iptables 'make' killed my box

iptables 'make' killed my box

[Scott Gaertner]

Hello,

I tried to build iptables 1.2.8 today, and failed miserably.  My system 
is Debian Linux - 2.4.18-c3 kernel, i686.

I downloaded the package, entered the directory, typed "make 
KERNEL_DIR=/usr/src/kernel-source-2.4.18/", and after a listing of 
found extensions, I lost connection to the box.  (Complete transcript 
at end of message).  I can no longer even ping any address on that 
network. (The machine was acting as a router as well).

I am trying to get physical access to the machine, and when (if) I get 
it, my time there will be extremely limited.  I would *greatly* 
appreciate any suggestions along the following lines --

- Could the 'make' command alone have killed my box, or must it have 
been a coincidence?

- If it was iptables, can anyone give me a hint as to how to reverse 
the effects as efficiently and quickly as possible?

- Alternatively, is this normal behavior, and do I just need to 
complete the install and open up traffic?

Any help would be appreciated -- I was acting quickly to block an 
influx of spam, and my actions have affected a lot of people.

Thank you in advance,

-Scott Gaertner
  scott@caffeinemediainc.com
  917-495-4276


% /usr/src# bzip2 -d iptables-1.2.8.tar.bz2
% /usr/src# tar -xf iptables-1.2.8.tar
% /usr/src# cd iptables-1.2.8
% /usr/src/iptables-1.2.8# make 
KERNEL_DIR=/usr/src/kernel-source-2.4.18/
Making dependencies: please wait...
Extensions found:
cc -O2 -Wall -Wunused -I/usr/src/kernel-source-2.4.18//include 
-Iinclude/ -DIPTABLES_VERSION=\"1.2.8\"  -fPIC -o 
extensions/libipt_ah_sh.o -c extensions/libipt_ah.c
ld -shared -o extensions/libipt_ah.so extensions/libipt_ah_sh.o
cc -O2 -Wall -Wunused -I/usr/src/kernel-source-2.4.18//include 
-Iinclude/ -DIPTABLES_VERSION=\"1.2.8\"  -fPIC -o 
extensions/libipt_conntrack_sh.o -c extensions/libipt_conntrack.c
ld -shared -o extensions/libipt_conntrack.so 
extensions/libipt_conntrack_sh.o
cc -O2 -Wall -Wunused -I/usr/src/kernel-source-2.4.18//include 
-Iinclude/ -DIPTABLES_VERSION=\"1.2.8\"  -fPIC -o 
extensions/libipt_dscp_sh.o -c extensions/libipt_dscp.c
extensions/libipt_dscp_helper.c:69: warning: `dscp_to_name' defined but 
not used
ld -shared -o extensions/libipt_dscp.so extensions/libipt_dscp_sh.o
cc -O2 -Wall -Wunused -I/usr/src/kernel-source-2.4.18//include 
-Iinclude/ -DIPTABLES_VERSION=\"1.2.8\"  -fPIC -o 
extensions/libipt_ecn_sh.o -c extensions/libipt_ecn.c
ld -shared -o extensions/libipt_ecn.so extensions/libipt_ecn_sh.o
cc -O2 -Wall -Wunused -I/usr/src/kernel-source-2.4.18//include 
-Iinclude/ -DIPTABLES_VERSION=\"1.2.8\"  -fPIC -o 
extensions/libipt_esp_sh.o -c extensions/libipt_esp.c
ld -shared -o extensions/libipt_esp.so extensions/libipt_esp_sh.o
cc -O2 -Wall -Wunused -I/usr/src/kernel-source-2.4.18//include 
-Iinclude/ -DIPTABLES_VERSION=\"1.2.8\"  -fPIC -o 
extensions/libipt_helper_sh.o -c extensions/libipt_helper.c
ld -shared -o extensions/libipt_helper.so extensions/libipt_helper_sh.o
cc -O2 -Wall -Wunused -I/usr/src/kernel-source-2.4.18//include 
-Iinclude/ -DIPTABLES_VERSION=\"1.2.8\"  -fPIC -o 
extensions/libipt_icmp_sh.o -c extensions/libipt_icmp.c
ld -shared -o extensions/libipt_icmp.so extensions/libipt_icmp_sh.o
