Patch-o-matic help

Patch-o-matic help

[System Administrator]

anybody arround that can assist a new iptables administrator--I 
Hope..............

I have iptable 1.26 setup on a Redhat 8 server.  This server also needs to 
function as a PPTP VPN server.  It appears that PoPToP is the only reasonable 
way to acomplish that.  I can get PoTPoP to work but I am told that I need to 
be able to pass GRE packets.
  It looks like there is a patch to do this but requires patch-o-matic.  
Looking at the README, it looks like I run a command called runme.  and then 
recompile the Kernel.
  I'm yet to go through the recompile.  Anybody willing to help the 
inexperienced become experienced?

Thanks (in advance)
-- 
Leon Sonntag

DROP command

[Remus]

Hi folks,

I have a Linux box firewall (iptables 1.2.7a) with NAT/MASQUERADING.
How I can block all local network access to my firewall excluding some local
IP addresses?
I tried these command but it doesn't work:

/usr/local/sbin/iptables -A INPUT -i eth2 -s 10.105.105.0/24 -j DROP
/usr/local/sbin/iptables -A INPUT -i eth2 -s 10.105.105.20 -j ACCEPT

Thank you in advance

Remus

Re: Patch-o-matic help

[Chris Wilson]

Hello, Mr Administrator,

> I have iptable 1.26 setup on a Redhat 8 server.  This server also needs to 
> function as a PPTP VPN server.  It appears that PoPToP is the only reasonable 
> way to acomplish that.  I can get PoTPoP to work but I am told that I need to 
> be able to pass GRE packets.
>   It looks like there is a patch to do this but requires patch-o-matic.  
> Looking at the README, it looks like I run a command called runme.  and then 
> recompile the Kernel.
>   I'm yet to go through the recompile.  Anybody willing to help the 
> inexperienced become experienced?

You don't need any patch-o-matic, the functionality is built into iptables
since long ago. You just need to allow in Protocol 47 (GRE) as well as TCP
port 1723 (PPTP control channel). So the following rules should do it:

iptables -I INPUT -i <external-interface> -p tcp --dport 1723 -j ACCEPT
iptables -I INPUT -i <external-interface> -p 47               -j ACCEPT

If you only need connections from certain IP addresses, then you can 
narrow this down in order to protect your PPTP server from intruders.

By the way, if you make a custom kernel with the PPTP NAT patch, then it 
may cause problems with running a PPTP server on the same machine (at 
least, I saw this in one case, but I didn't build that kernel so I don't 
know exactly which patch was used).

Cheers, Chris.
--
   ___ __     _
 / __// / ,__(_)_  | Chris Wilson -- UNIX Firewall Lead Developer |
/ (_ / ,\/ _/ /_ \ | NetServers.co.uk http://www.netservers.co.uk |
\ _//_/_/_//_/___/ | 21 Signet Court, Cambridge, UK. 01223 576516 |

RE: Patch-o-matic help

[Rob Sterenborg]

> By the way, if you make a custom kernel with the PPTP NAT 
> patch, then it 
> may cause problems with running a PPTP server on the same machine (at 
> least, I saw this in one case, but I didn't build that kernel 
> so I don't 
> know exactly which patch was used).

I have seen this happening too with kernels I built myself.

http://www.netfilter.org/documentation/pomlist/pom-extra.html#pptp-connt
rack-nat :
----
Note that this code currently has limitations
- can only NAT connections from PNS to PAC
- doesnt' support multiple calls within one session
----

So, what I think I should read here is that it isn't needed (read : you
should not use) if you have Poptop running on the same box as iptables
as no conntrack or nat is needed. (Correct me if I'm wrong, but that is
my experience..)

OTOH, if you have pptp clients (*not* a server) behind iptables then you
should only use ip_conntrack_pptp.
When you have this setup, don't load ip_nat_pptp because you won't be
able to connect to Poptop anymore.
In my case ; when I don't load ip_conntrack_pptp then sometimes I can
connect to Poptop and sometimes not. With ip_conntrack_pptp this
behaviour is solved.


Rob

patch-o-matic help

[Noman Liaquat]

I am using kernel

Operating system=REDHAT ENTERPRISE LINUX#ES
kernel= linux-2.6.14.4
iptables=iptables-1.3.2

i downloaded the patch-o-matic
svn co
https://svn.netfilter.org/netfilter/trunk/patch-o-matic-ng

i tried 10 times after patching the kernel with
patch-matic, but getting the same error. 

