Web Hosting Talk : Web Hosting Main Forums : Hosting Security and Technology : Hosting Security and Technology Tutorials : cannot load iptables

[linktome]

# apf -r
Unable to load iptables module (ip_tables), aborting.

# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

# uname -a
Linux servername 2.6.17.9 #1 SMP Sun Aug 27 17:08:11 ICT 2006 i686 athlon i386 GNU/Linux


is there any reason that I cannot use iptables? If I edit monokern option in apf to 1, I cannot use ftp in passive mode

thanks

[Steven]

Your kernel is not compiled with iptables as a modules. You need to recompile it.

[linktome]

Steven, when re-compile it, how to choose iptables as a module? I think I have chosen "M" for all options of iptables when doing menuconfig, but I am not sure if it's the correct location.

Do I need to install module-init-tools? I am upgrading kernel from CentOS 4.3

[Steven]

do not install module-init-tools.

[sasha]

Just for fun, if you do not mind, try changing SET_MONOKERN=1 in apf.conf and see how that goes.

apf.conf can usually be found in /etc/apf/

[Steven]

Did you read his post? He didnt want that because he cant use passive mode. Hes already tried it.

[sasha]

Quote:

Originally Posted by Steven

Did you read his post? He didnt want that because he cant use passive mode. Hes already tried it.

I admit i did not read the last line. But, I do stand by my solution. When he sets SET_MONOKERN=1 his apf script will not fail while loading modules (which are compiled in the kernel it would seem).

He should check conf.apf and see IG_TCP_CPORTS and add the range of ports that his ftp server uses for passive connections like 3000_3500 (if his ftp server uses ports 3000 - 3500) for passive replies.

[Steven]

Passive ftp will not work correctly when monokern is enabled due to conntrack issues when egress is enabled. Without monokern enabled you should not need to open any range of ports since it should dynamically open the ports for ftp.

Your solution is a makeshift fix.

[sasha]

Quote:

Originally Posted by Steven

Your solution is a makeshift fix.

You are absolutely right, but it is the fix never the less.

That being said, perfect solution, as you suggested, wold be rebuilding kernel and selecting iptables as modules. Ether way tough, things will work just fine. Personally if I can postpone reboot until next kernel upgrade I will.

[linktome]

I have recompiled kernel with M option for all in [*] Network packet filtering (replaces ipchains) --->
IP: Netfilter configuration --->

however, I still have error
Unable to load iptables module (ipt_state), aborting.

Is there something I am still missing?

[TheSpidre]

Quote:

Originally Posted by linktome

I have recompiled kernel with M option for all in [*] Network packet filtering (replaces ipchains) --->
IP: Netfilter configuration --->

however, I still have error
Unable to load iptables module (ipt_state), aborting.

Is there something I am still missing?

Same here..

Anyone with an example config who could help?

[sasha]

`"state" match support` is now in
[*] Network packet filtering (replaces ipchains) --->
Core Netfilter Configuration --->

[lovelynetworks]

I am having same problems.

Quote:

iptables v1.2.11: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.

I don't know how to recompile kernal. Any help would be highly appreciated.

[Steven]

if you are using apf, to fix the state issue you need this:

http://www.webhostingtalk.com/showthread.php?t=527382

[TheSpidre]

Quote:

Originally Posted by Steven

if you are using apf, to fix the state issue you need this:

http://www.webhostingtalk.com/showthread.php?t=527382

Great thanks! What about this error?

iptables v1.2.11: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.