# need help with iptables

## chiatello

I'm a bit confused here.

Is iptables just the firewall?

Or is it the NAT program as well?

------------------------------------------------------------------------------

ok, well, regardless of my previous post

I think I have things more or less set up, but I'm wondering:

if eth0 is given a DHCP IP address from my cable modem,

what should I do for my eth1? It's what all the other computers are going to be connected to.

code:

```
# /etc/dhcpd.conf
# (add your comments here)
default-lease-time 600;
max-lease-time 7200;
option subnet-mask 255.255.255.0;
option broadcast-address 192.168.0.255;
option routers 192.168.0.254;
option domain-name-servers 192.168.0.1, 192.168.0.2;
option domain-name "mydomain.org";
ddns-update-style ad-hoc;

subnet 192.168.0.0 netmask 255.255.255.0 {
   range 192.168.0.10 192.168.0.100;
   range 192.168.0.150 192.168.0.200;
}
```

http://tldp.org/HOWTO/IP-Masquerade....FIREWALL-2.4.X

and the config file for iptables is basically the default one, with just one change for the iptables binary location

original thread: http://www.ocforums.com/showthread.php?s=&threadid=259751

----------

## zhen

It's both  :Smile: 

iptables can pretty much do anything when it comes to packet ordering, routing, firewalling, NAT, etc. Think of iptables as the giant, very extendable, packet filter that it is.

Your dhcpcd.conf looks good, but I am not sure if you can have 2 ranges specified under the same subnet declaration.

If you want a very easy and secure iptables firewall solution, check out Projectfiles Firewall. I use this on all of my routers and servers and I have had absolutely no problems with it when it comes to configuration and security.

Have fun  :Smile: 

----------

## chiatello

what location is the iptables config file?

----------

## zhen

There really is no config file for iptables. iptables is a command that can be fed certain options and switches. For example:

```
iptables -A INPUT -p tcp -s 192.168.1.2 -j DROP
```

would drop all INCOMING tcp packets from 192.168.1.2. String this together with some other iptables commands, and you have yourself a firewall (like the Projectfiles Firewall).

For the easiest solution, get the Projectfiles Firewall and read the documentation on their website. It is an enterprise quality firewall script that is easy to setup. It is your best bet.

----------

## chiatello

ugh, I was just reading this readme; let me look at it

http://tldp.org/HOWTO/IP-Masquerade-HOWTO/index.html

it says something like firewalls-2.4; it's a config file

----------

## chiatello

rc.firewall-2.4

http://tldp.org/HOWTO/IP-Masquerade-HOWTO/firewall-examples.html#RC.FIREWALL-2.4.X

----------

## zhen

That is an excellent example of a bash script iptables firewall solution. The config part is just the setting up some simple script variables. If you read through the script, you will see where the variables are inputted into iptables commands.

----------

## chiatello

well, since I got a similar script set up,

how can I use that? (along with it running at start-up)

instead of just inputting commands

----------

## zhen

The easiest way to have it run at startup would be to put it into /etc/conf.d/local.start.

----------

## chiatello

just put the script in the /etc/conf.d/local.start directory?

also, what program controls the different runlevels // stages that programs are loaded during bootup?

----------

## chiatello

when I execute the script it says 

```
gentoo iptables # ./iptables.sh
Loading simple rc.firewall version 0.75..
   External Interface:  eth0
   Internal Interface:  eth1
   loading modules:   - Verifying that all kernel modules are ok
----------------------------------------------------------------------
ip_tables, modprobe: Can't locate module ip_tables
ip_conntrack, modprobe: Can't locate module ip_conntrack
ip_conntrack_ftp, modprobe: Can't locate module ip_conntrack_ftp
ip_conntrack_irc, modprobe: Can't locate module ip_conntrack_irc
iptable_nat, modprobe: Can't locate module iptable_nat
ip_nat_ftp, modprobe: Can't locate module ip_nat_ftp
----------------------------------------------------------------------
   Done loading modules.
   Enabling forwarding..
   Enabling DynamicAddr..
   Clearing any existing rules and setting default policy..
modprobe: Can't locate module ip_tables
iptables v1.2.8: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
modprobe: Can't locate module ip_tables
iptables v1.2.8: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
modprobe: Can't locate module ip_tables
iptables v1.2.8: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
modprobe: Can't locate module ip_tables
iptables v1.2.8: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
modprobe: Can't locate module ip_tables
iptables v1.2.8: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
modprobe: Can't locate module ip_tables
iptables v1.2.8: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
modprobe: Can't locate module ip_tables
iptables v1.2.8: can't initialize iptables table `nat': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
   FWD: Allow all connections OUT and only existing and related ones IN
modprobe: Can't locate module ip_tables
iptables v1.2.8: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
modprobe: Can't locate module ip_tables
iptables v1.2.8: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
modprobe: Can't locate module ip_tables
iptables v1.2.8: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
   Enabling SNAT (MASQUERADE) functionality on eth0
modprobe: Can't locate module ip_tables
iptables v1.2.8: can't initialize iptables table `nat': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
rc.firewall-2.4 v0.75 done.
```

now I put those modules in my kernel; I didn't compile them as modules

and when I check to see if iptables is running, it isn't

```
gentoo iptables # ps aux | grep iptables
root      4079  0.0  0.0  1432  372 pts/1    R    03:23   0:00 grep iptables
```

----------

## Oopsz

you need the iptables userspace tools in addition to the kernel functionality.  emerge iptables.

----------

## zhen

Yeah, you will need to compile your iptables stuff as modules. Also, iptables is not a daemon, it is simply a program that adds rules to the filter list. Check www.tldp.org for more documentation.

----------

## chiatello

so I can't just compile them into the kernel?

I have to add them as modules?

----------

## Oopsz

i believe it should be fine compiled statically in the kernel, but you also need the userspace tools.  emerge iptables.

----------

## chiatello

well, I already did that

and it still prints those out...

should I be fine then?

I'm afraid I can't test it out till next week, which is when I NEED it to work

----------

## chiatello

bump

----------

## chiatello

anyone know?

even if I get those errors, will it still work?

----------

## GhostBear

Make sure the necessary iptables stuff is in your kernel somewhere.  Modules or static, either works.  If you're using modules remember to MODPROBE them when your system boots.  (I only use static kernels, no modules -- so you'll have to search for how to autoload modules @ boot  :Wink:  ).  

It looks like you just cut/pasted that script.  Check to make sure the actual path to iptables is correct, just in case.

Once you've compiled and emerged, test that it's working OK.  Type iptables -L at the prompt.  It should spit back  INPUT (ACCEPT).... etc.  Then you can start adding chains.

----------
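Putting zhen's "string iptables commands together" and GhostBear's "test with iptables -L first" advice into one script, as an added example that is not the HOWTO's rc.firewall-2.4 nor any poster's code. It assumes eth0 faces the cable modem, eth1 faces a 192.168.0.0/24 LAN, and iptables lives at /sbin/iptables; DRY_RUN=1 prints the rules instead of loading them, so it can be read and checked without root.

```shell
#!/bin/sh
# Added example: a small NAT/firewall script in the spirit of rc.firewall-2.4
# (not the HOWTO's). Interfaces, subnet and binary path are assumptions.
EXTIF="${EXTIF:-eth0}"
INTIF="${INTIF:-eth1}"
INTNET="${INTNET:-192.168.0.0/24}"
IPTABLES="${IPTABLES:-/sbin/iptables}"
DRY_RUN="${DRY_RUN:-0}"        # DRY_RUN=1 prints the rules instead of loading them

# Run one iptables invocation, or print it in dry-run mode.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        "$IPTABLES" "$@"
    fi
}

# The "can't initialize iptables table `filter'" error in the thread means the
# kernel has no netfilter support; a plain listing fails the same way, so use
# it as a readiness check before touching any rules (this is GhostBear's test).
iptables_ready() {
    "$IPTABLES" -L -n >/dev/null 2>&1
}

load_rules() {
    if [ "$DRY_RUN" != "1" ]; then
        echo 1 > /proc/sys/net/ipv4/ip_forward   # route eth1 traffic out eth0
        echo 1 > /proc/sys/net/ipv4/ip_dynaddr   # eth0 gets its address by DHCP
    fi
    ipt -F; ipt -t nat -F; ipt -X                # start from a clean slate
    ipt -P INPUT DROP
    ipt -P FORWARD DROP                          # default deny; only explicit traffic passes
    ipt -P OUTPUT ACCEPT
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -i "$INTIF" -s "$INTNET" -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # LAN may open anything outbound; the internet may only answer existing flows
    ipt -A FORWARD -i "$INTIF" -o "$EXTIF" -s "$INTNET" -j ACCEPT
    ipt -A FORWARD -i "$EXTIF" -o "$INTIF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -t nat -A POSTROUTING -o "$EXTIF" -j MASQUERADE   # SNAT behind the DHCP address
}

# Number of iptables commands the script would issue (dry run in a subshell).
rule_count() {
    (DRY_RUN=1; load_rules) | grep -c .
}

if [ "${1:-}" = "start" ]; then
    iptables_ready || { echo "iptables cannot talk to the kernel; check netfilter config" >&2; exit 1; }
    load_rules
fi
```

Run as `sh fw.sh start` from /etc/conf.d/local.start once `iptables -L` works; `DRY_RUN=1 sh fw.sh start` only prints what would be loaded (the readiness check still runs first).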

## chiatello

 *GhostBear wrote:*   

> Make sure the necessary iptables stuff is in your kernel somewhere.  Modules or static, either works.  If you're using modules remember to MODPROBE them when your system boots.  (I only use static kernels, no modules -- so you'll have to search for how to autoload modules @ boot  ).  
> 
> It looks like you just cut/pasted that script.  Check to make sure the actual path to iptables is correct, just in case.
> 
> Once you've compiled and emerged, test that it's working OK.  Type iptables -L at the prompt.  It should spit back  INPUT (ACCEPT).... etc.  Then you can start adding chains.

I did it static

and I edited the script for all the right binaries

when I type

iptables -L it prints back

```
modprobe: Can't locate module ip_tables
iptables v1.2.8: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
```

----------

## Crg

 *chiatello wrote:*   

> iptables -L it prints back
> 
> ```
> ...

The kernel you are running doesn't have iptables either compiled in or as modules.

----------

## oguz286

And where can I find it in xconfig? I couldn't find it  :Sad: 

----------

## jaska

Use "make menuconfig" instead; it is much clearer than that xconfig.

----------

## cakes

A very good iptables firewall config program is Jay's Firewall - http://firewall-jay.sourceforge.net I think. If you read the documents on the site, it shows you a list of iptables options you need enabled in your kernel to have a working iptables firewall/NAT   :Smile: 

----------

