# [Network] Iptables noob problem

## dway

Hi,

I've searched the forum for my problem, I've found this thread, but that does not do the trick for me...

I just don't know iptables at all and I'm following the HOWTO about it on the Wiki. I've built all the necessary options as modules:

```
Core Netfilter Configuration ---->
    [M] Netfilter Xtables support (required for ip_tables)
IP: Netfilter Configuration --->
    [M] IP tables support (required for filtering/masq/NAT)
    [M] Packet Filtering
```

Everything is loaded; lsmod gives:

```
Module                  Size  Used by
snd_seq                49616  0
snd_seq_device          6796  1 snd_seq
snd_pcm_oss            49632  0
snd_mixer_oss          17280  1 snd_pcm_oss
snd_intel8x0           30044  0
snd_ac97_codec         94240  1 snd_intel8x0
snd_ac97_bus            1792  1 snd_ac97_codec
snd_pcm                81992  3 snd_pcm_oss,snd_intel8x0,snd_ac97_codec
snd_timer              21956  2 snd_seq,snd_pcm
snd                    47460  8 snd_seq,snd_seq_device,snd_pcm_oss,snd_mixer_oss,snd_intel8x0,snd_ac97_codec,snd_pcm,snd_timer
soundcore               7776  1 snd
snd_page_alloc          8520  2 snd_intel8x0,snd_pcm
nls_iso8859_1           3840  1
nls_cp437               5440  1
vfat                   11008  1
fat                    49500  1 vfat
iptable_filter          2240  1
ip_tables              11800  1 iptable_filter
x_tables                9988  1 ip_tables
```

And I was trying to begin with the standard set of rules given for noobs.

But when I do an `iptables-restore iptables.new` (my modified file), I get an error on the second rule (I'm trying them one by one):

```
# accept all previously established connections
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
```

it says:

```
iptables-restore: line 13 failed
```

line 13 is the COMMIT line...

There are only the first 2 rules at this point.

Could you explain to me why?

By the way, I have the 'ipv6' USE flag set by default, so iptables has been emerged with that option activated, but I did not activate it in the kernel (I don't know which options to really activate...)

----------

## casso

Hi,

I believe (but could be wrong) that you are missing some modules. I can't remember off the top of my head, but I believe that you need to have the connection tracking module activated and the state module (don't remember its name). Unfortunately I can't get a list for you of modules you might need right now, but you will need to have a few target modules, and a few modules to be inserted (using -m module_name). This will depend on what you really want to filter out, and you will need to experiment and be creative. iptables loads the kernel modules for you, so you shouldn't need to worry too much there. It won't hurt if you build kernel modules you aren't using; lsmod will tell you which ones to keep.

Good luck with it all. iptables is not the easiest tool to use, but it does give you the most control (in my opinion anyway).

----------

## nastasa_andrey

Try compiling all the ip_tables and xtables modules. When you modprobe ip_tables, the missing modules will be loaded automatically. Hope this helps.

----------

## dway

Thanks for the responses, I'll try tomorrow to check everything in the kernel config and remove unused modules according to the lsmod output.

I'll post the results here.

----------

## at240

dway

This isn't really a solution to your problem, but have you considered using something like shorewall as a kind of front-end to iptables? It makes configuration of a powerful firewall much easier than using iptables directly. I'd strongly recommend it if you're finding iptables a bit problematic.

at240

----------

## Jerem

What about "Automatic Modules loading" in the kernel configuration?

This eliminates every "module not loaded" error you could ever have...

Also, you can safely enable all the iptables modules. That does not hurt, as they are loaded only when needed.

----------

## dway

The "Automatic Modules loading" is already checked from previous times, so it's not that (I saw the thread about it before posting, see my first post). But thx for mentioning it ^^

----------

## dway

Yop,

I've tried checking every xtables and iptables module but still have the same problem: the second rule of the HOWTO breaks iptables-restore.

Here is my kernel config in detail:

```
Loadable module support  --->
    [*] Enable loadable module support
    [*]   Module unloading
    [ ]     Forced module unloading
    [ ]   Module versioning support
    [ ]   Source checksum for all modules
    [*]   Automatic kernel module loading
Networking  --->
    --- Networking support
          Networking options  --->
            [ ] Network packet debugging
            <*> Packet socket
            [ ]   Packet socket: mmapped IO
            <*> Unix domain sockets
            < > PF_KEY sockets
            [*] TCP/IP networking
            [*]   IP: multicasting
            [ ]   IP: advanced router
            [ ]   IP: kernel level autoconfiguration
            < >   IP: tunneling
            < >   IP: GRE tunnels over IP
            [ ]   IP: multicast routing
            [ ]   IP: ARP daemon support (EXPERIMENTAL)
            [ ]   IP: TCP syncookie support (disabled per default)
            < >   IP: AH transformation
            < >   IP: ESP transformation
            < >   IP: IPComp transformation
            < >   IP: tunnel transformation
            <*>   INET: socket monitoring interface
            [ ]   TCP: advanced congestion control
                  IP: Virtual Server Configuration  --->
            < >   The IPv6 protocol
            [*] Network packet filtering (replaces ipchains)  --->
                      --- Network packet filtering (replaces ipchains)
                      [ ]   Network packet filtering debugging
                            Core Netfilter Configuration  --->
                                < > Netfilter netlink interface
                                < > Layer 3 Independent Connection tracking (EXPERIMENTAL)
                                <M> Netfilter Xtables support (required for ip_tables)
                                <M>   "CLASSIFY" target support
                                <M>   "MARK" target support
                                <M>   "NFQUEUE" target Support
                                <M>   "comment" match support
                                <M>   "DCCP" protocol match support
                                <M>   "length" match support
                                <M>   "limit" match support
                                <M>   "mac" address match support
                                <M>   "mark" match support
                                <M>   "pkttype" packet type match support
                                <M>   "realm" match support
                                <M>   "sctp" protocol match support
                                <M>   "string" match support
                                <M>   "tcpmss" match support
                            IP: Netfilter Configuration  --->
                                < > Connection tracking (required for masq/NAT)
                                < > IP Userspace queueing via NETLINK (OBSOLETE)
                                <M> IP tables support (required for filtering/masq/NAT)
                                <M>   IP range match support
                                <M>   Multiple port match support
                                <M>   TOS match support
                                <M>   recent match support
                                <M>   ECN match support
                                <M>   DSCP match support
                                <M>   AH/ESP match support
                                <M>   TTL match support
                                <M>   Owner match support
                                <M>   address type match support
                                <M>   hashlimit match support
                                <M>   Packet filtering
                                <M>     REJECT target support
                                <M>   LOG target support
                                <M>   ULOG target support (OBSOLETE)
                                <M>   TCPMSS target support
                                <M>   Packet mangling
                                <M>     TOS target support
                                <M>     ECN target support
                                <M>     DSCP target support
                                <M>     TTL target support
                                <M>   raw table support (required for NOTRACK/TRACE)
                                < > ARP tables support
                  DCCP Configuration (EXPERIMENTAL)  --->
                  SCTP Configuration (EXPERIMENTAL)  --->
                  TIPC Configuration (EXPERIMENTAL)  --->
            < > Asynchronous Transfer Mode (ATM) (EXPERIMENTAL)
            < > 802.1d Ethernet Bridging
            < > 802.1Q VLAN Support
            < > DECnet Support
            < > ANSI/IEEE 802.2 LLC type 2 Support
            < > The IPX protocol
            < > Appletalk protocol support
            < > CCITT X.25 Packet Layer (EXPERIMENTAL)
            < > LAPB Data Link Driver (EXPERIMENTAL)
            [ ] Frame Diverter (EXPERIMENTAL)
            < > Acorn Econet/AUN protocols (EXPERIMENTAL)
            < > WAN router
                  QoS and/or fair queueing  --->
                  Network testing  --->
    [ ]   Amateur Radio support  --->
    < >   IrDA (infrared) subsystem support  --->
    < >   Bluetooth subsystem support  --->
    < >   Generic IEEE 802.11 Networking Stack
```

lsmod gives the same thing as in my first post.

Maybe I forgot to check something in the kernel config?

Thanks for the help.

----------

## step

Hi,

Same problem here.

The http://gentoo-wiki.com/HOWTO_Iptables_for_newbies is not complete.

I started to load those rules manually from the etc/iptables.bak.

Looks like I have a problem with this iptables rule:

```
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
```

So I added all the modules, like you have.

The only difference is:

```
                              <M> Layer 3 Independent Connection tracking (EXPERIMENTAL)
                                     [*]   Connection tracking flow accounting
                                     [*]   Connection mark tracking support
                                     [*]   Connection tracking events (EXPERIMENTAL)
```

Now lsmod shows something else:

```
$  lsmod
Module                  Size  Used by
ipt_REJECT              3712  0
xt_tcpudp               2944  0
nf_conntrack_ipv4       7560  0
xt_state                2048  0
nf_conntrack           41044  2 nf_conntrack_ipv4,xt_state
iptable_filter          2304  0
ip_tables              10456  1 iptable_filter
x_tables                9860  4 ipt_REJECT,xt_tcpudp,xt_state,ip_tables
```

Last edited by step on Mon Aug 21, 2006 12:28 pm; edited 1 time in total

----------

## dway

*bump*

I still have the same problem, no change since last time, I can't understand why...

----------

## step

I also installed kmyfirewall, which needs modules like ip_conntrack_irc, ip_conntrack_ftp and ip_conntrack.

Looks like we also need modules from:

```
      Networking options  --->
      --- Network packet filtering
           IP: Netfilter Configuration  --->
     <M> Connection tracking (required for masq/NAT)
           [*]   Connection tracking flow accounting
             [*]   Connection mark tracking support
             [*]   Connection tracking events (EXPERIMENTAL)
             < >   SCTP protocol connection tracking support (EXPERIMENTAL)
             <M>   FTP protocol support
             <M>   IRC protocol support
             <M>   NetBIOS name service protocol support (EXPERIMENTAL)
             <M>   TFTP protocol support
             < >   Amanda backup protocol support
             <M>   PPTP protocol support
             < >   H.323 protocol support (EXPERIMENTAL)
```

----------

## UgolinoII

Enabling 'advanced routing'

```
Networking options  --->
   [*] TCP/IP networking
      [*] IP: advanced router
```

...unlocks a secret level...

```
[*] Network packet filtering (replaces ipchains)  --->
    Core Netfilter Configuration  --->
        <M> Netfilter Xtables support (required for ip_tables)
            <M>   "state" match support
```

amongst others.

It's taken me a few hours to find that easter egg! Now I'm off to kill Sephiroth with my "make install" summon.

----------

## UgolinoII

My mistake...

It's not "enable advanced routing" at all.

It's <*> Layer 3 Independent Connection tracking (EXPERIMENTAL)

----------
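The thread ends with the cause found by trial and error: `-m state` needs the `xt_state` module, and the "state" match option only appears in menuconfig once connection tracking is enabled, because the Kconfig entry depends on it (dway's config has both "Connection tracking" and "Layer 3 Independent Connection tracking" unset). The error location is also misleading: iptables-restore batches each table and only hands it to the kernel at `COMMIT`, so a rejected rule is reported as the `COMMIT` line (line 13 here), not the rule's own line. The script below is an added example, not posted by anyone in the thread: it extracts the `-m` matches, `-j` targets and `*table` lines from an iptables-restore file, maps them to the kernel module names used on the 2.6.16/2.6.17 kernels of this thread (that mapping, `xt_<match>`, `ipt_<TARGET>`, `iptable_<table>`, is an assumption; names differ on other kernel versions), and diffs the result against an lsmod listing. The rule set and both lsmod listings are constructed from what dway and step posted.

```shell
#!/bin/sh
# Added example (not from the thread): list the netfilter modules an
# iptables-restore ruleset needs and diff that against an lsmod listing.
# The match/target -> module mapping is an ASSUMPTION for the 2.6.16/2.6.17
# kernels in the thread (xt_*, ipt_*, iptable_*); names differ elsewhere.

# Constructed sample ruleset: the newbie HOWTO's opening rules as discussed
# in the thread (the state rule is the one that failed for dway and step).
RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# accept all previously established connections
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT'

# Constructed lsmod output, trimmed to the netfilter lines of dway's first post
LSMOD_DWAY='Module                  Size  Used by
iptable_filter          2240  1
ip_tables              11800  1 iptable_filter
x_tables                9988  1 ip_tables'

# Constructed lsmod output, as in step's post after enabling connection tracking
LSMOD_STEP='Module                  Size  Used by
ipt_REJECT              3712  0
xt_tcpudp               2944  0
nf_conntrack_ipv4       7560  0
xt_state                2048  0
nf_conntrack           41044  2 nf_conntrack_ipv4,xt_state
iptable_filter          2304  0
ip_tables              10456  1 iptable_filter
x_tables                9860  4 ipt_REJECT,xt_tcpudp,xt_state,ip_tables'

# Module implementing an "-m name" match (assumed names, see above)
match_module() {
    case "$1" in
        tcp|udp) echo xt_tcpudp ;;
        *)       echo "xt_$1" ;;
    esac
}

# Module implementing a "-j name" target; the built-in verdicts need none
target_module() {
    case "$1" in
        ACCEPT|DROP|RETURN) ;;
        *) echo "ipt_$1" ;;
    esac
}

# Print the sorted, de-duplicated module set a ruleset needs:
# one iptable_<table> per "*table" line, plus every match and target used.
required_modules() {
    printf '%s\n' "$1" | awk '
        /^\*/ { print "TABLE " substr($1, 2) }
        /^-A/ {
            for (i = 1; i <= NF; i++) {
                if ($i == "-m") print "MATCH " $(i + 1)
                if ($i == "-j") print "TARGET " $(i + 1)
                # "-p tcp --dport N" loads the tcp match without an explicit -m
                if ($i == "-p" && $0 ~ /--[sd]port/) print "MATCH " $(i + 1)
            }
        }' | while read -r kind name; do
            case "$kind" in
                TABLE)  echo "iptable_$name" ;;
                MATCH)  match_module "$name" ;;
                TARGET) target_module "$name" ;;
            esac
        done | LC_ALL=C sort -u
}

# Print the required modules that do not appear in an lsmod listing.
# lsmod only shows what is loaded: a module absent here may still exist on
# disk and be auto-loaded by iptables, or may never have been built at all.
missing_modules() {
    loaded=$(printf '%s\n' "$2" | awk 'NR > 1 { print $1 }')
    for m in $(required_modules "$1"); do
        printf '%s\n' "$loaded" | grep -qx "$m" || echo "$m"
    done
}

echo "needed by the ruleset:";  required_modules "$RULES"
echo "not loaded on dway's box:"; missing_modules "$RULES" "$LSMOD_DWAY"
echo "not loaded on step's box:"; missing_modules "$RULES" "$LSMOD_STEP"
```

On a real box, feed it the actual file and `lsmod` output (`missing_modules "$(cat /etc/iptables.new)" "$(lsmod)"`) and then check each missing name with `modinfo`: a module that `modinfo` cannot find was never built, which is the kernel-config problem this thread is about, whereas one it does find will simply be loaded on demand when the rule is inserted.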

