
RE: Q about how to get IPTables working on the AXP

Hi All,

I'm trying to set up IPTables on the AXP. I'm (still) using SDK 1.1.7 on the AIM-APPRE-102-K9.

The basic idea is to use iptables to handle the bulk of the packets and forward some selected packets to user space for further handling.

Since more people might like to use iptables, I'm posting here the steps I have taken so far to get things working. I hope in this way to get, or rather provide, some detailed instructions on how to set up iptables on an AXP blade. Any comments are more than welcome!

Steps taken:
 
1. extract rpm (taken from FC6)

        [root@localhost extracted]# rpm2cpio ../rpm/iptables-1.3.5-1.2.1.i386.rpm | cpio -idv
        ./etc/rc.d/init.d/iptables
        ./etc/sysconfig/iptables-config
        ./lib/iptables
        ./lib/iptables/libipt_CLASSIFY.so
        ./lib/iptables/libipt_CONNMARK.so
        ./lib/iptables/libipt_DNAT.so
        ./lib/iptables/libipt_DSCP.so
        ./lib/iptables/libipt_ECN.so
        ./lib/iptables/libipt_LOG.so
        ./lib/iptables/libipt_MARK.so
        ./lib/iptables/libipt_MASQUERADE.so
        ./lib/iptables/libipt_MIRROR.so
        ./lib/iptables/libipt_NETMAP.so
        ./lib/iptables/libipt_NFQUEUE.so
        ./lib/iptables/libipt_NOTRACK.so
        ./lib/iptables/libipt_REDIRECT.so
        ./lib/iptables/libipt_REJECT.so
        ./lib/iptables/libipt_SAME.so
        ./lib/iptables/libipt_SNAT.so
        ./lib/iptables/libipt_TARPIT.so
        ./lib/iptables/libipt_TCPMSS.so
        ./lib/iptables/libipt_TOS.so
        ./lib/iptables/libipt_TRACE.so
        ./lib/iptables/libipt_TTL.so
        ./lib/iptables/libipt_ULOG.so
        ./lib/iptables/libipt_addrtype.so
        ./lib/iptables/libipt_ah.so
        ./lib/iptables/libipt_comment.so
        ./lib/iptables/libipt_connlimit.so
        cpio: ./lib/iptables/libipt_connmark.so not created: newer or same age version exists
        ./lib/iptables/libipt_connmark.so
        ./lib/iptables/libipt_conntrack.so
        ./lib/iptables/libipt_dccp.so
        cpio: ./lib/iptables/libipt_dscp.so not created: newer or same age version exists
        ./lib/iptables/libipt_dscp.so
        cpio: ./lib/iptables/libipt_ecn.so not created: newer or same age version exists
        ./lib/iptables/libipt_ecn.so
        ./lib/iptables/libipt_esp.so
        ./lib/iptables/libipt_hashlimit.so
        ./lib/iptables/libipt_helper.so
        ./lib/iptables/libipt_icmp.so
        ./lib/iptables/libipt_iprange.so
        ./lib/iptables/libipt_length.so
        ./lib/iptables/libipt_limit.so
        ./lib/iptables/libipt_mac.so
        cpio: ./lib/iptables/libipt_mark.so not created: newer or same age version exists
        ./lib/iptables/libipt_mark.so
        ./lib/iptables/libipt_multiport.so
        ./lib/iptables/libipt_owner.so
        ./lib/iptables/libipt_physdev.so
        ./lib/iptables/libipt_pkttype.so
        ./lib/iptables/libipt_policy.so
        ./lib/iptables/libipt_realm.so
        ./lib/iptables/libipt_recent.so
        ./lib/iptables/libipt_rpc.so
        ./lib/iptables/libipt_sctp.so
        ./lib/iptables/libipt_standard.so
        ./lib/iptables/libipt_state.so
        ./lib/iptables/libipt_string.so
        ./lib/iptables/libipt_tcp.so
        cpio: ./lib/iptables/libipt_tcpmss.so not created: newer or same age version exists
        ./lib/iptables/libipt_tcpmss.so
        cpio: ./lib/iptables/libipt_tos.so not created: newer or same age version exists
        ./lib/iptables/libipt_tos.so
        cpio: ./lib/iptables/libipt_ttl.so not created: newer or same age version exists
        ./lib/iptables/libipt_ttl.so
        ./lib/iptables/libipt_udp.so
        ./lib/iptables/libipt_unclean.so
        ./sbin/iptables
        ./sbin/iptables-restore
        ./sbin/iptables-save
        ./usr/share/doc/iptables-1.3.5
        ./usr/share/doc/iptables-1.3.5/COPYING
        ./usr/share/doc/iptables-1.3.5/INCOMPATIBILITIES
        ./usr/share/doc/iptables-1.3.5/INSTALL
        ./usr/share/man/man8/iptables-restore.8.gz
        ./usr/share/man/man8/iptables-save.8.gz
        ./usr/share/man/man8/iptables.8.gz
        1140 blocks
        [root@localhost extracted]#

