Several problems installing Netfilter

Rickard Andersson arpen@home.se
Sun, 1 Jul 2001 03:27:36 +0200


Hi!

I'm a linux-newbie, so go easy on me ;)

I've just installed Slackware 7.1 on a computer at home (two nics, one
connected to my ADSL-modem (DHCP)) which I intend to use as a
gateway/firewall and I'm having some problems.

I have been using the "Beta version of IP Masquerade HOWTO v2.00.0610" and I
have been following it very strictly. I have downloaded and compiled the
latest kernel (2.4.5) and the latest Netfilter (1.2.2), but not without
problems.
Here are my questions:

1. The HOWTO recommends that I should download and unpack the kernel in
something like /usr/src/kernel/ and then to download and unpack the
Netfilter source in something like /usr/src/archive/netfilter. I've tried to
do exactly that and then to update the kernel source with the command "make
pending-patches KERNEL_DIR=/usr/src/kernel/linux" and it works, but my
question is why it won't work if I put the kernel source directly in
/usr/src/linux-2.4.5 and update the link /usr/src/linux so that it points to
/usr/src/linux-2.4.5 instead of /usr/src/linux-2.2.16 and then do a "make
pending-patches KERNEL....."? I get the error "make: ***
[/usr/src/linux/include/asm/socket.h] Error 1". This error is discussed in
the HOWTO, but I didn't create the link with a trailing / as the HOWTO
mentions as a possible cause.

I've even tried removing the old kernel source (2.2.16) and the link
(/usr/src/linux) completely and then unpacking the new kernel source
directly into /usr/src/linux/ but I get the same error.

As I said before, it works if I do it exactly as it says in the HOWTO, but
stuff like this can really annoy me for a long time if I don't find out
what's causing it. Being a newbie trying to really understand things and all
;)

2. Well, as I said, I've been able to compile the new kernel with all the
iptables-stuff as modules (as in the HOWTO), but when I execute the
recommended rc.firewall (simple) it doesn't find any of the modules. I
thought they were going to be placed in /lib/modules/2.4.5/ipv4 (like the
ipchains-modules are in 2.2.16), but instead they end up in
/lib/modules/2.4.5/kernel/net/ipv4/netfilter/ (or something like that) where
the system obviously can't find them. I tried moving them to
/lib/modules/2.4.5/ipv4/ and then it works, but why don't they end up there
by default? I guess it's the "make modules_install" that puts them there,
but why? Very confusing for a newbie like myself.

3. Last but definitely not least I'm having problems with the "gatewaying"
itself! I am able to ping both linux box nics from my Windows 2000 box and
to ping the Windows box nic from the linux box (a little confusing there),
but I can't ping an external IP from the Windows box. As I was browsing
through the mailing list I noticed someone with similar problems and someone
else pointed out that he should replace:

/usr/local/sbin/iptables -A FORWARD -j DROP

with

/usr/local/sbin/iptables -A FORWARD -j ALLOW

I think that was it. The user that asked the question answered that this
didn't do the trick for him and I, in all confusion and anger, just did a
fresh install of Slackware 7.1, so I haven't been able to test it myself.

My question is why the HOWTO would recommend using DROP instead of ALLOW if
DROP results in it not working?


Phew! I really hope someone can answer at least some of my questions.
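For readers who hit the same FORWARD-chain question: the following rc.firewall is an added example, not the script from the IP Masquerade HOWTO and not written by the poster. It keeps DROP as the FORWARD chain policy (so anything not explicitly permitted is discarded) and adds the two ACCEPT rules that let the LAN reach the outside and replies come back, plus the MASQUERADE rule on the NAT table; ACCEPT is the iptables target name for letting a packet through. The interface names eth0/eth1, the LAN range 192.168.0.0/24 and the /usr/local/sbin/iptables path are assumptions, and the module names are the standard 2.4-kernel netfilter modules.

```shell
#!/bin/sh
# rc.firewall for a two-NIC gateway: default-deny FORWARD chain, explicit
# allow rules, and masquerading of LAN traffic behind the ADSL address.
# Added example, not from the original post or the HOWTO. Interface names,
# LAN range and iptables path are assumptions; adjust them for the real box.
IPTABLES="${IPTABLES:-/usr/local/sbin/iptables}"  # assumed install path of the userspace tool
EXTIF="${EXTIF:-eth0}"          # assumption: NIC facing the ADSL modem (DHCP side)
INTIF="${INTIF:-eth1}"          # assumption: NIC facing the LAN with the Windows box
LAN="${LAN:-192.168.0.0/24}"    # constructed private range used on the LAN

# run: execute a command, or only print it when DRY_RUN=1 so the rule set can
# be reviewed on a machine without root or without the netfilter modules.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Load the 2.4 netfilter modules. modprobe resolves them through modules.dep,
# so they may stay under /lib/modules/<version>/kernel/net/ipv4/netfilter/.
load_modules() {
    for m in ip_tables iptable_filter iptable_nat ip_conntrack \
             ipt_state ipt_limit ipt_LOG ipt_MASQUERADE; do
        run modprobe "$m"
    done
    # Without this the kernel never forwards between the two NICs at all.
    run sh -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'
}

firewall_rules() {
    # Start from a clean slate in the chains this script manages.
    run "$IPTABLES" -F FORWARD
    run "$IPTABLES" -t nat -F POSTROUTING

    # Default deny: anything not explicitly accepted below is dropped.
    run "$IPTABLES" -P FORWARD DROP

    # Replies to connections the LAN opened may come back in.
    run "$IPTABLES" -A FORWARD -i "$EXTIF" -o "$INTIF" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    # LAN hosts may open new connections towards the outside.
    run "$IPTABLES" -A FORWARD -i "$INTIF" -o "$EXTIF" -s "$LAN" -j ACCEPT
    # Log (rate-limited) what falls through before the DROP policy discards it,
    # so a failing ping from the LAN shows up in the kernel log.
    run "$IPTABLES" -A FORWARD -m limit --limit 3/minute \
        -j LOG --log-prefix "fwd-drop: "

    # Rewrite the source of outgoing LAN traffic to the gateway's dynamic address.
    run "$IPTABLES" -t nat -A POSTROUTING -o "$EXTIF" -j MASQUERADE
}

# Usage: sh rc.firewall show    (print the commands)
#        sh rc.firewall apply   (load modules and install the rules, as root)
case "${1:-}" in
    apply) load_modules; firewall_rules ;;
    show)  DRY_RUN=1; load_modules; firewall_rules ;;
esac
```

Run it with `show` first and compare the printed rules against what `iptables -L FORWARD -v` reports after `apply`; a LAN ping that still fails will then appear as a `fwd-drop:` line in the kernel log, which tells you whether the packet reached the FORWARD chain at all or was lost earlier (routing or ip_forward). Keeping DROP as the policy and whitelisting the two directions is the safer shape than a blanket ACCEPT, because it prevents the gateway from forwarding unsolicited inbound traffic from the ADSL side into the LAN.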