable_filter.o

ipt_NETMAP.o            ipt_pkttype.o

----------

## Janne Pikkarainen

Well, your kernel configuration file has both ipt_state and ip_conntrack enabled:

```
CONFIG_IP_NF_MATCH_CONNTRACK=m

CONFIG_IP_NF_MATCH_STATE=m 
```

... but the kernel module directory does not have them. Are you sure the kernel compilation phase (especially "make modules" and "make modules_install") went OK?

----------

## *nixVirgin

genkernel does make modules but it then ends and does not do a make_install....

it used to.....

is it worth compiling manually - if so - what are the commands i should use ?

----------

## Janne Pikkarainen

I'm used to compiling kernels manually and don't have much experience with genkernel. The kernel it produced for my friend's new AMD desktop box was fine, though.

Should you want to try a manual compilation, it goes like this (for 2.4 kernels, anyway):

```
cd /usr/src/linux

make menuconfig (or make xconfig, if you want X interface)

make dep

make bzImage

make modules

make modules_install

cp arch/i386/boot/bzImage /boot/vmlinuz-yourkernel

cp System.map /boot/System.map-yourkernel

ln -s /boot/System.map-yourkernel /boot/System.map
```

And after that edit /boot/grub/grub.conf to reflect the changes.

----------

## *nixVirgin

thanks for that...

will try as soon as i get home - do you reckon then if i do it manually - it should compile in the stuff i need ?

thanks again.

----------

## Janne Pikkarainen

Yeah, your kernel config seems to be fine, so it should work. Although "make modules" could stop with an error, because as far as I know genkernel SHOULD install the kernel modules if everything is ok... if make modules fails, please copy&paste the error here.

----------

## *nixVirgin

cheers mate

you have been a real big help...

----------

## *nixVirgin

hi

re-compiled the kernel - it complained about needing something to do with QOS - i added what it wanted which was only like 3 things and it all went through fine....

rebooted - created a new fwbuilder script using just the basics to start and i now get this : 

kaluha fwbuilder # ./kaluha.fw

Nothing to flush.

Nothing to flush.

Nothing to flush.

Warning: loading /lib/modules/2.4.20-gentoo-r8/kernel/net/ipv4/netfilter/ip_nat_talk.o will taint the kernel: no license

  See http://www.tux.org/lkml/#export-tainted for information about tainted modules

Module ip_nat_talk loaded, with warnings

iptables v1.2.8: can't initialize iptables table `drop': Table does not exist (do you need to insmod?)

Perhaps iptables or your kernel needs to be upgraded.

if i try a ping then i get this still : 

kaluha fwbuilder # ping 212.23.8.70

PING 212.23.8.70 (212.23.8.70) 56(84) bytes of data.

ping: sendmsg: Operation not permitted

ping: sendmsg: Operation not permitted

modules loaded are : 

kaluha fwbuilder # lsmod

Module                  Size  Used by    Tainted: P

ipt_LOG                 3384   1  (autoclean)

ipt_state                568  22  (autoclean)

ip_nat_tftp             2096   0  (unused)

ip_nat_talk             2360   0  (unused)

ip_nat_quake3           2184   0  (unused)

ip_nat_proto_gre        1444   0  (unused)

ip_nat_pptp             2060   0  (unused)

ip_nat_mms              3248   0  (unused)

ip_nat_irc              2640   0  (unused)

ip_nat_h323             2636   0  (unused)

ip_nat_ftp              3312   0  (unused)

ip_nat_cuseeme          2768   0  (unused)

ip_nat_amanda           1548   0  (unused)

iptable_nat            17784  13  [ip_nat_tftp ip_nat_talk ip_nat_quake3 ip_nat_proto_gre ip_nat_pptp ip_nat_mms ip_nat_irc ip_nat_h323 ip_nat_ftp ip_nat_cuseeme ip_nat_amanda]

ip_conntrack_tftp       2064   1

ip_conntrack_talk       2944   2

ip_conntrack_rsh        2368   1

ip_conntrack_rpc_udp    3616   0  (unused)

ip_conntrack_rpc_tcp    3712   0  (unused)

ip_conntrack_quake3     2376   1

ip_conntrack_pptp       2800   1

ip_conntrack_proto_gre    2932   0  [ip_nat_pptp ip_conntrack_pptp]

ip_conntrack_mms        3472   1

ip_conntrack_irc        3280   1

ip_conntrack_h323       2768   1

ip_conntrack_ftp        4368   0  (unused)

ip_conntrack_egg        2864   0  (unused)

ip_conntrack_amanda     2064   1

ip_conntrack           21000  17  [ipt_state ip_nat_tftp ip_nat_talk ip_nat_quake3 ip_nat_pptp ip_nat_mms ip_nat_irc ip_nat_h323 ip_nat_ftp ip_nat_amanda iptable_nat ip_conntrack_tftp ip_conntrack_talk ip_conntrack_rsh ip_conntrack_rpc_udp ip_conntrack_rpc_tcp ip_conntrack_quake3 ip_conntrack_pptp ip_conntrack_proto_gre ip_conntrack_mms ip_conntrack_irc ip_conntrack_h323 ip_conntrack_ftp ip_conntrack_egg ip_conntrack_amanda]

iptable_filter          1740   1  (autoclean)

ip_tables              12704   6  [ipt_LOG ipt_state iptable_nat iptable_filter]

usbcore                63072   1

kaluha fwbuilder #

any further pointers - i would be very grateful....

thanks in advance.

----------

## Janne Pikkarainen

```
Warning: loading /lib/modules/2.4.20-gentoo-r8/kernel/net/ipv4/netfilter/ip_nat_talk.o will taint the kernel: no license
```

You may remove this one from kernel configuration if you know you're not gonna need it.

```
iptables v1.2.8: can't initialize iptables table `drop': Table does not exist (do you need to insmod?)
```

Did you add some new lines to your firewall script? It seems that you have a line which ends "-j drop" instead of "-j DROP" - iptables is case-sensitive when it comes to chain names.

And the ping probably fails because your iptables firewall script doesn't allow you to send any icmp traffic. I didn't look at the script very carefully, but I would guess that

```
iptables -A OUTPUT -p icmp -j ACCEPT
```

would do the trick.

----------

## *nixVirgin

cheers mate - will give that a go...

thanks for all your help - you are a man page.....     :Wink: 

----------