why

---------------------------------ERROR---------------------------------
scripts/Makefile.build:51: kbuild:
net/ipv4/netfilter/Makefile - Usage of export-objs is
obsolete in 2.6. Please fix!
  CC [M]  net/ipv4/netfilter/ip_conntrack_standalone.o
In file included from
include/linux/netfilter_ipv4/ip_conntrack.h:157,
                 from
net/ipv4/netfilter/ip_conntrack_standalone.c:34:
include/linux/netfilter_ipv4/ip_conntrack_talk.h:7:43:
linux/netfilter_ipv4/lockhelp.h: No such file or
directory
In file included from
include/linux/netfilter_ipv4/ip_conntrack.h:157,
                 from
net/ipv4/netfilter/ip_conntrack_standalone.c:34:
include/linux/netfilter_ipv4/ip_conntrack_talk.h:10:
warning: type defaults to `int' in declaration of
`DECLARE_LOCK_EXTERN'
include/linux/netfilter_ipv4/ip_conntrack_talk.h:10:
warning: parameter names (without types) in function
declaration
include/linux/netfilter_ipv4/ip_conntrack_talk.h:10:
warning: data definition has no type or storage class
make[3]: ***
[net/ipv4/netfilter/ip_conntrack_standalone.o] Error 1
make[2]: *** [net/ipv4/netfilter] Error 2
make[1]: *** [net/ipv4] Error 2
make: *** [net] Error 2
---------------------------------ERROR---------------------------------

Regards
Khan


		
__________________________________________ 
Yahoo! DSL – Something to write home about. 
Just $16.99/mo. or less. 
dsl.yahoo.com 

Re: patch-o-matic help

[Noman Liaquat]

Now after compilation of all things. i am getting this
error. what that means my kernel is not compiled
properly or my iptables have some problem



[root@mail iptables-1.3.4]# iptables -A INPUT -p tcp
-m string --string "/bin/sh" -j DROP iptables v1.3.4:
STRING match: You must specify `--algo'
Try `iptables -h' or 'iptables --help' for more
information.

Regards
khan
--- Noman Liaquat <khankhn1@yahoo.com> wrote:

> 
> I am using kernel
> 
> Operating system=REDHAT ENTERPRISE LINUX#ES
> kernel= linux-2.6.14.4
> iptables=iptables-1.3.2
> 
> i downloaded the patch-o-matic
> svn co
>
https://svn.netfilter.org/netfilter/trunk/patch-o-matic-ng
> 
> i tried 10 times after patching the kernel with
> patch-matic, but getting the same error. 
> 
> why
> 
>
---------------------------------ERROR---------------------------------
> scripts/Makefile.build:51: kbuild:
> net/ipv4/netfilter/Makefile - Usage of export-objs
> is
> obsolete in 2.6. Please fix!
>   CC [M] 
> net/ipv4/netfilter/ip_conntrack_standalone.o
> In file included from
> include/linux/netfilter_ipv4/ip_conntrack.h:157,
>                  from
> net/ipv4/netfilter/ip_conntrack_standalone.c:34:
>
include/linux/netfilter_ipv4/ip_conntrack_talk.h:7:43:
> linux/netfilter_ipv4/lockhelp.h: No such file or
> directory
> In file included from
> include/linux/netfilter_ipv4/ip_conntrack.h:157,
>                  from
> net/ipv4/netfilter/ip_conntrack_standalone.c:34:
> include/linux/netfilter_ipv4/ip_conntrack_talk.h:10:
> warning: type defaults to `int' in declaration of
> `DECLARE_LOCK_EXTERN'
> include/linux/netfilter_ipv4/ip_conntrack_talk.h:10:
> warning: parameter names (without types) in function
> declaration
> include/linux/netfilter_ipv4/ip_conntrack_talk.h:10:
> warning: data definition has no type or storage
> class
> make[3]: ***
> [net/ipv4/netfilter/ip_conntrack_standalone.o] Error
> 1
> make[2]: *** [net/ipv4/netfilter] Error 2
> make[1]: *** [net/ipv4] Error 2
> make: *** [net] Error 2
>
---------------------------------ERROR---------------------------------
> 
> Regards
> Khan
> 
> 
> 		
> __________________________________________ 
> Yahoo! DSL – Something to write home about. 
> Just $16.99/mo. or less. 
> dsl.yahoo.com 
> 
> 


__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 

Re: patch-o-matic help

[Jozsef Kadlecsik]

On Thu, 22 Dec 2005, Noman Liaquat wrote:

> Operating system=REDHAT ENTERPRISE LINUX#ES
> kernel= linux-2.6.14.4
> iptables=iptables-1.3.2
>
> i downloaded the patch-o-matic
> svn co
> https://svn.netfilter.org/netfilter/trunk/patch-o-matic-ng
>
> i tried 10 times after patching the kernel with
> patch-matic, but getting the same error.
[...]
> ---------------------------------ERROR---------------------------------
> scripts/Makefile.build:51: kbuild:
> net/ipv4/netfilter/Makefile - Usage of export-objs is
> obsolete in 2.6. Please fix!
>   CC [M]  net/ipv4/netfilter/ip_conntrack_standalone.o
> In file included from
> include/linux/netfilter_ipv4/ip_conntrack.h:157,
>                  from
> net/ipv4/netfilter/ip_conntrack_standalone.c:34:
> include/linux/netfilter_ipv4/ip_conntrack_talk.h:7:43:

Do you really need the conntrack/nat helper for talk?

If not, simply do not apply the patch from pom-ng or do not select the
helper when configuring the kernel.

The talk helper in pom-ng is a relic and hasn't been updated for a long
time.

Best regards,
Jozsef
-
E-mail  : kadlec@blackhole.kfki.hu, kadlec@sunserv.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary