IPTables and "state match support"

Tagged: iptables netfilter

This topic has 17 replies, 1 voice, and was last updated 1 year, 8 months ago by berlin0099.

Viewing 15 posts - 1 through 15 (of 18 total)

1 2 →

Author

Posts
June 21, 2017 at 3:40 pm #523

brianb
Participant

I have Ubuntu 16.04 installed and am trying to configure the ESPRESSObin for use as a firewall using shorewall. After setting up the configuration files, I ran “shorewall check” and got the following error:

Checking using Shorewall 5.0.4…
Processing /etc/shorewall/params …
Processing /etc/shorewall/shorewall.conf…
ERROR: Your kernel/iptables do not include state match support. No version of Shorewall will run on this system

I compiled the kernel using the information on the wiki (http://wiki.espressobin.net/tiki-index.php?page=Ubuntu+-+initial+network+configuration).

Any ideas on how to fix it?

June 21, 2017 at 6:18 pm #525

dpreviti
Participant

Hey brian,

I’ve been working on this for a few days as well, as far as I can tell the kernel isn’t built with the iptables modules.

After some searching I’ve tried using mod_probe and the modules are not available for the kernel compiled using that guide. I’ve also tried using the pre-built kernel of the tech page, and also had no luck,

If you can figure out how to make this work, please post your solution.

THANKS!!

June 21, 2017 at 8:59 pm #528

brianb
Participant

That is consistent with what I am seeing as well. lsmod returns nothing and /proc/modules is empty.

June 21, 2017 at 9:22 pm #529

dpreviti
Participant

Brian,

Just one further attempt I’ve tried and again if this helps anyone figure this out I would love to know how they did it.

I tried installing the Linux-generic-headers & Linux-generic packages thinking if I could get the board to load that kernel I would have the headers I needed. They installed but even trying multiple times, I could not get the board to re-flash and use the new generic image. I tried using “aptitude –safe-upgrade” and apt and neither wanted to work.

still getting
david@espressobin/~:uname -a
Linux espressobin.localdomain 4.4.8-armada-17.02.1-gb8d7d22 #1 SMP PREEMPT Tue Feb 7 14:04:11 PST 2017 aarch64 aarch64 aarch64 GNU/Linux

June 30, 2017 at 12:24 am #613

brianb
Participant

I am after better luck after doing the following:
1. Downloading the kernel .config file mentioned on the Ubuntu “initial network configuration page”
2. Running make menuconfig
3. Making sure the following items were selected
> Networking Support
> Networking Options
> Network Packet Filtering Framework (Netfilter)
> Core Netfilter Configuration
* FTP protocol support
* PPtP protocol support
* “TCPMSS” target support
* “conntrack” connection tracking match support
* “hashlimit” match support
* “helper” match support
* “iprange” address range match support
* “limit” match support
* “multiport” Multiple port match support
* IPsec “policy” match support
* “pkttype” packet type match support
* “state” match support
> IP: Netfilter Configuration
* REJECT target support NEW
* NETMAP target support
* REDIRECT target support
* Packet mangling
* raw table support (required for NOTRACK/TRACE)
4. Running “make -j4” to build the kernel

June 30, 2017 at 12:48 pm #614

dpreviti
Participant

Thank You! I’m away from the house for a few days, but I’ll defiantly give this a try when I get home.

Do you mind if I repost some of this with my additional notes in another forum, I mod the subreddit espressobin.

Thanks again!!

June 30, 2017 at 3:27 pm #617

brianb
Participant

Feel free to pass this information along to anyone that might be interested. FYI, I have not had the time or energy to try and identify the minimum set of options that are required. Also, while “shorewall check” works with the options above, shorewall itself will not start. Running “shorewall debug start” seems to point to some missing logging capabilities. If I have the time this weekend, I will see if I can track down the cause of the problem and post an update here.

July 2, 2017 at 7:54 pm #624

dpreviti
Participant

Huh. I rebuilt the kernel with the options you had, reinstalled iptables, and I’m still getting

iptables v1.6.0: can’t initialize iptables table `filter’: Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.

no clue.

