* need help with ipset
From: Mike Wright @ 2006-09-11 2:39 UTC
To: netfilter
Hi netfilter users,
Trying to use ipset but having no joy.
O/S is Fedora Core 4, kernel is linux-2.6.16-xen.
I'm using the instructions from ipset.netfilter.net/install.html.
Kernel readied, patch applied, kernel built, iptables built, ipset
built, no errors reported. Only issue was that everything wanted to
install into /usr/local. The Makefile was changed to use this:
PREFIX:=/
LIBDIR:=$(PREFIX)/lib
BINDIR:=$(PREFIX)/sbin
MANDIR:=$(PREFIX)/usr/share/man
INCDIR:=$(PREFIX)/usr/include
I've built and installed the libipset*.so modules into both
/lib/iptables and /lib/ipset.
When iptables is started it reports v1.3.5 and seems to work with my
previous iptables rules.
Trying to create a set:
"ipset -N TEST iphash" fails with:
ipset v2.2.9: Error from kernel: Protocol not available
On Google I found a user with that error, who said he had success once
he loaded the module (didn't say how he did it though). Reading man
iptables says that modules will be loaded implicitly by specifying a
protocol, i.e. -p tcp, etc., or explicitly by specifying a -m "module", so I
tried this:
"iptables -A INPUT -m set --set TEST dst -j ACCEPT" and got
"iptables v1.3.5: Problem when communicating with ipset, errno=92"
(errno=92 is ENOPROTOOPT /* protocol not supported */)
Here are my kernel configs for ipset:
<M> IP set support
(256) Maximum number of IP sets
(1024) Hash size for bindings of IP sets
< > ipmap set support
< > macipmap set support
< > portmap set support
<M> iphash set support
< > nethash set support
< > ipporthash set support
< > iptree set support
<M> set match support
<M> SET target support
Docs are pretty sparse on this, so it could very well be PEBCAK.
Any help would be very appreciated.
Thanks,
Mike Wright :m)
* Re: need help with ipset
From: Jozsef Kadlecsik @ 2006-09-14 6:58 UTC
To: Mike Wright; +Cc: netfilter
On Sun, 10 Sep 2006, Mike Wright wrote:
> Trying to create a set:
> "ipset -N TEST iphash" fails with:
> ipset v2.2.9: Error from kernel: Protocol not available
The ipset binary isn't smart enough to autoload the ip_set kernel module,
you need to load it manually (or via /etc/modules at system boot time):
# modprobe ip_set
Best regards,
Jozsef
-
E-mail : kadlec@blackhole.kfki.hu, kadlec@sunserv.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
H-1525 Budapest 114, POB. 49, Hungary
* Re: need help with ipset
From: Mike Wright @ 2006-09-15 16:29 UTC
To: netfilter
Jozsef Kadlecsik wrote:
> On Sun, 10 Sep 2006, Mike Wright wrote:
>
>> Trying to create a set:
>> "ipset -N TEST iphash" fails with:
>> ipset v2.2.9: Error from kernel: Protocol not available
>
> The ipset binary isn't smart enough to autoload the ip_set kernel module,
> you need to load it manually (or via /etc/modules at system boot time):
>
> # modprobe ip_set
>
Thanks Jozsef. (Sorry for private reply. Meant to reply to the list.)
That worked. Also had to modprobe ip_set_iphash.
Still can't get iptables to recognize my set. Can't find which step
I've missed. Here's the ipset -L
Name: BADIPS
Type: iphash
References: 0
Default binding:
Header: hashsize: 1024 probes: 8 resize: 50
Members:
3.4.5.6
2.3.4.5
1.2.3.4
Bindings:
...and modules
lsmod |grep ip_set
ip_set_iphash 8164 1
ip_set 20828 2 ip_set_iphash
Now I want to add a rule to iptables.
"iptables -A INPUT -m set --set BADIPS src -j DROP"
But it errs with
"iptables: No chain/target/match by that name"
It seems that iptables does not know about BADIPS? <Grasping />
If anyone knows what is missing I would sure appreciate the help :)
Thanks,
Mike Wright
> Best regards,
> Jozsef
* Re: need help with ipset
From: Mr Ritter @ 2006-09-15 16:36 UTC
To: Mike Wright; +Cc: netfilter
Mike Wright wrote:
> Now I want to add a rule to iptables.
>
> "iptables -A INPUT -m set --set BADIPS src -j DROP"
How about:
iptables -t filter -A INPUT -m set --set BADIPS src -j DROP
--
Ritter
* Re: need help with ipset
From: Mike Wright @ 2006-09-15 16:46 UTC
To: netfilter
Mr Ritter wrote:
> Mike Wright wrote:
>
>> Now I want to add a rule to iptables.
>>
>> "iptables -A INPUT -m set --set BADIPS src -j DROP"
>
>
> How about:
>
> iptables -t filter -A INPUT -m set --set BADIPS src -j DROP
>
Thanks for the reply. No joy. Also tried specifying a protocol
thinking it might require one but that had no effect either. Other
insights?
:m)
> --
> Ritter
* iptables - port forwarding in LAN
From: Snehasis Sinha @ 2006-09-18 12:11 UTC
To: netfilter
Hi,
I am trying to port forward in a closed network (a LAN not connected to the real internet or any outside network) to a machine, but could not do it successfully. The scenario is:
I have host_a (10.5.1.100), host_b (10.5.1.200) and host_c (10.5.1.150) connected among themselves. From host_c I am accessing the http service at host_a using http://10.5.1.100:80. I can access the tomcat server using http://10.5.1.200:8080 from host_c. Now I want to use http://10.5.1.100:80 to access 10.5.1.200:8080 from the same host (host_c), i.e. all http requests targeted to 10.5.1.100:80 should be redirected to 10.5.1.200:8080, so that pages from host_b:8080 come to host_c but appear to come from host_a:80.
How do I do that using iptables? Please advise.
Thanks in advance
-snehasis
* Re: need help with ipset [SOLVED]
From: Mike Wright @ 2006-09-20 16:20 UTC
To: netfilter
> Now I want to add a rule to iptables.
>
> "iptables -A INPUT -m set --set BADIPS src -j DROP"
>
> But it errs with
>
> "iptables: No chain/target/match by that name"
>
> It seems that iptables does not know about BADIPS? <Grasping />
Sorry for the noise. This was not an ipset problem. It was operator
error. My kernel modules got out of sync. There is a BIG difference
between "make modules install" and "make modules_install".
Thanks for the ipset module, Jozsef. It replaced a really UGLY iptables
ruleset with a very elegant one line solution.
:m)
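As an added example (not code from the thread, and not from the ipset project), a small POSIX shell preflight that ties the fixes in this thread together: it reports which of the ip_set, ip_set_iphash and set-match modules are still absent from lsmod output, and checks that those modules were actually installed under /lib/modules for the running kernel before the one-line DROP rule is applied. The module name ipt_set for the iptables set match of that era, the sample lsmod text and the 1.2.3.4 member are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or the ipset project): preflight for
# the setup above. ipset does not autoload ip_set, an iphash set also
# needs ip_set_iphash, and "No chain/target/match by that name" from
# "-m set" means the set-match module is unusable by the running kernel
# (e.g. installed for another kernel, as in the [SOLVED] post).
# Assumption: the iptables set match module is named ipt_set.
REQUIRED="ip_set ip_set_iphash ipt_set"

# missing_modules LSMOD_TEXT: print required modules absent from the
# given lsmod output, space separated (empty line when none missing).
missing_modules() {
    missing=""
    for m in $REQUIRED; do
        if ! printf '%s\n' "$1" | awk -v m="$m" '$1 == m { f = 1 } END { exit !f }'; then
            missing="$missing $m"
        fi
    done
    printf '%s\n' "${missing# }"
}

# modules_match_kernel MODDIR KVER: succeed only if every required .ko
# exists under MODDIR/KVER, the tree that "make modules_install" fills
# for the kernel "uname -r" reports (a plain "make modules" does not).
modules_match_kernel() {
    for m in $REQUIRED; do
        find "$1/$2" -name "$m.ko" 2>/dev/null | grep -q . || return 1
    done
    return 0
}

# Constructed sample mirroring the "lsmod | grep ip_set" output posted
# in the thread: ip_set and ip_set_iphash loaded, set match not loaded.
SAMPLE_LSMOD='ip_set_iphash 8164 1
ip_set 20828 2 ip_set_iphash'
echo "missing from sample: $(missing_modules "$SAMPLE_LSMOD")"

# With IPSET_PREFLIGHT_APPLY=1, as root, check the live system and then
# install the one-line rule from the thread.
if [ "${IPSET_PREFLIGHT_APPLY:-0}" = 1 ]; then
    modules_match_kernel /lib/modules "$(uname -r)" || {
        echo "no ipset modules for $(uname -r): run make modules_install" >&2
        exit 1
    }
    for m in $(missing_modules "$(lsmod)"); do modprobe "$m"; done
    ipset -N BADIPS iphash
    ipset -A BADIPS 1.2.3.4   # constructed sample address
    iptables -A INPUT -m set --set BADIPS src -j DROP
fi
```

Run without the environment variable it only evaluates the constructed sample; with IPSET_PREFLIGHT_APPLY=1 it inspects the live kernel, module tree and lsmod output instead.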
* need help with ipset
From: Mike Wright @ 2006-09-10 18:14 UTC
To: netfilter