Linode Forum
https://forum.linode.com/

Errors starting arno-iptables-firewall on Debian 6 32-bit
https://forum.linode.com/viewtopic.php?f=19&t=7485		 Page 1 of 1
Author:  try4tune [ Sun Jul 31, 2011 4:14 am ]
Post subject:  Errors starting arno-iptables-firewall on Debian 6 32-bit
Hello,

I'm getting the following errors when trying to install arno-iptables-firewall on my Debian 6 (the same problem is on Ubuntu 11.04). I'm executing the following command:
Code:
aptitude install arno-iptables-firewall

Then I enter some configuration values, specify ports to open, and when it asks to restart firewall, the following errors appear:
Code:
E: Sub-process /usr/bin/dpkg returned an error code (1)
A package failed to install.  Trying to recover:
Setting up arno-iptables-firewall (1.9.2.k-4) ...
Restarting Arno's Iptables Firewall...
/sbin/modprobe ip_tables: Module not found! Assuming compiled-in-kernel!
WARNING: (1) Module(s) "nf_conntrack|ip_conntrack" failed to load. Assuming compiled-in-kernel!
WARNING: (1) Module(s) "nf_conntrack_ftp|ip_conntrack_ftp" failed to load. Assuming compiled-in-kernel!
WARNING: (1) Module(s) "xt_conntrack|ipt_conntrack" failed to load. Assuming compiled-in-kernel!
WARNING: (1) Module(s) "xt_limit|ipt_limit" failed to load. Assuming compiled-in-kernel!
WARNING: (1) Module(s) "xt_state|ipt_state" failed to load. Assuming compiled-in-kernel!
WARNING: (1) Module(s) "xt_multiport|ipt_multiport" failed to load. Assuming compiled-in-kernel!
/sbin/modprobe iptable_filter: Module not found! Assuming compiled-in-kernel!
/sbin/modprobe iptable_mangle: Module not found! Assuming compiled-in-kernel!
/sbin/modprobe ipt_REJECT: Module not found! Assuming compiled-in-kernel!
/sbin/modprobe ipt_LOG: Module not found! Assuming compiled-in-kernel!
WARNING: (1) Module(s) "xt_TCPMSS|ipt_TCPMSS" failed to load. Assuming compiled-in-kernel!
WARNING: (1) Module(s) "xt_DSCP|ipt_DSCP|ipt_TOS" failed to load. Assuming compiled-in-kernel!
/sbin/iptables: (1) iptables: No chain/target/match by that name.
/sbin/iptables: (1) iptables: No chain/target/match by that name.
/sbin/iptables: (1) iptables: No chain/target/match by that name.
/sbin/iptables: (1) iptables: No chain/target/match by that name.
/sbin/iptables: (1) iptables: No chain/target/match by that name.
/sbin/iptables: (1) iptables: No chain/target/match by that name.
/sbin/iptables: (1) iptables: No chain/target/match by that name.
/sbin/iptables: (1) iptables: No chain/target/match by that name.
/sbin/iptables: (1) iptables: No chain/target/match by that name.
/sbin/iptables: (1) iptables: No chain/target/match by that name.
/sbin/iptables: (1) iptables: No chain/target/match by that name.
/sbin/iptables: (1) iptables: No chain/target/match by that name.
/sbin/iptables: (1) iptables: No chain/target/match by that name.
/sbin/iptables: (1) iptables: No chain/target/match by that name.
/sbin/iptables: (1) iptables: No chain/target/match by that name.
/sbin/iptables: (1) iptables: No chain/target/match by that name.
/sbin/iptables: (1) iptables: No chain/target/match by that name.
/sbin/iptables: (1) iptables: No chain/target/match by that name.
/sbin/iptables: (1) iptables: No chain/target/match by that name.
/sbin/iptables: (1) iptables: No chain/target/match by that name.
/sbin/iptables: (1) iptables: No chain/target/match by that name.
/sbin/iptables: (1) iptables: No chain/target/match by that name.
/sbin/iptables: (1) iptables: No chain/target/match by that name.
/sbin/iptables: (1) iptables: No chain/target/match by that name.
/sbin/iptables: (1) iptables: No chain/target/match by that name.
/sbin/iptables: (1) iptables: No chain/target/match by that name.
/sbin/iptables: (1) iptables: No chain/target/match by that name.
/sbin/iptables: (1) iptables: No chain/target/match by that name.
/sbin/iptables: (1) iptables: No chain/target/match by that name.
/sbin/iptables: (1) iptables: No chain/target/match by that name.
/sbin/iptables: (1) iptables: No chain/target/match by that name.
/sbin/iptables: (1) iptables: No chain/target/match by that name.
/sbin/iptables: (1) iptables: No chain/target/match by that name.
/sbin/iptables: (1) iptables: No chain/target/match by that name.
Jul 31 09:10:44 WARNING: Not all firewall rules are applied.
FAILED!
invoke-rc.d: initscript arno-iptables-firewall, action "restart" failed.
dpkg: error processing arno-iptables-firewall (--configure):
 subprocess installed post-installation script returned error exit status 1
Errors were encountered while processing:
 arno-iptables-firewall