July 3, 2017 at 6:00 pm #628

brianb
Participant

Ok. I finally managed to get shorewall to start. Here are the details of what I did to build the kernel:

Much of this information was taken from the espressobin wiki
http://wiki.espressobin.net/tiki-index.php?page=Build+From+Source+-+Kernel
http://wiki.espressobin.net/tiki-index.php?page=Ubuntu+-+initial+network+configuration

1. Make a directory for the source code
sudo mkdir -p kernel/4.4.8
2. Go to the directory
cd kernel/4.4.8
3. Use git to download the source code
sudo git clone https://github.com/MarvellEmbeddedProcessors/linux-marvell .
sudo git checkout linux-4.4.8-armada-17.02-espressobin
4. Downoad the configuration file with “NETFILTER/IPTABLES/NAT features enabled”
sudo wget -O nat_config http://wiki.espressobin.net/tiki-download_file.php?fileId=86
5. Set up the necessary environment variables
export PATH=$PATH:/mnt/usb/toolchain/gcc-linaro-5.2-2015.11-2-x86_64_aarch64-linux-gnu/bin
export ARCH=arm64
export CROSS_COMPILE=aarch64-linux-gnu-
6. Generate the default configuration file
make mvebu_v8_lsp_defconfig
7. Backup the configuration file
mv .config .config.bak
8. Copy the configuration file downloaded above
cp nat_config .config
7. Edit the configuration file, including IP_NF_FILTER
vim .config

CONFIG_IP_NF_FILTER=y
8. Specify additional options using menuconfig. NOTE: all options were compiled in the kernel (*), and modules (M) were not used
make menuconfig
> Networking Support
> Networking Options
> Network Packet Filtering Framework (Netfilter)
* Network packet filtering debugging
* Advanced netfilter configuration
* Bridged IP/ARP packets filtering
* IP set support
* IP virtual server support
* Ethernet Bridge tables (ebtables) support
> Core Netfilter Configuration
Include All Items
> IP: Netfilter Configuration
Include All Items
9. Backup the configuration file
cp .config nf_config
10. Build the kernel
make -j4

July 3, 2017 at 6:02 pm #629

brianb
Participant

Please note that after building the kernel as described above, I was able to install shorewall, configure it, and run “service shorewall start”. I have not, however, had an opportunity to test it thoroughly.

July 5, 2017 at 4:15 pm #634

brianb
Participant

@dpreviti, any luck getting things to work? If not, I can see about getting you a copy of the compiled kernel that I am using.

July 6, 2017 at 3:52 pm #647

dpreviti
Participant

Brian,

Unfortunately no. I’m a bit baffled too since I followed the directions and confirmed the configuration files had all the options set. I even double checked the modules.builtin file and it look like iptables and netfilter were included.

Anyway if you could post a url somewhere for your kernel I’d be very appreciative.

July 7, 2017 at 4:07 pm #649

brianb
Participant

@dpreviti
Here are links to the Image and armada-3720-community.dtb files that I built. Hopefully they work for you. I tried putting together a quick web page with details about the build process that I went through, but I’m having DNS issues right now. If I can get them resolved, I’ll post the link here.

Brian

armada-3720-community.dtb: https://1drv.ms/u/s!Ai_VNtzdCxZDkzzUub8GssjpULDL
Image: https://1drv.ms/u/s!Ai_VNtzdCxZDkz38en5TSZsKh913

July 7, 2017 at 10:39 pm #650

dpreviti
Participant

Your awesome man that worked like a charm. No idea why I failed, but Thanks!!!

July 7, 2017 at 11:10 pm #651

brianb
Participant

@dpreviti

I’m glad it worked. Assuming I can get the DNS issues sorted out, I hope to have a web page available next week with more details about exactly what I did. I’ll post the URL here when I can.
Author

Posts

Viewing 15 posts - 1 through 15 (of 18 total)

1 2 →

You must be logged in to reply to this topic.