Add netfilter and iptables to the kernel

[pilouccio]

Hi,

The Debian destro work fine but i can't find iptables :

root@raspberrypi:~# iptables -L
FATAL: Module ip_tables not found.
iptables v1.4.8: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.

It looks like netfilter & co hasn't been compiled in the kernel.

Does anybody knows how to do it ?

[trn]

Hi,

The Debian destro work fine but i can't find iptables :

root@raspberrypi:~# iptables -L
FATAL: Module ip_tables not found.
iptables v1.4.8: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.

It looks like netfilter & co hasn't been compiled in the kernel.

Does anybody knows how to do it ?

+1

[timinator13]

+2

[XavM]

+3
and adding "Ethernet Bridging" would be great as well

[XavM]

For those wou could be interested in compiling the Kernel (http://elinux.org/Rpi_kernel_compilation) with the good options for iptables (ipv4 ...), here is a working options selection (may be not the best one <- give your advices)

Code: Select all

Networking  ---->
 Networking options  ---->
  Network packet filtering framework (Netfilter)--->
   Core Netfilter Configuration ---->
    <*> Netfilter connection tracking support
    <*> Netfilter Xtables support (required for ip_tables)
    <*>   "NFLOG" target support
    <*>   "conntrack" connection tracking match support
    <*>   "state" match support 
   IP: Netfilter Configuration --->
    <*> IPv4 connection tracking support (required for NAT)
    <*> IP tables support (required for filtering/masq/NAT)
    <*>   Packet Filtering
    <*>     REJECT target support
    <*>   Full NAT
    <*>     MASQUERADE target support
    <*> Packet mangling

I compiled and tested iptables, including NAT MASQUERADE : It boots and iptables seams to work fine.

My /proc/config.gz is in the "attachment" <- it includes iptables and bridge network options built-in the recompiled kernel (no module)

For the curious one, who like me 2 hours ago, don't no how long it takes to "make" the kernel (cross compiling) : it took less than 20 minutes from the beginning to the end on my 1,8 GHz Intel Core i7 (make -j 3) <- it's worth a try

Geting the sources (git clone) and finding the good options for the Kernel configuration took me definitely a longer part of the evening...

Hope this helps.

[blurp]

Hello,

i recompiled the kernel with iptables, bridging and VLAN support.
real 339m18.118s
user 317m13.270s
sys 13m18.870s

But now i got this:
root@raspberrypi:/opt/vc/src/hello_pi/hello_triangle# ./hello_triangle.bin
2277494217: vchiq_lib: Very incompatible VCHIQ library - cannot retrieve driver version
* failed to open vchiq instance

and this:
root@raspberrypi:/opt/vc/src/hello_pi/hello_video# ./hello_video.bin test.h264
2336016071: vchiq_lib: Very incompatible VCHIQ library - cannot retrieve driver version
* failed to open vchiq instance

Any hints?

Best Regards

[dom]

@blurp
You need to update your /opt/vc files.
Try hexxeh's rpi-update tool.

[asb]

We've added this to the default config now (Dom will update the firmware repo soon). Later today I'll be posting a version of the next image for testing, so you might wait for that.

[blurp]

@blurp
You need to update your /opt/vc files.
Try hexxeh's rpi-update tool.

@dom
Thanks for the hint.
I prefer not use mysterious updaters.
I put the directory tree above /opt/vc from the firmware package myself.
After a depmod -a and a ldconfig seems all fine now.n

It would be a good idea to make a note at a prominent place in the kernel sources,
that the update of /opt/vc is necessary. Or to include this stuff simply,
When i remember of such things like atheros hal and so on, all was includede
in the kernel tree and there was no need to get complimentary packages to
recompile the kernel...

When i comes to documtation of the steps to do such simple things, i feel that the maintainers a doing a bad job.

Best Regards

[fusiooon]

Can someone upload an image with iptables, bridging and VLAN support please?

