# Iptables modules hell

## alkalinelito

I set up a box acting just as a gateway.

In the kernel configuration I selected all the netfilter stuff as modules.

All the clients are Windows.

Everything is working, but now I need to get file transfer over IMs like MSN, Yahoo, etc., and NetMeeting to work.

so I go to /lib/modules/2.4.20-gentoo-r5/kernel/net/ipv4/netfilter

and I have a WHOLE bunch of modules. I know the h323 ones are for NetMeeting and stuff, but I don't really know exactly which one does what,

so I loaded them all (nasty). Now everything is working (of course! ha), but I would like to make this clean, and know exactly which modules to load and what each one does. Where can I find documentation on this?

well, thanks

funny

```
root@puntocom netfilter # lsmod
Module                  Size  Used by    Tainted: P
iptable_mangle          2136   0  (unused)
iptable_filter          1740   0  (unused)
ipt_recent              8824   0  (unused)
ipt_length               472   0  (unused)
ipt_iprange              632   0  (unused)
ipt_esp                  600   0  (unused)
ipt_fuzzy               1208   0  (unused)
ipt_ecn                  824   0  (unused)
ipt_dscp                 472   0  (unused)
ipt_conntrack           1176   0  (unused)
ipt_connmark             536   0  (unused)
ipt_connlimit           1880   0  (unused)
ipt_condition           1560   0  (unused)
ipt_TOS                 1016   0  (unused)
ipt_TARPIT              2456   0  (unused)
ipt_SAME                 984   0  (unused)
ipt_ROUTE               2424   0  (unused)
ipt_REJECT              3192   0  (unused)
ipt_REDIRECT             792   0  (unused)
ipt_NETMAP               760   0  (unused)
ipt_NETLINK             1436   0  (unused)
ipt_IPV4OPTSSTRIP       1080   0  (unused)
ipt_IMQ                  792   0  (unused)
ipt_ECN                 1784   0  (unused)
ipt_DSCP                1048   0  (unused)
ipt_CLASSIFY             856   0  (unused)
ip_nat_proto_gre        1444   0  (unused)
ip_nat_pptp             2508   0  (unused)
ip_nat_irc              3120   0  (unused)
ip_nat_h323             3564   0  (unused)
ip_nat_cuseeme          2736   0  (unused)
ip_conntrack_tftp       2064   0  (unused)
ip_conntrack_talk       3936   0  (unused)
ip_conntrack_rsh        2560   0  (unused)
ip_conntrack_rpc_udp    5632   0  (unused)
ip_conntrack_rpc_tcp    5728   0  (unused)
ip_conntrack_pptp       3088   1  [ip_nat_pptp]
ip_conntrack_proto_gre    4660   0  [ip_nat_pptp ip_conntrack_pptp]
ip_conntrack_irc        3568   1  [ip_nat_irc]
ip_conntrack_h323       3888   1  [ip_nat_h323]
ipt_MASQUERADE          1976   1  (autoclean)
iptable_nat            24760   6  (autoclean) [ipt_SAME ipt_REDIRECT ipt_NETMAP ip_nat_proto_gre ip_nat_pptp ip_nat_irc ip_nat_h323 ip_nat_cuseeme ipt_MASQUERADE]
```

----------

## wolf31o2

The simplest way is to not load any modules for iptables, and to let iptables load them itself when you call them in your scripts.

----------

## alkalinelito

But I'm not an iptables guru.

All I'm doing is this (I created an executable file in /etc/init.d/file, and added it to the default run level):

```
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
```

I'm starting to read more about iptables,

but I would really like to set up a nice firewall.

The internal LAN is 192.168.x.x and the Gentoo box is 192.168.0.1 with 2 NICs, one that goes to the internal LAN and the other to ADSL.

How can I tell iptables to load the modules that it needs?


----------

## ferringb

 *alkalinelito wrote:*   

> But I'm not an iptables guru.
> 
> All I'm doing is this (I created an executable file in /etc/init.d/file, and added it to the default run level):
> 
> ...snip...
> ...

 

Like Wolf31o2 said,  *Wolf31o2 wrote:*   

> The simplest way is to not load any modules for iptables, and to let iptables load them itself when you call them in your scripts.

 

Explaining it a bit further: say all you have loaded is ip_tables, and your script tells iptables to create a ruleset that uses connection tracking. The kernel/modules daemon will load the module if it is needed and not present. You don't have to modprobe all the modules yourself; just let iptables handle it.

----------

## alkalinelito

But check the code I use for iptables:

if I don't modprobe the h323 modules,

NetMeeting will not work.


----------

## ferringb

 *alkalinelito wrote:*   

> But check the code I use for iptables:
> 
> if I don't modprobe the h323 modules,
> 
> NetMeeting will not work.

 

As far as I know, connection tracking (conntrack) modules would be an exception in terms of iptables loading the modules that it needs, although I believe that to actually use them you have to specify a specific rule that uses them... not sure though.

So just to be safe, we say the needed connection tracking modules must be insmodded. OK, not an issue. In your script modprobe the specific protocol fixes you need (h323 as you said), and let iptables handle the rest.
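Putting that advice into a script, as an added example that is not from any poster in this thread: only the conntrack/NAT helper modules for the protocols in use (names taken from the lsmod output above) are modprobed explicitly, while ordinary matches and targets (ipt_state, ipt_MASQUERADE, iptable_nat) are left for iptables to load on first use. Assumed: eth0 is the LAN side, ppp0 the ADSL side, the LAN is 192.168.0.0/16, and DRY_RUN=1 (the default) prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example, not the poster's script. Minimal 2.4-era gateway setup that
# modprobes only the conntrack/NAT helpers for the protocols actually in use
# (module names taken from the lsmod output in the thread) and lets iptables
# autoload ordinary matches and targets (ipt_state, ipt_MASQUERADE, iptable_nat).
# Assumed: eth0 = LAN side, ppp0 = ADSL side, LAN = 192.168.0.0/16.
# DRY_RUN=1 (the default) prints the commands instead of executing them.
DRY_RUN="${DRY_RUN-1}"
LAN=eth0
WAN=ppp0
LAN_NET=192.168.0.0/16

run() { if [ -n "$DRY_RUN" ]; then echo "$*"; else "$@"; fi; }

# Protocol name -> helper modules that need an explicit modprobe.
helper_modules_for() {
    case "$1" in
        h323|netmeeting) echo "ip_conntrack_h323 ip_nat_h323" ;;
        irc)  echo "ip_conntrack_irc ip_nat_irc" ;;
        pptp) echo "ip_conntrack_proto_gre ip_nat_proto_gre ip_conntrack_pptp ip_nat_pptp" ;;
        tftp) echo "ip_conntrack_tftp" ;;
        *)    echo "unknown protocol: $1" >&2; return 1 ;;
    esac
}

load_helpers() {
    for proto in "$@"; do
        mods=$(helper_modules_for "$proto") || return 1
        for m in $mods; do run modprobe "$m"; done
    done
}

gateway_rules() {
    run sysctl -w net.ipv4.ip_forward=1
    # Drop everything not explicitly allowed; the gateway itself may talk out.
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
    run iptables -P OUTPUT ACCEPT
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -i "$LAN" -s "$LAN_NET" -j ACCEPT
    # "-m state" makes iptables load ipt_state itself; RELATED also admits the
    # extra data/media streams the h323/irc helpers expect, so no per-port holes.
    run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -j ACCEPT
    run iptables -A FORWARD -i "$WAN" -o "$LAN" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # MASQUERADE pulls in ipt_MASQUERADE and iptable_nat on first use.
    run iptables -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE
}
load_helpers h323 irc && gateway_rules
```

Run it as root with DRY_RUN= (empty) to apply the rules for real; the default dry run lets you review the exact modprobe and iptables commands first.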

----------

## alkalinelito

Can anyone help me in making a good script?

I know I need some rules to make the box secure.

Well, I'm still reading iptables tutorials,

but I really know that script is really insecure.

----------

## alkalinelito

But anyway, that thing about a firewall script doesn't matter.

The problem is still there: I don't know which modules to load so I can get file transfer / video / audio to work.

So many modules, no explanation about what each does,

like the topic says: iptables modules hell.


----------

## fatcat.00

"emerge firestarter" and let it generate a script for you. It contains all the modules to load and explains what each one does.

Firestarter is a great way to get started with iptables.

----------

## alkalinelito

heheheh, no X.

Thanks anyway,

but the issue is not the firewall script.

It is to know what each module does, and to know what to load to get file transfer, audio and video working.

----------

## fatcat.00

Right, well the script generated by Firestarter adds comments about what each thing does, which is why I suggested it.

But, as you have no X... I suggest using one of the many firewall scripts out there, some of which are pretty well documented. Try "monmotha" for example, http://monmotha.mplug.org/firewall/index.php

----------

## alkalinelito

Thanks for all the answers, trying/reading.


----------

