
Re: no ipchains with 2.2/no network with 2.4



In fact, I would say that recompiling a kernel is not very difficult,
really. You have some commands to know, some packages to install, and
it's all right.

 If you speak French, I have written a Debian tutorial for newbies,
where I explain how to recompile a personal kernel (the normal way and
the Debian way):

http://www.pcinpact.com/forum/index.php?showtopic=24097

 and a friend of mine has written another one where he explains the
different options in the kernel configuration interface.

  And I'm sure that there are a lot of good tutorials about recompiling
one's own kernel.

  About iptables, I think the best thing to do is to download one
from another Debian user. I could send you mine, which assumes
ipconntrack too. It runs on a gateway with an Apache server. And if you
read French, I could send you a very good (and simple) how-to about
iptables. I haven't yet written my own tutorial about
iptables/ipconntrack.

   And don't forget: "Linux is user friendly, it's just very
selective about who its friends are."


 Rem

On Wed, 05 Jan 2005 18:26:56 +0100, Pierre A. Damas
<pierredamas@hotmail.com> wrote:
> Thanks Rem for your answer, but as you can expect, it doesn't help ;-)
> 
> > > Prerequisite: I don't want to compile my kernel myself (insmod
> > > should be sufficient), certainly not on that machine (which is my
> > > only linux).
> 
> I have of course nothing that would make me think that I am more
> able to rebuild a kernel than the debian person who created the
> kernel-image, and if I can reach his level (after reading a lot of
> documentation and trying a lot), nothing makes me believe that exactly
> the same problem would not occur...
> 
> Of course, I may have only a "weak" security (and once I have a better
> config, I'll ask you to run your thing to check it), but it is why I
> rely on knowledgeable people building the kernels and modules for me
> and giving me good advice.
> 
> But for each domain I touch in my computer life, there is always a
> balance between the benefit I expect from it, and the time and effort
> I can invest.
> 
> If I need a database, I would use a distribution, although some advised
> postgres guru could tell me that I should really take the sources and
> recompile it, to be more performant or more secure, or more ...
> 
> I think (I hope) I have a good 2.4 kernel, and with everything open in
> iptables (I want first to be sure that it works), I cannot connect to any
> network.
> 
> In fact, I think I have a very secure config ;-)
> 
> Thanks anyway for the time you took answering me...
> 
> Pierre A.
> 
> >From: Rem <remy.harel@gmail.com>
> >Reply-To: Rem <remy.harel@gmail.com>
> >To: "Pierre A. Damas" <pierredamas@hotmail.com>
> >Subject: Re: no ipchains with 2.2/no network with 2.4
> >Date: Wed, 5 Jan 2005 17:05:26 +0100
> >
> >  Hi,
> >
> >   I think you'd really better try to read a documentation and overall
> >recompile your own kernel ( it's very simple, maybe not the first
> >time, but after some tries, it's really easy ). You should recompile
> >the last 2.4 kernel for your server, and then learn basics about
> >iptables and make some good iptables rules, or find a good how-to or
> >script. Ask the firewall list for a base script.
> >
> >  Today, you'd probably have a very poor security. If you want to mail
> >me your @ip I could run a good nmap on it and tell you back if it's
> >secure or not. And by the way, you should use ipconntrack too, with
> >iptables, it's very important.
> >
> >  Rem
> >
> >
> >On Wed, 05 Jan 2005 16:53:10 +0100, Pierre A. Damas
> ><pierredamas@hotmail.com> wrote:
> > > Hello,
> > >
> > > I posted this also in firewall, but I think it can be installation
> > > related, so I post it also in the plain user list.  Sorry for this
> > > cross posting, but I don't know yet the frequentation of both lists
> > > and where the problem really belongs...
> > >
> > > I am fairly new to debian and firewalls, although I can read
> > > documentation ;-)
> > > I want to reuse an old machine to serve as firewall/proxy between
> > > two subnets (with Windows machines) (192.168.1.0 (internal) and
> > > 192.168.254.0 (dmz))
> > >
> > > In the dmz, the router acts as additional firewall for access to my
> > > ISP (gateway: 192.168.254.1)
> > >
> > > I installed my old Pentium-MMX 200 65Mb RAM, two network adapters
> > > (ne and 8139too).
> > > Prerequisite: I don't want to compile my kernel myself (insmod
> > > should be sufficient), certainly not on that machine (which is my
> > > only linux).
> > > I understood that ipfwadm is used for kernel 2.0, ipchains for 2.2
> > > and iptables for 2.4+.
> > >
> > > Since I installed the woody distribution, I am the happy owner of a
> > > kernel 2.2.
> > >
> > > In that config, the network works fine (from the server, I can ping
> > > the two subnets and access Internet).  I installed squid and
> > > everything is ok.
> > >
> > > I would like to use ipchains, but it is "not supported in this
> > > Kernel", so I searched everywhere to find an ipchains.o module to
> > > insmod for 2.2 (I found for 2.4).  In which package would it be ?
> > >
> > > ...
> > >
> > > As an alternative, I installed the kernel 2.4.  There, iptables is
> > > correctly configured, with ACCEPT policies by default.  But in this
> > > config, the network doesn't work.  I checked with ifconfig, and
> > > ensured that eth0 and eth1 are up (and it is the case), but I cannot
> > > ping any other machine than the server itself on both subnets, and
> > > of course cannot access internet.
> > >
> > > Iptables seems to be out of cause, since if I halt it, my ping
> > > requests are correctly rejected with a message, instead of
> > > "hanging"...
> > >
> > > For the rest, the network config is exactly the same as the one
> > > defined for kernel 2.2.  But maybe there are changes in the network
> > > between these two versions ?
> > >
> > > So, my two questions:
> > >
> > > a) where is ipchains.o for the kernel 2.2 ?
> > > and/or
> > > b) what component, installed by default in the
> > > kernel-image-2.4.16-586, could be the cause of my network blockage ?
> > >
> > > I invested more than 20 hours to read all google mailing-lists
> > > information, firewall how-tos, etc., so a view on the problem by a
> > > fresh mind would be appreciated...
> > >
> > > Thanks,
> > > Pierre A.
> > >
> >
> >
> >--
> >Remy HAREL - remy.harel@gmail.com
> >Linux Registered User #224740
> >http://remyharel.homelinux.com
> 


-- 
Remy HAREL - remy.harel@gmail.com
Linux Registered User #224740
http://remyharel.homelinux.com


