[Firewall] Dual stack IPv4 and IPv6 and old kernel

Michel van Dop mvandop at xs4all.nl
Sun Jul 17 11:06:09 CEST 2011


  

Hi,

the functionality ip6t_TCPMSS is present in the kernel module
but I still have the same error on it:

ip6t_TCPMSS is a module alias for the xt_TCPMSS module, and is present,
compiled as a module in kernel-ml-2.6.39:

[root at linux2 ~]# modinfo xt_TCPMSS
filename:       /lib/modules/2.6.39-2.el5.elrepo/kernel/net/netfilter/xt_TCPMSS.ko
alias:          ip6t_TCPMSS
alias:          ipt_TCPMSS
description:    Xtables: TCP Maximum Segment Size (MSS) adjustment
author:         Marc Boucher
license:        GPL
srcversion:     378FCA3988694318B6AB8C0
depends:        x_tables
vermagic:       2.6.39-2.el5.elrepo SMP preempt mod_unload modversions 686

but is it maybe not yet supported in the user space ip6tables tools,
given the age of el5?

Enabling setting the maximum packet size via MSS
/sbin/ip6tables -A FORWARD -o eth0 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
ERROR (2): ip6tables v1.3.5: Unknown arg `--clamp-mss-to-pmtu'
Try `ip6tables -h' or 'ip6tables --help' for more information.
/sbin/ip6tables -A OUTPUT -o eth0 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
ERROR (2): ip6tables v1.3.5: Unknown arg `--clamp-mss-to-pmtu'
Try `ip6tables -h' or 'ip6tables --help' for more information.

And when DRDOS_PROTECT=1 is set:

Enabling protection against DRDOS-abuse
/sbin/ip6tables -A EXT_INPUT_CHAIN -p tcp ! --dport 2049 -m multiport --sports 20,21,22,23,80,110,143,443,993,995 -m limit --limit 6/h --limit-burst 1 -j LOG --log-level info --log-prefix AIF:Possible DRDOS abuse:
ERROR (1): ip6tables: Unknown error 4294967295
/sbin/ip6tables -A EXT_INPUT_CHAIN -p udp ! --dport 2049 -m multiport --sports 20,21,22,23,80,110,143,443,993,995 -m limit --limit 6/h --limit-burst 1 -j LOG --log-level info --log-prefix AIF:Possible DRDOS abuse:
ERROR (1): ip6tables: Unknown error 4294967295
/sbin/ip6tables -A EXT_INPUT_CHAIN -p tcp ! --dport 2049 -m multiport --sports 20,21,22,23,80,110,143,443,993,995 -j POST_INPUT_DROP_CHAIN
ERROR (1): ip6tables: Unknown error 4294967295
/sbin/ip6tables -A EXT_INPUT_CHAIN -p udp ! --dport 2049 -m multiport --sports 20,21,22,23,80,110,143,443,993,995 -j POST_INPUT_DROP_CHAIN
ERROR (1): ip6tables: Unknown error 4294967295

Thanks best regards, Michel 

The errors probably mean the
ip6t_TCPMSS is missing (I assume you forgot to enable it when you
compiled your kernel). It's no biggy, that's for sure but in case you
would like to use SET_MSS for IPv6, one should build the module... 

a.


On 06/27/2011 03:27 PM, Inetactief/Live-streams.nl wrote: 

> I use http://elrepo.org/tiki/tiki-index.php [1] for the install of the last
> kernel. And it works, I use now 2.6.39-2.el5.elrepo. I get no warning for
> an old kernel, only these messages:
>
> Enabling setting the maximum packet size via MSS
> /sbin/ip6tables -A FORWARD -o eth0 -p tcp --tcp-flags SYN,RST
>
> les -h' or 'ip6tables --help' for more information.
> /sbin/ip6tables -A OUTPUT -o eth0 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
> ERROR (2): ip6tables v1.3.5: Unknown arg `--clamp-mss-to-pmtu'
> Try `ip6tables -h' or 'ip6tables --help' for more information.
>
> Must I update ip6tables? The firewall on IPv6 does now work... on the
> old kernel it does not work. Best regards, Michel
> --
>
> Check out my website: http://michel.foto-logs.nl [2]


Links:
------
[1]
http://elrepo.org/tiki/tiki-index.php
[2] http://michel.foto-logs.nl
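As an added illustration (not code from this thread, and not part of the firewall script being configured), the following POSIX shell snippet separates the two causes that the thread keeps circling around when an IPv6 TCPMSS rule fails: a kernel that has no module answering to the ip6t_TCPMSS alias, versus a user space ip6tables too old to know the target. The function names (`has_alias`, `version_ge`, `diagnose`, `errno_signed`) are mine; the modinfo and error samples are constructed from what is quoted above; and the 1.4.0 threshold reflects my understanding that the IPv6 TCPMSS target arrived with the 1.4.x ip6tables series, which is an assumption rather than a fact stated in the thread.

```shell
#!/bin/sh
# Added example, not code from the thread or from the firewall script it discusses.
# Tells apart "kernel module missing" from "ip6tables userspace too old" when an
# IPv6 TCPMSS rule is refused, using only text you can capture on the box.
# Assumption (labelled): ip6tables learned the TCPMSS target in the 1.4.x series,
# so 1.4.0 is used as the threshold; this value is not taken from the thread.

TCPMSS_MIN_IP6TABLES="1.4.0"   # assumed threshold, see above

# Constructed sample inputs, modelled on the output quoted in the thread.
SAMPLE_MODINFO='filename:       /lib/modules/2.6.39-2.el5.elrepo/kernel/net/netfilter/xt_TCPMSS.ko
alias:          ip6t_TCPMSS
alias:          ipt_TCPMSS
depends:        x_tables
vermagic:       2.6.39-2.el5.elrepo SMP preempt mod_unload modversions 686'
SAMPLE_ERROR="ERROR (2): ip6tables v1.3.5: Unknown arg \`--clamp-mss-to-pmtu'"

# has_alias MODINFO_TEXT ALIAS: succeeds when the module advertises ALIAS.
has_alias() {
    printf '%s\n' "$1" | grep -q "^alias:[[:space:]]*$2[[:space:]]*\$"
}

# ip6tables_version TEXT: extracts "1.3.5" from "... ip6tables v1.3.5: ...".
ip6tables_version() {
    printf '%s\n' "$1" | sed -n 's/.*ip6tables v\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# version_ge A B: succeeds when dotted version A >= B (first three components).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= 3; i++) {
            xi = (i <= n) ? x[i] + 0 : 0
            yi = (i <= m) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# diagnose MODINFO_TEXT ERROR_TEXT: prints which side is at fault.
#   kernel-module-missing  no module answers to the ip6t_TCPMSS alias
#   userspace-too-old      module present, ip6tables older than the threshold
#   both                   neither side is usable
#   ok                     both sides look fine; look at the rule itself instead
diagnose() {
    kernel_ok=1; user_ok=1
    has_alias "$1" ip6t_TCPMSS || kernel_ok=0
    ver=$(ip6tables_version "$2")
    if [ -z "$ver" ] || ! version_ge "$ver" "$TCPMSS_MIN_IP6TABLES"; then
        user_ok=0
    fi
    if [ "$kernel_ok" -eq 1 ] && [ "$user_ok" -eq 1 ]; then echo ok
    elif [ "$kernel_ok" -eq 0 ] && [ "$user_ok" -eq 0 ]; then echo both
    elif [ "$kernel_ok" -eq 0 ]; then echo kernel-module-missing
    else echo userspace-too-old
    fi
}

# errno_signed N: iptables prints the errno as an unsigned number, so
# "Unknown error 4294967295" is really -1: not a real errno at all, meaning
# the rule was rejected without a specific error code.
errno_signed() {
    awk -v n="$1" 'BEGIN { if (n >= 2147483648) n -= 4294967296; print n }'
}

# Run against the constructed samples; on a live box pass "$(modinfo xt_TCPMSS)"
# and the captured ip6tables error message instead.
echo "diagnosis: $(diagnose "$SAMPLE_MODINFO" "$SAMPLE_ERROR")"
echo "errno 4294967295 is really $(errno_signed 4294967295)"
```

With the thread's own figures (module present with the ip6t_TCPMSS alias, ip6tables v1.3.5) the script reports `userspace-too-old`, which matches the conclusion that the kernel side is fine and the el5 user space tools are what need updating; the `Unknown error 4294967295` lines decode to -1, so they carry no errno information of their own.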