[KERNEL] Iptables and NFT not working

Unread post by artoxxx » Wed Oct 02, 2019 9:17 am

Hello,

I'm using the Debian Netinstall image made by @tobetter (viewtopic.php?f=96&t=36474)
I know it's not an official Hardkernel image.

For my projects, I need iptables or nftables, but it looks like it's not working...

First of all, I saw that iptables, iptables-legacy and iptables-nft were present in /usr/local/sbin but were not working.

So I tried installing nft and iptables from source:

Code:

apt install autoconf bison flex libgmp-dev libreadline-dev git libnftnl-dev libtool asciidoc make
I was getting an error when running autogen.sh, and installing libtool resolved the problem.
Same for ./configure: installing asciidoc was needed.

Code:

cd /tmp
git clone git://git.netfilter.org/libnftnl
cd libnftnl/
sh autogen.sh
./configure --disable-dependency-tracking
make
make install

Code:

cd /tmp
git clone git://git.netfilter.org/nftables
cd nftables
sh autogen.sh
./configure
make
make install

Code:

cd /tmp
git clone git://git.netfilter.org/iptables
cd iptables
sh autogen.sh
./configure
make
make install
But it's still not working... See the output of these commands:
I can't modprobe ip_tables

Code:

# /usr/sbin/modprobe ip_tables
modprobe: FATAL: Module ip_tables not found in directory /lib/modules/5.3.0-odroid-upstream-armmp
Here is the content of /lib/modules/5.3.0-odroid-upstream-armmp/kernel/net :

Code:

# ls
bluetooth  dsa  ipv6  mac80211  wireless  xfrm
NFT isn't working

Code:

# /usr/sbin/nft
netlink.c:62: Unable to initialize Netlink socket: Protocol not supported

Code:

# systemctl status nftables
● nftables.service - nftables
   Loaded: loaded (/lib/systemd/system/nftables.service; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Tue 2019-10-01 19:45:50 EDT; 26min ago
     Docs: man:nft(8)
           http://wiki.nftables.org
  Process: 6263 ExecStart=/usr/sbin/nft -f /etc/nftables.conf (code=exited, status=3)
 Main PID: 6263 (code=exited, status=3)

Oct 01 19:45:50 ohc2 systemd[1]: Starting nftables...
Oct 01 19:45:50 ohc2 nft[6263]: netlink.c:62: Unable to initialize Netlink socket: Protocol not supported
Oct 01 19:45:50 ohc2 systemd[1]: nftables.service: Main process exited, code=exited, status=3/NOTIMPLEMENTED
Oct 01 19:45:50 ohc2 systemd[1]: nftables.service: Failed with result 'exit-code'.
Oct 01 19:45:50 ohc2 systemd[1]: Failed to start nftables.

Code:

# lsmod
Module                  Size  Used by
s5p_mfc               131072  0
r8152                  53248  0
s5p_jpeg               45056  0
exynos_gsc             32768  0
v4l2_mem2mem           20480  2 s5p_jpeg,exynos_gsc
videobuf2_dma_contig    20480  3 s5p_jpeg,s5p_mfc,exynos_gsc
v4l2_common            16384  3 s5p_jpeg,s5p_mfc,exynos_gsc
videobuf2_memops       16384  1 videobuf2_dma_contig
videobuf2_v4l2         20480  4 s5p_jpeg,s5p_mfc,exynos_gsc,v4l2_mem2mem
videobuf2_common       36864  5 s5p_jpeg,s5p_mfc,exynos_gsc,v4l2_mem2mem,videobuf2_v4l2
videodev              159744  7 v4l2_common,videobuf2_common,s5p_jpeg,s5p_mfc,exynos_gsc,v4l2_mem2mem,videobuf2_v4l2
pwm_samsung            16384  1
mc                     28672  4 videobuf2_common,videodev,v4l2_mem2mem,videobuf2_v4l2
exynos_adc             24576  0
s5p_sss                24576  0
exynos_rng             16384  0
uas                    20480  2
rtc_s5m                20480  1
clk_s2mps11            16384  1
phy_exynos_usb2        20480  2
ohci_exynos            16384  0
rtc_s3c                20480  0

Code:

# /usr/sbin/iptables -F
modprobe: FATAL: Module ip_tables not found in directory /lib/modules/5.3.0-odroid-upstream-armmp
iptables v1.8.2 (legacy): can't initialize iptables table `filter': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.

Code:

# /usr/sbin/iptables-legacy -F
modprobe: FATAL: Module ip_tables not found in directory /lib/modules/5.3.0-odroid-upstream-armmp
iptables v1.8.2 (legacy): can't initialize iptables table `filter': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
Can anyone help me?
I don't know what more I can do, or where to search for an answer...
Thanks
Last edited by artoxxx on Wed Oct 02, 2019 8:43 pm, edited 1 time in total.

Unread post by rooted » Wed Oct 02, 2019 5:19 pm

I think he is using a minimally configured kernel with the assumption that this being a more advanced install one could simply build the kernel they need.

But now that you have asked, I'm sure tobetter may be willing to add netfilter.

Unread post by mad_ady » Wed Oct 02, 2019 7:34 pm

See zcat /proc/config.gz | grep -i netfilter

Unread post by artoxxx » Wed Oct 02, 2019 8:47 pm

rooted wrote:
Wed Oct 02, 2019 5:19 pm
I think he is using a minimally configured kernel with the assumption that this being a more advanced install one could simply build the kernel they need.

But now that you have asked, I'm sure tobetter may be willing to add netfilter.
Yes, he said to me that he was working on it.
mad_ady wrote:
Wed Oct 02, 2019 7:34 pm
See zcat /proc/config.gz | grep -i netfilter

Code:

# zcat /proc/config.gz | grep -i netfilter
# CONFIG_NETFILTER is not set
# iptables trigger is under Netfilter config (LED target)

Unread post by mad_ady » Wed Oct 02, 2019 10:28 pm

That's your problem. You'll need to recompile the kernel with NETFILTER (and the many suboptions it has) enabled.

Unread post by artoxxx » Thu Oct 03, 2019 1:15 am

mad_ady wrote:
Wed Oct 02, 2019 10:28 pm
That's your problem. You'll need to recompile the kernel with NETFILTER (and the many suboptions it has) enabled.
I'm trying to do it. Maybe it's easy for you to do, but for a Linux newbie like me, it's a bit hard.

Unread post by mad_ady » Thu Oct 03, 2019 2:19 am

I always follow this guide: https://github.com/umiddelb/armhf/wiki/ ... ARM-device
Though for mainline you'll need to see what extra patches you need to pull. Maybe tobetter has a better recipe.

Unread post by tobetter » Thu Oct 03, 2019 4:43 pm

artoxxx wrote:
Thu Oct 03, 2019 1:15 am
mad_ady wrote:
Wed Oct 02, 2019 10:28 pm
That's your problem. You'll need to recompile the kernel with NETFILTER (and the many suboptions it has) enabled.
I'm trying to do it. Maybe it's easy for you to do, but for a Linux newbie like me, it's a bit hard.
I've updated the repository; please run these commands to upgrade the kernel.

Code:

$ sudo apt update
$ sudo apt install linux-image-5.4.0-rc1-odroid-upstream-armmp
If everything works, you will have another kernel image at /boot and kernel drivers at /lib/modules. Please check before reboot.

Code:

$ sudo reboot
After rebooting, you will have netfilter and iptables as kernel modules. Please try it out a bit carefully. :)

Unread post by artoxxx » Mon Oct 07, 2019 6:06 am

mad_ady wrote:
Thu Oct 03, 2019 2:19 am
I always follow this guide: https://github.com/umiddelb/armhf/wiki/ ... ARM-device
Though for mainline you'll need to see what extra patches you need to pull. Maybe tobetter has a better recipe.
I get errors while I'm compiling...
tobetter wrote:
Thu Oct 03, 2019 4:43 pm
artoxxx wrote:
Thu Oct 03, 2019 1:15 am
mad_ady wrote:
Wed Oct 02, 2019 10:28 pm
That's your problem. You'll need to recompile the kernel with NETFILTER (and the many suboptions it has) enabled.
I'm trying to do it. Maybe it's easy for you to do, but for a Linux newbie like me, it's a bit hard.
I've updated the repository; please run these commands to upgrade the kernel.

Code:

$ sudo apt update
$ sudo apt install linux-image-5.4.0-rc1-odroid-upstream-armmp
If everything works, you will have another kernel image at /boot and kernel drivers at /lib/modules. Please check before reboot.

Code:

$ sudo reboot
After rebooting, you will have netfilter and iptables as kernel modules. Please try it out a bit carefully. :)
Thanks tobetter

Now I can modprobe iptables, but it's still not working

Code:

# /sbin/modprobe ip_tables

Code:

# /sbin/iptables -F
iptables: Operation not supported.

Code:

# /sbin/iptables-legacy -F
iptables v1.8.2 (legacy): can't initialize iptables table `filter': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.

Code:

# /sbin/iptables-nft -F
iptables: Operation not supported.

Code:

# zcat /proc/config.gz | grep -i netfilter
CONFIG_NETFILTER=y
CONFIG_NETFILTER_ADVANCED=y
...

Code:

# systemctl status iptables.service
Unit iptables.service could not be found.

There I tried the 3 choices and none is working...

Code:

# update-alternatives --config iptables
There are 2 choices for the alternative iptables (providing /usr/sbin/iptables).

  Selection    Path                       Priority   Status
------------------------------------------------------------
* 0            /usr/sbin/iptables-nft      20        auto mode
  1            /usr/sbin/iptables-legacy   10        manual mode
  2            /usr/sbin/iptables-nft      20        manual mode

Press <enter> to keep the current choice[*], or type selection number:
What am I missing?
I did a fresh install and the problem is still present.
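A check I would add at this point, as an added example that is not from the thread or from tobetter's image: a small POSIX shell script that inspects a kernel config (the running kernel's /proc/config.gz, or any saved .config) for the options legacy iptables and nft/iptables-nft each need, and names the error each gap typically produces. The option names are real Kconfig symbols; the two sample configs are constructed to mimic the kernels seen in this thread.

```shell
#!/bin/sh
# Added example (editor's, not from the thread): check a kernel .config, or the
# running kernel's /proc/config.gz, for the options each front end needs.
# Option names are real Kconfig symbols; the two sample configs are constructed
# to mimic the kernels seen in this thread.

# Legacy iptables needs x_tables plus the IPv4 "filter" table (iptable_filter).
LEGACY_OPTS="CONFIG_NETFILTER CONFIG_NETFILTER_XTABLES CONFIG_IP_NF_IPTABLES CONFIG_IP_NF_FILTER"
# nft and iptables-nft need the nf_tables core and its IPv4 family support.
NFT_OPTS="CONFIG_NETFILTER CONFIG_NF_TABLES CONFIG_NF_TABLES_IPV4"

# has_opt CONFIG_FOO FILE -> success if FILE sets CONFIG_FOO=y or CONFIG_FOO=m
has_opt() {
    grep -Eq "^$1=(y|m)$" "$2"
}

# missing_opts "OPT OPT ..." FILE -> prints each option FILE does not enable and
# returns the number missing (0 means every option is built in or modular).
missing_opts() {
    n=0
    for opt in $1; do
        if ! has_opt "$opt" "$2"; then
            echo "  missing: $opt"
            n=$((n + 1))
        fi
    done
    return $n
}

# report FILE -> verdict for both backends, with the error each gap typically produces
report() {
    echo "== legacy iptables (ip_tables + iptable_filter) =="
    missing_opts "$LEGACY_OPTS" "$1" || echo "  -> expect: Table does not exist (do you need to insmod?)"
    echo "== nft / iptables-nft (nf_tables) =="
    missing_opts "$NFT_OPTS" "$1" || echo "  -> expect: Operation not supported / Protocol not supported"
}

# Constructed sample 1: the original kernel, netfilter switched off entirely.
printf '%s\n' '# CONFIG_NETFILTER is not set' > /tmp/cfg_none.txt
# Constructed sample 2: netfilter and x_tables on, nf_tables left out.
printf '%s\n' 'CONFIG_NETFILTER=y' 'CONFIG_NETFILTER_ADVANCED=y' \
    'CONFIG_NETFILTER_XTABLES=y' 'CONFIG_IP_NF_IPTABLES=m' \
    'CONFIG_IP_NF_FILTER=m' > /tmp/cfg_partial.txt

report /tmp/cfg_none.txt
report /tmp/cfg_partial.txt
# Live check on this box, if the kernel exposes its config.
if [ -r /proc/config.gz ]; then zcat /proc/config.gz > /tmp/cfg_running.txt; report /tmp/cfg_running.txt; fi
```

A `grep -i netfilter` alone will not show the nf_tables or IP_NF_* options, which is why the script checks them by exact name rather than by substring.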

Unread post by tobetter » Mon Oct 07, 2019 11:53 am

I have no idea at the moment, do you use Buster or Stretch? Can you try Stretch?

Unread post by mad_ady » Mon Oct 07, 2019 12:57 pm

A rather full netfilter config (supporting docker) looks like this:

Code:

CONFIG_NETFILTER=y
# CONFIG_NETFILTER_DEBUG is not set
CONFIG_NETFILTER_ADVANCED=y
CONFIG_BRIDGE_NETFILTER=m
# Core Netfilter Configuration
CONFIG_NETFILTER_INGRESS=y
CONFIG_NETFILTER_NETLINK=y
CONFIG_NETFILTER_NETLINK_ACCT=m
CONFIG_NETFILTER_NETLINK_QUEUE=m
CONFIG_NETFILTER_NETLINK_LOG=m
CONFIG_NETFILTER_NETLINK_GLUE_CT=y
CONFIG_NETFILTER_SYNPROXY=m
CONFIG_NETFILTER_XTABLES=y
CONFIG_NETFILTER_XT_MARK=m
CONFIG_NETFILTER_XT_CONNMARK=m
CONFIG_NETFILTER_XT_SET=m
CONFIG_NETFILTER_XT_TARGET_CHECKSUM=m
CONFIG_NETFILTER_XT_TARGET_CLASSIFY=m
CONFIG_NETFILTER_XT_TARGET_CONNMARK=m
CONFIG_NETFILTER_XT_TARGET_CT=m
CONFIG_NETFILTER_XT_TARGET_DSCP=m
CONFIG_NETFILTER_XT_TARGET_HL=m
CONFIG_NETFILTER_XT_TARGET_HMARK=m
CONFIG_NETFILTER_XT_TARGET_IDLETIMER=m
CONFIG_NETFILTER_XT_TARGET_LED=m
CONFIG_NETFILTER_XT_TARGET_LOG=m
CONFIG_NETFILTER_XT_TARGET_MARK=m
CONFIG_NETFILTER_XT_NAT=m
CONFIG_NETFILTER_XT_TARGET_NETMAP=m
CONFIG_NETFILTER_XT_MATCH_L2TP=m
CONFIG_NETFILTER_XT_MATCH_LENGTH=m
CONFIG_NETFILTER_XT_MATCH_LIMIT=m
CONFIG_NETFILTER_XT_MATCH_MAC=m
CONFIG_NETFILTER_XT_MATCH_MARK=m
CONFIG_NETFILTER_XT_MATCH_MULTIPORT=m
CONFIG_NETFILTER_XT_MATCH_NFACCT=m
CONFIG_NETFILTER_XT_MATCH_OSF=m
CONFIG_NETFILTER_XT_MATCH_OWNER=m
CONFIG_NETFILTER_XT_MATCH_POLICY=m
CONFIG_NETFILTER_XT_MATCH_PHYSDEV=m
CONFIG_NETFILTER_XT_MATCH_PKTTYPE=m
CONFIG_NETFILTER_XT_MATCH_QUOTA=m
CONFIG_NETFILTER_XT_MATCH_QUOTA2=m
CONFIG_NETFILTER_XT_MATCH_QUOTA2_LOG=y
CONFIG_NETFILTER_XT_MATCH_RATEEST=m
CONFIG_NETFILTER_XT_MATCH_REALM=m
CONFIG_NETFILTER_XT_MATCH_RECENT=m
CONFIG_NETFILTER_XT_MATCH_SCTP=m
CONFIG_NETFILTER_XT_MATCH_SOCKET=m
CONFIG_NETFILTER_XT_MATCH_STATE=m
CONFIG_NETFILTER_XT_MATCH_STATISTIC=m
CONFIG_NETFILTER_XT_MATCH_STRING=m
CONFIG_NETFILTER_XT_MATCH_TCPMSS=m
CONFIG_NETFILTER_XT_MATCH_TIME=m
CONFIG_NETFILTER_XT_MATCH_U32=m
Do you have roughly the same?
