Re: Arnos firewall script
thanks for the pionters.. problem solved, thanks to the input from this list and also from Arno himself... here's my reply to his post on the scripts own mailing list (for anyone interested):
Thanks for the suggestions. It pointed me in the the right direction.
I did some tracing through the script and looked at the modules in /lib/modules/2.4.18/kernel/net/ipv4/netfilter and it seemed in addition to the modules the script loads, there were three others which I needed to load as well: ipt_LOG.o, ipt_TOS.o, and ipt_TCPMSS.o
Loading these removed pretty much all the errors I was getting, oh and removing any mention to "-m limit --limit...", which I was informed in the Debian-sparc mailing list is needed due to a bug in the iptables implementation on that distro right now...
anyway, all was good except a couple mentions in your script to the nat table... it seems (or at least I think this is the case) that even though I've specified NAT=0, the script still has some references to the nat table (i.e. when flushing all rules) which causes iptables to throw an error message since the table doesn't exist/isn't loaded. I don't know if this is a bug or not, but I thought I'd let you know.
In my case, I'm not using the script on a gateway box, its a standalone machine and I liked the simplicity of the config on your script, so perhaps my particular case isn't one you intended the script for, anyway, everything goes smoothly if I set NAT=1, or load the iptable_nat module by default at the start of the script.
Thanks for the pointers and a great utility!
----- Original Message -----
From: firstname.lastname@example.org (Brian Campbell)
Date: Saturday, May 1, 2004 10:16 am
Subject: Re: Arnos firewall script
> On Sat, May 01, 2004 at 01:09:56AM +0200, Jan Houstek wrote:
> > On Fri, 30 Apr 2004, Jeff Adams wrote:
> > > Unfortunately, it looks like the limit module is broken for the
> > > ultrasparcs, so you'll need to remove/modify those line to
> remove the
> > > reference to the limit module.
> > Weird! Limit module (both kernel and userspace) work just fine
> on my
> > woody-running ultrasparcs. I use to compile kernels by my own
> due to some
> > security enhancements but I'm not aware of any changes against the
> > distribution kernel which would somehow influence the limit module
> > behaviour.
> I had the same problems with the limit module on an ultra1. It
> appearsto be an API issue:
> There's some discussion on the netfilter lists too. I've no idea
> why it
> would work for you though.
> To UNSUBSCRIBE, email to debian-sparc-REQUEST@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact