can't use iptables extensions
Samuel Díaz García
samueldg at arcoscom.com
Mon Sep 20 09:53:27 UTC 2004
The connlimit extension (I don't know about the owner extension) is not included
in the kernel sources (as you can see on netfilter.org) because they aren't stable
"patches".
I needed to do this:
1) My kernel sources (2.4.x in my case, 2.6.x in your case).
2) The latest version of the patch-o-matic sources for netfilter.
3) The iptables sources.
4) See the README files in the patch-o-matic sources for netfilter; it will patch
netfilter in the kernel sources and the iptables sources.
5) Apply the patches to the kernel and iptables.
6) Configure your kernel with the "experimental options" and compile.
7) Compile the patched iptables.
8) Make a backup of your iptables binary before installing the new patched
iptables.
9) Test your new kernel and your new iptables before using them in a
production environment.
P.S.: Sorry for my poor English.
Michael Schwendt writes:
> On Mon, 20 Sep 2004 17:22:50 +0900 (JST), d l wrote:
>
>> I am using vanilla Fedora Core 2, without configuring
>> firewall in anaconda during initial install.
>>
>> Simple rules seem to work with built-in modules. e.g.
>> iptables -A INPUT -p ICMP -j DROP
>>
>> However when I tried to use extension modules like
>> <connlimit> and <owner>, iptables always gives me error.
>>
>> For <owner>:
>> iptables -m owner --help
>> .......
>> OWNER match v1.2.9 options:
>> [!] --uid-owner userid Match local uid
>> [!] --gid-owner groupid Match local gid
>> [!] --pid-owner processid Match local pid
>> [!] --sid-owner sessionid Match local sid
>> [!] --cmd-owner name Match local command name
>>
>> # iptables -A INPUT -m owner --cmd-owner mlnet -j test
>> iptables: Invalid argument
>
> It doesn't work like that. Read "man iptables" again. Why your command
> doesn't work is explained in the OWNER extension section.
>
>> And similar results with <connlimit> extension.
>>
>> There are corresponding so files in /lib/iptables for that
>> 2 extensions.
>> /lib/iptables/libipt_connlimit.so
>> /lib/iptables/libipt_owner.so
>
> I don't see a netfilter connlimit kernel module, so that could mean
> it's neither built nor supported. In case the extension is included
> in the stock Linux kernel, that might be a package bug.
>
> --
> Fedora Core release 2 (Tettnang) - Linux 2.6.7-1.494.2.2
> loadavg: 0.00 0.19 0.38
>
>
> --
> fedora-list mailing list
> fedora-list at redhat.com
> To unsubscribe: http://www.redhat.com/mailman/listinfo/fedora-list
Samuel Díaz García
Director Gerente
ArcosCom Wireless, S.L.L.
mailto:samueldg at arcoscom.com
http://www.arcoscom.com
móvil: 651 93 72 48
tlfn/fax: 956 70 13 15
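Two checks the thread points at, as an added example (not code from either poster): step 9 above says to test the new kernel and iptables before production, and Michael's reply says the owner match cannot be used the way the original command does. The script assumes a 2.6 kernel that lists its registered matches in /proc/net/ip_tables_matches; the sample match list at the end is constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Pre-flight checks before adding an
# iptables rule that uses a match extension. Assumes a 2.6 kernel, which
# lists registered matches one per line in /proc/net/ip_tables_matches
# once the ip_tables module is loaded.

# match_registered NAME [FILE]
# 0 = kernel has the match, 1 = missing (a userspace libipt_*.so alone is
# not enough), 2 = list unreadable (ip_tables not loaded, or a 2.4 kernel).
match_registered() {
    _file=${2:-/proc/net/ip_tables_matches}
    [ -r "$_file" ] || return 2
    grep -qx "$1" "$_file"
}

# owner_chain_ok CHAIN
# owner matches the local process that created the packet, so the kernel
# only accepts it in OUTPUT; in INPUT the rule fails with EINVAL, which
# iptables reports as "Invalid argument".
owner_chain_ok() {
    [ "$1" = OUTPUT ]
}

# preflight CHAIN MATCH [FILE]
# Prints the reason and returns non-zero when the rule would be rejected.
preflight() {
    _chain=$1; _match=$2; _list=${3:-/proc/net/ip_tables_matches}
    if [ ! -r "$_list" ]; then
        echo "cannot read $_list; load ip_tables first"; return 2
    fi
    if ! match_registered "$_match" "$_list"; then
        echo "match '$_match' is not registered with the kernel"; return 1
    fi
    if [ "$_match" = owner ] && ! owner_chain_ok "$_chain"; then
        echo "owner match is only valid in OUTPUT, not $_chain"; return 1
    fi
    echo "ok: -A $_chain -m $_match"
}

# Demo on a constructed match list resembling a stock kernel without
# patch-o-matic: owner is built in, connlimit is not.
demo() {
    _f=$(mktemp)
    printf 'icmp\nowner\nstate\ntcp\nudp\n' > "$_f"
    preflight INPUT owner "$_f" || :       # rejected: wrong chain
    preflight OUTPUT owner "$_f" || :      # ok
    preflight INPUT connlimit "$_f" || :   # rejected: not registered
    rm -f "$_f"
}
demo
```

On a real box, run `preflight OUTPUT connlimit` with no third argument after installing the patched kernel and iptables to confirm the match is actually registered before any rule depends on it.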