[Joe Schmoe]

We've added this to the default config now (Dom will update the firmware repo soon). Later today I'll be posting a version of the next image for testing, so you might wait for that.

It is the 12th of June, but the latest version on the downloads page is still the 4/19 version.

[dom]

It is the 12th of June, but the latest version on the downloads page is still the 4/19 version.

Check the sticky in this forum:
http://www.raspberrypi.org/phpBB3/viewt ... =50&t=8071

[Wendo]

Does the ethernet port even support VLAN's?

It'd be awesome if it did, but I'd also be very surprised if that was the case on this level of hardware

[fusiooon]

I don't see why it shouldn't support VLANs. I will give it a go and report back the results. Hopefully the new test image includes 8021q.

[trn]

some iptables work(iptables -A INPUT ), some not(raspbian latest rpi-update)


iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables v1.4.13: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.

[asb]

some iptables work(iptables -A INPUT ), some not(raspbian latest rpi-update)


iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables v1.4.13: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.

I was pretty sure I blindly enabled all relevant kernel config options, but may have been wrong. Please do investigate what kernel option you need and let us know.

[XavM]

Hi dear "global moderators",

I didn't check the new kernell and its /proc/config , but I guess this is missing :

IP: Netfilter Configuration --->
<*> IPv4 connection tracking support (required for NAT)
<*> IP tables support (required for filtering/masq/NAT)
<*> Packet Filtering
<*> REJECT target support
<*> Full NAT
<*> MASQUERADE target support
<*> Packet mangling

This is the options I had to use to enable NAT/Masquerading : CF my post
http://www.raspberrypi.org/phpBB3/viewt ... 326#p94326

Regards,

[fusiooon]

There is no VLAN (8021q) support in the new alpha I will probably have to compile my own kernel. iptables seems to be working, to be honest I didn't do any real tests. On the other hand, I did get Snort running on it.

[simonthepiman]

Hi Guys
Do you have an estimated date for the iptables kernel mod in the std distro ?

[dom]

rpi-update now should get it.

[simonthepiman]

Hi Guys

Many thanks works a treat

[simonthepiman]

Just in case any beginners see this

#To install the latest raspberry pi kernel updates just follow the next steps

# Update the CA(Certificate Authority) certificates
sudo apt-get install ca-certificates

# Get the Hexxeh rpi-update executable
sudo wget http://goo.gl/1BOfJ -O /usr/bin/rpi-update && sudo chmod +x /usr/bin/rpi-update

# Install the git(Kernel directory content management system) core
sudo apt-get install git-core

# Run the update
sudo rpi-update

# Reboot the pi
sudo reboot

[whack]

The official kernel build now includes the 802.1q vlan module.
I have built a minimal debian image using that kernel.

Downloadable (for a while) at http://files.plak.net/raspberrypi

[JoWie]

Could ifb be added to the kernel as well? (Intermediate Functional Block device).
At the moment I am getting (3.1.9+ #144 PREEMPT Sun Jul 1 12:37:10 BST 2012 armv6l GNU/Linux):

Code: Select all

modprobe ifb
FATAL: Module ifb not found.

This would allow me to simulate netwerk latency in both directions on my raspberry pi.

The menu option during kernel compilation would be Device drivers -> Network device support -> Intermediate Functional Block support.

No rush, but it would be useful if it was added to the next release.

Thanks

[PedroNogue]

Just in case any beginners see this

#To install the latest raspberry pi kernel updates just follow the next steps

# Update the CA(Certificate Authority) certificates
sudo apt-get install ca-certificates

# Get the Hexxeh rpi-update executable
sudo wget http://goo.gl/1BOfJ -O /usr/bin/rpi-update && sudo chmod +x /usr/bin/rpi-update

# Install the git(Kernel directory content management system) core
sudo apt-get install git-core

# Run the update
sudo rpi-update

# Reboot the pi
sudo reboot

A beginner here says "thx!!". Kernel updated, iptables working. Many thanks!