  1. #1
    Join Date
    May 2006
    Posts
    307

    cannot load iptables

    # apf -r
    Unable to load iptables module (ip_tables), aborting.

    # iptables -L
    Chain INPUT (policy ACCEPT)
    target prot opt source destination

    Chain FORWARD (policy ACCEPT)
    target prot opt source destination

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination

    # uname -a
    Linux servername 2.6.17.9 #1 SMP Sun Aug 27 17:08:11 ICT 2006 i686 athlon i386 GNU/Linux


    Is there any reason that I cannot use iptables? If I edit the monokern option in apf to 1, I cannot use ftp in passive mode.

    thanks
    Traditional music traveling

  2. #2
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,294
    Your kernel is not compiled with iptables as a module. You need to recompile it.
    Steven Ciaburri | Industry's Best Server Management - Rack911.com
    Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
    Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
    FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance

  3. #3
    Join Date
    May 2006
    Posts
    307
    Steven, when recompiling it, how do I choose iptables as a module? I think I have chosen "M" for all options of iptables when doing menuconfig, but I am not sure if it's the correct location.

    Do I need to install module-init-tools? I am upgrading the kernel from CentOS 4.3.

  4. #4
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,294
    do not install module-init-tools.

  5. #5
    Join Date
    Oct 2002
    Location
    Canada
    Posts
    3,100
    Just for fun, if you do not mind, try changing SET_MONOKERN=1 in apf.conf and see how that goes.

    apf.conf can usually be found in /etc/apf/

  6. #6
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,294
    Did you read his post? He didn't want that because he can't use passive mode. He's already tried it.

  7. #7
    Join Date
    Oct 2002
    Location
    Canada
    Posts
    3,100
    Quote Originally Posted by Steven
    Did you read his post? He didn't want that because he can't use passive mode. He's already tried it.
    I admit I did not read the last line. But I do stand by my solution. When he sets SET_MONOKERN=1 his apf script will not fail while loading modules (which are compiled in the kernel, it would seem).

    He should check conf.apf and see IG_TCP_CPORTS and add the range of ports that his ftp server uses for passive connections like 3000_3500 (if his ftp server uses ports 3000 - 3500) for passive replies.

  8. #8
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,294
    Passive ftp will not work correctly when monokern is enabled due to conntrack issues when egress is enabled. Without monokern enabled you should not need to open any range of ports since it should dynamically open the ports for ftp.

    Your solution is a makeshift fix.

  9. #9
    Join Date
    Oct 2002
    Location
    Canada
    Posts
    3,100
    Quote Originally Posted by Steven
    Your solution is a makeshift fix.
    You are absolutely right, but it is the fix nevertheless.

    That being said, the perfect solution, as you suggested, would be rebuilding the kernel and selecting iptables as modules. Either way though, things will work just fine. Personally, if I can postpone a reboot until the next kernel upgrade, I will.

  10. #10
    Join Date
    May 2006
    Posts
    307
    I have recompiled kernel with M option for all in [*] Network packet filtering (replaces ipchains) --->
    IP: Netfilter configuration --->

    however, I still have error
    Unable to load iptables module (ipt_state), aborting.

    Is there something I am still missing?

  11. #11
    Quote Originally Posted by linktome
    I have recompiled kernel with M option for all in [*] Network packet filtering (replaces ipchains) --->
    IP: Netfilter configuration --->

    however, I still have error
    Unable to load iptables module (ipt_state), aborting.

    Is there something I am still missing?
    Same here..

    Anyone with an example config who could help?
    I wish I was a carpenter

  12. #12
    Join Date
    Oct 2002
    Location
    Canada
    Posts
    3,100
    `"state" match support` is now in
    [*] Network packet filtering (replaces ipchains) --->
    Core Netfilter Configuration --->
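
Added example, not part of the thread: the posts above turn on whether each netfilter piece was built as a module (M), built in, or left out, and post #12 notes that state match support moved to Core Netfilter Configuration. This sketch reads a kernel .config and reports that per option; the function names and the 2.6.17-era option list are assumptions chosen to match the modules named in this thread.

```shell
#!/bin/sh
# Report how the netfilter options behind the modules named in this thread
# are set in a kernel .config: m (module), y (built in) or missing.

# Assumption: option names as used by 2.6.16/2.6.17 kernels; later kernels
# renamed the conntrack options.
NF_OPTS="CONFIG_NETFILTER_XTABLES CONFIG_NETFILTER_XT_MATCH_STATE
CONFIG_NETFILTER_XT_MATCH_LIMIT CONFIG_IP_NF_CONNTRACK CONFIG_IP_NF_FTP
CONFIG_IP_NF_IPTABLES CONFIG_IP_NF_FILTER CONFIG_IP_NF_MANGLE
CONFIG_IP_NF_TARGET_REJECT CONFIG_IP_NF_TARGET_LOG"

# opt_state FILE OPTION -> prints m, y or missing
# ("# CONFIG_X is not set" lines and absent options both count as missing)
opt_state() {
    val=$(sed -n "s/^$2=\([ym]\)\$/\1/p" "$1" | head -n 1)
    echo "${val:-missing}"
}

# nf_report FILE -> one "OPTION state" line per option in NF_OPTS
nf_report() {
    for opt in $NF_OPTS; do
        echo "$opt $(opt_state "$1" "$opt")"
    done
}

# nf_not_modular FILE -> only the options that are not built as modules
nf_not_modular() {
    nf_report "$1" | awk '$2 != "m" { print $1 "=" $2 }'
}

# Constructed sample .config fragment (not taken from any poster's system):
# state match left unset, ip_tables built in instead of modular.
sample_config() {
    cat <<'EOF'
CONFIG_NETFILTER=y
CONFIG_NETFILTER_XTABLES=m
# CONFIG_NETFILTER_XT_MATCH_STATE is not set
CONFIG_NETFILTER_XT_MATCH_LIMIT=m
CONFIG_IP_NF_CONNTRACK=m
CONFIG_IP_NF_FTP=m
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_MANGLE=m
CONFIG_IP_NF_TARGET_REJECT=m
CONFIG_IP_NF_TARGET_LOG=m
EOF
}

tmp=$(mktemp); sample_config > "$tmp"
nf_not_modular "$tmp"
rm -f "$tmp"
```

Point `nf_report` at the .config of the tree you actually built and booted; per the thread, anything `nf_not_modular` lists is a candidate for APF's "Unable to load iptables module" abort when monokern is off.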

  13. #13
    Join Date
    May 2006
    Posts
    69
    I am having same problems.
    iptables v1.2.11: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
    Perhaps iptables or your kernel needs to be upgraded.
    I don't know how to recompile the kernel. Any help would be highly appreciated.

  14. #14
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,294
    if you are using apf, to fix the state issue you need this:

    http://www.webhostingtalk.com/showthread.php?t=527382

  15. #15
    Quote Originally Posted by Steven
    if you are using apf, to fix the state issue you need this:

    http://www.webhostingtalk.com/showthread.php?t=527382
    Great thanks! What about this error?

    iptables v1.2.11: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
    Perhaps iptables or your kernel needs to be upgraded.

  16. #16
    Join Date
    Mar 2004
    Location
    Odessa, Ukraine
    Posts
    605
    No need to upgrade, you just need to reconfigure the kernel and enable this module...

  17. #17
    Quote Originally Posted by andreyka
    No need to upgrade, you just need to reconfigure the kernel and enable this module...
    Ok, now I get this one:

    iptables: No chain/target/match by that name
    iptables: No chain/target/match by that name
    iptables: No chain/target/match by that name
    iptables: No chain/target/match by that name

    [~]# lsmod
    Module Size Used by
    xt_state 6400 12
    xt_limit 6912 7
    ipt_TOS 6528 26
    iptable_mangle 7040 1
    ip_conntrack_ftp 11632 0
    ip_conntrack_irc 10992 0
    ip_conntrack 51552 3 xt_state,ip_conntrack_ftp,ip_conntrack_irc
    ipt_REJECT 9344 43
    ipt_LOG 10240 2
    parport_pc 30148 1
    lp 16584 0
    parport 38728 2 parport_pc,lp
    xt_tcpudp 7552 215
    iptable_filter 7168 1
    ip_tables 18004 2 iptable_mangle,iptable_filter
    x_tables 18180 7 xt_state,xt_limit,ipt_TOS,ipt_REJECT,ipt_LOG,xt_tcpudp,ip_tables
    autofs4 24708 0
    sunrpc 145468 1
    ipv6 243872 24

  18. #18
    Quote Originally Posted by TheSpidre
    Great thanks! What about this error?

    iptables v1.2.11: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
    Perhaps iptables or your kernel needs to be upgraded.
    Have you fixed this error? I am having the same problem after a kernel upgrade. Can you tell me how you fixed it? Which option did you select to get it fixed?

  19. #19
    Join Date
    Mar 2004
    Location
    Odessa, Ukraine
    Posts
    605
    Check the new options for the firewall in the kernel and enable them.

  20. #20
    Quote Originally Posted by flashwebhost
    Have you fixed this error? I am having the same problem after a kernel upgrade. Can you tell me how you fixed it? Which option did you select to get it fixed?
    Nope, no luck so far..

    Quote Originally Posted by andreyka
    Check the new options for the firewall in the kernel and enable them.
    I searched through menuconfig and included some more, but still getting the same thing..

  21. #21
    I too tried several times, but can't get it working. Maybe it's because I'm a kernel newbie; if anyone knows the exact solution, let us know.

  22. #22
    As per error

    Perhaps iptables or your kernel needs to be upgraded.
    Can this be due to an iptables version mismatch? Has anyone upgraded iptables? Any HOW-TO?