cant use iptable extensions

Samuel Díaz García samueldg at arcoscom.com
Mon Sep 20 09:53:27 UTC 2004


The connlimit extension (the owner extension I don't know about) is not included 
in the kernel sources (as you can see on netfilter.org) because they aren't stable 
"patches". 

I needed to do this: 

1) My kernel sources (2.4.x in my case, 2.6.x in your case).
2) Latest version of the patch-o-matic sources for netfilter.
3) IPTABLES sources.
4) See the readme files in the patch-o-matic sources for netfilter; it will patch 
the netfilter code in the kernel sources and the iptables sources.
5) Apply the patches to the kernel and iptables.
6) Configure your kernel with "experimental options" and compile.
7) Compile the patched iptables.
8) Make a backup of your iptables binary before installing the new patched 
iptables.
9) Test your new kernel and your new iptables before using them in a 
production environment. 

P.S.: Sorry for my poor English. 

Michael Schwendt writes: 

> On Mon, 20 Sep 2004 17:22:50 +0900 (JST), d l wrote: 
> 
>> I am using vanilla Fedora Core 2, without configuring
>> the firewall in anaconda during the initial install. 
>> 
>> Simple rules seem to work with built-in modules, e.g. 
>> iptables -A INPUT -p ICMP -j DROP 
>> 
>> However, when I tried to use extension modules like
>> <connlimit> and <owner>, iptables always gives me an error. 
>> 
>> For <owner>:
>> iptables -m owner --help
>> .......
>> OWNER match v1.2.9 options:
>> [!] --uid-owner userid     Match local uid
>> [!] --gid-owner groupid    Match local gid
>> [!] --pid-owner processid  Match local pid
>> [!] --sid-owner sessionid  Match local sid
>> [!] --cmd-owner name       Match local command name 
>> 
>> # iptables -A INPUT -m owner --cmd-owner mlnet -j test
>> iptables: Invalid argument
> 
> It doesn't work like that. Read "man iptables" again. Why your command
> doesn't work is explained in the OWNER extension section. 
> 
>> And similar results with <connlimit> extension. 
>> 
>> There are corresponding .so files in /lib/iptables for those
>> 2 extensions.
>> /lib/iptables/libipt_connlimit.so
>> /lib/iptables/libipt_owner.so
> 
> I don't see a netfilter connlimit kernel module, so that could mean
> it's neither built nor supported. In case the extension is included
> in the stock Linux kernel, that might be a package bug.
>  
> -- 
> Fedora Core release 2 (Tettnang) - Linux 2.6.7-1.494.2.2
> loadavg: 0.00 0.19 0.38 
> 
> 
 


Samuel Díaz García
Director Gerente
ArcosCom Wireless, S.L.L. 

mailto:samueldg at arcoscom.com
http://www.arcoscom.com
móvil: 651 93 72 48
tlfn/fax: 956 70 13 15 
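A pre-flight check for the situation diagnosed in the thread (a userspace plugin such as /lib/iptables/libipt_connlimit.so present, but no matching kernel module, so the extension fails), plus the backup from step 8. This is an added example, not code from the thread or from netfilter; the default paths are the ones the thread names, and other layouts are an assumption passed as arguments.

```shell
#!/bin/sh
# Added example (not from the thread): report whether an iptables match
# extension is usable, i.e. both its userspace plugin and its kernel
# module exist. Defaults use the paths named in the thread; pass other
# directories as arguments on systems laid out differently (assumption).

# check_ext NAME [LIBDIR] [MODROOT]
#   return 0 = plugin and module present, 1 = plugin only,
#          2 = module only, 3 = neither
check_ext() {
    name=$1
    libdir=${2:-/lib/iptables}
    modroot=${3:-/lib/modules/$(uname -r)}
    so_ok=0; mod_ok=0
    [ -f "$libdir/libipt_$name.so" ] && so_ok=1
    # 2.4 kernels ship ipt_<name>.o, 2.6 kernels ipt_<name>.ko; accept both
    if find "$modroot" \( -name "ipt_$name.ko" -o -name "ipt_$name.o" \) \
            2>/dev/null | grep -q .; then
        mod_ok=1
    fi
    case "$so_ok$mod_ok" in
        11) echo "$name: plugin and kernel module present"; return 0 ;;
        10) echo "$name: plugin present but no kernel module (kernel needs the patch)"; return 1 ;;
        01) echo "$name: kernel module present but no plugin (iptables needs the patch)"; return 2 ;;
        *)  echo "$name: neither plugin nor kernel module found"; return 3 ;;
    esac
}

# backup_iptables BIN [DIR]: step 8 above; copies the iptables binary to a
# timestamped file (preserving mode and owner) and prints the backup path.
backup_iptables() {
    bin=$1
    dir=${2:-$(dirname "$bin")}
    dest="$dir/$(basename "$bin").bak.$(date +%Y%m%d%H%M%S)"
    cp -p "$bin" "$dest" && echo "$dest"
}

# Usage: sh ipt_ext_check.sh connlimit owner
for n in "$@"; do
    check_ext "$n"
done
```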