On Mon, 2007-11-12 at 23:35 -0500, Walter Dnes wrote:
> On Sat, Nov 10, 2007 at 10:53:52AM -0600, Michael Sullivan wrote
> > On Sat, 2007-11-10 at 15:40 +0200, Daniel Iliev wrote:
> > >
> > > I believe your problem comes from:
> > >
> > > # CONFIG_IP_NF_CONNTRACK_SUPPORT is not set
> > >
> > > Build this module and try again.
> >
> > This option isn't even available in my config. Should I add it? Will
> > it work with the kernel I'm running (2.6.22-hardened-r8)?
>
> I'm beginning to long for the good ole days of ipchains. Is it still
> maintained? iptables has been scattered all over hell's-half-acre, and
> you need to run around enabling things all over the place to make it
> work. Here are some things enabled in my setup via "make menuconfig".
> Note that this is just for filtering out the bad guys. I do not do any
> masq/nat/mangling/etc with iptables. *IMPORTANT NOTE* you *MUST* enable
> the item... "IPv4 connection tracking support (required for NAT)" in
> order for state matching to work. I found this out "the hard way".
>
> Networking --->
>   [*] Networking support
>   Networking options --->
>     [*] Network packet filtering framework (Netfilter) --->
>       Core Netfilter Configuration --->
>         <*> Netfilter connection tracking support
>         --- Netfilter Xtables support (required for ip_tables)
>         <*> "CLASSIFY" target support
>         <*> "MARK" target support
>         <*> "NFQUEUE" target Support
>         < > "NFLOG" target support
>         < > "TCPMSS" target support
>         <*> "comment" match support
>         < > "connbytes" per-connection counter match support
>         < > "connmark" connection mark match support
>         < > "conntrack" connection tracking match support
>         <*> "DCCP" protocol match support
>         < > "DSCP" match support
>         < > "ESP" match support
>         < > "helper" match support
>         <*> "length" match support
>         <*> "limit" match support
>         <*> "mac" address match support
>         <*> "mark" match support
>         <*> Multiple port match support
>         <*> "pkttype" packet type match support
>         < > "quota" match support
>         <*> "realm" match support
>         <*> "sctp" protocol match support (EXPERIMENTAL)
>         <*> "state" match support
>         < > "statistic" match support
>         <*> "string" match support
>
>       IP: Netfilter Configuration --->
>         <*> IPv4 connection tracking support (required for NAT)
>         [*] proc/sysctl compatibility with old connection tracking
>         < > IP Userspace queueing via NETLINK (OBSOLETE)
>         <*> IP tables support (required for filtering/masq/NAT)
>         <*> IP range match support
>         <*> TOS match support
>         <*> recent match support
>         < > ECN match support
>         < > AH match support
>         <*> TTL match support
>         <*> Owner match support
>         <*> address type match support
>         <*> Packet filtering
>         <*> REJECT target support
>         <*> LOG target support
>         < > ULOG target support
>         < > Full NAT
>         < > Packet mangling
>         < > raw table support (required for NOTRACK/TRACE)
>         < > ARP tables support
>
> --
> Walter Dnes <[EMAIL PROTECTED]> In linux /sbin/init is Job #1
> Q. Mr. Ghandi, what do you think of Microsoft security?
> A. I think it would be a good idea.
I agree, though ipchains was obsolete by the time I started using Linux. Couldn't we have some package in portage that builds the necessary modules for iptables, similar to the way I have to emerge ivtv every time I boot with a new kernel so that my TV card will work?

--
[EMAIL PROTECTED] mailing list
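The practical takeaway from Walter's message is that the "state" match silently needs conntrack underneath it: on a 2.6.22 kernel the relevant symbols are CONFIG_NF_CONNTRACK together with CONFIG_NF_CONNTRACK_IPV4 (the "IPv4 connection tracking support (required for NAT)" item), plus CONFIG_NETFILTER_XT_MATCH_STATE for the match itself. The older ip_conntrack code and its CONFIG_IP_NF_CONNTRACK_SUPPORT selector that Daniel pointed at were removed in 2.6.22, which is why Michael cannot find that option. The script below is an added example written for this page, not code from anyone in the thread: it checks a kernel .config (or the output of `zcat /proc/config.gz`) for the symbols a stateful filter-only ruleset depends on, and prints a minimal iptables-restore ruleset that uses only the options Walter has enabled (filter table, state, limit, LOG, REJECT). The list of "required" symbols, the function names and the sample configs are this example's own assumptions.

```shell
#!/bin/sh
# Added example for this thread (not Walter's or Michael's code).
# Verifies that a kernel config has what the iptables "state" match needs,
# then emits a filter-only stateful ruleset in iptables-restore format.
# Symbol names are the 2.6.22-era nf_conntrack ones; which symbols count as
# "required" is an assumption of this example, not something the kernel defines.

REQUIRED_OPTS="CONFIG_NETFILTER CONFIG_NF_CONNTRACK CONFIG_NF_CONNTRACK_IPV4 \
CONFIG_NETFILTER_XT_MATCH_STATE CONFIG_IP_NF_IPTABLES CONFIG_IP_NF_FILTER \
CONFIG_IP_NF_TARGET_REJECT CONFIG_IP_NF_TARGET_LOG"

# check_kernel_config FILE
# Returns 0 when every required option is built in (=y) or a module (=m),
# 1 otherwise, naming each missing symbol on stderr.
check_kernel_config() {
    cfg=$1
    missing=0
    for opt in $REQUIRED_OPTS; do
        # "# CONFIG_FOO is not set" and an absent line both count as missing.
        if ! grep -q "^${opt}=[ym]$" "$cfg"; then
            echo "missing: $opt" >&2
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# stateful_rules IFACE
# Prints a filter table: loopback and ESTABLISHED/RELATED accepted, INVALID
# dropped, new inbound SSH on IFACE accepted, everything else logged
# (rate-limited) and rejected.  No NAT or mangle tables are touched.
stateful_rules() {
    iface=$1
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -i $iface -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables drop: "
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
}

# write_sample_config PATH with|without
# Constructed sample configs for a stand-alone run; "without" reproduces the
# mistake Walter describes: conntrack core present, IPv4 conntrack missing.
write_sample_config() {
    {
        echo "CONFIG_NETFILTER=y"
        echo "CONFIG_NF_CONNTRACK=m"
        if [ "$2" = with ]; then
            echo "CONFIG_NF_CONNTRACK_IPV4=m"
        else
            echo "# CONFIG_NF_CONNTRACK_IPV4 is not set"
        fi
        echo "CONFIG_NETFILTER_XT_MATCH_STATE=m"
        echo "CONFIG_IP_NF_IPTABLES=m"
        echo "CONFIG_IP_NF_FILTER=m"
        echo "CONFIG_IP_NF_TARGET_REJECT=m"
        echo "CONFIG_IP_NF_TARGET_LOG=m"
        echo "# CONFIG_IP_NF_NAT is not set"
    } > "$1"
}

# Stand-alone demo: check both constructed configs, emit rules only when the
# kernel can actually honour "-m state".
good=$(mktemp) && bad=$(mktemp)
write_sample_config "$good" with
write_sample_config "$bad" without
for f in "$good" "$bad"; do
    if check_kernel_config "$f"; then
        echo "$f: required options present, ruleset follows"
        stateful_rules eth0
    else
        echo "$f: kernel lacks options needed for state matching, not loading rules"
    fi
done
rm -f "$good" "$bad"
```

Against a live box, run `check_kernel_config /boot/config-$(uname -r)` (or `zcat /proc/config.gz > /tmp/cfg` first, which needs CONFIG_IKCONFIG_PROC) before `stateful_rules eth0 | iptables-restore`; when a symbol is `=m` the corresponding module still has to be loadable, which is the situation Michael's ivtv comparison is about.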