cc -O2 -Wall -Wunused -I/usr/src/kernel-source-2.4.18//include 
-Iinclude/ -DIPTABLES_VERSION=\"1.2.8\"  -fPIC -o 
extensions/libipt_iplimit_sh.o -c extensions/libipt_iplimit.c
ld -shared -o extensions/libipt_iplimit.so 
extensions/libipt_iplimit_sh.o
cc -O2 -Wall -Wunused -I/usr/src/kernel-source-2.4.18//include 
-Iinclude/ -DIPTABLES_VERSION=\"1.2.8\"  -fPIC -o 
extensions/libipt_length_sh.o -c extensions/libipt_length.c
ld -shared -o extensions/libipt_length.so extensions/libipt_length_sh.o
cc -O2 -Wall -Wunused -I/usr/src/kernel-source-2.4.18//include 
-Iinclude/ -DIPTABLES_VERSION=\"1.2.8\"  -fPIC -o 
extensions/libipt_limit_sh.o -c extensions/libipt_limit.c
ld -shared -o extensions/libipt_limit.so extensions/libipt_limit_sh.o
cc -O2 -Wall -Wunused -I/usr/src/kernel-source-2.4.18//include 
-Iinclude/ -DIPTABLES_VERSION=\"1.2.8\"  -fPIC -o 
extensions/libipt_mac_sh.o -c extensions/libipt_mac.c
ld -shared -o extensions/libipt_mac.so extensions/libipt_mac_sh.o
cc -O2 -Wall -Wunused -I/usr/src/kernel-source-2.4.18//include 
-Iinclude/ -DIPTABLES_VERSION=\"1.2.8\"  -fPIC -o 
extensions/libipt_mark_sh.o -c extensions/libipt_mark.c
ld -shared -o extensions/libipt_mark.so extensions/libipt_mark_sh.o
cc -O2 -Wall -Wunused -I/usr/src/kernel-source-2.4.18//include 
-Iinclude/ -DIPTABLES_VERSION=\"1.2.8\"  -fPIC -o 
extensions/libipt_multiport_sh.o -c extensions/libipt_multiport.c
ld -shared -o extensions/libipt_multiport.so 
extensions/libipt_multiport_sh.o
cc -O2 -Wall -Wunused -I/usr/src/kernel-source-2.4.18//include 
-Iinclude/ -DIPTABLES_VERSION=\"1.2.8\"  -fPIC -o 
extensions/libipt_owner_sh.o -c extensions/libipt_owner.c
ld -shared -o extensions/libipt_owner.so extensions/libipt_owner_sh.o
cc -O2 -Wall -Wunused -I/usr/src/kernel-source-2.4.18//include 
-Iinclude/ -DIPTABLES_VERSION=\"1.2.8\"  -fPIC -o 
extensions/libipt_physdev_sh.o -c extensions/libipt_physdev.c
ld -shared -o extensions/libipt_physdev.so 
extensions/libipt_physdev_sh.o
cc -O2 -Wall -Wunused -I/usr/src/kernel-source-2.4.18//include 
-Iinclude/ -DIPTABLES_VERSION=\"1.2.8\"  -fPIC -o 
extensions/libipt_pkttype_sh.o -c extensions/libipt_pkttype.c
ld -shared -o extensions/libipt_pkttype.so 
extensions/libipt_pkttype_sh.o
cc -O2 -Wall -Wunused -I/usr/src/kernel-source-2.4.18//include 
-Iinclude/ -DIPTABLES_VERSION=\"1.2.8\"  -fPIC -o 
extensions/libipt_rpc_sh.o -c extensions/libipt_rpc.c
ld -shared -o extensions/libipt_rpc.so extensions/libipt_rpc_sh.o
cc -O2 -Wall -Wunused -I/usr/src/kernel-source-2.4.18//include 
-Iinclude/ -DIPTABLES_VERSION=\"1.2.8\"  -fPIC -o 
extensions/libipt_standard_sh.o -c extensions/libipt_standard.c

Re: iptables 'make' killed my box

[Scott Gaertner]

Nathan & Jamie,

Thanks for your responses -- I'm not convinced it was iptables either 
-- I've never seen a crash during a 'make' either -- but that's when it 
happened.  It could have been someone carelessly watering plants as far 
as I know.. :)

I reached the guy who's the normal sysadmin (who can't help today), and 
he thinks that it's *possible* that the make started probing kernel 
modules, and that's what did it.

It's a fairly vanilla Debian box... not overclocked... the only quirky 
module is mod_perl...

Anyway, I just arranged to get keys -- I'm heading over now, and I'll 
post a followup as soon as I can.

