MyBookWorld - installing iptables

Why?

My motivation was that I did not want the MBWE to be configurable from every host in my LAN, especially not from the router :-)

Kernel modules

You need to compile some kernel modules for iptables, as described in my short cross-compiling howto.
Stateful filtering (NETFILTER_XT_MATCH_STATE) relies on connection tracking (NF_CONNTRACK_ENABLED), but unfortunately the module won't load because of unresolved symbols.
root@minerva:~# insmod /lib/modules/2.6.24.4/kernel/net/netfilter/nf_conntrack.ko
insmod: cannot insert '/lib/modules/2.6.24.4/kernel/net/netfilter/nf_conntrack.ko': Unknown symbol in module (-1): No such file or directory
root@minerva:~# dmesg
nf_conntrack: Unknown symbol nf_conntrack_destroy
nf_conntrack: Unknown symbol nf_ct_destroy
nf_conntrack: Unknown symbol ip_ct_attach
I believe this can only be solved by installing a modified kernel image: if you grep the original kernel image (e.g. the one from an upgrade) for these symbols, they are not found, but if you grep arch/arm/boot/uImage from the kernel that was compiled together with the modules, they are found!

iptables and its libraries

I compiled the latest iptables version (1.4.6) and its libraries like this:
./configure --host=arm-linux-gnueabi --prefix=/ --libexecdir=/usr/lib/iptables
All of those files are included in my .ipk package (see below).
Please note that, unlike optware, I am NOT installing to /opt.

Example iptables rules

export LAN="192.168.1.0/24"
export ADMINPC="192.168.1.99"
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -F
iptables -X
iptables -Z
iptables -A INPUT -i lo -j ACCEPT
# Allow administration from one PC
iptables -A INPUT -p tcp -s $ADMINPC --dport 22 -j ACCEPT # ssh
iptables -A INPUT -p tcp -s $ADMINPC --dport 80 -j ACCEPT # http
iptables -A INPUT -p tcp -s $ADMINPC --dport 443 -j ACCEPT # https
# Allow NFS from localnet
iptables -A INPUT -p tcp -s $LAN --dport 111 -j ACCEPT # portmap
iptables -A INPUT -p tcp -s $LAN --dport 2049 -j ACCEPT # nfs
iptables -A INPUT -p tcp -s $LAN --dport 32767 -j ACCEPT # mountd
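The rule set above has one consequence worth knowing: because nf_conntrack does not load, `-m state --state ESTABLISHED` cannot be used, so with an INPUT DROP policy the replies to connections the MBWE opens itself (DNS lookups, package downloads) are discarded as well. The following is an added example, not the page author's script, that rebuilds the same rules in iptables-restore format (applied atomically in one go) and adds the usual stateless stand-ins; the resolver address is an assumption.

```shell
#!/bin/sh
# Added example, not the page author's script.  Generates a stateless
# rule set for the MBWE in iptables-restore format.  nf_conntrack does
# not load on this kernel (see above), so "-m state --state ESTABLISHED"
# is unavailable and replies to connections the NAS opens itself (DNS
# lookups, package downloads) would hit the INPUT DROP policy.
LAN="${LAN:-192.168.1.0/24}"        # as on the page
ADMINPC="${ADMINPC:-192.168.1.99}"  # as on the page
DNS="${DNS:-192.168.1.1}"           # assumption: LAN resolver address

gen_rules() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# administration from one PC only
-A INPUT -p tcp -s $ADMINPC --dport 22 -j ACCEPT
-A INPUT -p tcp -s $ADMINPC --dport 80 -j ACCEPT
-A INPUT -p tcp -s $ADMINPC --dport 443 -j ACCEPT
# NFS over TCP from the LAN (portmap, nfs, mountd on a fixed port)
-A INPUT -p tcp -s $LAN --dport 111 -j ACCEPT
-A INPUT -p tcp -s $LAN --dport 2049 -j ACCEPT
-A INPUT -p tcp -s $LAN --dport 32767 -j ACCEPT
# stateless stand-in for ESTABLISHED: a TCP segment without SYN cannot
# open a connection, so it is either part of one accepted above or a
# reply to one the NAS started.  Weaker than conntrack: such segments
# reach any port, so non-SYN probes can still map which ports listen.
-A INPUT -p tcp ! --syn -j ACCEPT
# UDP has no handshake; accept DNS answers from the known resolver only
-A INPUT -p udp -s $DNS --sport 53 -j ACCEPT
COMMIT
EOF
}

# number of ACCEPT rules, handy as a sanity check before applying
count_accepts() { gen_rules | grep -c -- '-j ACCEPT'; }

# "apply" loads the whole table atomically; default is a dry run
if [ "${1:-}" = "apply" ]; then
    gen_rules | iptables-restore
else
    gen_rules
fi
```

Run it without arguments to review the generated table, then `sh firewall.sh apply` on the MBWE to load it.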

Download

I made an ipk archive containing the kernel modules, all required libraries and iptables-1.4.6, which can be found at my .ipkg packages page.

Notes

Please do NOT contact me and ask how to fix stateful filtering.
I can't fix it until I find out how to fix the unresolved symbols in the module.
Also, please do NOT ask when I will have done this. The answer is "Never, unless I get help with the quest to install a modified kernel."