19 Sep 22:51
Re: chain/rule problem with Shorewall
J M <d_0_c_t_0_r_x <at> yahoo.com>
2007-09-19 20:51:13 GMT
Tom,
Thanks for the quick reply. I have applied the multiISP patch, now do I need to download the kernel source and configure it for CONNMARK support?
Regards,
John
----- Original Message ----
From: Tom Eastep <teastep <at> shorewall.net>
To: Shorewall Users <shorewall-users <at> lists.sourceforge.net>
Sent: Wednesday, September 19, 2007 1:29:18 PM
Subject: Re: [Shorewall-users] chain/rule problem with Shorewall
J M wrote:
> I have just started setting up a new computer with shorewall. I am
> setting up the firewall for 2 ISPs and I am running into an error as
> soon as I create a /etc/shorewall/providers file.
>
> I have had this same error with 2 Shorewall versions and two kernel
> versions. The shorewall version is currently 3.4.6
Be sure you install the multi-ISP fix -- see the Shorewall home page.
> and the kernel is
> 2.6.22-11 generic shipped with ubuntu gutsy. I also had this same error
> under Ubuntu Feisty server (2.6.20).
>
> My providers file gets 'compiled' fine, but later, just after the
> providers are added, I get the following error:
>
> Adding Providers...
> Provider ESCH1 (1) Added
> Provider ESCH2 (2) Added
> Default route 'nexthop via a.b.c.d dev eth1 weight 1 nexthop via w.x.y.z
> dev eth2 weight 1' Added
> iptables: No chain/target/match by that name
> ERROR: Command "/sbin/iptables -t mangle -A PREROUTING -m connmark !
> --mark 0/0xFF -j CONNMARK --restore-mark --mask 0xFF" Failed
>
> Is this error due to a missing module? Or am I missing something else?
You are missing CONNMARK support.
>
> If I remove the providers file, everything starts properly.
Ubuntu takes their cue from Debian and doesn't include CONNMARK support in
their kernels. Yet they include connmark match support! Go figure...
-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep <at> shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
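
Added example, not part of the original messages or of Shorewall: a shell check that tells the connmark match apart from the CONNMARK target in a kernel config, which is the distinction the reply above draws. The function names and the sample config are constructed for illustration; the two option names are the kernel's Kconfig symbols for the match and the target.

```shell
#!/bin/sh
# Constructed sample: a kernel config that has the connmark match but not the
# CONNMARK target, the situation described in the thread.
SAMPLE_CONFIG='CONFIG_NETFILTER_XTABLES=m
CONFIG_NETFILTER_XT_MATCH_CONNMARK=m
# CONFIG_NETFILTER_XT_TARGET_CONNMARK is not set
CONFIG_NETFILTER_XT_TARGET_MARK=m'

# kconfig_state SYMBOL: read a kernel config on stdin and print y, m or n.
# A symbol that is absent or "is not set" counts as n.
kconfig_state() {
    awk -v sym="CONFIG_$1" '
        BEGIN { state = "n" }
        index($0, sym "=") == 1 { state = substr($0, length(sym) + 2, 1) }
        END { print state }'
}

# connmark_report: read a kernel config on stdin, print the state of both
# options, and return 0 only when the failing rule from the thread could load:
# it uses "-m connmark" (the match) and "-j CONNMARK" (the target) together.
connmark_report() {
    cfg=$(cat)
    match=$(printf '%s\n' "$cfg" | kconfig_state NETFILTER_XT_MATCH_CONNMARK)
    target=$(printf '%s\n' "$cfg" | kconfig_state NETFILTER_XT_TARGET_CONNMARK)
    echo "match=$match target=$target"
    [ "$match" != n ] && [ "$target" != n ]
}

# Run against the constructed sample. On a real host, feed it the running
# kernel's config instead: connmark_report < "/boot/config-$(uname -r)"
printf '%s\n' "$SAMPLE_CONFIG" | connmark_report ||
    echo "CONNMARK target missing: the mangle PREROUTING rule cannot be added"
```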