[TriLUG] Debian woody and ipchains/iptables

David Rasch rasch at raschnet.com
Sun Oct 31 08:37:52 EST 2004


Tom Bryan wrote:

>Hi, all.  I'm back to trying Debian again.  The good news is that I made more 
>progress this time.  I grabbed one of the mini-CD images listed on 
>http://www.debian.org/CD/netinst/, and it configured my network card from 
>DHCP and let me use tasksel to get a decent system installed.
>
>Now, I run no services that I want others to see, so the first thing that I 
>want to do is put up an ipchains or iptables firewall that basically drops 
>anything incoming that's not a response to one of my requests (DHCP, DNS, 
>HTTP, FTP, POP, or IMAP-SSL to machines outside my network).  I also plan to 
>use this box as a firewall doing NAT for the rest of my network.
>
>The Debian Woody box runs, boots, and seems to function.  My first step after 
>initial software installation was to check what my firewall rulelist looked 
>like.  Since the install gave me a 2.2 kernel, I tried ipchains -L.  I got an 
>error message saying that ipchains was not compatible with my kernel.  I 
>noticed that iptables was also installed.  So, I tried running iptables -L, 
>hoping that Debian simply installed a 2.2 kernel with whatever it needed for 
>iptables instead of ipchains.  Nope.  I get an error saying
>
>"modprobe: Can't locate module ip_tables
>iptables v1.2.11: can't initialize iptables table `filter': iptables who?
>(do you need to insmod?)
>Perhaps iptables or your kernel needs to be upgraded."
>
>For this machine, ipchains would be fine with me, but when I go looking for 
>information on this topic, I keep finding instructions about how to upgrade 
>my woody kernel to 2.4 so that I can use iptables.  That sounds like more 
>work than I really want to do at the moment.  
>
>Has anyone hit this problem with a fresh Debian Woody install?
>  
>
It's very likely that you copied the kernel from your installation 
medium, which is intentionally a bit of a stripped-down kernel so that it 
can optimize the space on the installation disks.  If ipchains is 
sufficient, I'd recommend installing a 2.2 kernel using apt-get: 
"apt-get install kernel-image-2.2.20".  You can do a search for all 
available 2.2 kernels with: "apt-cache search kernel-image-2.2".  I'd 
be extremely surprised if these kernels don't contain ipchains support, 
but you might have to load a module to enable the support.  I honestly 
don't remember, as it's been quite a while since using a 2.2 kernel on 
Debian for me.

If you're willing to go with a 2.4 kernel, then follow Criumsun's advice 
for the setup.  I also highly recommend Shorewall with a 2.4 kernel.

Best of luck,
David