Could anyone help me please to handle this situation? I used arno-iptables-firewall on Debian 5 previously, and it was running just fine.

Thanks!
Author:  try4tune [ Wed Aug 03, 2011 3:29 am ]
Post subject: 
Nobody knows? :(
Author:  theckman [ Wed Aug 03, 2011 3:39 am ]
Post subject: 
I don't believe the iptables modules are compiled in to the kernel. You'll need to obtain the kernel source for your Linode's kernel and compile the iptables modules against the headers.

You can check your kernel version by running:

Code:
uname -r


You can check http://www.linode.com/src for your kernel source. If it's not listed there, then we compiled that kernel from vanilla sources and you can snag the source from http://kernel.org/

You can also see what modules may be compiled in to the kernel:

Code:
zgrep -i "$module" /proc/config.gz

(replace $module with the module name)

You'll want to check these modules:

try4tune wrote:
Code:
WARNING: (1) Module(s) "nf_conntrack|ip_conntrack" failed to load. Assuming compiled-in-kernel! 
WARNING: (1) Module(s) "nf_conntrack_ftp|ip_conntrack_ftp" failed to load. Assuming compiled-in-kernel! 
WARNING: (1) Module(s) "xt_conntrack|ipt_conntrack" failed to load. Assuming compiled-in-kernel! 
WARNING: (1) Module(s) "xt_limit|ipt_limit" failed to load. Assuming compiled-in-kernel! 
WARNING: (1) Module(s) "xt_state|ipt_state" failed to load. Assuming compiled-in-kernel! 
WARNING: (1) Module(s) "xt_multiport|ipt_multiport" failed to load. Assuming compiled-in-kernel! 
/sbin/modprobe iptable_filter: Module not found! Assuming compiled-in-kernel! 
/sbin/modprobe iptable_mangle: Module not found! Assuming compiled-in-kernel! 
/sbin/modprobe ipt_REJECT: Module not found! Assuming compiled-in-kernel! 
/sbin/modprobe ipt_LOG: Module not found! Assuming compiled-in-kernel! 
WARNING: (1) Module(s) "xt_TCPMSS|ipt_TCPMSS" failed to load. Assuming compiled-in-kernel! 
WARNING: (1) Module(s) "xt_DSCP|ipt_DSCP|ipt_TOS" failed to load. Assuming compiled-in-kernel!


You'll then need to compile the ones not found.

-Tim

Edit: I believe arno is failing because it's assuming the modules are there when they actually aren't.
Author:  rsk [ Wed Aug 24, 2011 8:28 am ]
Post subject: 
If anyone's interested, there are two problems.
First, if you're usng a Linode kernel, you need to set MANGLE_TOS=0 in firewall conf. This is source of all those "chain not found" errors.
Second, if you're using a 3.0.0-kernel, the dashboard's "create modules.dep" option will create /lib/modules/3.0-linodeXX, not 3.0.0-linodeXX, which causes modprobe & co. to go crazy. I've just symlinked the directory for now.
Then, the "module not found, assuming compiled-in" lines are warnings, and can be disabled by COMPILED_IN_KERNEL_MESSAGES=0 in firewall.conf.
Yes, just "investigated" it... honestly, a matter of running the script under sh -x.
Page 1 of 1 All times are UTC-04:00
Powered by phpBB® Forum Software © phpBB Group
http://www.phpbb.com/