Re: Iptables FW under 2.4.0-test11
>>>>> "GM" == Giacomo Mulas <gmulas@ca.astro.it> writes:
GM> Yes, but be careful: plain test12 has a bug in netfilter code
GM> that causes it to instantly crash upon receiving a fragmented
GM> packet, if using conntrack (i.e. native 2.4 stateful
GM> firewalling). A patch surfaced in linux-kernel that appears to
GM> fix this. Therefore, while you do need to move away quickly from
GM> test11 as it eats ext2 filesystems, you probably should do one
GM> of the following two things:
GM>
GM> 1) go back to a version **before** test11 that works well for
GM>    you (perhaps test10?)
GM> 2) or browse the linux-kernel archives, find the patch for the
GM>    bug in the netfilter, apply that to test12 and use that.
GM>
GM> If you use iptables with stateful connection tracking on a plain
GM> test12 kernel (without the fix), a single large ping, or trying
GM> to do anything related to NFS will instantly kill your
GM> computer...
GM>
What iptables config option causes this problem? I have just gotten
iptables up and running, and currently am only using it for NAT. Haven't
gotten around to setting up filtering rules, etc.
But before I go looking for the patch that fixes this bug, I'd like to
know which kernel config option, if compiled in or modularized,
'activates' the bug?
Here are the NetFilter options from my .config file:
CONFIG_PACKET=y
CONFIG_PACKET_MMAP=y
CONFIG_NETLINK=y
CONFIG_RTNETLINK=y
CONFIG_NETLINK_DEV=y
CONFIG_NETFILTER=y
CONFIG_NETFILTER_DEBUG=y
CONFIG_FILTER=y
CONFIG_UNIX=y
CONFIG_INET=y
# CONFIG_IP_MULTICAST is not set
# CONFIG_IP_ADVANCED_ROUTER is not set
# CONFIG_IP_PNP is not set
# CONFIG_NET_IPIP is not set
# CONFIG_NET_IPGRE is not set
# CONFIG_ARPD is not set
# CONFIG_INET_ECN is not set
CONFIG_SYN_COOKIES=y
#
# IP: Netfilter Configuration
#
CONFIG_IP_NF_CONNTRACK=y
CONFIG_IP_NF_FTP=y
# CONFIG_IP_NF_QUEUE is not set
CONFIG_IP_NF_IPTABLES=y
# CONFIG_IP_NF_MATCH_LIMIT is not set
# CONFIG_IP_NF_MATCH_MAC is not set
# CONFIG_IP_NF_MATCH_MARK is not set
# CONFIG_IP_NF_MATCH_MULTIPORT is not set
# CONFIG_IP_NF_MATCH_TOS is not set
# CONFIG_IP_NF_MATCH_STATE is not set
# CONFIG_IP_NF_MATCH_UNCLEAN is not set
# CONFIG_IP_NF_MATCH_OWNER is not set
CONFIG_IP_NF_FILTER=y
CONFIG_IP_NF_TARGET_REJECT=y
# CONFIG_IP_NF_TARGET_MIRROR is not set
CONFIG_IP_NF_NAT=y
CONFIG_IP_NF_NAT_NEEDED=y
CONFIG_IP_NF_TARGET_MASQUERADE=y
CONFIG_IP_NF_TARGET_REDIRECT=y
# CONFIG_IP_NF_MANGLE is not set
CONFIG_IP_NF_TARGET_LOG=y
A couple of questions on iptables in Debian:
(1) Is there any package in Debian that automatically sets up NAT the
way ipmasq did for 2.2.x kernels?
(2) Where do I put my NAT and filtering rules?
Thanks.
--
Salman Ahmed
ssahmed AT pathcom DOT com
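The question above asks which option turns on the conntrack code path even on a box that "only" does NAT. The following is an added example, not part of the original post or of any Debian or netfilter tooling: a small POSIX sh checker that reads 2.4-style .config text, reports the state of CONFIG_IP_NF_CONNTRACK, and lists the enabled options that cannot be built without it (in 2.4 the NAT table, MASQUERADE and REDIRECT targets, the state match and the FTP helper all depend on conntrack). The two config excerpts are constructed samples modelled on the options quoted in the post, not read from a live system; the function names are the example's own.

```sh
#!/bin/sh
# Added example (not from the original post): given the text of a 2.4 .config,
# report whether connection tracking is built, and which enabled options pull
# it in even when only NAT is used. Both config excerpts below are constructed
# samples modelled on the post; they are not a real system's .config.

SAMPLE_CONFIG='CONFIG_NETFILTER=y
CONFIG_IP_NF_CONNTRACK=y
CONFIG_IP_NF_FTP=y
CONFIG_IP_NF_IPTABLES=y
# CONFIG_IP_NF_MATCH_STATE is not set
CONFIG_IP_NF_FILTER=y
CONFIG_IP_NF_NAT=y
CONFIG_IP_NF_TARGET_MASQUERADE=y
CONFIG_IP_NF_TARGET_REDIRECT=y'

# A filter-only config (also constructed) for comparison: no conntrack, no NAT.
FILTER_ONLY_CONFIG='CONFIG_NETFILTER=y
# CONFIG_IP_NF_CONNTRACK is not set
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_FILTER=y
# CONFIG_IP_NF_NAT is not set'

# 2.4 options that cannot be enabled without CONFIG_IP_NF_CONNTRACK:
# the NAT table and its targets, the state match, and the FTP helper.
CONNTRACK_DEPENDENTS='CONFIG_IP_NF_NAT CONFIG_IP_NF_TARGET_MASQUERADE CONFIG_IP_NF_TARGET_REDIRECT CONFIG_IP_NF_MATCH_STATE CONFIG_IP_NF_FTP'

# config_state NAME CONFIG_TEXT -> prints y (built in), m (module) or n (off).
# "# NAME is not set" lines and absent options both count as n.
config_state() {
    state=$(printf '%s\n' "$2" | sed -n "s/^$1=\([ym]\)\$/\1/p")
    printf '%s' "${state:-n}"
}

# conntrack_in_use CONFIG_TEXT -> prints yes if conntrack is y or m, else no
conntrack_in_use() {
    case $(config_state CONFIG_IP_NF_CONNTRACK "$1") in
        y|m) printf 'yes' ;;
        *)   printf 'no' ;;
    esac
}

# conntrack_reasons CONFIG_TEXT -> space-separated list of the enabled options
# that require conntrack, so the reader can see exactly what pulls it in
conntrack_reasons() {
    reasons=''
    for opt in $CONNTRACK_DEPENDENTS; do
        case $(config_state "$opt" "$1") in
            y|m) reasons="$reasons $opt" ;;
        esac
    done
    printf '%s' "${reasons# }"
}

# report CONFIG_TEXT -> human-readable summary on stdout
report() {
    printf 'CONFIG_IP_NF_CONNTRACK=%s, conntrack in use: %s\n' \
        "$(config_state CONFIG_IP_NF_CONNTRACK "$1")" "$(conntrack_in_use "$1")"
    r=$(conntrack_reasons "$1")
    if [ -n "$r" ]; then
        printf '  enabled options that depend on conntrack: %s\n' "$r"
    fi
}

report "$SAMPLE_CONFIG"
report "$FILTER_ONLY_CONFIG"
```

To run it against a real kernel, pass the file contents, e.g. `report "$(cat /usr/src/linux/.config)"`. The point the checker makes concrete: with CONFIG_IP_NF_NAT (and MASQUERADE) enabled, CONFIG_IP_NF_CONNTRACK is necessarily enabled too, so a NAT-only setup still runs the connection-tracking code on every packet; building conntrack as a module only defers that until iptable_nat pulls ip_conntrack in.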