module ip_tables not found

Discussion in 'Tomato Firmware' started by quietsy, Sep 13, 2007.

  1. quietsy

    quietsy LI Guru Member

    Hello guys,

    I've recently upgraded my WRT54GL to Tomato 1.07.1042 (thanks to roadkill)
    and I have this issue with my firewall when I try to execute this command:

    /usr/sbin/iptables -A OUTPUT -p udp -m udp -m multiport -d 255.255.255.255 --dports 68,67 -j DROP

    I get this error:

    modprobe: module ip_tables not found.
    modprobe: failed to load module ip_tables

    and I've tried to reset the NVRAM and even reinstall the firmware with no luck.

    Any help will be greatly appreciated.
     
  2. roadkill

    roadkill Super Moderator Staff Member Member

    This is the result on an official Tomato 1.07; your problem lies elsewhere.
    Code:
    Tomato  v1.07.1039
    
    
    BusyBox v1.2.2 (2007.05.06-15:48+0000) Built-in shell (ash)
    Enter 'help' for a list of built-in commands.
    
    
    # /usr/sbin/iptables -A OUTPUT -p udp -m udp -m multiport -d 255.255.255.255 --dports 68,67 -j DROP
    modprobe: module ip_tables not found.
    modprobe: failed to load module ip_tables
    iptables: No chain/target/match by that name
    # 
    
    I did insmod ipt_multiport.o but still got the output below. Maybe there is another module which needs to be loaded; try using cd / && ls -R | grep ipt
    Code:
    modprobe: module ip_tables not found.
    modprobe: failed to load module ip_tables
    
    If you could tell me exactly what modules needed to be loaded to run the command, maybe I could make it work...

    As HennieM pointed out, IP_Tables is built into the kernel, so the problem is likely within the parameters.

    :grin:
     
  3. HennieM

    HennieM Network Guru Member

    1) There's no ip_tables module when doing lsmod, so I would assume the ip_tables module is compiled into the kernel. That's not the problem.

    2) I don't know what the "-m multiport" is in your iptables command (nor what you are trying to do, so maybe that's the thing), but your destination (-d 255.255.255.255) does not make sense to me.

    From the iptables man page:

    -d, --destination [!] address[/mask]

    Address can be either a network name, a
    hostname (please note that specifying any name to be resolved
    with a remote query such as DNS is a really bad idea), a network
    IP address (with /mask), or a plain IP address. The mask can be
    either a network mask or a plain number, specifying the number
    of 1's at the left side of the network mask. Thus, a mask of 24
    is equivalent to 255.255.255.0. A "!" argument before the
    address specification inverts the sense of the address.

    Now 255.255.255.255 can never, in my opinion, be a host.....
     
  4. quietsy

    quietsy LI Guru Member

    Thanks for the help guys,

    HennieM, I was trying to block ports 67 and 68 to 255.255.255.255 which is DHCP Broadcast and this command works great if I split it to 2 lines like this:

    /usr/sbin/iptables -A OUTPUT -p udp -m udp -d 255.255.255.255 --dport 68 -j DROP
    /usr/sbin/iptables -A OUTPUT -p udp -m udp -d 255.255.255.255 --dport 67 -j DROP

    but it seems to be faulty when using the multiport parameter.

    roadkill, these are exactly the same results I get when loading the ipt_multiport.o module.

    The original command was created by the Firewall Builder program and it worked fine on other firmwares, but I just love Tomato and it would be a shame if I'll have to manage iptables manually.
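
The split-rule workaround described in the post above, as an added example that is not part of the original thread: a POSIX sh function that rewrites a generated `-m multiport` rule into one single-port rule per listed port. `expand_multiport` is a hypothetical helper name; it only prints the rules and assumes no rule argument contains whitespace.

```shell
# Added example (not from the thread). expand_multiport is a hypothetical
# helper, not an iptables or Tomato command. It prints rules, never runs them.
IPTABLES=/usr/sbin/iptables   # path used in the thread

expand_multiport() {
    before="" after="" ports="" opt=""
    while [ $# -gt 0 ]; do
        case "$1" in
            -m)
                # Drop the multiport match itself; keep other -m matches.
                if [ "${2:-}" = "multiport" ]; then
                    shift 2
                    continue
                fi
                ;;
            --dports|--destination-ports|--sports|--source-ports)
                [ $# -ge 2 ] || { echo "missing port list after $1" >&2; return 1; }
                case "$1" in
                    --d*) opt="--dport" ;;
                    *)    opt="--sport" ;;
                esac
                ports="$2"
                shift 2
                continue
                ;;
            --ports)
                # Matches source OR destination; no single-port equivalent.
                echo "--ports cannot be split into --dport/--sport rules" >&2
                return 1
                ;;
        esac
        if [ -z "$opt" ]; then before="$before $1"; else after="$after $1"; fi
        shift
    done
    if [ -z "$opt" ]; then
        echo "$IPTABLES$before"      # no multiport list: pass through unchanged
        return 0
    fi
    old_ifs=$IFS; IFS=,
    for p in $ports; do
        echo "$IPTABLES$before $opt $p$after"
    done
    IFS=$old_ifs
}

# The rule from the first post, rewritten into the two rules shown above.
expand_multiport -A OUTPUT -p udp -m udp -m multiport \
    -d 255.255.255.255 --dports 68,67 -j DROP
```

Review the printed rules before applying them; rule order is preserved, so a rule set rewritten this way keeps the same first-match behaviour.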
     
  5. HennieM

    HennieM Network Guru Member

    Got it.

    It may be that Tomato (my v1.07.1039) runs a 2.4.20 kernel. I've seen other firmwares with later kernels.
     
  6. roadkill

    roadkill Super Moderator Staff Member Member

    maybe an upgrade is due.... I'll start experimenting
     
  7. quietsy

    quietsy LI Guru Member

    That's great, let me know if I can be of any help.
    I can test on my WRT54GL and I know cpp.
     
  8. HennieM

    HennieM Network Guru Member

    Just tried your multiport iptables command (omitting the -j DROP) on a GL running dd-wrt V24, kernel 2.4.35 - it accepts it, and iptables -L -nv gives:
    Code:
    Chain OUTPUT (policy ACCEPT 205 packets, 127K bytes)
     pkts bytes target     prot opt in     out     source               destination
        0     0            udp  --  *      *       0.0.0.0/0            255.255.255.255     udp multiport dports 68,67
    
     
