# iptables at square zero [fixed thanks]

## jesnow

After the demise of denyhosts, and having run an unprotected system for three years without knowing it, I'm trying to set up iptables so I can use fail2ban. I did 

```
/etc/init.d/iptables save
iptables           | * /etc/init.d/iptables uses runscript, please convert to openrc-run.
iptables           | * Saving iptables state ...                                                 [ ok ]
Merckx linux # /etc/init.d/iptables start
iptables           | * /etc/init.d/iptables uses runscript, please convert to openrc-run.
iptables           | * WARNING: iptables has already been started
Merckx linux # 
```

But I'm still stuck at square zero:

```
Merckx jesnow # iptables -F
iptables v1.4.21: can't initialize iptables table `filter': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
```

I have the stuff compiled in the kernel, and I rebooted; this was long ago:

```
Merckx linux # grep NETFILTER .config
CONFIG_NETFILTER=y
# CONFIG_NETFILTER_DEBUG is not set
CONFIG_NETFILTER_ADVANCED=y
# CONFIG_NETFILTER_INGRESS is not set
# CONFIG_NETFILTER_NETLINK_ACCT is not set
# CONFIG_NETFILTER_NETLINK_QUEUE is not set
# CONFIG_NETFILTER_NETLINK_LOG is not set
CONFIG_NETFILTER_XTABLES=y
CONFIG_NETFILTER_XT_MARK=y
# CONFIG_NETFILTER_XT_TARGET_AUDIT is not set
# CONFIG_NETFILTER_XT_TARGET_CLASSIFY is not set
# CONFIG_NETFILTER_XT_TARGET_HMARK is not set
# CONFIG_NETFILTER_XT_TARGET_IDLETIMER is not set
# CONFIG_NETFILTER_XT_TARGET_LOG is not set
# CONFIG_NETFILTER_XT_TARGET_MARK is not set
# CONFIG_NETFILTER_XT_TARGET_NFLOG is not set
# CONFIG_NETFILTER_XT_TARGET_NFQUEUE is not set
# CONFIG_NETFILTER_XT_TARGET_RATEEST is not set
# CONFIG_NETFILTER_XT_TARGET_TEE is not set
# CONFIG_NETFILTER_XT_TARGET_TCPMSS is not set
# CONFIG_NETFILTER_XT_MATCH_ADDRTYPE is not set
# CONFIG_NETFILTER_XT_MATCH_BPF is not set
# CONFIG_NETFILTER_XT_MATCH_CGROUP is not set
# CONFIG_NETFILTER_XT_MATCH_COMMENT is not set
# CONFIG_NETFILTER_XT_MATCH_CPU is not set
# CONFIG_NETFILTER_XT_MATCH_DCCP is not set
# CONFIG_NETFILTER_XT_MATCH_DEVGROUP is not set
# CONFIG_NETFILTER_XT_MATCH_DSCP is not set
# CONFIG_NETFILTER_XT_MATCH_ECN is not set
# CONFIG_NETFILTER_XT_MATCH_ESP is not set
# CONFIG_NETFILTER_XT_MATCH_HASHLIMIT is not set
# CONFIG_NETFILTER_XT_MATCH_HL is not set
# CONFIG_NETFILTER_XT_MATCH_IPCOMP is not set
# CONFIG_NETFILTER_XT_MATCH_IPRANGE is not set
# CONFIG_NETFILTER_XT_MATCH_L2TP is not set
# CONFIG_NETFILTER_XT_MATCH_LENGTH is not set
# CONFIG_NETFILTER_XT_MATCH_LIMIT is not set
# CONFIG_NETFILTER_XT_MATCH_MAC is not set
# CONFIG_NETFILTER_XT_MATCH_MARK is not set
# CONFIG_NETFILTER_XT_MATCH_MULTIPORT is not set
# CONFIG_NETFILTER_XT_MATCH_NFACCT is not set
# CONFIG_NETFILTER_XT_MATCH_OWNER is not set
# CONFIG_NETFILTER_XT_MATCH_POLICY is not set
# CONFIG_NETFILTER_XT_MATCH_PKTTYPE is not set
# CONFIG_NETFILTER_XT_MATCH_QUOTA is not set
# CONFIG_NETFILTER_XT_MATCH_RATEEST is not set
# CONFIG_NETFILTER_XT_MATCH_REALM is not set
# CONFIG_NETFILTER_XT_MATCH_RECENT is not set
# CONFIG_NETFILTER_XT_MATCH_SCTP is not set
# CONFIG_NETFILTER_XT_MATCH_SOCKET is not set
# CONFIG_NETFILTER_XT_MATCH_STATISTIC is not set
# CONFIG_NETFILTER_XT_MATCH_STRING is not set
# CONFIG_NETFILTER_XT_MATCH_TCPMSS is not set
# CONFIG_NETFILTER_XT_MATCH_TIME is not set
# CONFIG_NETFILTER_XT_MATCH_U32 is not set
Merckx linux # 
```

I probably don't need any of the advanced stuff. The guides I've read don't seem to allow for this problem ever occurring, or say how to troubleshoot it.

Any help gratefully accepted.

Jon

Last edited by jesnow on Wed May 31, 2017 12:19 am; edited 1 time in total

----------

## charles17

*jesnow wrote:*

> But I'm still stuck at square zero:
> 
> ```
> 
> Merckx jesnow # iptables -F
> ...

 

Compare with https://wiki.gentoo.org/wiki/Iptables#Client and check /var/lib/ip{,6}tables/rules-save.

----------

## szatox

It seems you _don't_ have your iptables modules compiled in. And if they are modules, they are not loaded.

Try this:

```
zgrep _NF_ /proc/config.gz
```

I suppose you will get a long list of "# XXX is not set".

----------

## jesnow

*szatox wrote:*

> It seems you _dont_ have your iptables modules compiled in. And if they are modules, they are not loaded.
> 
> Try this:
> 
> ```
> ...

 

```
Merckx linux # zgrep _NF_ /proc/config.gz
# CONFIG_NF_CONNTRACK is not set
CONFIG_NF_LOG_COMMON=y
# CONFIG_NF_TABLES is not set
# CONFIG_NF_DEFRAG_IPV4 is not set
# CONFIG_NF_DUP_IPV4 is not set
# CONFIG_NF_LOG_ARP is not set
CONFIG_NF_LOG_IPV4=y
CONFIG_NF_REJECT_IPV4=y
CONFIG_IP_NF_IPTABLES=y
# CONFIG_IP_NF_MATCH_AH is not set
# CONFIG_IP_NF_MATCH_ECN is not set
# CONFIG_IP_NF_MATCH_TTL is not set
# CONFIG_IP_NF_FILTER is not set
# CONFIG_IP_NF_MANGLE is not set
# CONFIG_IP_NF_RAW is not set
# CONFIG_IP_NF_ARPTABLES is not set
# CONFIG_NF_DEFRAG_IPV6 is not set
# CONFIG_NF_DUP_IPV6 is not set
# CONFIG_NF_REJECT_IPV6 is not set
# CONFIG_NF_LOG_IPV6 is not set
# CONFIG_IP6_NF_IPTABLES is not set
Merckx linux # 
```

Which ones did I miss? Do I need all of them? This was not clear in any documentation I could find.

----------

## charles17

*jesnow wrote:*

> Which ones did I miss? Do I need all of them? This was not clear in any documentation I could find.

You should need only those checkmarked in the wiki article mentioned before.

----------

## szatox

I never really bothered checking the actual mapping of variables to pieces of code, but this one looks like a reason for the failure you reported in your previous post.

```
# CONFIG_IP_NF_FILTER is not set
```

```
can't initialize iptables table `filter'
```

Rebuild the kernel using menuconfig, and walk through the networking-related options again. You will find a bunch of options for iptables hidden 4 or 5 levels down the tree.

----------
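The two checks the thread arrives at (grep the kernel config for the netfilter symbols, then see which ones are "not set" or never appear at all because a dependency is off) can be folded into one script. The one below is an added example written for this page, not code from the thread or from Gentoo; the symbol names are the ones shown in the posts above, and the sample config it checks by default is constructed from the zgrep output in the thread. The extra symbol it mentions for fail2ban, `CONFIG_NETFILTER_XT_MATCH_MULTIPORT`, is what fail2ban's default `iptables-multiport` action uses; the wiki checklist the thread points at remains the authoritative list.

```shell
#!/bin/sh
# Hypothetical helper, not from the thread: check a kernel config for the
# netfilter symbols a basic iptables "filter" table needs, and report which
# are off ("# X is not set") or absent (hidden because a dependency is off).

# Symbols needed for "iptables -t filter" to work at all; the thread's fix was
# CONFIG_IP_NF_FILTER. Add what your ruleset uses on top of these, e.g.
# CONFIG_NETFILTER_XT_MATCH_MULTIPORT for fail2ban's default multiport action.
IPTABLES_FILTER_SYMBOLS="CONFIG_NETFILTER CONFIG_NETFILTER_XTABLES CONFIG_IP_NF_IPTABLES CONFIG_IP_NF_FILTER"

# symbol_state CONFIG_FILE SYMBOL -> prints y, m, n (explicitly not set) or
# "absent" (the symbol never appears in the file).
symbol_state() {
    cfg=$1
    sym=$2
    # Anchor on "SYM=" or "# SYM " so CONFIG_NETFILTER does not match CONFIG_NETFILTER_XTABLES.
    line=$(grep -E "^(# )?${sym}( |=)" "$cfg" | head -n 1 || true)
    case "$line" in
        "${sym}=y")            echo y ;;
        "${sym}=m")            echo m ;;
        "# ${sym} is not set") echo n ;;
        "")                    echo absent ;;
        *)                     echo "${line#*=}" ;;   # string/int symbols: print the value
    esac
}

# missing_symbols CONFIG_FILE SYMBOL... -> prints "SYMBOL state" for every
# symbol that is neither built in (y) nor a module (m); returns 0 iff none.
missing_symbols() {
    cfg=$1
    shift
    bad=0
    for sym in "$@"; do
        st=$(symbol_state "$cfg" "$sym")
        case "$st" in
            y|m) ;;
            *) echo "$sym $st"; bad=1 ;;
        esac
    done
    return $bad
}

# Print the running kernel's config: /proc/config.gz needs CONFIG_IKCONFIG_PROC
# (the option in NeddySeagoon's help screen below); fall back to /boot or a given path.
running_kconfig() {
    if [ -r /proc/config.gz ]; then
        zcat /proc/config.gz
    elif [ -r "/boot/config-$(uname -r)" ]; then
        cat "/boot/config-$(uname -r)"
    elif [ -n "$1" ] && [ -r "$1" ]; then
        cat "$1"
    else
        return 1
    fi
}

# Constructed sample (reduced from the zgrep output in the thread) so the script
# runs offline; pass a real .config path as $1 to check that kernel instead.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
CONFIG_NETFILTER=y
CONFIG_NETFILTER_XTABLES=y
# CONFIG_NF_CONNTRACK is not set
CONFIG_IP_NF_IPTABLES=y
# CONFIG_IP_NF_FILTER is not set
# CONFIG_IP_NF_MANGLE is not set
EOF

if [ -n "$1" ] && [ -r "$1" ]; then
    target=$1
else
    target=$sample
fi

if missing_symbols "$target" $IPTABLES_FILTER_SYMBOLS; then
    echo "all iptables filter-table symbols are enabled in $target"
else
    echo "the symbols above are off or absent in $target; enable them in menuconfig (press z to show hidden ones)"
fi
```

Run against the sample it reports `CONFIG_IP_NF_FILTER n`, which is exactly the line szatox picked out; run as `sh check.sh /usr/src/linux/.config` (or with `running_kconfig > /tmp/cfg` first) it checks a real kernel. An `absent` result is the case NeddySeagoon describes: the symbol is hidden in menuconfig until its `Depends on` is satisfied.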

## jesnow

Thank you! 

In fact it's often difficult with kernel parameters to match the instructions with the actual parameters, especially when you're not familiar with that part of the kernel name space. The order and descriptions of the parameters in menuconfig changes fairly often, and that's confusing. A straight up list of "these are the minimum kernel flags that must be set for the following use cases:" followed by the actual kernel flags would be extremely useful. Then a check such as you described with zgrep would be a lot easier to interpret. 

Cheers, 

Jon.

----------

## charles17

*jesnow wrote:*

> A straight up list of "these are the minimum kernel flags that must be set for the following use cases:" followed by the actual kernel flags would be extremely useful.

 

Feel free to add it to the wiki article.

----------

## NeddySeagoon

jesnow,

You can search the hidden CONFIG_ symbols in menuconfig if you show them first. Press z; that's a toggle.

Now / to search will search in hidden symbols too.

When you find one you need, go to it and read the help. In particular, the Depends on:

The Depends on must evaluate to true to enable the symbol you want to be visible.

Here's a trivial example, after pressing z:

```
  │ │    < > Kernel .config support                                          │ │  
  │ │    - -   Enable access to .config through /proc/config.gz              │ │  
```

The - - symbol means forced off. It would be hidden but for the z mode.

The help says:

```
  ┌───────────── Enable access to .config through /proc/config.gz ─────────────┐
  │ CONFIG_IKCONFIG_PROC:                                                      │  
  │                                                                            │  
  │ This option enables access to the kernel configuration file                │  
  │ through /proc/config.gz.                                                   │  
  │                                                                            │  
  │ Symbol: IKCONFIG_PROC [=n]                                                 │  
  │ Type  : boolean                                                            │  
  │ Prompt: Enable access to .config through /proc/config.gz                   │  
  │   Location:                                                                │  
  │     -> General setup                                                       │  
  │       -> Kernel .config support (IKCONFIG [=n])                            │  
  │   Defined at init/Kconfig:802                                              │  
  │   Depends on: IKCONFIG [=n] && PROC_FS [=y]  
```

IKCONFIG [=n] must be on to make Depends on true.

----------

## jesnow

Many thanks! 

iptables did indeed function correctly once I turned on CONFIG_IP_NF_FILTER.

Thanks for the advanced menuconfig -- I had just been using grep and vi, exactly because I couldn't figure this out.

Jon.

----------

