Jake L. Wegman jake@ultrex.com
Mon, 2 Jul 2001 08:56:48 -0500


Good morning Rickard,

Perhaps I can assist you with the 2.4.x kernel issues.

	If you switch from a 2.2.x kernel to a 2.4.x kernel, the source code
directory structure changes as you have noted.  The /usr/include has three
very important links to the source code tree.

For instance, if your kernel source code was unpacked to /usr/src/linux, or
was unpacked to /usr/src/linux-2.4.5 then LINKED to /usr/src/linux, you need
to create three links from /usr/include:

Change directories to /usr/include
	cd /usr/include

Remove the existing links
	rm -rf asm linux scsi

Create NEW links to new source code tree
	ln -s /usr/src/linux/include/asm-i386 asm
	ln -s /usr/src/linux/include/linux linux
	ln -s /usr/src/linux/include/scsi scsi

The second issue you were having was with the modules not installing.  You
will need to upgrade the modutils package.  I'm running the 2.4.5 kernel
with the modutils-2.4.6.  You can find the most recent modutils on
ftp://ftp.kernel.org - go to: /pub/linux/utils/kernel/modutils/v2.4 - I use
modutils-2.4.6.tar.gz

	I unpack the modutils-2.4.6.tar.gz to /usr/src/ (tar zxpf
modutils-2.4.6 creates a directory in /usr/src/ named modutils-2.4.6
automatically) then:
		./configure (read the INSTALL file for configuration items)
		make
		make install

Compile the kernel, then make SURE to run, per the kernel installation document:
	make modules	 	- (this compiles the modules)
	make modules_install	- (this installs the modules)

after the kernel compilation completes - this should correctly install the
modules.

You also need to make sure that the System.map file from the kernel source
directory gets copied to /boot/ along with the kernel.

Also appended is my simple firewall script for a very similar configuration
of a gateway machine - I wish I could give credit to the gentleman who
created this script originally! - the default policy is to DENY everything,
allow all traffic from the internal interfaces etc.
I've remarked some items out that most likely do not apply to you, but might
be of interest - allowing SSH, SMTP and IPSEC to connect to the local
gateway FROM the internet; ALLOWing forward packets of WWW, FTP and port
1327 to internal machines; then DNATing WWW, FTP, and port 1327 to an
internal machine.

Thanks
Jake Wegman
Technology Concepts, Inc.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

#!/bin/sh
# Created 6/20/01
# rc.firewall
#######################################
EXTIP="209.111.222.333"        # placeholder: replace with the gateway's real public address
EXTINT="eth0"                  # external (Internet-facing) interface
INTNET="10.0.0.0/24"           # internal network
INTINT="eth1"                  # internal interface
INTIP="10.0.0.253"             # gateway's own address on the internal network
#
IPTABLES="/usr/local/sbin/iptables"
#
# Turn on routing between the interfaces and reverse-path filtering on all of them
echo 1 > /proc/sys/net/ipv4/ip_forward
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
  for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
    echo 1 > $f
  done
fi
# Flush the filter table, delete user-defined chains and zero the counters
$IPTABLES -F
$IPTABLES -X
$IPTABLES -Z
############################################################################
#
#			* filter table *
$IPTABLES -t filter -F INPUT
$IPTABLES -t filter -P INPUT DROP
$IPTABLES -t filter -A INPUT -m state --state INVALID -j DROP
$IPTABLES -t filter -A INPUT -i $INTINT -m state --state NEW -j ACCEPT
$IPTABLES -t filter -A INPUT -i $EXTINT -p icmp --icmp-type echo-request -j DROP
$IPTABLES -t filter -A INPUT -p tcp -d $EXTIP --dport auth -j REJECT --reject-with tcp-reset
$IPTABLES -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#
#	Allow services in INPUT chain - local services provided by the firewall
#
#$IPTABLES -t filter -A INPUT -m state --state NEW -i $EXTINT -p tcp --dport ssh -j ACCEPT
#$IPTABLES -t filter -A INPUT -m state --state NEW -i $EXTINT -p tcp --dport 25 -j ACCEPT
#
#	Allow in for IPSEC
#
#$IPTABLES -t filter -A INPUT -m state --state NEW -i $EXTINT -p udp --dport 500 -j ACCEPT
#$IPTABLES -t filter -A INPUT -m state --state NEW -i $EXTINT -p 50 -j ACCEPT

$IPTABLES -t filter -A INPUT -i lo -j ACCEPT
$IPTABLES -t filter -A INPUT -i dummy -j ACCEPT
$IPTABLES -t filter -A INPUT -m limit -j LOG
#
$IPTABLES -t filter -F FORWARD
$IPTABLES -t filter -P FORWARD DROP
$IPTABLES -t filter -A FORWARD -m state --state INVALID -j DROP
$IPTABLES -t filter -A FORWARD -i $INTINT -j ACCEPT
#
#	Allow services in FORWARD chain - remote services beyond the firewall
#
#$IPTABLES -t filter -A FORWARD -m state --state NEW -i $EXTINT -p tcp --dport 80 -j ACCEPT
#$IPTABLES -t filter -A FORWARD -m state --state NEW -i $EXTINT -p tcp --dport 1327 -j ACCEPT
#$IPTABLES -t filter -A FORWARD -m state --state NEW -i $EXTINT -p tcp --dport 21 -j ACCEPT
#
$IPTABLES -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -t filter -A FORWARD -j DROP
#
$IPTABLES -t filter -F OUTPUT
$IPTABLES -t filter -P OUTPUT DROP
$IPTABLES -t filter -A OUTPUT -m state --state INVALID -j DROP
$IPTABLES -t filter -A OUTPUT -o $INTINT -d $INTNET -j ACCEPT
$IPTABLES -t filter -A OUTPUT -o $EXTINT -d $INTNET -j DROP
$IPTABLES -t filter -A OUTPUT -o $EXTINT -s $INTNET -j DROP
$IPTABLES -t filter -A OUTPUT -o $EXTINT -p icmp --icmp-type echo-reply -j DROP
$IPTABLES -t filter -A OUTPUT -o $EXTINT -s $EXTIP -j ACCEPT
$IPTABLES -t filter -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -t filter -A OUTPUT -o lo -j ACCEPT
$IPTABLES -t filter -A OUTPUT -o dummy -j ACCEPT
$IPTABLES -t filter -A OUTPUT -m limit -j LOG
############################################################################
#
#			* nat table *
$IPTABLES -t nat -F PREROUTING
$IPTABLES -t nat -F POSTROUTING
$IPTABLES -t nat -F OUTPUT

#	Redirect external traffic to internal resources
#$IPTABLES -t nat -A PREROUTING -p tcp -d $EXTIP --dport www -j DNAT --to 10.0.0.18:80
#$IPTABLES -t nat -A PREROUTING -p tcp -d $EXTIP --dport 1327 -j DNAT --to 10.0.0.196:1327
#$IPTABLES -t nat -A PREROUTING -p tcp -d $EXTIP --dport ftp -j DNAT --to 10.0.0.196:21
#
#	Enables SNAT akin to Masquerading for a STATIC IP network - if dynamic IP, use masq
$IPTABLES -t nat -A POSTROUTING -o $EXTINT -s $INTNET -j SNAT --to $EXTIP

#	Enables internal clients using this gateway to redirect to internal resources
#	(the reply from the internal server must come back through the gateway,
#	hence the SNAT to the gateway's internal address)
#$IPTABLES -t nat -A POSTROUTING -d 10.0.0.18 -s $INTNET -p tcp --dport www -j SNAT --to $INTIP
#$IPTABLES -t nat -A POSTROUTING -d 10.0.0.196 -s $INTNET -p tcp --dport 1327 -j SNAT --to $INTIP
#$IPTABLES -t nat -A POSTROUTING -d 10.0.0.196 -s $INTNET -p tcp --dport ftp -j SNAT --to $INTIP

############################################################################
#
#			* mangle table *
$IPTABLES -t mangle -F PREROUTING
$IPTABLES -t mangle -F OUTPUT
$IPTABLES -t mangle -A OUTPUT -p tcp -s $EXTIP --dport ssh -j TOS --set-tos Minimize-Delay
$IPTABLES -t mangle -A OUTPUT -p tcp -s $EXTIP --dport ftp -j TOS --set-tos Minimize-Delay
$IPTABLES -t mangle -A OUTPUT -p tcp -s $EXTIP --dport www -j TOS --set-tos Minimize-Delay
############################################################################
#
# Connection-tracking and NAT helpers for active FTP
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
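
The "asm/socket.h Error 1" in the original question is what you get when /usr/include/asm still points at the old tree (or at nothing). Here is a small added check-and-relink script for the three links described above; it is not part of the original mail. It assumes an i386 2.4 tree (the asm-i386 directory) and defaults to /usr/src/linux and /usr/include; `ln -sfn` is used because plain `ln -sf` onto an existing directory symlink would create the new link *inside* the old target instead of replacing it.

```shell
#!/bin/sh
# Added example (not from the original mail): verify, and optionally recreate,
# the three /usr/include links a 2.4 i386 kernel build expects.
#   KSRC - kernel source tree   (default /usr/src/linux)
#   INC  - directory holding the links (default /usr/include)
# Usage: sh check-kernel-links.sh [KSRC] [INC] [fix]

# Print the target of a symlink, or an empty string if it is not a symlink.
link_target() {
    if [ -L "$1" ]; then readlink "$1"; else echo ""; fi
}

# Return 0 when asm, linux and scsi in INC point into KSRC/include and the
# header named in the original error (asm/socket.h) is reachable through them.
check_header_links() {
    ksrc=${1:-/usr/src/linux}
    inc=${2:-/usr/include}
    rc=0
    for pair in "asm:asm-i386" "linux:linux" "scsi:scsi"; do
        name=${pair%%:*}
        subdir=${pair#*:}
        want="$ksrc/include/$subdir"
        got=$(link_target "$inc/$name")
        if [ "$got" != "$want" ]; then
            echo "$inc/$name -> '${got:-not a symlink}', expected $want" >&2
            rc=1
        fi
    done
    if [ ! -f "$inc/asm/socket.h" ]; then
        echo "$inc/asm/socket.h not found through the asm link" >&2
        rc=1
    fi
    return $rc
}

# Point the three links into KSRC. -n makes ln replace an existing directory
# symlink rather than creating the new link inside the directory it points at.
make_header_links() {
    ksrc=${1:-/usr/src/linux}
    inc=${2:-/usr/include}
    if [ ! -d "$ksrc/include/asm-i386" ]; then
        echo "$ksrc does not look like a 2.4 i386 kernel source tree" >&2
        return 1
    fi
    ln -sfn "$ksrc/include/asm-i386" "$inc/asm"
    ln -sfn "$ksrc/include/linux"    "$inc/linux"
    ln -sfn "$ksrc/include/scsi"     "$inc/scsi"
}

# With no arguments only the functions are defined (handy when sourced).
if [ $# -gt 0 ]; then
    if [ "${3:-}" = fix ]; then
        make_header_links "$1" "${2:-/usr/include}" || exit 1
    fi
    check_header_links "$1" "${2:-/usr/include}" && echo "header links OK"
fi
```

Run `sh check-kernel-links.sh /usr/src/linux /usr/include` after unpacking a new tree to see exactly which link is stale before the build fails; add `fix` as the third argument to relink.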

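The rc.firewall above applies its rules one `iptables` call at a time, so a typo part-way through leaves the box with policy DROP and a half-built chain. As an added example (my own code, not the script from the mail, and not the HOWTO's), here is the same default-DROP gateway policy written as an `iptables-restore` file, with a text-level sanity check that runs before anything touches the kernel. It assumes an iptables that ships `iptables-restore`; the addresses are constructed placeholders (203.0.113.10 from the documentation range, 10.0.0.18 as the published web server). It goes slightly beyond the mail's script: the DNAT for the web server and the matching "hairpin" SNAT for internal clients are active rather than commented out, the FORWARD accept for it matches the post-DNAT destination (`-d $WEBSRV`) instead of any port 80, and the internal-interface rules also require an internal source address.

```shell
#!/bin/sh
# Added example, not the rc.firewall from the mail: the same default-DROP
# gateway policy as an iptables-restore file plus a pre-load sanity check.
# Assumes iptables-restore is available. Addresses are constructed placeholders.
EXTIP=${EXTIP:-203.0.113.10}   # gateway's public address (documentation range)
EXTINT=${EXTINT:-eth0}         # external interface
INTNET=${INTNET:-10.0.0.0/24}  # internal network
INTINT=${INTINT:-eth1}         # internal interface
INTIP=${INTIP:-10.0.0.253}     # gateway's address on the internal network
WEBSRV=${WEBSRV:-10.0.0.18}    # internal web server published via DNAT

# Emit the ruleset on stdout. Each table is committed as a unit at its COMMIT
# line, so a parse error leaves the old table in place instead of a half-built one.
gen_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m state --state INVALID -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -i $INTINT -s $INTNET -m state --state NEW -j ACCEPT
-A INPUT -i $EXTINT -p icmp --icmp-type echo-request -j DROP
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-input-drop: "
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -i $INTINT -s $INTNET -j ACCEPT
-A FORWARD -i $EXTINT -d $WEBSRV -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "fw-forward-drop: "
-A OUTPUT -m state --state INVALID -j DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o $INTINT -d $INTNET -j ACCEPT
-A OUTPUT -o $EXTINT -s $INTNET -j DROP
-A OUTPUT -o $EXTINT -s $EXTIP -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -d $EXTIP -p tcp --dport 80 -j DNAT --to-destination $WEBSRV:80
-A POSTROUTING -o $EXTINT -s $INTNET -j SNAT --to-source $EXTIP
-A POSTROUTING -o $INTINT -s $INTNET -d $WEBSRV -p tcp --dport 80 -j SNAT --to-source $INTIP
COMMIT
EOF
}

# Two invariants checked on the text before loading: every filter chain's
# policy is DROP, and the only ACCEPT for traffic arriving on the external
# interface is the published web service.
check_ruleset() {
    f=$1
    n=$(grep -cE '^:(INPUT|FORWARD|OUTPUT) DROP' "$f" || true)
    if [ "$n" != 3 ]; then
        echo "check: expected 3 filter chains with policy DROP, found ${n:-0}" >&2
        return 1
    fi
    if grep -F -e "-i $EXTINT" "$f" | grep -F -e "-j ACCEPT" \
         | grep -vF -e "-d $WEBSRV -p tcp --dport 80" | grep -q .; then
        echo "check: unexpected ACCEPT for traffic arriving on $EXTINT" >&2
        return 1
    fi
    return 0
}

# Generate and check; with "apply", load the checked file and enable forwarding.
load_ruleset() {
    tmp=$(mktemp) || return 1
    gen_ruleset > "$tmp"
    rc=0
    if check_ruleset "$tmp"; then
        if [ "${1:-}" = apply ]; then
            iptables-restore < "$tmp" || rc=1
            [ $rc -eq 0 ] && echo 1 > /proc/sys/net/ipv4/ip_forward
        fi
    else
        rc=1
    fi
    rm -f "$tmp"
    return $rc
}

case "${1:-}" in
    show)  gen_ruleset ;;
    check) load_ruleset ;;
    apply) load_ruleset apply ;;
    *)     ;;   # no argument: only define the functions
esac
```

`sh gateway-rules.sh show` prints the file for review, `check` runs the invariants, and `apply` loads it. The check is deliberately textual and conservative: it catches the two mistakes that matter most on a gateway (a chain left at policy ACCEPT, and an ACCEPT from the external side that nobody meant to publish), and it does so before the kernel sees a single rule.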

>  -----Original Message-----
> From: "Rickard Andersson" <arpen@home.se>
> To: <netfilter@lists.samba.org>
> Subject: Several problems installing Netfilter
> Date: Sun, 1 Jul 2001 03:27:36 +0200
> 
> Hi!
> 
> I'm a linux-newbie, so go easy on me ;)
> 
> I've just installed Slackware 7.1 on a computer at home (two nics, one
> connected to my ADSL-modem (DHCP)) which I intend to use as a
> gateway/firewall and I'm having some problems.
> 
> I have been using the "Beta version of IP Masquerade HOWTO v2.00.0610" and
> I have been following it very strictly. I have downloaded and compiled the
> latest kernel (2.4.5) and the latest Netfilter (1.2.2), but not without
> problems. Here are my questions:
> 
> 1. The HOWTO recommends that I should download and unpack the kernel in
> something like /usr/src/kernel/ and then to download and unpack the
> Netfilter source in something like /usr/src/archive/netfilter. I've tried
> to do exactly that and then to update the kernel source with the command
> "make pending-patches KERNEL_DIR=/usr/src/kernel/linux" and it works, but my
> question is why it won't work if I put the kernel source directly in
> /usr/src/linux-2.4.5 and update the link /usr/src/linux so that it points
> to /usr/src/linux-2.4.5 instead of /usr/src/linux-2.2.16 and then do a "make
> pending-patches KERNEL....."? I get the error "make: ***
> [/usr/src/linux/include/asm/socket.h] Error 1". This error is discussed in
> the HOWTO, but I didn't create the link with a trailing / as the HOWTO
> mentions as a possible .
> 
> I've even tried removing the old kernel source (2.2.16) and the link
> (/usr/src/linux) completely and then unpacking the new kernel source
> directly into /usr/src/linux/ but I get the same error.
> 
> As I said before, it works if I do it exactly as it says in the HOWTO, but
> stuff like this can really annoy me for a long time if I don't find out
> what's causing it. Being a newbie trying to really understand things and
> all ;)
> 
> 2. Well, as I said, I've been able to compile the new kernel with all the
> iptables-stuff as modules (as in the HOWTO), but when I execute the
> recommended rc.firewall (simple) it doesn't find any of the modules. I
> thought they were going to be placed in /lib/modules/2.4.5/ipv4 (like the
> ipchains-modules are in 2.2.16), but instead they end up in
> /lib/modules/2.4.5/kernel/net/ipv4/netfilter/ (or something like that)
> where the system obviously can't find them. I tried moving them to
> /lib/modules/2.4.5/ipv4/ and then it works, but why don't they end up
> there by default? I guess it's the "make modules_install" that puts them
> there, but why? Very confusing for a newbie like myself.
> 
> 3. Last but definitely not least I'm having problems with the "gatewaying"
> itself! I am able to ping both linux box nics from my Windows 2000 box and
> to ping the Windows box nic from the linux box (a little confusing there),
> but I can't ping an external IP from the Windows box. As I was browsing
> through the mailing list I noticed someone with similar problems and
> someone else pointed out that he should replace:
> 
> /usr/local/sbin/iptables -A FORWARD -j DROP
> 
> with
> 
> /usr/local/sbin/iptables -A FORWARD -j ALLOW
> 
> I think that was it. The user that asked the question answered that this
> didn't do the trick for him and I, in all confusion and anger, just did a
> fresh install of Slackware 7.1, so I haven't been able to test it myself.
> 
> My question is why the HOWTO would recommend using DROP instead of ALLOW
> if DROP results in it not working?
> 
> 
> Phew! I really hope someone can answer at least some of my questions.
> 
> 
> 