Converting iptables firewall from 2.4 to 2.6 kernel
oldcurmudgeon at gmail.com
Wed Mar 30 23:42:44 CEST 2005
I tried upgrading a Debian stable firewall to sarge. That part went fine, but when I tried upgrading the locally-built 2.4.19 kernel to 22.214.171.124 the results were not as
The first (and easily fixed) problem was that eth0 and eth1 were
least I verified that my anti-spoofing rules worked. After swapping the
firewall could connect to internal and external machines, internal hosts could connect to the firewall, external hosts could connect to the firewall,
could send packets to external hosts, but packets from outside hosts to inside hosts never crossed to the inside.
Running tcpdump on both interfaces shows packets from outside hosts to inside hosts hit the external interface but never appear on the
whether it is an initial connection from outside or a reply packet to a packet initiated on the inside.
I'm using the same scripts to set routes, ip_forward, rp_filter,
The only thing changing is the kernel (and both have iptables support built in, not as modules).
Did the locations of things in proc change in 2.6, or any other ideas on how to debug this? Iptables version is now 1.2.4, it was 1.2 before.
Booting back into the 2.4 kernel (and swapping the cables) makes it work properly, so the only variable now is the kernel version (i.e., it all works fine with the 2.4 kernel and all the new sarge utilities/libraries, etc.).
More information about the netfilter