Trouble installing netfilter/iptables (long)

Ms. Geekgirl geekgirl@antionline.org
Tue, 10 Jul 2001 11:14:55 -0700


My apologies if this is too long for the list.

This is my first attempt at working with netfilter/iptables. Is there
a document that lists what software that must be loaded in order for
me to compile and install iptables properly?

The patch fails repeatedly, but doesn't tell me why. I've read through
many documents, but could not find any info that would clue a clueless
admin (that would be me) as to what was wrong and where to look next.

I've been able to strip down my system and compile my kernel (many times)
and have been able to work through any of the errors that I've received,
but for all I know, I may have stripped down my system just a little
too much.

Once I had a stable kernel, which consisted of no modules (I actually turned
off module support) and compiled as little as I thought was needed right
into the kernel (650k). Then I started to install additional software
that I needed.

Here is my system information.

Redhat v7.1 (2.4.2-2), Pentium 90, 80M RAM, 2GB IDE, dual NIC (3c509-ISA,
e100b-PCI). Source resides in /usr/src/linux.

Some of the doc's followed:
http://netfilter.filewatcher.org/unreliable-guides/
http://netfilter.filewatcher.org/unreliable-guides/netfilter-hacking-HOWTO/index.html
http://www.ecst.csuchico.edu/~dranch/LINUX/ipmasq-beta/c-html/ipmasq-compiling3.1.html
http://www.ecst.csuchico.edu/~dranch/LINUX/ipmasq-beta/c-html/ipmasq-background2.6.html
and some trade rags.

This is how I went through trying to get iptables to work. I downloaded
iptables-1.2.2.tar.bz2 and unpacked it. Per the INSTALL file, I ran
'make pending-patches' which proceeded to zip through some screens (suggestion:
don't clear the screen between checks) and ended up at a screen like:

- - - - - screen - - - - -

Testing... 2.4.4.patch NOT APPLIED ( 2 missing files)
The 2.4.4 patch:
   Author: Rusty Russell <rusty@rustcorp.com.au> and others.
   Status: Recommended (Already in 2.4.4 and above).

   This contains numerous fixes:

   1) FTP cleanup:
   o Fixes for bugtraq-announced FTP security problems.
   o Understanding of EPSV and EPRT FTP extensions.
   o Servers with unusual PASV responses are supported.
   o FTP connection tracking and NAT on unusual ports.
   o Core "helper" code moved to ip_nat_helper.c.
   2) NAT now doesn't drop untracked packets (eg. multicast, nmap, etc).
   3) SMP race with connection tracking is fixed.
   4) NAT now spreads more evenly, if given a range of IP addresses.
   5) Masquerading now cooperates with diald better.
   6) DNAT and SNAT rules can only be inserted in the "nat" table.
   7) mtr through a connection tracking box will no longer drop 90% of packets.
   8) Reloading the iptable_nat module won't get old, stale NAT information.
   9) First packet of a connection is seen by the helper functions.
   10) "hashsize" parameter to ip_conntrack module.

Do you want to apply this patch [N/y/t/f/q/?]

- - - - - screen - - - - -

If I go ahead and say 'test' it comes back with:

- - - - - screen - - - - -

Testing patch 2.4.4.patch...
Failed to patch copy of /usr/src/linux
-----------------------------------------------------------------
Do you want to apply this patch [N/y/t/f/q/?]

- - - - - end screen - - - - -

I went ahead and said yes, and it proceeded to tell me that it failed and
that the patch was not applied. I would then exit and it would reply with
'Excellent! Kernel is now ready for compilation.' - huh? I did this a few more
times and I would get this message or a 'Bye!'.

I then thought that maybe I didn't have all the required software, so
I proceeded to do a make and a make install (I did modify the Makefile
so the section would look like the following; I had found the default iptables
and library entries in these directories).

#LIBDIR:=/usr/local/lib
#BINDIR:=/usr/local/sbin
LIBDIR:=/lib
BINDIR:=/sbin
MANDIR:=/usr/local/man
INCDIR:=/usr/local/include

The make and make install went without a hitch. Of course, the program wouldn't
load and I took the hint that maybe I needed to have modules support (there was an
error that it couldn't load ip_tables.o or something of the sort). So I went
back to the document at
http://www.ecst.csuchico.edu/~dranch/LINUX/ipmasq-beta/c-html/ipmasq-compiling3.1.html
and followed the section that explained what to include in the kernel (1/3 way down
the doc).

I did enable modules and included all of the things that were suggested. I ran
make dep;make clean without a hitch. I ran make bzImage and it was clean. Then I
ran make modules and this didn't work very well. Here is a subset of about 400
lines of errors. I've included the section just prior to the first error, so you
get a feeling of where it was going good, then bad. I also have the final abort.

- - - - screen - - - -

make[1]: Entering directory `/usr/src/linux-2.4.2/net'
make -C ipv4 modules
make[2]: Entering directory `/usr/src/linux-2.4.2/net/ipv4'
make[2]: Nothing to be done for `modules'.
make[2]: Leaving directory `/usr/src/linux-2.4.2/net/ipv4'
make -C ipv4/netfilter modules
make[2]: Entering directory `/usr/src/linux-2.4.2/net/ipv4/netfilter'
gcc -D__KERNEL__ -I/usr/src/linux/include -Wall -Wstrict-prototypes -O2 -fomit-frame-point
er -fno-strict-aliasing -fno-common -Wno-unused -pipe -mpreferred-stack-boundary=2 -march=
i586 -DMODULE -DMODVERSIONS -include /usr/src/linux/include/linux/modversions.h   -DEXPORT
_SYMTAB -c ip_conntrack_standalone.c
In file included from /usr/src/linux/include/linux/skbuff.h:18,
                 from /usr/src/linux/include/linux/netfilter.h:7,
                 from ip_conntrack_standalone.c:12:
/usr/src/linux/include/linux/kernel.h:51: nondigits in number and not hexadecimal
/usr/src/linux/include/linux/kernel.h:51: nondigits in number and not hexadecimal
/usr/src/linux/include/linux/kernel.h:51: parse error before `01075bf0'
/usr/src/linux/include/linux/kernel.h:52: `panic_R_ver_str' declared as function returning
 a function
/usr/src/linux/include/linux/kernel.h:52: warning: function declaration isn't a prototype
/usr/src/linux/include/linux/kernel.h:57: parse error before `20000329'
/usr/src/linux/include/linux/kernel.h:57: `simple_strtoul_R_ver_str' declared as function
returning a function
/usr/src/linux/include/linux/kernel.h:57: warning: function declaration isn't a prototype
/usr/src/linux/include/linux/kernel.h:58: nondigits in number and not hexadecimal
/usr/src/linux/include/linux/kernel.h:58: nondigits in number and not hexadecimal
/usr/src/linux/include/linux/kernel.h:58: nondigits in number and not hexadecimal
/usr/src/linux/include/linux/kernel.h:58: parse error before `0b742fd7'
/usr/src/linux/include/linux/kernel.h:58: `simple_strtol_R_ver_str' declared as function r
eturning a function
.
.   many many many errors omitted.
.
/usr/src/linux/include/net/sock.h:1274: warning: implicit declaration of function `put_cms
g_Rf39bf4d9'
ip_conntrack_standalone.c: In function `print_tuple':
ip_conntrack_standalone.c:43: warning: implicit declaration of function `sprintf_R3c2c5af5
'
ip_conntrack_standalone.c: In function `print_conntrack':
ip_conntrack_standalone.c:78: `jiffies_R0da02d67' undeclared (first use in this function)
ip_conntrack_standalone.c: In function `ip_conntrack_local':
ip_conntrack_standalone.c:221: warning: implicit declaration of function `net_ratelimit_Rf
6ebc03b'
ip_conntrack_standalone.c:222: warning: implicit declaration of function `printk_R1b7d4074
'
make[2]: *** [ip_conntrack_standalone.o] Error 1
make[2]: Leaving directory `/usr/src/linux-2.4.2/net/ipv4/netfilter'
make[1]: *** [_modsubdir_ipv4/netfilter] Error 2
make[1]: Leaving directory `/usr/src/linux-2.4.2/net'
make: *** [_mod_net] Error 2

- - - - end screen - - - -

I have this funny feeling that I'm missing some software, but I'm
obviously having a duh-day and can't see it.

Thank you very much for reading this far and I look forward to hearing
back on some pointers for help.


gg
(Like a seedling in Spring, green and vulnerable.)
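An added sanity check, not from the original post: the quoted make output compiles in /usr/src/linux-2.4.2 but passes -I/usr/src/linux/include and -include /usr/src/linux/include/linux/modversions.h, and the failing symbols carry _R<hash> suffixes, which is the CONFIG_MODVERSIONS symbol-versioning scheme. The script below verifies, before running make modules, that the include path resolves to the tree actually being built and that the tree is configured with module support and has a generated modversions.h; the function name and both paths are my own (pass the real ones as arguments), and treating the path mismatch as the likely cause is an assumption.

```shell
#!/bin/sh
# check_tree BUILD_DIR INCLUDE_LINK
# Added example (not the poster's code). Reports inconsistencies between the
# kernel tree `make` runs in and the one gcc is told to include headers from.
# Returns 0 when everything lines up, 1 otherwise.
check_tree() {
    build="$1"; link="$2"; rc=0

    # 1. Does the include path (normally the /usr/src/linux symlink) resolve
    #    to the same directory as the tree being built?
    if [ -d "$link" ]; then
        real_link=$(cd "$link" && pwd -P)
        real_build=$(cd "$build" && pwd -P)
        if [ "$real_link" != "$real_build" ]; then
            echo "MISMATCH: $link -> $real_link but building in $real_build"
            rc=1
        fi
    else
        echo "MISSING: $link is not a directory"
        rc=1
    fi

    # 2. Has the tree been configured, and with module support enabled?
    cfg="$build/.config"
    if [ ! -f "$cfg" ]; then
        echo "MISSING: $cfg (run make menuconfig/xconfig first)"
        rc=1
    else
        grep -q '^CONFIG_MODULES=y' "$cfg" || { echo "CONFIG_MODULES not set in $cfg"; rc=1; }
        # With CONFIG_MODVERSIONS the build #includes include/linux/modversions.h,
        # which 'make dep' generates; a missing one means dep was not run here.
        if grep -q '^CONFIG_MODVERSIONS=y' "$cfg"; then
            mv="$build/include/linux/modversions.h"
            [ -f "$mv" ] || { echo "MISSING: $mv (run make dep in $build)"; rc=1; }
        fi
    fi
    return $rc
}

# Usage with the paths from the post: check_tree /usr/src/linux-2.4.2 /usr/src/linux
```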
