[Firewall] Dual stack IPv4 and IPv6 and old kernel

Lonnie Abelbeck lists at lonnie.abelbeck.com
Mon Jul 18 02:29:23 CEST 2011


Michel,

I suspect you have too old a version of iptables (v1.3.5, released 2006-Jan-31).

Just for a data point, I have a much older kernel than you, but with iptables v1.4.9 your ip6tables commands work for me, including when DRDOS_PROTECT=1.
--
# modinfo xt_TCPMSS
filename:       /lib/modules/2.6.27.57-astlinux/kernel/net/netfilter/xt_TCPMSS.ko
alias:          ip6t_TCPMSS
alias:          ipt_TCPMSS
description:    Xtables: TCP Maximum Segment Size (MSS) adjustment
author:         Marc Boucher <marc at mbsi.ca>
license:        GPL
depends:        x_tables
vermagic:       2.6.27.57-astlinux preempt mod_unload modversions GEODE
--
# ip6tables -V
ip6tables v1.4.9
--

For kernel 2.6.36 it looks like you should have iptables 1.4.10 or later.
http://www.netfilter.org/projects/iptables/downloads.html

Lonnie


On Jul 17, 2011, at 4:06 AM, Michel van Dop wrote:

> Hi,
> 
> the functionality ip6t_TCPMSS is present in the kernel module, but I still have the same error:
> 
> ip6t_TCPMSS is a module alias for the xt_TCPMSS module, and is present, 
> compiled as a module in kernel-ml-2.6.39
> 
> [root@linux2 ~]# modinfo xt_TCPMSS
> filename:       /lib/modules/2.6.39-2.el5.elrepo/kernel/net/netfilter/xt_TCPMSS.ko
> alias:          ip6t_TCPMSS
> alias:          ipt_TCPMSS
> description:    Xtables: TCP Maximum Segment Size (MSS) adjustment
> author:         Marc Boucher <marc at mbsi.ca>
> license:        GPL
> srcversion:     378FCA3988694318B6AB8C0
> depends:        x_tables
> vermagic:       2.6.39-2.el5.elrepo SMP preempt mod_unload modversions 686
> 
> but it is maybe not yet supported in the user-space ip6tables tools, given the age of el5?
> 
> Enabling setting the maximum packet size via MSS
> /sbin/ip6tables -A FORWARD -o eth0 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
> ERROR (2): ip6tables v1.3.5: Unknown arg `--clamp-mss-to-pmtu'
> Try `ip6tables -h' or 'ip6tables --help' for more information.
> /sbin/ip6tables -A OUTPUT -o eth0 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
> ERROR (2): ip6tables v1.3.5: Unknown arg `--clamp-mss-to-pmtu'
> Try `ip6tables -h' or 'ip6tables --help' for more information.
> 
> And when DRDOS_PROTECT=1 is set:
> 
>  Enabling protection against DRDOS-abuse
> /sbin/ip6tables -A EXT_INPUT_CHAIN -p tcp ! --dport 2049 -m multiport --sports 20,21,22,23,80,110,143,443,993,995 -m limit --limit 6/h --limit-burst 1 -j LOG --log-level info --log-prefix AIF:Possible DRDOS abuse:
> ERROR (1): ip6tables: Unknown error 4294967295
> /sbin/ip6tables -A EXT_INPUT_CHAIN -p udp ! --dport 2049 -m multiport --sports 20,21,22,23,80,110,143,443,993,995 -m limit --limit 6/h --limit-burst 1 -j LOG --log-level info --log-prefix AIF:Possible DRDOS abuse:
> ERROR (1): ip6tables: Unknown error 4294967295
> /sbin/ip6tables -A EXT_INPUT_CHAIN -p tcp ! --dport 2049 -m multiport --sports 20,21,22,23,80,110,143,443,993,995 -j POST_INPUT_DROP_CHAIN
> ERROR (1): ip6tables: Unknown error 4294967295
> /sbin/ip6tables -A EXT_INPUT_CHAIN -p udp ! --dport 2049 -m multiport --sports 20,21,22,23,80,110,143,443,993,995 -j POST_INPUT_DROP_CHAIN
> ERROR (1): ip6tables: Unknown error 4294967295
> 
> 
> 
> Thanks best regards, Michel
> 
>  
>  
> The errors probably mean the ip6t_TCPMSS is missing (I assume you forgot to enable it when you compiled your kernel). It's no biggie, that's for sure, but in case you would like to use SET_MSS for IPv6, one should build the module...
> 
> a.
> 
> On 06/27/2011 03:27 PM, Inetactief/Live-streams.nl wrote:
> 
>> I use http://elrepo.org/tiki/tiki-index.php to install the latest kernel. And it works; I now use 2.6.39-2.el5.elrepo. I get no warning for an old kernel, only these messages:
>> 
>> Enabling setting the maximum packet size via MSS
>> /sbin/ip6tables -A FORWARD -o eth0 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
>> ERROR (2): ip6tables v1.3.5: Unknown arg `--clamp-mss-to-pmtu'
>> Try `ip6tables -h' or 'ip6tables --help' for more information.
>> /sbin/ip6tables -A OUTPUT -o eth0 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
>> ERROR (2): ip6tables v1.3.5: Unknown arg `--clamp-mss-to-pmtu'
>> Try `ip6tables -h' or 'ip6tables --help' for more information.
>> 
>> Must I update ip6tables? The firewall on IPv6 does work now... on the old kernel it did not work.
>> 
>> Best regards, Michel
> -- 
> Check out my website: http://michel.foto-logs.nl
> _______________________________________________
> Firewall mailing list
> Firewall at rocky.eld.leidenuniv.nl
> http://rocky.eld.leidenuniv.nl/mailman/listinfo/firewall
> Arno's (Linux IPTABLES Firewall) Homepage:
> http://rocky.eld.leidenuniv.nl
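An added example, written for this archive page and not code from the thread or from Arno's firewall script: it turns Lonnie's diagnosis into a check you can run on the host. It reads the kernel version from the vermagic line of modinfo xt_TCPMSS, picks a minimum ip6tables version for that kernel, compares it numerically against the output of ip6tables -V (so 1.4.9 is correctly seen as older than 1.4.10), and confirms the module really carries the ip6t_TCPMSS alias. The minimum versions are an assumption read off the two data points in the thread (1.4.10 for 2.6.36 and later, per Lonnie's pointer to the netfilter download page; 1.4.9 as the version shown working on 2.6.27), not a rule published by netfilter. The sample inputs are built from the outputs Michel and Lonnie posted; the script name check-ip6tables.sh and all function names are mine. The Unknown error 4294967295 lines in Michel's DRDOS output are -1 printed as an unsigned 32-bit number, i.e. a generic failure rather than a usable errno; the script does not try to interpret those.

```shell
#!/bin/sh
# Added example (not from the thread, not Arno's script): reproduce the
# version-mismatch diagnosis as a runnable check.
# Assumption (mine, derived from the thread's two data points): ip6tables
# >= 1.4.10 on kernels >= 2.6.36, and >= 1.4.9 on older kernels.

# Sample inputs constructed from the outputs posted in the thread.
MICHEL_VERSION='ip6tables v1.3.5'
MICHEL_MODINFO='filename:       /lib/modules/2.6.39-2.el5.elrepo/kernel/net/netfilter/xt_TCPMSS.ko
alias:          ip6t_TCPMSS
alias:          ipt_TCPMSS
depends:        x_tables
vermagic:       2.6.39-2.el5.elrepo SMP preempt mod_unload modversions 686'
LONNIE_VERSION='ip6tables v1.4.9'
LONNIE_MODINFO='filename:       /lib/modules/2.6.27.57-astlinux/kernel/net/netfilter/xt_TCPMSS.ko
alias:          ip6t_TCPMSS
alias:          ipt_TCPMSS
depends:        x_tables
vermagic:       2.6.27.57-astlinux preempt mod_unload modversions GEODE'

# vercmp A B: print -1, 0 or 1, comparing dotted versions field by field
# as integers (a plain string compare would rank 1.4.9 above 1.4.10).
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        if [ "$a" = "$ai" ]; then a=""; else a="${a#*.}"; fi
        if [ "$b" = "$bi" ]; then b=""; else b="${b#*.}"; fi
        ai="${ai:-0}"; bi="${bi:-0}"
        if [ "$ai" -lt "$bi" ]; then echo -1; return 0; fi
        if [ "$ai" -gt "$bi" ]; then echo 1; return 0; fi
    done
    echo 0
}

# parse_ip6tables_version "<ip6tables -V output>": print the bare version.
parse_ip6tables_version() {
    printf '%s\n' "$1" | sed -n 's/^ip6tables v\([0-9][0-9.]*\).*/\1/p'
}

# kernel_version_from_modinfo "<modinfo output>": print the numeric part
# of the vermagic line (2.6.39-2.el5.elrepo ... -> 2.6.39).
kernel_version_from_modinfo() {
    printf '%s\n' "$1" | sed -n 's/^vermagic:[[:space:]]*\([0-9][0-9.]*\).*/\1/p'
}

# min_ip6tables_for_kernel <kernel>: the assumed minimum userspace version.
min_ip6tables_for_kernel() {
    if [ "$(vercmp "$1" 2.6.36)" -ge 0 ]; then echo 1.4.10; else echo 1.4.9; fi
}

# ip6tables_version_ok "<ip6tables -V output>" <minimum>: exit 0 if new enough.
ip6tables_version_ok() {
    v=$(parse_ip6tables_version "$1")
    [ -n "$v" ] || return 2
    [ "$(vercmp "$v" "$2")" -ge 0 ]
}

# module_has_alias "<modinfo output>" <alias>: exit 0 if the alias line exists.
module_has_alias() {
    printf '%s\n' "$1" | grep -q "^alias:[[:space:]]*$2\$"
}

# diagnose "<ip6tables -V output>" "<modinfo xt_TCPMSS output>"
# Exit status: 0 all good, 1 userspace too old, 2 module/alias missing, 3 both.
diagnose() {
    rc=0
    kv=$(kernel_version_from_modinfo "$2")
    [ -n "$kv" ] || kv=2.6.36          # no vermagic: assume the stricter bound
    min=$(min_ip6tables_for_kernel "$kv")
    if ip6tables_version_ok "$1" "$min"; then
        echo "userspace OK: $(parse_ip6tables_version "$1") >= $min for kernel $kv"
    else
        echo "userspace too old: '$1', want >= $min for kernel $kv (this side rejects --clamp-mss-to-pmtu)"
        rc=1
    fi
    if module_has_alias "$2" ip6t_TCPMSS; then
        echo "kernel OK: xt_TCPMSS carries the ip6t_TCPMSS alias"
    else
        echo "kernel: no ip6t_TCPMSS alias found; build with CONFIG_NETFILTER_XT_TARGET_TCPMSS"
        rc=$((rc + 2))
    fi
    return $rc
}

# Walk through both boxes from the thread; the && / || keeps a non-zero
# status from aborting the script if it is run under set -e.
echo "--- Michel's box"; diagnose "$MICHEL_VERSION" "$MICHEL_MODINFO" && echo "status 0" || echo "status $?"
echo "--- Lonnie's box"; diagnose "$LONNIE_VERSION" "$LONNIE_MODINFO" && echo "status 0" || echo "status $?"

# Live check of this host: RUN_LIVE_CHECK=1 sh check-ip6tables.sh
if [ "${RUN_LIVE_CHECK:-0}" = 1 ]; then
    diagnose "$(ip6tables -V 2>/dev/null)" "$(modinfo xt_TCPMSS 2>/dev/null)"
fi
```

Run it as-is to see the two thread cases side by side; with RUN_LIVE_CHECK=1 it runs the real ip6tables -V and modinfo xt_TCPMSS on the current host. The kernel-dependent minimum is the point: Lonnie's 1.4.9 passes on 2.6.27 but the same 1.4.9 would be flagged on Michel's 2.6.39, matching the advice in the reply.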
