Add netfilter and iptables to the kernel


by pilouccio » Sat Jun 02, 2012 10:25 am
Hi,

The Debian distro works fine but I can't find iptables:

root@raspberrypi:~# iptables -L
FATAL: Module ip_tables not found.
iptables v1.4.8: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.


It looks like netfilter & co haven't been compiled into the kernel.

Does anybody know how to do it?
Posts: 4
Joined: Fri Mar 09, 2012 7:44 pm
by trn » Tue Jun 05, 2012 8:03 pm
pilouccio wrote:Hi,

The Debian distro works fine but I can't find iptables:

root@raspberrypi:~# iptables -L
FATAL: Module ip_tables not found.
iptables v1.4.8: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.


It looks like netfilter & co haven't been compiled into the kernel.

Does anybody know how to do it?

+1
Posts: 46
Joined: Wed May 09, 2012 11:30 am
by timinator13 » Wed Jun 06, 2012 8:04 pm
+2
Posts: 8
Joined: Mon May 21, 2012 10:09 pm
by XavM » Thu Jun 07, 2012 9:32 am
+3
and adding "Ethernet Bridging" would be great as well
Posts: 35
Joined: Thu May 31, 2012 11:29 pm
by XavM » Thu Jun 07, 2012 7:38 pm
For those who could be interested in compiling the kernel (http://elinux.org/Rpi_kernel_compilation) with the right options for iptables (ipv4 ...), here is a working selection of options (maybe not the best one <- give your advice)

Networking  ---->
 Networking options  ---->
  Network packet filtering framework (Netfilter)--->
   Core Netfilter Configuration ---->
    <*> Netfilter connection tracking support
    <*> Netfilter Xtables support (required for ip_tables)
    <*>   "NFLOG" target support
    <*>   "conntrack" connection tracking match support
    <*>   "state" match support
   IP: Netfilter Configuration --->
    <*> IPv4 connection tracking support (required for NAT)
    <*> IP tables support (required for filtering/masq/NAT)
    <*>   Packet Filtering
    <*>     REJECT target support
    <*>   Full NAT
    <*>     MASQUERADE target support
    <*> Packet mangling

I compiled and tested iptables, including NAT MASQUERADE: it boots ;) and iptables seems to work fine.

My /proc/config.gz is in the "attachment" <- it includes iptables and bridge network options built-in the recompiled kernel (no module)

For the curious ones who, like me 2 hours ago, don't know how long it takes to "make" the kernel (cross compiling): it took less than 20 minutes from beginning to end on my 1.8 GHz Intel Core i7 (make -j 3) <- it's worth a try

Getting the sources (git clone) and finding the right options for the kernel configuration definitely took me a longer part of the evening...

Hope this helps.
Attachments
config.gz
.config including iptables and bridge network
(12.24 KiB) Downloaded 440 times
Posts: 35
Joined: Thu May 31, 2012 11:29 pm
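
The menu selection in the post above can be checked against a built kernel's config (for example /proc/config.gz) before relying on any firewall rules. This is an added example, not part of the original post: it lists which of those options are absent and maps an iptables table name to the option that provides it. The Kconfig symbol names are an assumption that they correspond to the quoted menu entries on a 3.x-era kernel, and the sample config is constructed.

```shell
# Added example: check a kernel config for the Netfilter options from the menu above.
# Assumption: these Kconfig symbols match those menu entries on a 3.x-era kernel.
REQUIRED="CONFIG_NETFILTER CONFIG_NF_CONNTRACK CONFIG_NETFILTER_XTABLES
CONFIG_NETFILTER_XT_TARGET_NFLOG CONFIG_NETFILTER_XT_MATCH_CONNTRACK
CONFIG_NETFILTER_XT_MATCH_STATE CONFIG_NF_CONNTRACK_IPV4 CONFIG_IP_NF_IPTABLES
CONFIG_IP_NF_FILTER CONFIG_IP_NF_TARGET_REJECT CONFIG_NF_NAT
CONFIG_IP_NF_TARGET_MASQUERADE CONFIG_IP_NF_MANGLE"

# Print a config as text: gzip-compressed (/proc/config.gz) or a plain .config.
read_config() {
    case "$1" in *.gz) gzip -dc -- "$1" ;; *) cat -- "$1" ;; esac
}

# missing_symbols FILE: print each required symbol that is neither =y nor =m.
missing_symbols() {
    cfg=$(read_config "$1") || return 2
    for sym in $REQUIRED; do
        if ! printf '%s\n' "$cfg" | grep -Eq "^${sym}=[ym]\$"; then
            echo "$sym"
        fi
    done
}

# table_symbol TABLE: the option that provides an iptables table (empty if unknown).
table_symbol() {
    case "$1" in
        filter) echo CONFIG_IP_NF_FILTER ;;
        nat)    echo CONFIG_NF_NAT ;;
        mangle) echo CONFIG_IP_NF_MANGLE ;;
    esac
}

# Constructed sample: filtering built in, mangle as a module, NAT left out.
sample_config() {
    cat <<'EOF'
CONFIG_NETFILTER=y
CONFIG_NF_CONNTRACK=y
CONFIG_NETFILTER_XTABLES=y
CONFIG_NETFILTER_XT_TARGET_NFLOG=y
CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y
CONFIG_NETFILTER_XT_MATCH_STATE=y
CONFIG_NF_CONNTRACK_IPV4=y
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_FILTER=y
CONFIG_IP_NF_TARGET_REJECT=y
# CONFIG_NF_NAT is not set
CONFIG_IP_NF_MANGLE=m
EOF
}
```

On a running system, `missing_symbols /proc/config.gz` prints nothing when every listed option is built in or available as a module.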
by blurp » Sun Jun 10, 2012 3:10 am
Hello,

I recompiled the kernel with iptables, bridging and VLAN support.
real 339m18.118s
user 317m13.270s
sys 13m18.870s

But now I got this:
root@raspberrypi:/opt/vc/src/hello_pi/hello_triangle# ./hello_triangle.bin
2277494217: vchiq_lib: Very incompatible VCHIQ library - cannot retrieve driver version
* failed to open vchiq instance

and this:
root@raspberrypi:/opt/vc/src/hello_pi/hello_video# ./hello_video.bin test.h264
2336016071: vchiq_lib: Very incompatible VCHIQ library - cannot retrieve driver version
* failed to open vchiq instance

Any hints?

Best Regards
Posts: 11
Joined: Tue Jun 05, 2012 2:38 pm
by dom » Sun Jun 10, 2012 8:57 am
@blurp
You need to update your /opt/vc files.
Try hexxeh's rpi-update tool.
Raspberry Pi Engineer & Forum Moderator
Posts: 4013
Joined: Wed Aug 17, 2011 7:41 pm
Location: Cambridge
by asb » Sun Jun 10, 2012 1:02 pm
We've added this to the default config now (Dom will update the firmware repo soon). Later today I'll be posting a version of the next image for testing, so you might wait for that.
Raspberry Pi Engineer & Forum Moderator
Posts: 796
Joined: Fri Sep 16, 2011 7:16 pm
by blurp » Sun Jun 10, 2012 2:11 pm
dom wrote:@blurp
You need to update your /opt/vc files.
Try hexxeh's rpi-update tool.


@dom
Thanks for the hint.
I prefer not to use mysterious updaters.
I put the directory tree above /opt/vc from the firmware package myself.
After a depmod -a and a ldconfig all seems fine now.

It would be a good idea to make a note at a prominent place in the kernel sources
that the update of /opt/vc is necessary. Or simply to include this stuff.
When I remember such things as the atheros hal and so on, all was included
in the kernel tree and there was no need to get complementary packages to
recompile the kernel...

When it comes to documentation of the steps to do such simple things, I feel that the maintainers are doing a bad job.

Best Regards
Posts: 11
Joined: Tue Jun 05, 2012 2:38 pm
by fusiooon » Tue Jun 12, 2012 6:32 pm
Can someone upload an image with iptables, bridging and VLAN support please?
Posts: 9
Joined: Tue May 08, 2012 11:23 am
by Joe Schmoe » Tue Jun 12, 2012 6:38 pm
asb wrote:We've added this to the default config now (Dom will update the firmware repo soon). Later today I'll be posting a version of the next image for testing, so you might wait for that.


It is the 12th of June, but the latest version on the downloads page is still the 4/19 version.
Never answer the question you are asked. Rather, answer the question you wish you had been asked.

- Robert S. McNamara - quoted in "Fog of War" -
Posts: 2619
Joined: Sun Jan 15, 2012 1:11 pm
by dom » Tue Jun 12, 2012 10:55 pm
Joe Schmoe wrote:It is the 12th of June, but the latest version on the downloads page is still the 4/19 version.


Check the sticky in this forum:
viewtopic.php?f=50&t=8071
Raspberry Pi Engineer & Forum Moderator
Posts: 4013
Joined: Wed Aug 17, 2011 7:41 pm
Location: Cambridge
by Wendo » Tue Jun 12, 2012 11:34 pm
Does the ethernet port even support VLANs?

It'd be awesome if it did, but I'd also be very surprised if that was the case on this level of hardware
Posts: 142
Joined: Sun Jun 10, 2012 8:27 pm
by fusiooon » Wed Jun 13, 2012 8:29 am
I don't see why it shouldn't support VLANs. I will give it a go and report back the results. Hopefully the new test image includes 8021q.
Posts: 9
Joined: Tue May 08, 2012 11:23 am
by trn » Wed Jun 13, 2012 9:13 am
some iptables work (iptables -A INPUT), some not (raspbian latest rpi-update)


iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables v1.4.13: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
Posts: 46
Joined: Wed May 09, 2012 11:30 am
by asb » Wed Jun 13, 2012 9:43 am
trn wrote:some iptables work (iptables -A INPUT), some not (raspbian latest rpi-update)


iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables v1.4.13: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.


I was pretty sure I blindly enabled all relevant kernel config options, but may have been wrong. Please do investigate what kernel option you need and let us know.
Raspberry Pi Engineer & Forum Moderator
Posts: 796
Joined: Fri Sep 16, 2011 7:16 pm
by XavM » Wed Jun 13, 2012 3:10 pm
Hi dear "global moderators",

I didn't check the new kernel and its /proc/config, but I guess this is missing:

   IP: Netfilter Configuration --->
    <*> IPv4 connection tracking support (required for NAT)
    <*> IP tables support (required for filtering/masq/NAT)
    <*>   Packet Filtering
    <*>     REJECT target support
    <*>   Full NAT
    <*>     MASQUERADE target support
    <*> Packet mangling

These are the options I had to use to enable NAT/Masquerading: cf. my post
viewtopic.php?p=94326#p94326

Regards,
Posts: 35
Joined: Thu May 31, 2012 11:29 pm
by fusiooon » Wed Jun 13, 2012 9:32 pm
There is no VLAN (8021q) support in the new alpha :cry: I will probably have to compile my own kernel. iptables seems to be working, to be honest I didn't do any real tests. On the other hand, I did get Snort running on it.
Posts: 9
Joined: Tue May 08, 2012 11:23 am
by simonthepiman » Sun Jun 17, 2012 9:36 am
Hi Guys
Do you have an estimated date for the iptables kernel mod in the std distro ?
Simon

http://www.simonthepiman.com (Beginners guides)
Posts: 43
Joined: Mon Jun 04, 2012 11:42 am
Location: Battle - Sussex
by dom » Sun Jun 17, 2012 12:15 pm
rpi-update now should get it.
Raspberry Pi Engineer & Forum Moderator
Posts: 4013
Joined: Wed Aug 17, 2011 7:41 pm
Location: Cambridge
by simonthepiman » Sun Jun 17, 2012 8:11 pm
Hi Guys

Many thanks works a treat
Simon

http://www.simonthepiman.com (Beginners guides)
Posts: 43
Joined: Mon Jun 04, 2012 11:42 am
Location: Battle - Sussex
by simonthepiman » Sun Jun 17, 2012 8:30 pm
Just in case any beginners see this

#To install the latest raspberry pi kernel updates just follow the next steps

# Update the CA(Certificate Authority) certificates
sudo apt-get install ca-certificates

# Get the Hexxeh rpi-update executable
sudo wget http://goo.gl/1BOfJ -O /usr/bin/rpi-update && sudo chmod +x /usr/bin/rpi-update

# Install the git(Kernel directory content management system) core
sudo apt-get install git-core

# Run the update
sudo rpi-update

# Reboot the pi
sudo reboot

:geek:
Simon

http://www.simonthepiman.com (Beginners guides)
Posts: 43
Joined: Mon Jun 04, 2012 11:42 am
Location: Battle - Sussex
by whack » Mon Jul 02, 2012 8:22 pm
The official kernel build now includes the 802.1q vlan module.
I have built a minimal debian image using that kernel.

Downloadable (for a while) at http://files.plak.net/raspberrypi
Posts: 1
Joined: Thu Jan 19, 2012 7:02 pm
by JoWie » Mon Jul 02, 2012 8:51 pm
Could ifb be added to the kernel as well? (Intermediate Functional Block device).
At the moment I am getting (3.1.9+ #144 PREEMPT Sun Jul 1 12:37:10 BST 2012 armv6l GNU/Linux):
modprobe ifb
FATAL: Module ifb not found.


This would allow me to simulate network latency in both directions on my raspberry pi.

The menu option during kernel compilation would be Device drivers -> Network device support -> Intermediate Functional Block support.

No rush, but it would be useful if it was added to the next release.

Thanks
Posts: 1
Joined: Mon Jul 02, 2012 8:47 pm
by PedroNogue » Fri Jul 27, 2012 6:52 pm
simonthepiman wrote:Just in case any beginners see this

#To install the latest raspberry pi kernel updates just follow the next steps

# Update the CA(Certificate Authority) certificates
sudo apt-get install ca-certificates

# Get the Hexxeh rpi-update executable
sudo wget http://goo.gl/1BOfJ -O /usr/bin/rpi-update && sudo chmod +x /usr/bin/rpi-update

# Install the git(Kernel directory content management system) core
sudo apt-get install git-core

# Run the update
sudo rpi-update

# Reboot the pi
sudo reboot

:geek:


A beginner here says "thx!!". Kernel updated, iptables working. Many thanks!
Posts: 1
Joined: Fri Jul 27, 2012 5:43 pm