Discussion:
[Shorewall-users] CentOS7 update problem
Richard B. Pyne
2016-08-30 19:33:31 UTC
I have been using Shorewall since version 2 on several platforms. A
couple years ago, I standardized on CentOS, and everything worked fine.

Last week, I ran an update on some CentOS 7 servers and discovered that
Shorewall wouldn't start. It fails with the message: "Your
kernel/iptables do not include state match support. No version of
Shorewall will run on this system"

I have Shorewall version 5.0.8.2 installed.

Any help would be greatly appreciated.

--Richard

------------------------------------------------------------------------------
Dario Lesca
2016-09-01 15:35:04 UTC
I have been using Shorewall since version 2 on several platforms. A
couple years ago, I standardized on CentOS, and everything worked fine.
Last week, I ran an update on some CentOS 7 servers and discovered that
Shorewall wouldn't start. It fails with the message: "Your
kernel/iptables do not include state match support. No version of
Shorewall will run on this system"
I have Shorewall version 5.0.8.2 installed.
Any help would be greatly appreciated.
Could it be a problem with SELinux? Look in /var/log/audit/audit.log

I have found this old message:
https://lists.centos.org/pipermail/centos/2013-February/132567.html

Hope this helps

-- 
Dario Lesca
(sent from my Linux Fedora 24 Workstation)

------------------------------------------------------------------------------
Tom Eastep
2016-09-01 20:59:28 UTC
Post by Richard B. Pyne
I have been using Shorewall since version 2 on several platforms. A
couple years ago, I standardized on CentOS, and everything worked fine.
Last week, I ran an update on some CentOS 7 servers and discovered
that Shorewall wouldn't start. It fails with the message: "Your
kernel/iptables do not include state match support. No version of
Shorewall will run on this system"
I have Shorewall version 5.0.8.2 installed.
Any help would be greatly appreciated.
After executing this command:

iptables -N foo

What output do these commands produce?

iptables -A foo -m state --state ESTABLISHED -j ACCEPT
iptables -a foo -m conntrack --cstate ESTABLISHED -j ACCEPT

Thanks,
- -Tom
- --
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________

------------------------------------------------------------------------------
Benny Pedersen
2016-09-01 21:45:44 UTC
Post by Tom Eastep
iptables -N foo
What output do these commands produce?
iptables -A foo -m state --state ESTABLISHED -j ACCEPT
iptables -a foo -m conntrack --cstate ESTABLISHED -j ACCEPT
on gentoo it says unknown option "--cstate"

kernel 4.7
iptables 1.4.21


------------------------------------------------------------------------------
Tom Eastep
2016-09-01 21:49:44 UTC
Post by Benny Pedersen
Post by Tom Eastep
iptables -N foo
What output do these commands produce?
iptables -A foo -m state --state ESTABLISHED -j ACCEPT
iptables -a foo -m conntrack --cstate ESTABLISHED -j ACCEPT
on gentoo it says unknown option "--cstate"
kernel 4.7
iptables 1.4.21
Oops -- typo. Should be


iptables -a foo -m conntrack --ctstate ESTABLISHED -j ACCEPT

- -Tom
- --
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________

------------------------------------------------------------------------------
Benny Pedersen
2016-09-01 22:09:36 UTC
Post by Tom Eastep
iptables -a foo -m conntrack --ctstate ESTABLISHED -j ACCEPT
confirmed works

iptables is by default not compiled with conntrack support on Gentoo




------------------------------------------------------------------------------
Tom Eastep
2016-09-02 02:47:57 UTC
Post by Benny Pedersen
Post by Tom Eastep
iptables -a foo -m conntrack --ctstate ESTABLISHED -j ACCEPT
confirmed works
iptables is default not compiled with conntrack support on gentoo
That's too bad -- it means that quite a bit of Shorewall functionality
is not available.

- -Tom
- --
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________

------------------------------------------------------------------------------
Richard B. Pyne
2016-09-08 00:31:48 UTC
Post by Tom Eastep
Post by Tom Eastep
iptables -N foo
What output do these commands produce?
iptables -A foo -m state --state ESTABLISHED -j ACCEPT
# iptables -a foo -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables v1.4.21: unknown option "-a"
-a and -A are not the same thing.
Which is why I did a cut and paste from Tom's emails.
It should be -A
# iptables -A foo -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables v1.4.21: can't initialize iptables table `filter': Table does
not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.

# iptables -A foo -m state --state ESTABLISHED -j ACCEPT
iptables v1.4.21: can't initialize iptables table `filter': Table does
not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.

------------------------------------------------------------------------------
Tom Eastep
2016-09-08 02:05:03 UTC
Post by Richard B. Pyne
On Wed, Sep 07, 2016 at 01:15:06PM -0600, Richard B. Pyne
Post by Tom Eastep
iptables -N foo
What output do these commands produce?
iptables -A foo -m state --state ESTABLISHED -j ACCEPT
# iptables -a foo -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables v1.4.21: unknown option "-a"
-a and -A are not the same thing.
Which is why I did a cut and paste from Tom's emails.
It should be -A
# iptables -A foo -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables v1.4.21: can't initialize iptables table `filter': Table does
not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
# iptables -A foo -m state --state ESTABLISHED -j ACCEPT
iptables v1.4.21: can't initialize iptables table `filter': Table does
not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
There is something very wrong with your installation. It looks as if
module autoloading is disabled?

- -Tom
- --
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________

------------------------------------------------------------------------------
Tom Eastep
2016-09-08 20:21:20 UTC
Post by Tom Eastep
Post by Richard B. Pyne
# iptables -A foo -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables v1.4.21: can't initialize iptables table `filter': Table does
not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
# iptables -A foo -m state --state ESTABLISHED -j ACCEPT
iptables v1.4.21: can't initialize iptables table `filter': Table does
not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
There is something very wrong with your installation. It looks as if
module autoloading is disabled?
If you have LOAD_HELPERS_ONLY=Yes in shorewall.conf, it may help if you
switch to LOAD_HELPERS_ONLY=No.

-Tom
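
Added example, not part of any post in this thread: a shell triage helper that sorts the three error messages quoted above into a next step, and for the "Table does not exist" case checks whether the table's kernel module is loaded and whether module loading is locked. The result labels, the function names and the mapping of table `filter` to module `iptable_filter` via the `iptable_` prefix are assumptions of this example; the file arguments default to the real /proc paths.

```shell
#!/bin/sh
# Added triage sketch; labels such as "try-modprobe" are invented for this example.

# Map an error message quoted in the thread to a failure class.
classify_iptables_error() {
    case "$1" in
        *"do not include state match support"*) echo shorewall-probe-failed ;;
        *"unknown option"*)                     echo cli-usage ;;
        *"can't initialize iptables table"*)    echo table-missing ;;
        *)                                      echo other ;;
    esac
}

# Pull the table name out of "... iptables table `filter': ...".
table_from_error() {
    printf '%s\n' "$1" | sed -n "s/.*iptables table \`\([a-z]*\)'.*/\1/p"
}

# True if module $1 is listed in a /proc/modules-format file $2.
module_loaded() {
    grep -q "^$1 " "${2:-/proc/modules}"
}

# diagnose ERROR_TEXT [MODULES_FILE] [MODULES_DISABLED_FILE]
diagnose() {
    err=$1
    modules=${2:-/proc/modules}
    lock=${3:-/proc/sys/kernel/modules_disabled}
    case "$(classify_iptables_error "$err")" in
        shorewall-probe-failed) echo run-manual-probe; return 0 ;;
        cli-usage)              echo fix-command-line; return 0 ;;
        other)                  echo unclassified; return 0 ;;
    esac
    # Assumption: the module for table X is named iptable_X.
    need="iptable_$(table_from_error "$err")"
    if module_loaded "$need" "$modules"; then
        echo "module-present:$need"
    elif [ "$(cat "$lock" 2>/dev/null)" = 1 ]; then
        # modules_disabled=1 blocks all module loading until reboot.
        echo "loading-locked:$need"
    else
        echo "try-modprobe:$need"
    fi
}
```

On a live host, pass the captured stderr of the failing iptables command as the only argument so the real /proc files are read.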

------------------------------------------------------------------------------
Richard B. Pyne
2016-09-09 06:43:05 UTC