[H-GEN] router woes (redhat specific?)
David Jericho
david.jericho at bytecomm.com.au
Thu Jul 11 23:43:14 EDT 2002
[ Humbug *General* list - semi-serious discussions about Humbug and ]
[ Unix-related topics. Posts from non-subscribed addresses will vanish. ]
On Fri, 2002-07-12 at 12:20, Matthew Taylor wrote:
> Read the IP Masquerade howto, discovered kernel module ip_tables appears
> to be incorrectly configured. This appears the same on 2 redhat 7.3
> boxes & 1 Redhat 7.2, do others have this problem?
No, it's not actually a problem. RedHat provides both ipchains, and
iptables for you to use, but they are mutually exclusive in operation.
It's the same with any other 2.4 kernel. You can compile both in, but
only ever use one at any particular instant.
RedHat 7.x default to ipchains for reasons of backwards compatibility.
Some people work long and hard on their firewalling rules in the
mistaken belief that they are going to be secure afterwards.
[davidj at cheesypoof davidj]$ sudo rpm -e ipchains
will remove ipchains. If there are dependencies (often lokkit and
others), it'll inform you and not remove ipchains. Another way, which
leaves ipchains present on the system but disables it, is
[davidj at cheesypoof davidj]$ sudo /sbin/service ipchains stop
[davidj at cheesypoof davidj]$ sudo /sbin/chkconfig --level 0123456 \
ipchains off
Of course, you'll want to make doubly sure that you've got iptables
running on boot, so assuming it's all installed
[davidj at cheesypoof davidj]$ sudo /sbin/chkconfig --level 2345 iptables \
on
You can create your /etc/sysconfig/iptables file with a fair bit of
ease. First create all your rules using /sbin/iptables, and once you're
sure they're all working properly, run
[davidj at cheesypoof davidj]$ sudo /sbin/iptables-save > \
/etc/sysconfig/iptables
> I know I should be able to re-compile the kernel. The major hangup I
> seem to hit is knowing which options to select to replicate the
> distribution kernel. ie: if lsmod shows kernel module '8139too' (a nic
> module I think?) how do I check my kernel configure process will create
> that module?
No need to do the above. Recompiling kernels is only for the hardcore
anyway. RedHat spends a lot of time doing QA on their kernels, and I
haven't replaced one of their kernels with one of mine for at least a
year and a half now. I've also not had a kernel related machine crash in
that time.
> Using IPChains seems to be the 'easiest' solution, but I'd much rather
> 'do it right'. Sample rulesets for either IPChains or IPTables would be
> appreciated.
There are plenty of links off http://www.netfilter.org/
> also, when I ssh between boxes it is slow (3-4 secs at least), ping
> times are less than 1ms. any ideas on what to look for?
> and - if I want to setup my network so that I can
> ssh somename
> instead of
> ssh xxx.xxx.xxx.xxx
Could be a variety of things, but first thing I'd place a bet on is your
DNS or hostname resolution. Either create a local zone in your DNS, or
add each host to /etc/hosts
> Should I be using dns? or something else? (I'll probably leave this for
> now until I get everything else sorted, but something to aim for)
Your call. The obvious advantage with running a local DNS server is that
you get an element of caching, and if you do add another host record to
the network, the change is known by all clients right away. The caching
won't save you much traffic, but it can make things quicker to less well
connected sites and if your link is saturated.
Using /etc/hosts removes another running program off your gateway.
> [trying to learn how to fish and avoiding consultants talking about fish
> meals.]
Mmm... crumbed Hoki with a potato bake.
> Module Size Used by Not tainted
> ipchains 40456 11
> insmod ip_tables
See above, the two are mutually exclusive. Be nice if modules had some
sort of exclusivity notification.
> Using /lib/modules/2.4.18-3/kernel/net/ipv4/netfilter/ip_tables.o
I'd update your kernel just for comfort's sake.
RHBA-2002:110-09, which is the update to 2.4.18-5, fixes some NFS issues
and some other bugs.
RHBA-2002:085-11, which updated to 2.4.18-4, fixes some obscure bugs in
ext3 and one or two other bugs.
I'm sure RedHat Rob would agree with me that signing up to RHN is a Good
Thing(tm), as it can automate a lot of the package updates you'll want
to do. RedHat on security problems has a delightfully quick turn around,
and they're good with the bugfixes. IIRC, everyone is allowed at least
one free RHN subscription.
--
David Jericho
Senior Systems Administrator, Bytecomm Pty Ltd
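As an added example (not part of David's reply or of anything on the Humbug list), here is a small POSIX shell helper covering the steps discussed above: reading an lsmod-style listing to see whether ipchains or ip_tables currently owns the kernel's netfilter hooks, printing a reviewable masquerading ruleset of the kind the IP Masquerade HOWTO describes (to be applied and then captured with iptables-save as the reply suggests), and adding /etc/hosts entries idempotently as an alternative to running a local DNS server. The lsmod listing, the interface names eth0/eth1 and the 192.168.1.0/24 network are constructed; the rule ordering is my own and is meant to be adapted to the site, not copied blindly.

```shell
#!/bin/sh
# Added example, not from the original post. Helpers for the ipchains -> iptables
# switch described in the reply. SAMPLE_LSMOD is constructed; on a real box you
# would pipe in the output of `lsmod` (or cat /proc/modules) instead.

# Constructed lsmod output matching the poster's situation: ipchains is loaded,
# so `insmod ip_tables` will not give a working iptables.
SAMPLE_LSMOD='Module                  Size  Used by    Not tainted
ipchains               40456  11
8139too                17000   1'

# netfilter_mode: read lsmod-style text on stdin and print which packet filter
# is loaded: ipchains, iptables, both or none. "both" means one of the two is
# present but cannot actually filter, since they are mutually exclusive.
netfilter_mode() {
    awk 'NR > 1 && $1 == "ipchains"  { c = 1 }
         NR > 1 && $1 == "ip_tables" { t = 1 }
         END {
             if (c && t) print "both"
             else if (c) print "ipchains"
             else if (t) print "iptables"
             else        print "none"
         }'
}

# ready_for_iptables: succeed (exit 0) only when ipchains is not loaded, i.e.
# when stopping/removing ipchains is no longer needed before starting iptables.
ready_for_iptables() {
    mode=$(netfilter_mode)
    [ "$mode" = "iptables" ] || [ "$mode" = "none" ]
}

# masq_ruleset EXT_IF INT_IF INT_NET: print (not apply) a minimal gateway
# ruleset: default-deny INPUT and FORWARD, stateful return traffic, LAN hosts
# may reach the gateway and the outside, NAT out the external interface.
# Review the output, run it, then `iptables-save > /etc/sysconfig/iptables`.
masq_ruleset() {
    ext="$1"; int="$2"; int_net="$3"
    cat <<EOF
/sbin/iptables -F
/sbin/iptables -t nat -F
/sbin/iptables -P INPUT DROP
/sbin/iptables -P FORWARD DROP
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A INPUT -i $int -s $int_net -j ACCEPT
/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -i $int -s $int_net -o $ext -j ACCEPT
/sbin/iptables -t nat -A POSTROUTING -s $int_net -o $ext -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
EOF
}

# add_host_entry FILE IP NAME: append a hosts(5) line to FILE unless NAME is
# already listed there, so re-running a provisioning script is harmless.
# Pass /etc/hosts on the gateway; the usage below uses a scratch file.
add_host_entry() {
    file="$1"; ip="$2"; name="$3"
    if awk -v n="$name" '
            $1 !~ /^#/ { for (i = 2; i <= NF; i++) if ($i == n) found = 1 }
            END { exit !found }' "$file" 2>/dev/null; then
        return 0            # already present, nothing to do
    fi
    printf '%s\t%s\n' "$ip" "$name" >> "$file"
}

# Usage (the constructed sample stands in for a live `lsmod` here):
if printf '%s\n' "$SAMPLE_LSMOD" | ready_for_iptables; then
    echo "ipchains not loaded; safe to start iptables"
else
    echo "ipchains is loaded; stop it or rpm -e it first, then start iptables"
fi
```

Printing the ruleset instead of applying it is deliberate: on a remote gateway a typo in a default-deny policy locks you out, so read the output first, apply it from a console (or with a scheduled rollback), and only then capture it with iptables-save.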
--
* This is list (humbug) general handled by majordomo at lists.humbug.org.au .
* Postings to this list are only accepted from subscribed addresses of
* lists 'general' or 'general-post'. See http://www.humbug.org.au/