Where to get ipt_connmark module?

eraskin
Posts: 11
Joined: 2007/02/17 22:35:16
Location: New York

Where to get ipt_connmark module?

Post by eraskin » 2007/02/17 22:55:47

I'm installing a new firewall, changing from SuSE to CentOS 4.4. (yum update has been run). Uname = 2.6.9-42.0.8.ELsmp X86_64

We use Shorewall (www.shorewall.net) to generate our firewall -- with multiple ISPs. Shorewall uses "Marking" of packets to keep track of where each TCP/IP packet has come from (which ISP). It needs a bunch of modules that are missing from /lib/modules/1.6.9-42.0.8.ELsmp. Connection Marking is the big problem, but here's a complete list that is missing (as far as I can tell):

ip_conntrack_h323.ko
ip_conntrack_netbios_ns.ko
ip_conntrack_pptp.ko
ip_conntrack_sip.ko
ip_nat_h323.ko
ip_nat_pptp.ko
ip_nat_sip.ko
ip_set_iphash.ko
ip_set_ipmap.ko
ip_set_macipmap.ko
ip_set_portmap.ko
ipt_CLUSTERIP.ko
ipt_connmark.ko
ipt_CONNMARK.ko
ipt_hashlimit.ko
ipt_ipp2p.ko
ipt_policy.ko
ipt_set.ko
ipt_TTL.ko

Not all of these are necessary (like H323 and SIP). As I said, the biggest problem appears to be the connmark/CONNMARK modules.

Where can I get them?

TIA

Lenard
Posts: 2283
Joined: 2005/11/29 02:35:25
Location: Indiana

Where to get ipt_connmark module?

Post by Lenard » 2007/02/18 12:16:58

Build your own custom kernel from the kernel source rpm file.

http://wiki.centos.org/HowTos/Custom_Kernel

If I may suggest get the vanilla kernel-2.6.12.6 source to build;

ftp://ftp.kernel.org/pub/linux/kernel/v2.6/linux-2.6.12.6.tar.bz2

eraskin
Posts: 11
Joined: 2007/02/17 22:35:16
Location: New York

Re: Where to get ipt_connmark module?

Post by eraskin » 2007/02/18 19:35:18

Thanks for the reply.

If I do this, then I can't use up2date or yum to stay current with kernels, right? I'll have to build my own from now on, which isn't the best solution...

Moreover, how can I make sure that yum/up2date don't overwrite my custom kernel?

Lastly, by doing this, I'll no longer be running a RHEL4 kernel, right?

I guess that doesn't matter so much for a simple firewall.

I think the answers to these questions are probably obvious -- I just want to understand all the ramifications before I go this route.

Lenard
Posts: 2283
Joined: 2005/11/29 02:35:25
Location: Indiana

Re: Where to get ipt_connmark module?

Post by Lenard » 2007/02/18 22:36:32

[quote]
eraskin wrote:
Thanks for the reply.

If I do this, then I can't use up2date or yum to stay current with kernels, right? I'll have to build my own from now on, which isn't the best solution...
[/quote]

Then wait until CentOS5 is released. Only a few weeks to go, BTW.

[quote]
Moreover, how can I make sure that yum/up2date don't overwrite my custom kernel?
[/quote]

Neither will overwrite any kernel if done properly. It is never a good idea to update a kernel anyhow; it is best to install a new kernel. yum normally does an install for a new kernel, leaving the older kernels intact. up2date by default never downloads and updates a kernel anyhow; you have to specifically tell it to install a kernel update.

up2date -i kernel-2.6.9-XXXXX

[quote]
Lastly, by doing this, I'll no longer be running a RHEL4 kernel, right?

I guess that doesn't matter so much for a simple firewall.

I think the answers to these questions are probably obvious -- I just want to understand all the ramifications before I go this route.[/quote]

Depends. If you rebuild a kernel from the kernel source supplied by Red Hat / CentOS, then you will have a custom Red Hat / CentOS kernel based on the same source. True, it is not a standard kernel, but it is based on the same source. If you build a vanilla kernel, then no, it is a custom kernel that you made. Where do you think Red Hat / CentOS get the kernel source and backports from anyhow???

Yes, if you want the new modules you have to rebuild/build your own custom kernel. I build my own kernels for reasons similar to yours: I want my hardware and system to work and be secure. I'm also currently a little ahead of the game;

$ cat /etc/*release
Scientific Linux SL release 5.0 (Boron)
(a RHEL5 100% binary compatible clone of RHEL5Beta2 with many updates installed)

Like I said, I build my own custom kernel;

$ uname -a
Linux Aspire5000 2.6.20-git10 #1 Wed Feb 14 14:09:59 EST 2007 x86_64 x86_64 x86_64 GNU/Linux

eraskin
Posts: 11
Joined: 2007/02/17 22:35:16
Location: New York

Re: Where to get ipt_connmark module?

Post by eraskin » 2007/02/19 16:56:34

Thanks! I appreciate the help.

I guess we'll build a custom vanilla kernel. We're paying for two ISPs but only using one right now! ;-)

ruso
Posts: 1
Joined: 2007/07/05 12:44:07

Re: Where to get ipt_connmark module?

Post by ruso » 2007/07/05 12:50:38

Hi there...

I need connmark so I installed the vanilla kernel (2.6.12.6) on my CentOS release 4.5

lsmod shows:

ip_conntrack_tftp 8464 1 ip_nat_tftp
ip_conntrack_irc 76176 1 ip_nat_irc
ip_conntrack_ftp 77200 1 ip_nat_ftp
ip_conntrack_amanda 74272 1 ip_nat_amanda
iptable_nat 27572 8 ipt_SAME,ipt_REDIRECT,ipt_NETMAP,ipt_MASQUERADE,ip_nat_tftp,ip_nat_irc,ip_nat_ftp,ip_nat_amanda
ip_conntrack 49000 15 ipt_state,ipt_NOTRACK,ipt_MASQUERADE,ipt_helper,ipt_conntrack,ip_nat_tftp,ip_nat_snmp_basic,ip_nat_irc,ip_nat_ftp,ip_nat_amanda,ip_conntrack_tftp,ip_conntrack_irc,ip_conntrack_ftp,ip_conntrack_amanda,iptable_nat

But shorewall reports:

CONNMARK Target: Not available
Connmark Match: Not available

What is missing??? Should I change iptables too??? If so, is there an easy and secure way of achieving this?

Thanks!!!!
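A check that covers both halves of the problem in this thread, as an added example and not code from the thread or from Shorewall: the first post's list of kernel modules that are missing from the module tree, and ruso's case where the kernel side is in place but Shorewall still reports the connmark match and CONNMARK target as unavailable. Shorewall detects capabilities by asking iptables for each match and target, and iptables can only do that when its own userspace extension (libipt_connmark.so, libipt_CONNMARK.so) is present in the extension directory as well as the kernel module. The extension directory is assumed here to be /lib/iptables or /lib64/iptables, the layout of the iptables 1.2/1.3 packages on CentOS 4; the function names, the `--report` flag and the default paths are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread or from Shorewall: report which of the
# netfilter pieces Shorewall probes for are present on the kernel side (*.ko under
# the module tree) and on the iptables userspace side (libipt_<name>.so extensions).
# Shorewall's "CONNMARK Target: Not available" appears when either half is missing,
# so both are checked. Default paths assume the iptables 1.2/1.3 layout of CentOS 4
# (extensions in /lib/iptables or /lib64/iptables); pass your own as arguments.

# Kernel modules taken from the first post's list of missing files.
WANTED_MODULES="ip_conntrack_h323 ip_conntrack_netbios_ns ip_conntrack_pptp ip_conntrack_sip
ip_nat_h323 ip_nat_pptp ip_nat_sip ip_set_iphash ip_set_ipmap ip_set_macipmap ip_set_portmap
ipt_CLUSTERIP ipt_connmark ipt_CONNMARK ipt_hashlimit ipt_ipp2p ipt_policy ipt_set ipt_TTL"

# Print each name in $2 whose <name>.ko (or compressed .ko.gz/.ko.xz on newer
# kernels) is not found anywhere below the module tree $1. -name is case-sensitive,
# so ipt_connmark (match) and ipt_CONNMARK (target) are reported separately.
missing_kernel_modules() {
    moddir=$1
    names=$2
    for name in $names; do
        if [ -z "$(find "$moddir" -name "$name.ko*" 2>/dev/null | head -n 1)" ]; then
            echo "$name"
        fi
    done
}

# Print each extension name in $2 (e.g. "connmark CONNMARK") whose libipt_<name>.so
# is absent from the iptables extension directory $1.
missing_iptables_extensions() {
    libdir=$1
    names=$2
    for name in $names; do
        [ -e "$libdir/libipt_$name.so" ] || echo "$name"
    done
}

# Classify one match/target name: "ok" when ipt_<name>.ko and libipt_<name>.so both
# exist, "no-userspace" or "no-kernel" when only one half does, else "missing".
check_feature() {
    moddir=$1
    libdir=$2
    name=$3
    have_ko=0
    have_so=0
    [ -n "$(find "$moddir" -name "ipt_$name.ko*" 2>/dev/null | head -n 1)" ] && have_ko=1
    [ -e "$libdir/libipt_$name.so" ] && have_so=1
    case "$have_ko$have_so" in
        11) echo ok ;;
        10) echo no-userspace ;;
        01) echo no-kernel ;;
        *)  echo missing ;;
    esac
}

# Whole-system report; arguments override the module tree and extension directory.
report() {
    moddir=${1:-/lib/modules/$(uname -r)}
    libdir=${2:-/lib/iptables}
    [ -d "$libdir" ] || libdir=/lib64/iptables
    echo "== kernel modules missing under $moddir =="
    missing_kernel_modules "$moddir" "$WANTED_MODULES"
    echo "== connmark support (kernel module + $libdir extension) =="
    for feature in connmark CONNMARK; do
        printf '%s: %s\n' "$feature" "$(check_feature "$moddir" "$libdir" "$feature")"
    done
}

# Run as "sh connmark_check.sh --report [moddir] [libdir]" for a live report;
# sourcing the file without the flag only defines the functions.
if [ "${1:-}" = "--report" ]; then
    shift
    report "$@"
fi
```

A result of `no-userspace` for connmark or CONNMARK on a box where lsmod shows ip_conntrack loaded is the situation ruso describes: the kernel half is there, but the iptables package does not carry the extension, so Shorewall's probe fails. That points at the iptables userspace build rather than at the kernel.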
