Tiny Core Linux
dCore Import Debian Packages to Mountable SCE extensions => dCore X86 => Topic started by: nitram on January 01, 2016, 05:33:27 PM
-
UFW fail in dCore-jessie, appears to install okay, missing configuration files, can't enable or check status. Prefer UFW over plain iptables. Will play as time permits, advice appreciated. No obvious relevant old forum posts. Anyone running a firewall with dCore? Thanks.
tc@box:/tmp/tcloop/ufw/etc/init.d$ sudo /etc/init.d/ufw start
Could not find /etc/ufw/ufw.conf (aborting)
tc@box:/tmp/tcloop/ufw/etc/init.d$ sudo ufw status verbose
ERROR: Couldn't stat '/etc/ufw/after6.rules'
-
Dropped UFW. Learning iptables, works with preliminary testing. This guide has been helpful: http://www.howtogeek.com/177621/the-beginners-guide-to-iptables-the-linux-firewall/. Don't want to spend too much time on this, just basic firewall configuration. If I can figure it out will start dCore wiki entry for system security or under existing dCore Server Applications. For basic use, may just need an iptables --policy INPUT DROP entry in bootlocal.sh. Still if anyone has iptables or dCore firewall feedback, appreciated. Thanks.
-
Unable to fully set up iptables in dCore-jessie. Best guess is the kernel is not configured for it. Basic commands like sudo iptables -P INPUT DROP work fine. Toggling INPUT, FORWARD and OUTPUT between DROP and ACCEPT allows/blocks internet connection. Some exception rules don't work, however, even rules that work fine in TC 6. This is an entry from the TC 6 iptables basic-firewall script.
tc@box:~$ sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables: No chain/target/match by that name.
Research indicates this is likely due to an unsupported kernel:
http://www.linux.org/threads/iptables-no-chain-target-match-by-that-name.4656/
http://www.linuxquestions.org/questions/linux-networking-3/iptables-no-chain-target-match-by-that-name-52034/
Running lsmod | grep ip outputs nothing:
tc@box:~$ lsmod | grep ip
tc@box:~$
Feedback appreciated. If fixable, guidance please. If kernel related, could I request a kernel that supports iptables?
Based on above link:
Sounds more like you're missing some modules, rather than a screwed up firewall script. Use lsmod and make sure that you have modules loaded for the iptables flags and chains. Looking at the modules I have loaded now that are relevant for iptables:
ipt_REJECT
ipt_LOG
ipt_state
ipt_MASQUERADE
iptable_nat
ip_conntrack
iptable_filter
ip_tables
I would bet that you're not loading one or more of them. Narrow down what you're missing and make and install the lost modules.
What distro are you using? Most should have iptables support or at least ipchains/ipfwadmin built in out of the box. So it's kind of strange that you had to recompile the kernel just to get support.
-
lsmod | grep ip from TC6:
iptable_nat 12288 0
nf_conntrack_ipv4 12288 2
nf_defrag_ipv4 12288 1 nf_conntrack_ipv4
nf_nat_ipv4 12288 1 iptable_nat
nf_nat 16384 2 iptable_nat,nf_nat_ipv4
nf_conntrack 45056 6 xt_conntrack,nf_conntrack_ftp,iptable_nat,nf_conntrack_ipv4,nf_nat_ipv4,nf_nat
-
Hi nitram
do you have the netfilter package installed?
-
Do now, thanks Rich :)
iptables now behaving, glad it was so simple.
Eventual entry for dCore users wanting firewall: http://wiki.tinycorelinux.net/dcore:server_applications.
-
Hi nitram
Yes, it was pretty simple. The only listed dependency for iptables was netfilter. Checking the list file for netfilter showed it contained the missing modules.
-
Still figuring out dCore. Didn't realize how much I relied on Apps until it was gone. Bookmarked: http://packages.tinycorelinux.net. Thanks again.
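-
Added example, not part of the thread and not dCore's own tooling: the fix above was loading the netfilter modules, so this script checks a module listing before emitting a DROP policy, which keeps the ESTABLISHED,RELATED rule from failing after inbound traffic is already blocked. The REQUIRED module set, the loopback rule, the function names and the sample listings are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: refuse to plan a DROP policy unless the modules needed by
# the ESTABLISHED,RELATED rule are present in a module listing.

# Assumed module set for an IPv4 "-m state" rule on a kernel of this era;
# xt_conntrack, nf_conntrack and nf_conntrack_ipv4 appear in the TC 6 listing.
REQUIRED="x_tables ip_tables iptable_filter xt_conntrack nf_conntrack nf_conntrack_ipv4"

# missing_modules FILE: print required modules not listed in FILE.
# FILE uses /proc/modules or lsmod layout (module name in column 1).
# Modules built into the kernel never appear there, so a hit is a hint, not proof.
missing_modules() {
    awk -v req="$REQUIRED" '
        { loaded[$1] = 1 }
        END {
            n = split(req, r, " ")
            for (i = 1; i <= n; i++) if (!(r[i] in loaded)) printf "%s ", r[i]
        }' "$1" | sed 's/ $//'
}

# firewall_plan FILE: print the iptables commands in a safe order, or
# return 1 with the list of modules that must be loaded first.
firewall_plan() {
    miss=$(missing_modules "$1")
    if [ -n "$miss" ]; then
        echo "not applying DROP policy, missing: $miss"
        return 1
    fi
    cat <<'EOF'
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -P INPUT DROP
EOF
}

# Constructed sample listings (not captured from a real system).
SAMPLE_BARE=$(mktemp); : > "$SAMPLE_BARE"      # like the empty lsmod output
SAMPLE_OK=$(mktemp)
trap 'rm -f "$SAMPLE_BARE" "$SAMPLE_OK"' EXIT
for m in $REQUIRED; do echo "$m 12288 0 - Live 0x0"; done > "$SAMPLE_OK"

firewall_plan "$SAMPLE_BARE" || true   # reports the missing modules
firewall_plan "$SAMPLE_OK"             # prints the three rules in order
```

On a live system, pass /proc/modules as FILE and run the printed commands with sudo only when the function returns 0.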