(i managed to lock myself completely out of my server yesterday - help.. reboot please ;)
anyway, when i try lsmod from the command line it returns:
lsmod: QM_MODULES: Function not implemented
i have searched for this and the answer appears to be to install rusty's module-init-tools?
yet should i really be doing something like this on a live server?
it is a bog-standard redhat 7.2. is it normal that lsmod should not work? do i need the modules for the firewall?
all very confusing. a nod in the right direction is much appreciated.
many thanks
thanks for replying (seems like everyone else is on orlando ;-)
i have just found out in the modules.conf that my host has disabled all module support:
>> module support has been disabled in the default "MY HOST'S NAME" kernel to reduce the risk posed by rootkits
hmmm. are the modules necessary for iptables?
cheers
Quick Question first: Is this on a shared hosting server?
If so, it's probably best that you don't try to mess with anything, even if you do have root access. ;)
If not, read on. ;)
As for whether modules are necessary, no they're not 100% necessary. There are two ways to go about things:
One is to statically compile modules into the kernel. That way, there are no actual modules to load or unload, since they're already part of the "core" as it were. This may speed things up a little, but it restricts your flexibility somewhat.
Your kernel is larger: the modules are now not loaded when needed, but are *always* there.
You can't really tell if module "X" is actually running, working properly and so on. I.e., if you used to use the iptables module by doing an "insmod", you could use "lsmod" to list the modules. Now, your modules are no longer modules, so you can't use lsmod to see if the code is loaded up or not.
The other way is to use modules, as you've seen. They're pretty straight-forward to use, etc. The disadvantage is that if anyone gets root, they can load any module they want. There are various methods of process hiding and information gathering with kernel modules, since they run in such a privileged part of the OS. That would explain them not allowing the loading of kernel modules.
Whew. Anyway, to answer your question, it's not always necessary to have module support for iptables. Only necessary if iptables hasn't been built into the kernel.
The best way to see if iptables is loaded statically in the kernel would be to run "iptables -L" (or whatever command it is to list rules in iptables -- I haven't used linux in quite some time; been living happily in FreeBSD Land). If the command doesn't completely barf, and lists some rules, then maybe it's statically compiled in.
I hope that helps,
Sorry for the overly-long post about stuff you may already know. :)
-MM
that's a great explanation, much appreciated :-)
iptables -L does work and i can append rules using iptables syntax. the only reason i thought modules might be necessary is because many of the sample iptables configuration scripts i have read require this or that module (ip_conntrack for instance).
i edited one of these scripts and ran it on the box and as you can see above managed to lock myself out of the box, because first of all i specified a default policy of
iptables -P INPUT DROP
but then the script tried to load some modules, hung for some reason - i panicked and exited and ended up completely locked out!
with the benefit of hindsight i realise the script might not have hung, it just might have needed more time to execute - i read that an iptables bash script with many commands can take a LONG time to execute.
i'm gonna replace the DROP at the top of the script with LOG and work up slowly adding rulesets and testing to make sure they work.
cheers for the help!
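The lockout described in this thread comes from the order of operations: the default policy was flipped to DROP before any rule allowing the admin's own SSH session existed, and the script then stalled. The following script is an added example, not code from any poster, showing a lockout-safe ordering: flush, allow loopback and established traffic, allow SSH, log, and only then set the DROP policy. It also includes a small check that answers MM's point above about module support (the lsmod error in the first post is what you see when /proc/modules is absent). IPT defaults to echo so the script prints what it would run instead of touching the firewall; set IPT=iptables to apply it for real as root. The SSH port and the log prefix are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). IPT defaults to "echo" for a dry run;
# IPT=iptables applies the rules for real (requires root).
SSH_PORT="${SSH_PORT:-22}"   # assumption: SSH on the standard port

# Returns 0 when the running kernel has loadable-module support.
# Without CONFIG_MODULES there is no /proc/modules and lsmod fails,
# which matches the "Function not implemented" error in the thread.
module_support_enabled() {
    [ -r /proc/modules ]
}

# Emits (or applies) the INPUT chain rules in an order that cannot
# cut off the session the script is being run from.
build_rules() {
    IPT="${IPT:-echo}"
    # 1. Flush while the default policy is still ACCEPT, so nothing is
    #    dropped during the rebuild.
    $IPT -F INPUT
    # 2. Keep the current session alive BEFORE any DROP exists:
    #    loopback, already-established connections, and new SSH.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -p tcp --dport "$SSH_PORT" -j ACCEPT
    # 3. Log whatever falls through, as a final rule rather than a policy
    #    (LOG is a rule target; the default policy can only be ACCEPT/DROP).
    $IPT -A INPUT -j LOG --log-prefix "INPUT-DROP: "
    # 4. Only now switch the default policy to DROP.
    $IPT -P INPUT DROP
}

# Safety net for live runs: reopen the chain after a delay unless the
# timer is cancelled (kill %1 or pkill the sleep) once SSH still works.
arm_rollback() {
    IPT="${IPT:-echo}"
    DELAY="${1:-120}"
    ( sleep "$DELAY" && $IPT -P INPUT ACCEPT && $IPT -F INPUT ) &
}

# Verifies the generated command sequence: the SSH allow rule must be
# emitted before the DROP policy. Returns 0 when the order is safe.
check_order() {
    out=$( IPT=echo; build_rules )
    ssh_line=$(printf '%s\n' "$out" | grep -n -e "--dport $SSH_PORT" | cut -d: -f1 | head -n1)
    drop_line=$(printf '%s\n' "$out" | grep -n -e "-P INPUT DROP" | cut -d: -f1 | head -n1)
    [ -n "$ssh_line" ] && [ -n "$drop_line" ] && [ "$ssh_line" -lt "$drop_line" ]
}

# Number of commands the dry run would execute.
rule_count() {
    ( IPT=echo; build_rules ) | wc -l | tr -d ' '
}

if check_order; then
    echo "rule order is lockout-safe"
else
    echo "UNSAFE: DROP policy precedes the SSH allow rule" >&2
fi
```

On a kernel like the one in this thread, with module support disabled, the `-m state` match only works if connection tracking was built in; `iptables -L` succeeding, as the poster reports, is the quick indication that the core is present, and the dry run (IPT=echo) lets you read the full command list before any of it touches a live box.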