
iptables error (modinfo module not found)

iptables kernel error module filter

17 replies to this topic

#1 ReceiverM

  • Member
  • 14 posts

0
Neutral

Posted 14 December 2020 - 10:48

Unfortunately, I can't install iptables properly:

The installation command runs through normally, but then I get an error.

Tried on a virgin flashed System: openpli-8.0-rc on Maxytec Multibox Combo.

 

Mentioned in passing, not problem relevant: on first upgrade process there are some errors as well:

opkg update && opkg upgrade

Collected errors:
 * remove_obsolesced_files: unlinking /lib/modules/4.4.35/extra/hi_play.ko failed: No such file or directory.
 * opkg_install_pkg: Failed to determine obsolete files from previously installed maxytec-dvb-modules-multibox

 

Back to iptables, the opkg install iptables result looks pretty normal: https://pastebin.com/XGR2sYmR

But even a simple listing right after installation gives me following error:

root@multibox:~# iptables -L
iptables v1.8.3 (legacy): can't initialize iptables table `filter': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.

 

Further, the module can't be found:

root@multibox:~# modprobe ip_tables
root@multibox:~# modinfo ip_tables
modinfo: ERROR: Module ip_tables not found.
root@multibox:~# lsmod
Module                  Size  Used by
mali                  274279  0
multibox             6297130  22
multibox_3            429442  22 mali,multibox
multibox_2             23808  0
multibox_1              6460  3 multibox_2,multibox_3,multibox

Some more information:

root@multibox:~# cat /proc/net/ip_tables_matches
icmp
udplite
udp
tcp
root@multibox:~# cat /proc/net/ip_tables_names
root@multibox:~# cat /proc/net/ip_tables_targets
ERROR

root@multibox:~# ls /lib/modules/4.4.35/kernel/net/
mac80211  rfkill    wireless

 

In another forum they wrote this happens because of missing kernel modules?

I saw on github that CONFIG_NETFILTER_XTABLES is activated, but all the other CONFIG_NETFILTER_XT_... are not.

 

According to that it is not possible to use iptables on this box?

Or did I just forget anything?


 



Re: iptables error (modinfo module not found) #2 rantanplan

  • Senior Member
  • 850 posts

+38
Good

Posted 14 December 2020 - 11:41

https://github.com/v...onfig#L698-L712

 

I would say anything active you want right?

This is the manufacturer support page.
The image is created from this.
The Branch in Pli are only internal for test purposes.



Re: iptables error (modinfo module not found) #3 ReceiverM

  • Member
  • 14 posts

0
Neutral

Posted 14 December 2020 - 13:24

No matter which iptables command I want to execute it always comes up with the same error. Even if I want to create the table 'filter' or just output listings.

 

 

I am relatively sure that at least CONFIG_IP_NF_FILTER should be activated?

As it is described ( https://cateee.net/l..._NF_FILTER.html ) with:

"Packet filtering defines a table `filter', which has a series of rules for simple packet filtering at local input, forwarding and local output. See the man page for iptables(8)."

 

About all the others I am not sure, but these look useful as well:

- CONFIG_NF_CONNTRACK for masquerading and NAT translation

- CONFIG_NF_REJECT_IPV4 / CONFIG_NF_REJECT_IPV6 to reject packets

...

 

Maybe one of the kernel professionals here could take a look at it and send a pull-request to the manufacturer?



Re: iptables error (modinfo module not found) #4 WanWizard

  • PLi® Core member
  • 60,476 posts

+1,376
Excellent

Posted 14 December 2020 - 17:03

The use of iptables suggests you intend to connect the box directly to the Internet (or any other insecure network).

 

Which is A VERY BAD idea, the box is not secure, not hardened, everything runs as root, it is a disaster waiting to happen.

 

If it is up to me we remove it altogether, to prevent discussions like this.


Currently in use: VU+Duo 4K (2xFBC S2), Amiko Viper T2C (T2+fallback), Octagon SF8008 (S2+T2), Zgemma H9.2H (T2+fallback)

Due to health reasons, I will have periods of inactivity, during which I don't respond to posts or PM.

Many answers to your question can be found in our new and improved wiki.


Re: iptables error (modinfo module not found) #5 ReceiverM

  • Member
  • 14 posts

0
Neutral

Posted 14 December 2020 - 17:23

Actually no: I have several (v)LANs and have controlled access/restriction using iptables so far. Just like some routings (masquerade).

What do you have against such a common system (security) feature? Even due to the bad secured system this is a very helpful tool?
My NAS or raspberry, for example, is also only not directly connected to the internet and I also set various access permissions there.



Re: iptables error (modinfo module not found) #6 WanWizard

  • PLi® Core member
  • 60,476 posts

+1,376
Excellent

Posted 14 December 2020 - 18:02

It is not to protect people like you, who know what they're doing, but to the remaining 99.9% of the users... ;)




Re: iptables error (modinfo module not found) #7 ReceiverM

  • Member
  • 14 posts

0
Neutral

Posted 14 December 2020 - 18:30

This is really a pity, because there is even an interesting OpenPLi Addon for it. ( enigma2-plugin-security-firewall.bb / firewall.sh )

In the past iptables were always included, why are these then not further supported?

Especially for not that experienced users an easy understandable and predefined standard protection via iptables would be more helping than harming?

Apparently I have but a heavy stand and the feature will no longer exist :(



Re: iptables error (modinfo module not found) #8 WanWizard

  • PLi® Core member
  • 60,476 posts

+1,376
Excellent

Posted 14 December 2020 - 18:42

We haven't changed anything. The kernel defconfig is part of the BSP, which is maintained by the vendor. So if stuff is missing, it's because they haven't enabled it in the defconfig.

 

The first step is to compile a complete list of CONFIG values that need to be enabled, with that we can ask the vendors to update it.




Re: iptables error (modinfo module not found) #9 betacentauri

  • PLi® Core member
  • 7,141 posts

+320
Excellent

Posted 14 December 2020 - 18:48

At least for old boxes we should be careful with that, especially if the kernel grows much because of this.


Xtrend ET-9200, ET-8000, ET-10000, OpenPliPC on Ubuntu 12.04

Re: iptables error (modinfo module not found) #10 WanWizard

  • PLi® Core member
  • 60,476 posts

+1,376
Excellent

Posted 14 December 2020 - 18:49

That shouldn't happen if they are all modules, none of them will be added to the rootfs by default?




Re: iptables error (modinfo module not found) #11 betacentauri

  • PLi® Core member
  • 7,141 posts

+320
Excellent

Posted 14 December 2020 - 18:53

Yes, modules should be fine ;)

 

But maybe better for next release....



Re: iptables error (modinfo module not found) #12 ReceiverM

  • Member
  • 14 posts

0
Neutral

Posted 14 December 2020 - 19:16

I know that it was available for some of these "old boxes" (e.g. vusolose or dm520).

That's why I am surprised that it doesn't work with such new devices like the multibox.

 

As you mentioned the SF8008 in the wireguard thread, we could maybe have a look at this one, because it looks like it is enabled there.



Re: iptables error (modinfo module not found) #13 WanWizard

  • PLi® Core member
  • 60,476 posts

+1,376
Excellent

Posted 14 December 2020 - 20:17

There are so many modules available for iptables, I doubt there is a single vendor that has enabled them all...




Re: iptables error (modinfo module not found) #14 ReceiverM

  • Member
  • 14 posts

0
Neutral

Posted 14 December 2020 - 20:27

This is neither necessary nor requested :)

But a basic functionality would be nice - like blocking IP addresses/ranges or open just a few single ports.



Re: iptables error (modinfo module not found) #15 WanWizard

  • PLi® Core member
  • 60,476 posts

+1,376
Excellent

Posted 14 December 2020 - 21:34

Hence my remark was that the next step is to compile the list of required CONFIG options, to provide your "basic functionality".




Re: iptables error (modinfo module not found) #16 beastyboy

  • Senior Member
  • 36 posts

0
Neutral

Posted 15 January 2021 - 17:20

For vu+ solo2 I think these config options should be necessary (I am not 100% sure):

 

# Networking options
CONFIG_NETFILTER=y
CONFIG_NETFILTER_ADVANCED=y
CONFIG_BRIDGE_NETFILTER=y

# Core Netfilter Configuration

CONFIG_NETFILTER_NETLINK=m
CONFIG_NETFILTER_NETLINK_LOG=m
CONFIG_NF_CONNTRACK=m
CONFIG_NF_CONNTRACK_MARK=y
CONFIG_NF_CONNTRACK_FTP=m
CONFIG_NF_CONNTRACK_IRC=m
CONFIG_NF_CONNTRACK_BROADCAST=m
CONFIG_NF_CONNTRACK_NETBIOS_NS=m
CONFIG_NF_CT_NETLINK=m
CONFIG_NF_CONNTRACK_SIP=m
CONFIG_NF_NAT=m
CONFIG_NF_NAT_NEEDED=y
CONFIG_NF_NAT_FTP=m
CONFIG_NF_NAT_IRC=m
CONFIG_NF_NAT_SIP=m
CONFIG_NETFILTER_XTABLES=m

# Xtables combined modules

CONFIG_NETFILTER_XT_TARGET_CLASSIFY=m
CONFIG_NETFILTER_XT_TARGET_CONNMARK=m
CONFIG_NETFILTER_XT_TARGET_DSCP=m
CONFIG_NETFILTER_XT_TARGET_HL=m
CONFIG_NETFILTER_XT_TARGET_LOG=m
CONFIG_NETFILTER_XT_TARGET_NETMAP=m
CONFIG_NETFILTER_XT_TARGET_REDIRECT=m
CONFIG_NETFILTER_XT_TARGET_TCPMSS=m

# Xtables matches

CONFIG_NETFILTER_XT_MATCH_COMMENT=m
CONFIG_NETFILTER_XT_MATCH_CONNBYTES=m
CONFIG_NETFILTER_XT_MATCH_CONNLIMIT=m
CONFIG_NETFILTER_XT_MATCH_CONNMARK=m
CONFIG_NETFILTER_XT_MATCH_CONNTRACK=m
CONFIG_NETFILTER_XT_MATCH_DSCP=m
CONFIG_NETFILTER_XT_MATCH_ECN=m
CONFIG_NETFILTER_XT_MATCH_ESP=m
CONFIG_NETFILTER_XT_MATCH_HELPER=m
CONFIG_NETFILTER_XT_MATCH_HL=m
CONFIG_NETFILTER_XT_MATCH_IPRANGE=m
CONFIG_NETFILTER_XT_MATCH_LENGTH=m
CONFIG_NETFILTER_XT_MATCH_LIMIT=m
CONFIG_NETFILTER_XT_MATCH_MAC=m
CONFIG_NETFILTER_XT_MATCH_MARK=m
CONFIG_NETFILTER_XT_MATCH_MULTIPORT=m
CONFIG_NETFILTER_XT_MATCH_OWNER=m
CONFIG_NETFILTER_XT_MATCH_POLICY=m
CONFIG_NETFILTER_XT_MATCH_RECENT=m
CONFIG_NETFILTER_XT_MATCH_STATE=m
CONFIG_NETFILTER_XT_MATCH_STATISTIC=m
CONFIG_NETFILTER_XT_MATCH_TCPMSS=m
CONFIG_NETFILTER_XT_MATCH_TIME=m
CONFIG_IP_SET=m
CONFIG_IP_SET_MAX=256
CONFIG_IP_SET_BITMAP_IP=m
CONFIG_IP_SET_BITMAP_IPMAC=m
CONFIG_IP_SET_BITMAP_PORT=m
CONFIG_IP_SET_HASH_IP=m
CONFIG_IP_SET_HASH_IPPORT=m
CONFIG_IP_SET_HASH_IPPORTIP=m
CONFIG_IP_SET_HASH_IPPORTNET=m
CONFIG_IP_SET_HASH_NETPORTNET=m
CONFIG_IP_SET_HASH_NET=m
CONFIG_IP_SET_HASH_NETNET=m
CONFIG_IP_SET_HASH_NETPORT=m
CONFIG_IP_SET_HASH_NETIFACE=m
CONFIG_IP_SET_LIST_SET=m

# IP: Netfilter Configuration

CONFIG_NF_DEFRAG_IPV4=m
CONFIG_NF_CONNTRACK_IPV4=m
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_MATCH_AH=m
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_TARGET_REJECT=m
CONFIG_NF_NAT_IPV4=m
CONFIG_IP_NF_TARGET_MASQUERADE=m
CONFIG_IP_NF_TARGET_REDIRECT=m
CONFIG_IP_NF_MANGLE=m
CONFIG_IP_NF_TARGET_ECN=m

# IPv6: Netfilter Configuration

CONFIG_NF_DEFRAG_IPV6=m
CONFIG_NF_CONNTRACK_IPV6=m
CONFIG_IP6_NF_IPTABLES=m
CONFIG_IP6_NF_FILTER=m
CONFIG_IP6_NF_TARGET_REJECT=m
CONFIG_NF_NAT_IPV6=m
CONFIG_IP6_NF_TARGET_MASQUERADE=m
CONFIG_IP6_NF_TARGET_NPT=m
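
Added example, not part of any post in this thread: a shell check that reads a kernel config file and lists which netfilter options are not enabled, as a starting point for the list of CONFIG values discussed above. The option names come from the posts; treating this subset as the minimum for filtering, REJECT and masquerading is an assumption, as are the function names and the constructed sample config.

```shell
#!/bin/sh
# Added example (not from the thread): list required netfilter options that a
# kernel config does not enable. Option names are taken from the posts above;
# choosing this subset as "basic functionality" is an assumption.
REQUIRED="CONFIG_NETFILTER CONFIG_NETFILTER_XTABLES CONFIG_IP_NF_IPTABLES
CONFIG_IP_NF_FILTER CONFIG_NF_CONNTRACK CONFIG_NETFILTER_XT_MATCH_STATE
CONFIG_IP_NF_TARGET_REJECT CONFIG_IP_NF_TARGET_MASQUERADE"

# option_state FILE OPTION: print y, m, or n (n = "is not set" or absent).
option_state() {
    val=$(sed -n "s/^$2=\([ym]\)\$/\1/p" "$1" | tail -n 1)
    echo "${val:-n}"
}

# missing_options FILE: print the REQUIRED options that are neither y nor m.
missing_options() {
    out=""
    for opt in $REQUIRED; do
        if [ "$(option_state "$1" "$opt")" = "n" ]; then
            out="$out $opt"
        fi
    done
    echo "${out# }"
}

# write_sample_config FILE: constructed sample, modelled on the symptoms in
# post #1 (ip_tables core present, no filter table). Not a real defconfig.
write_sample_config() {
    cat > "$1" <<'EOF'
CONFIG_NETFILTER=y
CONFIG_NETFILTER_XTABLES=y
CONFIG_IP_NF_IPTABLES=y
# CONFIG_IP_NF_FILTER is not set
CONFIG_NF_CONNTRACK=m
# CONFIG_IP_NF_TARGET_REJECT is not set
EOF
}

# Use the config given as $1, or fall back to the constructed sample.
cfg=${1:-}
tmp=""
if [ -z "$cfg" ]; then
    tmp=$(mktemp)
    cfg=$tmp
    write_sample_config "$cfg"
fi
echo "not enabled: $(missing_options "$cfg")"
[ -z "$tmp" ] || rm -f "$tmp"
```

Pass the path of a vendor defconfig as the first argument; on a box whose kernel exposes /proc/config.gz, the output of `zcat /proc/config.gz` saved to a file works as well.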



Re: iptables error (modinfo module not found) #17 j-o-h-a-n

  • New Member
  • 1 posts

0
Neutral

Posted 1 February 2021 - 11:25

We haven't changed anything. The kernel defconfig is part of the BSP, which is maintained by the vendor. So if stuff is missing, it's because they haven't enabled it in the defconfig.

 

The first step is to compile a complete list of CONFIG values that need to be enabled, with that we can ask the vendors to update it.

 

I have a VU+ Uno 4K SE. I have noticed that the kernel has been stuck at version: '4.1.20-1.9' for at least two years now. Can we expect the vendor to provide updates frequently? Which vendors provide frequent updates? I am concerned that security updates and missing kernel modules are not being provided.

 

I think securing a device with an (iptables) access-list is a good thing, even if the device is not directly connected to the Internet.

 

I hope the ip_tables and masquerade modules will be provided for the VU+ Uno 4K SE.

 

I would like to configure my decoder to run openvpn and have it masquerade traffic from other devices on my LAN that use the decoder as default gateway.



Re: iptables error (modinfo module not found) #18 WanWizard

  • PLi® Core member
  • 60,476 posts

+1,376
Excellent

Posted 1 February 2021 - 13:43

No, in general the vendor never updates the kernel. Which is a pain, sometimes, especially for older hardware. Life would be so much easier for us if we didn't have to build and test for 20+ different kernel versions...

 

Currently there are two exceptions: Zgemma (who updated once afaik) and Edision (who updates regularly, but only for current hardware I think).

 

About security: assume there is none, irrespective of the kernel used. Everything runs as root, there is no hardening whatsoever. NEVER connect an STB to the internet, not directly, not by port forwarding. NEVER.

 

And I strongly advise you not to use it as a network device (router, firewall, VPN server, etc). Even with iptables it is not secure, as that only deals with layer3/layer4, but 5-7 are not secure either.





