-----Original Message----- From: Steve Grubb [mailto:sgrubb@redhat.com] Sent: 22 October 2009 21:39 To: Kedar Sovani; fedora-arm@redhat.com Subject: Re: [fedora-arm] Fedora-11 Status
On Tuesday 06 October 2009 04:45:33 am you wrote:
I was wondering if in the next kernel build if netfilter/iptables can be enabled?
We do not disable it.
The kernel build just picks the default fedora kernel configuration and merges the arch-specific ("config-arm" in our case) exception file. This file hasn't disabled iptables:
http://cvs.fedoraproject.org/viewvc/rpms/kernel/devel/config-arm?revision=1.5
OK, I assumed it was not working because:
iptables-restore /etc/sysconfig/iptables
FATAL: Could not load /lib/modules/2.6.30-00000-v2.6.30/modules.dep: No such file or directory
iptables-restore v1.4.3.1: iptables-restore: unable to initialize table 'filter'
Error occurred at line: 3
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Have you installed all the kernel modules for your kernel at install_root/lib/modules/<kernel_version> ?
Maybe it does not find the kernel modules to load?
Kedar.
I traced through the initscript and decided to just try iptables-restore by itself. The initscripts really want a loadable module. Anyways, based on your comment, I tried setting --modprobe=/bin/true to trick it. No luck. It doesn't complain about not being able to load the module anymore, but still fails at line 3. The firewall rules are simple:
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
Running strace, it dies like this:
socket(PF_INET, SOCK_RAW, IPPROTO_RAW) = 4
getsockopt(4, SOL_IP, 0x40 /* IP_??? */, 0xbeda7ee8, 0xbeda7ee0) = -1 ENOPROTOOPT (Protocol not available)
close(4) = 0
-Steve
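The getsockopt in that strace is how iptables asks the kernel whether a table exists: option 0x40 at SOL_IP is IPT_SO_GET_INFO (IPT_BASE_CTL = 64 in linux/netfilter_ipv4/ip_tables.h), and the kernel answers ENOPROTOOPT when no ip_tables getsockopt handler is registered at all, as opposed to ENOENT when ip_tables is there but the named table is not. The program below is an added example, not code from this thread or from the iptables project: it repeats that probe for the "filter" table and turns the errno into a diagnosis, so you can tell "no netfilter in this kernel" apart from "module not loaded" or "not root" without reading strace. The constants and struct layout are copied from the kernel header so it builds without kernel headers; it assumes a Linux host and needs root or CAP_NET_RAW to open the raw socket.

```c
/* Probe for ip_tables support the way iptables-restore does (added example).
 * Build: cc -o iptprobe iptprobe.c ; run as root or with CAP_NET_RAW. */
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Mirrors linux/netfilter_ipv4/ip_tables.h so no kernel headers are needed. */
#define IPT_BASE_CTL          64          /* the 0x40 seen in strace */
#define IPT_SO_GET_INFO       IPT_BASE_CTL
#define IPT_TABLE_MAXNAMELEN  32
#define NF_IP_NUMHOOKS        5

struct ipt_getinfo {
    char name[IPT_TABLE_MAXNAMELEN];     /* caller fills in the table name */
    unsigned int valid_hooks;            /* kernel fills in the rest */
    unsigned int hook_entry[NF_IP_NUMHOOKS];
    unsigned int underflow[NF_IP_NUMHOOKS];
    unsigned int num_entries;
    unsigned int size;
};

enum ipt_probe_result {
    IPT_PROBE_OK,          /* kernel answered: table is registered */
    IPT_PROBE_NO_PRIV,     /* raw socket / getsockopt refused: need root or CAP_NET_RAW */
    IPT_PROBE_NO_IPTABLES, /* ENOPROTOOPT: no ip_tables sockopt handler in this kernel */
    IPT_PROBE_NO_TABLE,    /* ENOENT: ip_tables present, but this table is not */
    IPT_PROBE_OTHER        /* anything else (EINVAL on a size mismatch, etc.) */
};

/* Map the errno left by getsockopt(SOL_IP, IPT_SO_GET_INFO) to a diagnosis.
 * err == 0 means the call succeeded. */
enum ipt_probe_result ipt_classify_getsockopt_errno(int err)
{
    switch (err) {
    case 0:           return IPT_PROBE_OK;
    case ENOPROTOOPT: return IPT_PROBE_NO_IPTABLES;
    case ENOENT:      return IPT_PROBE_NO_TABLE;
    case EPERM:
    case EACCES:      return IPT_PROBE_NO_PRIV;
    default:          return IPT_PROBE_OTHER;
    }
}

const char *ipt_probe_describe(enum ipt_probe_result r)
{
    switch (r) {
    case IPT_PROBE_OK:          return "table present";
    case IPT_PROBE_NO_PRIV:     return "permission denied: run as root or with CAP_NET_RAW";
    case IPT_PROBE_NO_IPTABLES: return "ENOPROTOOPT: kernel has no ip_tables support loaded";
    case IPT_PROBE_NO_TABLE:    return "ENOENT: ip_tables loaded, but table not registered";
    default:                    return "unexpected error";
    }
}

/* Perform the probe for one table. Returns the diagnosis; on success also
 * reports the entry count and rule blob size the kernel returned. */
enum ipt_probe_result ipt_probe_table(const char *table, unsigned int *entries,
                                      unsigned int *bytes)
{
    struct ipt_getinfo info;
    socklen_t len = sizeof(info);   /* kernel rejects any other length with EINVAL */
    int fd = socket(PF_INET, SOCK_RAW, IPPROTO_RAW);
    if (fd < 0)
        return (errno == EPERM || errno == EACCES) ? IPT_PROBE_NO_PRIV : IPT_PROBE_OTHER;

    memset(&info, 0, sizeof(info));
    strncpy(info.name, table, sizeof(info.name) - 1);
    int err = getsockopt(fd, IPPROTO_IP, IPT_SO_GET_INFO, &info, &len) < 0 ? errno : 0;
    close(fd);

    enum ipt_probe_result r = ipt_classify_getsockopt_errno(err);
    if (r == IPT_PROBE_OK) {
        if (entries) *entries = info.num_entries;
        if (bytes)   *bytes = info.size;
    }
    return r;
}

int main(int argc, char **argv)
{
    const char *table = argc > 1 ? argv[1] : "filter";
    unsigned int entries = 0, bytes = 0;
    enum ipt_probe_result r = ipt_probe_table(table, &entries, &bytes);
    printf("table '%s': %s\n", table, ipt_probe_describe(r));
    if (r == IPT_PROBE_OK)
        printf("  %u entries, %u bytes of rules\n", entries, bytes);
    return r == IPT_PROBE_OK ? 0 : 1;
}
```

Passing --modprobe=/bin/true only skips the attempt to load a module; the getsockopt still has to be answered by the kernel, which is why the failure moves from the modules.dep message to the "unable to initialize table" message. On a box where the probe reports ENOPROTOOPT, no rule file will load until the running kernel has ip_tables (built in or as a loadable module under /lib/modules/<kernel_version>).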