# Ip_tables module in 2.6.21 not loading [SOLVED]

## ufoq

Since yesterday I've been trying to get iptables working on 2.6.21. I've tried all the options in menuconfig: building them into the kernel, building them as modules, and a mix of both.

Now situation is that when I try to modprobe ip_tables I receive:

FATAL: Error inserting ip_tables (/lib/modules/2.6.21-gentoo-r4/kernel/net/ipv4/netfilter/ip_tables.ko): Invalid module format

Here is my emerge --info :

```
Portage 2.1.2.9 (default-linux/x86/2007.0, gcc-4.1.2, glibc-2.5-r4, 2.6.21-gentoo-r4 i686)

=================================================================

System uname: 2.6.21-gentoo-r4 i686 AMD Athlon(tm) XP 2500+

Gentoo Base System release 1.12.9

Timestamp of tree: Thu, 26 Jul 2007 06:20:01 +0000

dev-java/java-config: 1.2.11

dev-lang/python:     2.3.5-r2, 2.4.3-r1

dev-python/pycrypto: 2.0.1-r5

sys-apps/sandbox:    1.2.17

sys-devel/autoconf:  2.13, 2.61

sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r1, 1.10

sys-devel/binutils:  2.17

sys-devel/gcc-config: 1.3.16

sys-devel/libtool:   1.5.23b

virtual/os-headers:  2.6.21

ACCEPT_KEYWORDS="x86"

AUTOCLEAN="yes"

CBUILD="i686-pc-linux-gnu"

CFLAGS="-march=athlon-xp -O2 -fomit-frame-pointer"

CHOST="i686-pc-linux-gnu"

CONFIG_PROTECT="/etc /usr/lib/fax /var/bind /var/spool/fax/etc"

CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/php/apache1-php4/ext-active/ /etc/php/apache1-php5/ext-active/ /etc/php/apache2-php4/ext-active/ /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php4/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php4/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/terminfo"

CXXFLAGS="-march=athlon-xp -O2 -fomit-frame-pointer"

DISTDIR="/usr/portage/distfiles"

FEATURES="distlocks metadata-transfer sandbox sfperms strict"

GENTOO_MIRRORS="ftp://sunsite.informatik.rwth-aachen.de/pub/Linux/gentoo http://linux.rz.ruhr-uni-bochum.de/download/gentoo-mirror/ ftp://linux.rz.ruhr-uni-bochum.de/gentoo-mirror/ http://ftp.uni-erlangen.de/pub/mirrors/gentoo http://gentoo.zie.pg.gda.pl http://gentoo.po.opole.pl ftp://gentoo.po.opole.pl ftp://mirror.icis.pcz.pl/gentoo/"

LINGUAS="pl"

MAKEOPTS="-j2"

PKGDIR="/usr/portage/packages"

PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*"

PORTAGE_TMPDIR="/var/tmp"

PORTDIR="/usr/portage"

SYNC="rsync://rsync.de.gentoo.org/gentoo-portage"

USE="3dnow acl apache2 avi berkdb bitmap-fonts cli cracklib crypt cups dri dv encode fbcon fortran gd gdbm gpm iconv imap isdnlog libg++ maildir midi mmx mudflap mysql ncurses nls nptl nptlonly openmp pam pcre perl pppd python qt readline reflection samba session spl sse ssl tcpd truetype-fonts type1-fonts unicode userlocales winbind x86 xorg xvid zip zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1 emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" ELIBC="glibc" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="pl" USERLAND="GNU" VIDEO_CARDS="apm ark chips cirrus cyrix dummy fbdev glint i128 i740 i810 imstt mach64 mga neomagic nsc nv r128 radeon rendition s3 s3virge savage siliconmotion sis sisusb tdfx tga trident tseng v4l vesa vga via vmware voodoo"

Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY
```

Last edited by ufoq on Fri Jul 27, 2007 9:50 am; edited 1 time in total

----------

## Rob1n

Is there anything printed in dmesg about this?  The error messages from modprobe tend to be rather unhelpful.

----------

## ufoq

ip_tables: exports duplicate symbol ipt_do_table (owned by kernel)

----------

## Rob1n

Looks like you have iptables compiled into the kernel already.  What does "iptables -L" give you?

----------

## ufoq

 *Rob1n wrote:*   

> Looks like you have iptables compiled into the kernel already.  What does "iptables -L" give you?

 

Chain INPUT (policy ACCEPT)

target     prot opt source               destination

Chain FORWARD (policy ACCEPT)

target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)

target     prot opt source               destination

This is without GShield running.

When it is loaded, I can't, for example, ping my internal network (Operation not permitted)... but I haven't changed anything in the GShield configuration files.

----------

## Rob1n

Yep - it's built into the kernel, so the module must be left over from a previous build.  It may be worth removing the /lib/modules/2.6.21-gentoo-r4 directory and rerunning "make modules_install" from /usr/src/linux to clear up any other old modules.

----------

## ufoq

Hmm..

GShield causes a kernel panic a couple of seconds after it starts...

so I've typed in standard iptables example from Gentoo Handbook.

Now iptables -L gives me this:

Chain INPUT (policy ACCEPT)

target     prot opt source               destination

ACCEPT     all  --  anywhere             anywhere

ACCEPT     all  --  anywhere             anywhere

REJECT     udp  --  anywhere             anywhere            udp dpt:bootps reject-with icmp-port-unreachable

REJECT     udp  --  anywhere             anywhere            udp dpt:domain reject-with icmp-port-unreachable

ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh

DROP       tcp  --  anywhere             anywhere            tcp dpts:0:1023

DROP       udp  --  anywhere             anywhere            udp dpts:0:1023

Chain FORWARD (policy DROP)

target     prot opt source               destination

/etc/host.conf: line 24: bad command `mdns off'

DROP       all  --  anywhere             192.168.35.0/24

ACCEPT     all  --  192.168.35.0/24      anywhere

ACCEPT     all  --  anywhere             192.168.35.0/24

Chain OUTPUT (policy ACCEPT)

target     prot opt source               destination

But NAT doesn't work...

----------

## Rob1n

What's the output of "iptables -t nat -L -n -v"?

----------

## ufoq

 *Rob1n wrote:*   

> What's the output of "iptables -t nat -L -n -v"?

 

Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)

 pkts bytes target     prot opt in     out     source               destination 

Chain POSTROUTING (policy ACCEPT 58 packets, 5226 bytes)

 pkts bytes target     prot opt in     out     source               destination 

   15   900 MASQUERADE  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0  

Chain OUTPUT (policy ACCEPT 73 packets, 6126 bytes)

 pkts bytes target     prot opt in     out     source               destination

----------

## Rob1n

Well that looks okay, so exactly where is it going wrong?  What are you trying to do using NAT that's failing?

----------

## ufoq

 *Rob1n wrote:*   

> Well that looks okay, so exactly where is it going wrong?  What are you trying to do using NAT that's failing?

 

Just standard internet access, as before upgrading that freaking kernel....

Traceroute's stop on the gateway...

This is my lsmod:

Module                  Size  Used by

ipt_MASQUERADE          2496  1

iptable_nat             6084  1

nf_nat                 15020  2 ipt_MASQUERADE,iptable_nat

nf_conntrack_ipv4      13580  2 iptable_nat

nf_conntrack           50776  4 ipt_MASQUERADE,iptable_nat,nf_nat,nf_conntrack_ipv4

nfnetlink               4888  3 nf_nat,nf_conntrack_ipv4,nf_conntrack

snd_seq_oss            28672  0

snd_seq_midi_event      6144  1 snd_seq_oss

snd_seq                45392  4 snd_seq_oss,snd_seq_midi_event

snd_seq_device          6476  2 snd_seq_oss,snd_seq

snd_pcm_oss            38688  0

snd_pcm                69192  1 snd_pcm_oss

snd_timer              18948  2 snd_seq,snd_pcm

snd_page_alloc          7432  1 snd_pcm

snd_mixer_oss          14016  1 snd_pcm_oss

snd                    43300  7 snd_seq_oss,snd_seq,snd_seq_device,snd_pcm_oss,snd_pcm,snd_timer,snd_mixer_oss

i2c_nforce2             4672  0

i2c_core               17040  1 i2c_nforce2

----------

## Rob1n

Ah - okay, looks like there's a problem with your forward rules then.  What's the output of "iptables -L -n -v"?

----------

## ufoq

 *Rob1n wrote:*   

> Ah - okay, looks like there's a problem with your forward rules then.  What's the output of "iptables -L -n -v"?

 

Chain INPUT (policy ACCEPT 1007 packets, 75957 bytes)

 pkts bytes target     prot opt in     out     source               destination 

   64  5756 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0   

 2041  243K ACCEPT     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0   

   27  9112 REJECT     udp  --  !eth1  *       0.0.0.0/0            0.0.0.0/0           udp dpt:67 reject-with icmp-port-unreachable

    0     0 REJECT     udp  --  !eth1  *       0.0.0.0/0            0.0.0.0/0           udp dpt:53 reject-with icmp-port-unreachable

   31  2280 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22

    9   536 DROP       tcp  --  !eth1  *       0.0.0.0/0            0.0.0.0/0           tcp dpts:0:1023

  547 66374 DROP       udp  --  !eth1  *       0.0.0.0/0            0.0.0.0/0           udp dpts:0:1023

Chain FORWARD (policy DROP 910 packets, 44018 bytes)

 pkts bytes target     prot opt in     out     source               destination 

    0     0 DROP       all  --  eth1   *       0.0.0.0/0            192.168.35.0/24

 2823  142K ACCEPT     all  --  eth1   *       192.168.35.0/24      0.0.0.0/0   

    0     0 ACCEPT     all  --  eth0   *       0.0.0.0/0            192.168.35.0/24

Chain OUTPUT (policy ACCEPT 2129 packets, 436K bytes)

 pkts bytes target     prot opt in     out     source               destination

----------

## Rob1n

It looks like you're missing the rules to accept responses to your outgoing traffic:

```

# Accept replies to connections that this host or its NATed clients opened.
# "-I" without an index inserts at position 1, so these rules take precedence
# over every REJECT/DROP rule that already sits in the chain.
for chain in INPUT FORWARD; do
    iptables -I "$chain" -m state --state ESTABLISHED,RELATED -j ACCEPT
done

```

----------

## ufoq

Still doesn't work.......I have no clue what's wrong.

Included part of .config regarding Netfilter

```

#

# Core Netfilter Configuration

#

CONFIG_NETFILTER_NETLINK=m

CONFIG_NETFILTER_NETLINK_QUEUE=m

CONFIG_NETFILTER_NETLINK_LOG=m

CONFIG_NF_CONNTRACK_ENABLED=m

CONFIG_NF_CONNTRACK_SUPPORT=y

# CONFIG_IP_NF_CONNTRACK_SUPPORT is not set

CONFIG_NF_CONNTRACK=m

CONFIG_NF_CT_ACCT=y

CONFIG_NF_CONNTRACK_MARK=y

CONFIG_NF_CONNTRACK_EVENTS=y

CONFIG_NF_CT_PROTO_GRE=m

# CONFIG_NF_CT_PROTO_SCTP is not set

CONFIG_NF_CONNTRACK_AMANDA=m

CONFIG_NF_CONNTRACK_FTP=m

# CONFIG_NF_CONNTRACK_H323 is not set

CONFIG_NF_CONNTRACK_IRC=m

# CONFIG_NF_CONNTRACK_NETBIOS_NS is not set

CONFIG_NF_CONNTRACK_PPTP=m

# CONFIG_NF_CONNTRACK_SANE is not set

# CONFIG_NF_CONNTRACK_SIP is not set

CONFIG_NF_CONNTRACK_TFTP=m

# CONFIG_NF_CT_NETLINK is not set

CONFIG_NETFILTER_XTABLES=y

CONFIG_NETFILTER_XT_TARGET_CLASSIFY=m

CONFIG_NETFILTER_XT_TARGET_CONNMARK=m

CONFIG_NETFILTER_XT_TARGET_DSCP=m

CONFIG_NETFILTER_XT_TARGET_MARK=m

CONFIG_NETFILTER_XT_TARGET_NFQUEUE=m

CONFIG_NETFILTER_XT_TARGET_NFLOG=m

CONFIG_NETFILTER_XT_TARGET_NOTRACK=m

CONFIG_NETFILTER_XT_TARGET_TCPMSS=m

CONFIG_NETFILTER_XT_MATCH_COMMENT=m

CONFIG_NETFILTER_XT_MATCH_CONNBYTES=m

CONFIG_NETFILTER_XT_MATCH_CONNMARK=m

CONFIG_NETFILTER_XT_MATCH_CONNTRACK=m

CONFIG_NETFILTER_XT_MATCH_DCCP=m

CONFIG_NETFILTER_XT_MATCH_DSCP=m

CONFIG_NETFILTER_XT_MATCH_ESP=m

CONFIG_NETFILTER_XT_MATCH_HELPER=m

CONFIG_NETFILTER_XT_MATCH_LENGTH=m

CONFIG_NETFILTER_XT_MATCH_LIMIT=m

CONFIG_NETFILTER_XT_MATCH_MAC=m

CONFIG_NETFILTER_XT_MATCH_MARK=m

CONFIG_NETFILTER_XT_MATCH_POLICY=m

CONFIG_NETFILTER_XT_MATCH_MULTIPORT=m

CONFIG_NETFILTER_XT_MATCH_PKTTYPE=m

CONFIG_NETFILTER_XT_MATCH_QUOTA=m

CONFIG_NETFILTER_XT_MATCH_REALM=m

CONFIG_NETFILTER_XT_MATCH_SCTP=m

CONFIG_NETFILTER_XT_MATCH_STATE=m

CONFIG_NETFILTER_XT_MATCH_STATISTIC=m

CONFIG_NETFILTER_XT_MATCH_STRING=m

CONFIG_NETFILTER_XT_MATCH_TCPMSS=m

CONFIG_NETFILTER_XT_MATCH_HASHLIMIT=m

#

# IP: Netfilter Configuration

#

CONFIG_NF_CONNTRACK_IPV4=m

CONFIG_NF_CONNTRACK_PROC_COMPAT=y

# CONFIG_IP_NF_QUEUE is not set

CONFIG_IP_NF_IPTABLES=m

CONFIG_IP_NF_MATCH_IPRANGE=m

CONFIG_IP_NF_MATCH_TOS=m

CONFIG_IP_NF_MATCH_RECENT=m

CONFIG_IP_NF_MATCH_ECN=m

CONFIG_IP_NF_MATCH_AH=m

CONFIG_IP_NF_MATCH_TTL=m

CONFIG_IP_NF_MATCH_OWNER=m

CONFIG_IP_NF_MATCH_ADDRTYPE=m

CONFIG_IP_NF_FILTER=m

CONFIG_IP_NF_TARGET_REJECT=m

CONFIG_IP_NF_TARGET_LOG=m

CONFIG_IP_NF_TARGET_ULOG=m

CONFIG_NF_NAT=m

CONFIG_NF_NAT_NEEDED=y

CONFIG_IP_NF_TARGET_MASQUERADE=m

CONFIG_IP_NF_TARGET_REDIRECT=m

CONFIG_IP_NF_TARGET_NETMAP=m

CONFIG_IP_NF_TARGET_SAME=m

# CONFIG_NF_NAT_SNMP_BASIC is not set

CONFIG_NF_NAT_PROTO_GRE=m

CONFIG_NF_NAT_FTP=m

CONFIG_NF_NAT_IRC=m

CONFIG_NF_NAT_TFTP=m

CONFIG_NF_NAT_AMANDA=m

CONFIG_NF_NAT_PPTP=m

# CONFIG_NF_NAT_H323 is not set

# CONFIG_NF_NAT_SIP is not set

CONFIG_IP_NF_MANGLE=m

CONFIG_IP_NF_TARGET_TOS=m

CONFIG_IP_NF_TARGET_ECN=m

CONFIG_IP_NF_TARGET_TTL=m

# CONFIG_IP_NF_TARGET_CLUSTERIP is not set

CONFIG_IP_NF_RAW=m

CONFIG_IP_NF_ARPTABLES=m

CONFIG_IP_NF_ARPFILTER=m

CONFIG_IP_NF_ARP_MANGLE=m

```

----------

## Rob1n

Which modules are actually loaded?  Can you post the output of "lsmod"?

----------

## ufoq

Situation for now:

1. I've applied .config options suggested here:

http://groups.google.co.uk/group/linux.debian.user.french/browse_thread/thread/c80ebb160ff19406/f350d67409f80c10?lnk=st&q=iptables+2.6.21&rnum=5&hl=en#f350d67409f80c10

2. after 'make clean bzImage modules install modules_install', and rebooting, and trying to launch 'modprobe ip_tables' or 'modprobe x_tables' we have:

WARNING: Error inserting x_tables (/lib/modules/2.6.21-gentoo-r4/kernel/net/netfilter/x_tables.ko): Invalid module format

FATAL: Error inserting ip_tables (/lib/modules/2.6.21-gentoo-r4/kernel/net/ipv4/netfilter/ip_tables.ko): Invalid module format

Which give us details in dmesg:

x_tables: exports duplicate symbol xt_free_table_info (owned by kernel)

ip_tables: exports duplicate symbol ipt_do_table (owned by kernel)

And ip_tables won't load.

I have to mention, that I've updated the kernel from version 2.6.11, including new headers, new gcc and glibc.

Ah, and lsmod:

Module                  Size  Used by

ipt_MASQUERADE          2496  1

xt_state                1984  2

iptable_nat             6084  1

nf_nat                 15020  2 ipt_MASQUERADE,iptable_nat

nf_conntrack_ipv4      13324  4 iptable_nat

nf_conntrack           48648  5 ipt_MASQUERADE,xt_state,iptable_nat,nf_nat,nf_conntrack_ipv4

nfnetlink               4888  3 nf_nat,nf_conntrack_ipv4,nf_conntrack

snd_seq_oss            28672  0

snd_seq_midi_event      6144  1 snd_seq_oss

snd_seq                45392  4 snd_seq_oss,snd_seq_midi_event

snd_seq_device          6476  2 snd_seq_oss,snd_seq

snd_pcm_oss            38688  0

snd_pcm                69192  1 snd_pcm_oss

snd_timer              18948  2 snd_seq,snd_pcm

snd_page_alloc          7432  1 snd_pcm

snd_mixer_oss          14016  1 snd_pcm_oss

snd                    43300  7 snd_seq_oss,snd_seq,snd_seq_device,snd_pcm_oss,snd_pcm,snd_timer,snd_mixer_oss

i2c_nforce2             4672  0

i2c_core               17040  1 i2c_nforce2

----------

## Rob1n

 *ufoq wrote:*   

> Situation for now:
> 
> 1. I've applied .config options suggested here:
> 
> http://groups.google.co.uk/group/linux.debian.user.french/browse_thread/thread/c80ebb160ff19406/f350d67409f80c10?lnk=st&q=iptables+2.6.21&rnum=5&hl=en#f350d67409f80c10
> ...

 

Okay - looks reasonable.

 *Quote:*   

> 
> 
> 2. after 'make clean bzImage modules install modules_install', and rebooting, and trying to launch 'modprobe ip_tables' or 'modprobe x_tables' we have:
> 
> WARNING: Error inserting x_tables (/lib/modules/2.6.21-gentoo-r4/kernel/net/netfilter/x_tables.ko): Invalid module format
> ...

 

These are both built-in to the kernel so won't load.  To clean up any redundant modules I'd suggest doing:

```

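# Remove the stale module tree for this kernel version, then reinstall the
# modules from the current source tree so that only modules matching the new
# .config remain. Between the rm and the install nothing under
# /lib/modules/2.6.21-gentoo-r4 is available to modprobe.
# NOTE(review): this installs from whatever /usr/src/linux points at -
# confirm that symlink is the 2.6.21-gentoo-r4 tree before running.
rm -rf /lib/modules/2.6.21-gentoo-r4
# Chain with && so a failed cd does not run modules_install in the wrong
# directory.
cd /usr/src/linux && make modules_install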

```

The modules all look okay.  Can you post the iptables rules you're actually applying?

----------

## ufoq

 *Quote:*   

> 
> 
> These are both built-in to the kernel so won't load.  To clean up any redundant modules I'd suggest doing:
> 
> ```
> ...

 

I've done this couple of times. Did it now, with no effect.

 *Quote:*   

> 
> 
> The modules all look okay.  Can you post the iptables rules you're actually applying?

 

Sure:

```

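# Start from a clean filter and nat table: flush every chain, then delete any
# user-defined chains that earlier tooling (e.g. GShield) may have left
# behind, so the rules below are the only ones in effect.
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X

# Default policies: only forwarding is denied unless explicitly allowed.
# NOTE(review): INPUT stays ACCEPT and the DROP rules below cover only ports
# 0:1023, so any service listening above port 1023 remains reachable from
# ${WAN}.
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

export LAN=eth1
export WAN=eth0

# Trust loopback and the LAN interface unconditionally. Both are inserted at
# position 1, so after these two lines the chain order is: lo, then ${LAN}.
iptables -I INPUT 1 -i ${LAN} -j ACCEPT
iptables -I INPUT 1 -i lo -j ACCEPT

# Refuse DHCP (bootps) and DNS (domain) requests that do not arrive on the
# LAN. "-i ! ${LAN}" is the old negation spelling; newer iptables releases
# expect "! -i ${LAN}".
iptables -A INPUT -p UDP --dport bootps -i ! ${LAN} -j REJECT
iptables -A INPUT -p UDP --dport domain -i ! ${LAN} -j REJECT

# SSH is the only privileged-port service exposed on the WAN side.
iptables -A INPUT -p TCP --dport ssh -i ${WAN} -j ACCEPT

# Drop everything else aimed at privileged ports from non-LAN interfaces.
iptables -A INPUT -p TCP -i ! ${LAN} -d 0/0 --dport 0:1023 -j DROP
iptables -A INPUT -p UDP -i ! ${LAN} -d 0/0 --dport 0:1023 -j DROP

# Forwarding: LAN clients may go out, and WAN traffic addressed to the LAN
# subnet is let through.
# NOTE(review): the second ACCEPT matches any WAN-originated packet for the
# LAN subnet, not only replies; the ESTABLISHED,RELATED rule inserted below
# already covers return traffic, so this is broader than NAT needs.
#iptables -I FORWARD -i ${LAN} -d 192.168.35.0/255.255.255.0 -j DROP
iptables -A FORWARD -i ${LAN} -s 192.168.35.0/255.255.255.0 -j ACCEPT
iptables -A FORWARD -i ${WAN} -d 192.168.35.0/255.255.255.0 -j ACCEPT

# Masquerade outbound traffic behind the WAN address.
iptables -t nat -A POSTROUTING -o ${WAN} -j MASQUERADE

# Accept replies to established connections. Inserted at position 1 so they
# precede the REJECT/DROP rules above and replies to outbound connections are
# never rejected.
iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -I FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Turn routing on only now that the FORWARD rules are in place, and enable
# reverse-path filtering on every interface as a basic anti-spoofing check.
echo 1 > /proc/sys/net/ipv4/ip_forward
for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 1 > $f ; done

# Persist the live ruleset and reload it through the init script.
/etc/init.d/iptables save
/etc/init.d/iptables reload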

```

----------

## Rob1n

 *ufoq wrote:*   

>  *Quote:*   
> 
> These are both built-in to the kernel so won't load.  To clean up any redundant modules I'd suggest doing:
> 
> ```
> ...

 

You shouldn't be able to "modprobe ip_tables" now - it should report that the module is not found.  If you're still getting the same error message as before then you're not actually running your new kernel - you need to check where your /boot/grub/grub.conf file is pointing.

The rules look okay to me.  All I can suggest is adding some logging rules to try to track down where things are going wrong:

```

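# Same ruleset as before, with a LOG rule in front of every REJECT/DROP and a
# catch-all LOG at the end of FORWARD, so the system log shows which rule is
# discarding traffic. LOG is non-terminating: the REJECT/DROP that follows
# each LOG rule is still what discards the packet. Every LOG rule is
# rate-limited with "-m limit" so a burst of unwanted traffic cannot fill the
# system log.

# Flush both tables and delete any leftover user-defined chains (e.g. from
# GShield) so only the rules below are in effect.
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X

# Default policies: only forwarding is denied unless explicitly allowed.
# NOTE(review): INPUT stays ACCEPT and the DROP rules below cover only ports
# 0:1023, so services listening above port 1023 remain reachable from ${WAN}.
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

export LAN=eth1
export WAN=eth0

# Trust loopback and the LAN interface unconditionally (lo ends up first).
iptables -I INPUT 1 -i ${LAN} -j ACCEPT
iptables -I INPUT 1 -i lo -j ACCEPT

# Refuse DHCP and DNS requests that do not arrive on the LAN, logging each.
# "-i ! ${LAN}" is the old negation spelling; newer iptables expects
# "! -i ${LAN}".
iptables -A INPUT -p UDP --dport bootps -i ! ${LAN} -m limit --limit 10/min -j LOG --log-prefix REJECT_BOOTPS
iptables -A INPUT -p UDP --dport bootps -i ! ${LAN} -j REJECT
iptables -A INPUT -p UDP --dport domain -i ! ${LAN} -m limit --limit 10/min -j LOG --log-prefix REJECT_DOMAIN
iptables -A INPUT -p UDP --dport domain -i ! ${LAN} -j REJECT

# SSH is the only privileged-port service exposed on the WAN side.
iptables -A INPUT -p TCP --dport ssh -i ${WAN} -j ACCEPT

# Drop (and log) everything else aimed at privileged ports from non-LAN
# interfaces.
iptables -A INPUT -p TCP -i ! ${LAN} -d 0/0 --dport 0:1023 -m limit --limit 10/min -j LOG --log-prefix DROP_TCP
iptables -A INPUT -p TCP -i ! ${LAN} -d 0/0 --dport 0:1023 -j DROP
iptables -A INPUT -p UDP -i ! ${LAN} -d 0/0 --dport 0:1023 -m limit --limit 10/min -j LOG --log-prefix DROP_UDP
iptables -A INPUT -p UDP -i ! ${LAN} -d 0/0 --dport 0:1023 -j DROP

# Forwarding: LAN clients may go out, WAN traffic for the LAN subnet is let
# through.
# NOTE(review): the WAN->LAN ACCEPT matches any packet for the subnet, not only
# replies; the ESTABLISHED,RELATED rule below already covers return traffic.
#iptables -I FORWARD -i ${LAN} -d 192.168.35.0/255.255.255.0 -j LOG --log-prefix DROP_LAN
#iptables -I FORWARD -i ${LAN} -d 192.168.35.0/255.255.255.0 -j DROP
iptables -A FORWARD -i ${LAN} -s 192.168.35.0/255.255.255.0 -j ACCEPT
iptables -A FORWARD -i ${WAN} -d 192.168.35.0/255.255.255.0 -j ACCEPT

# Masquerade outbound traffic behind the WAN address.
iptables -t nat -A POSTROUTING -o ${WAN} -j MASQUERADE

# Accept replies to established connections, at position 1 of each chain so
# they precede the REJECT/DROP rules above.
iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -I FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Catch-all: anything that reaches the end of FORWARD is logged here and then
# discarded by the chain's DROP policy. The option is --log-prefix; a bare
# --log is not an iptables option and the original line would have failed.
iptables -A FORWARD -m limit --limit 10/min -j LOG --log-prefix DROP_FORWARD

# Turn routing on only after the FORWARD rules are in place, and enable
# reverse-path filtering on every interface as a basic anti-spoofing check.
echo 1 > /proc/sys/net/ipv4/ip_forward
for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 1 > $f ; done

# Persist the live ruleset and reload it through the init script.
/etc/init.d/iptables save
/etc/init.d/iptables reload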

```

This should log all dropped/rejected packets to the system log.  This should at least make it clear which rule is causing the problem.

----------

## ufoq

Everything works now....

I don't know why, but I had a /boot folder on the root partition, and that is where I was installing the kernel.

After I noticed there was no grub subfolder, I mounted /boot from the real boot partition, installed the kernel, and voilà...

I'm officially the most stupid person using Gentoo  :Wink: 

Rob1n - many thanx for your help, I owe you one.

Last edited by ufoq on Fri Jul 27, 2007 9:42 am; edited 1 time in total

----------

## Rob1n

What are the results of "ls -l /boot" and "cat /boot/grub/grub.conf"?

----------

## ufoq

 *Rob1n wrote:*   

> What are the results of "ls -l /boot" and "cat /boot/grub/grub.conf"?

 

Already thought of it. It was the clue.

----------

## Rob1n

 *ufoq wrote:*   

> Everything works now....
> 
> I don't know why, but I've had \boot folder on the main partition, to which I was installing kernel
> 
> After I saw no grub subfolder, I mounted \boot from real boot partition, installed kernel and voila...
> ...

 

Hehe - don't worry, I've done the same thing myself many times (and forgotten to mount the /boot partition before emerging a grub update).

----------