Thanks again,

-Scott

Re: iptables 'make' killed my box

[Jamie Pratt]

 > Scott Gaertner wrote:
> Nathan & Jamie,
> 
> I reached the guy who's the normal sysadmin (who can't help today), and 
> he thinks that it's *possible* that the make started probing kernel 
> modules, and that's what did it.

Can anyone verify if indeed the 'make' command for netfilter "probes" 
running modules?? (I would tend to think not, but...)

> It's a fairly vanilla Debian box... not overclocked... the only quirky 
> module is mod_perl...
> 
> Anyway, I just arranged to get keys -- I'm heading over now, and I'll 
> post a followup as soon as I can.
> 
> Thanks again,
> 
> -Scott

jamie

RE: iptables 'make' killed my box

[Daniel Chemko]

>Can anyone verify if indeed the 'make' command for netfilter "probes" 
>running modules?? (I would tend to think not, but...)

Considering that I usually build iptables against a kernel that isn't
even loaded yet, I seriously doubt that the compile probes the running
system.

Have you reproduced the make and found it reproducible?

Re: iptables 'make' killed my box

[Arnt Karlsen]

On Mon, 25 Aug 2003 14:18:19 -0400, 
Scott Gaertner <scott@caffeinemediainc.com> wrote in message 
<812338CA-D728-11D7-B488-000393DB0944@caffeinemediainc.com>:

> Hello,
> 
> I tried to build iptables 1.2.8 today, and failed miserably.  My
> system is Debian Linux - 2.4.18-c3 kernel, i686.

..I would think you want 2.4.21 and possibly pom, to go with 1.2.8.

..and your transcript smells like a kernel panic or a power surge or 
somesuch, I don't see anything bad in what you have posted here.

..kernel panic hint;  toss in an "append="panic 20" or somesuch, to 
your boot loader and cli and (which file?) in /proc, to avoid further 
such embarrasment, "panic 20" reboots the box in 20 secs on a panic.

> 
> I downloaded the package, entered the directory, typed "make 
> KERNEL_DIR=/usr/src/kernel-source-2.4.18/", and after a listing of 
> found extensions, I lost connection to the box.  (Complete transcript 
> at end of message).  I can no longer even ping any address on that 
> network. (The machine was acting as a router as well).
> 
> I am trying to get physical access to the machine, and when (if) I get
> it, my time there will be extremely limited.  I would *greatly* 
> appreciate any suggestions along the following lines --
> 
> - Could the 'make' command alone have killed my box, or must it have 
> been a coincidence?
> 
> - If it was iptables, can anyone give me a hint as to how to reverse 
> the effects as efficiently and quickly as possible?
> 
> - Alternatively, is this normal behavior, and do I just need to 
> complete the install and open up traffic?
> 
> Any help would be appreciated -- I was acting quickly to block an 
> influx of spam, and my actions have affected a lot of people.
> 
> Thank you in advance,
> 
> -Scott Gaertner
>   scott@caffeinemediainc.com
>   917-495-4276
> 

-- 
..med vennlig hilsen = with Kind Regards from Arnt... ;-)
...with a number of polar bear hunters in his ancestry...
  Scenarios always come in sets of three: 
  best case, worst case, and just in case.

Re: iptables 'make' killed my box

[Julian Gomez]

On Mon, Aug 25, 2003 at 10:51:28PM +0200, Arnt Karlsen spoke thusly:
>On Mon, 25 Aug 2003 14:18:19 -0400, 
>Scott Gaertner <scott@caffeinemediainc.com> wrote in message 
><812338CA-D728-11D7-B488-000393DB0944@caffeinemediainc.com>:
>
>.kernel panic hint;  toss in an "append="panic 20" or somesuch, to 
>your boot loader and cli and (which file?) in /proc, to avoid further 
>such embarrasment, "panic 20" reboots the box in 20 secs on a panic.

/proc/sys/kernel/panic btw.

>> I downloaded the package, entered the directory, typed "make
>> KERNEL_DIR=/usr/src/kernel-source-2.4.18/", and after a listing of found
>> extensions, I lost connection to the box.  (Complete transcript 
>> at end of message).  I can no longer even ping any address on that 
>> network. (The machine was acting as a router as well).

I've found an odd way to Oops my desktop, by copying Maildir files from a
flash disk (vfat) to an ext3 fs. Copied, copied, copied - and *wham* kernel
oops.