Re: Red Hat 7.2 and example firewall script
- From: "Mike A. Harris" <mharris redhat com>
- To: <enigma-list redhat com>
- Subject: Re: Red Hat 7.2 and example firewall script
- Date: Sun, 2 Dec 2001 13:50:40 -0500 (EST)
On Sun, 2 Dec 2001, Stephan André Schmidt wrote:
>Thanks for your long and detailed answer. By using the word 'fix' I meant
>not to compile ipchains support as a module but directly into the kernel.
>Sorry if the question was not clear enough. I am not a native speaker.
>My problem is that my old ipchains firewall script does not work anymore
>for some reason I do not know. It does not matter if I am using a Red Hat
>supplied kernel or a kernel from www.kernel.org. Running 7.1, I built
>ipchains support directly into the kernel and was able to use the
>ipchains script without any problems. Trying to do this running 7.2 did
>not work for some reason. After having built ipchains as a module running 7.2
>and a RH supplied kernel (tried also 'pristine' source) it also did not
>work. I have done a 'modprobe ipchains' before executing the ipchains
>script.
>So my question is if there is someone out there using a 'home made'
>ipchains script and can tell me how he got this working.
>
>I hope that I have described my situation now more exactly.

It is also important to realize that the ipchains program itself
controls more than packet filtering. It also controls ip
masquerading with ipchains as well. The 2.4.x kernel supports
ipchains packet filtering, however IP masquerading support for
ipchains is not complete. If your ipchains scripts do IP
masquerading it is highly recommended that you convert the
scripts to use iptables instead.

To use ipchains for ip packet filtering, all you need to do with
the supplied kernels is:

Run "ntsysv" and make sure that ipchains and iptables are *both*
disabled. Then either reboot, or make sure no iptables modules
are loaded by using lsmod and rmmod.

Then:

    modprobe ipchains
    ipchains -A input .....

It should work. The only thing that will prevent an ipchains
command that is syntactically correct from working is if iptables
support is loaded in memory, or if ipchains module is not loaded
or the kernel doesn't have an ipchains module or builtin support.

If you're using the supplied kernels, it is guaranteed to work.
If it does not, it is a misconfiguration of kernel modules or of
the ipchains scripts you are using. Hopefully we can
troubleshoot it and get it going though.

Hope this helps.

--
----------------------------------------------------------------------
Mike A. Harris Shipping/mailing address:
OS Systems Engineer 190 Pittsburgh Ave., Sault Ste. Marie,
XFree86 maintainer Ontario, Canada, P6C 5B3
Red Hat Inc. Phone: (705)949-2136
http://www.redhat.com ftp://people.redhat.com/mharris
Red Hat XFree86 mailing list: xfree86-list redhat com
General open IRC discussion: #xfree86 on irc.openprojects.net
----------------------------------------------------------------------
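
The module check described in the reply above (look in lsmod for loaded iptables modules, then confirm the ipchains module is present), as an added example that is not part of the original message. The module-name patterns (`ip_tables`, `iptable_*`, `ipt_*`, `ipchains`), the function names and the sample `lsmod` listings are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: classify lsmod output for the ipchains/iptables conflict.
# Module name patterns are assumptions based on 2.4-era module naming.

# Print the names of loaded iptables-related modules (stdin: lsmod output).
iptables_modules() {
    awk '$1 == "ip_tables" || $1 ~ /^iptable_/ || $1 ~ /^ipt_/ { print $1 }'
}

# Succeed if an "ipchains" module line is present (stdin: lsmod output).
ipchains_loaded() {
    awk '$1 == "ipchains" { found = 1 } END { exit found ? 0 : 1 }'
}

# Read lsmod output on stdin and print one verdict:
#   conflict: <modules>  iptables modules are loaded; rmmod them (or reboot)
#   ok                   ipchains module loaded, no iptables modules
#   missing              no ipchains module listed (built-in support is not
#                        visible in lsmod, so check the kernel config too)
diagnose() {
    lsmod_out=$(cat)
    conflicts=$(printf '%s\n' "$lsmod_out" | iptables_modules | tr '\n' ' ')
    if [ -n "$conflicts" ]; then
        echo "conflict: ${conflicts% }"
    elif printf '%s\n' "$lsmod_out" | ipchains_loaded; then
        echo "ok"
    else
        echo "missing"
    fi
}

# Constructed sample listings (sizes and use counts are made up).
SAMPLE_CONFLICT='Module                  Size  Used by
iptable_filter          2304   0  (autoclean) (unused)
ip_tables              11072   1  [iptable_filter]
ext3                   64624   2'

SAMPLE_OK='Module                  Size  Used by
ipchains               36000   0
ext3                   64624   2'

printf '%s\n' "$SAMPLE_CONFLICT" | diagnose
printf '%s\n' "$SAMPLE_OK" | diagnose
```

On a live system the same function can be fed real data with `lsmod | diagnose`.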