2. check required files

        [root@localhost extracted]# rpm -qp --requires ../rpm/iptables-1.3.5-1.2.1.i386.rpm
        warning: ../rpm/iptables-1.3.5-1.2.1.i386.rpm: Header V3 DSA signature: NOKEY, key ID 4f2a6fd2
        /bin/sh 
        /bin/sh 
        /bin/sh 
        chkconfig 
        config(iptables) = 1.3.5-1.2.1
        libc.so.6 
        libc.so.6(GLIBC_2.0) 
        libc.so.6(GLIBC_2.1) 
        libc.so.6(GLIBC_2.1.3) 
        libc.so.6(GLIBC_2.3) 
        libc.so.6(GLIBC_2.3.4) 
        libc.so.6(GLIBC_2.4) 
        libdl.so.2 
        libdl.so.2(GLIBC_2.0) 
        libdl.so.2(GLIBC_2.1) 
        rpmlib(CompressedFileNames) <= 3.0.4-1
        rpmlib(PayloadFilesHavePrefix) <= 4.0-1
        rtld(GNU_HASH) 
       
        [root@localhost sbin]# ldd /sbin/iptables
                linux-gate.so.1 =>  (0x00f23000)
                libdl.so.2 => /lib/libdl.so.2 (0x00f71000)
                libc.so.6 => /lib/libc.so.6 (0x00622000)
                /lib/ld-linux.so.2 (0x002f2000)
               
3. check differences

        # Fedora 6
       
        /lib
        lrwxrwxrwx 1 root root 11 Mar  8 15:39 libc.so.6 -> libc-2.5.so
        lrwxrwxrwx 1 root root 12 Mar  8 15:39 libdl.so.2 -> libdl-2.5.so
        lrwxrwxrwx 1 root root 9 Mar  8 15:39 ld-linux.so.2 -> ld-2.5.so
       
        # AXP 1.1.7
       
        /lib
        lrwxrwxrwx  2 root daemon 22 Jan 14 11:03 libc.so.6 -> ../cisco/lib/libc.so.6
        lrwxrwxrwx  2 root daemon 23 Jan 14 11:03 libdl.so.2 -> ../cisco/lib/libdl.so.2
        lrwxrwxrwx  2 root daemon 11 Jan 14 11:03 ld-linux.so.2 -> ld-2.3.5.so
       
        /cisco/lib
        lrwxrwxrwx  2 root daemon 13 Jan 14 11:03 libc.so.6 -> libc-2.3.5.so
        lrwxrwxrwx  2 root daemon 14 Jan 14 11:03 libdl.so.2 -> libdl-2.3.5.so

4. copy files
 
        scp cisco@10.220.243.105:/sbin/iptables         /sbin/iptables
        scp cisco@10.220.243.105:/sbin/iptables-restore /sbin/iptables-restore
        scp cisco@10.220.243.105:/sbin/iptables-save    /sbin/iptables-save  

        scp cisco@10.220.243.105:/lib/iptables/*        /lib/iptables  

        scp cisco@10.220.243.105:/lib/ld-2.5.so               /usr/lib/ld-2.5.so            
        scp cisco@10.220.243.105:/lib/libanl-2.5.so           /usr/lib/libanl-2.5.so        
        scp cisco@10.220.243.105:/lib/libBrokenLocale-2.5.so  /usr/lib/libBrokenLocale-2.5.so
        scp cisco@10.220.243.105:/lib/libc-2.5.so             /usr/lib/libc-2.5.so          
        scp cisco@10.220.243.105:/lib/libcidn-2.5.so          /usr/lib/libcidn-2.5.so       
        scp cisco@10.220.243.105:/lib/libcrypt-2.5.so         /usr/lib/libcrypt-2.5.so      
        scp cisco@10.220.243.105:/lib/libdl-2.5.so            /usr/lib/libdl-2.5.so         
        scp cisco@10.220.243.105:/lib/libm-2.5.so             /usr/lib/libm-2.5.so          
        scp cisco@10.220.243.105:/lib/libnsl-2.5.so           /usr/lib/libnsl-2.5.so        
        scp cisco@10.220.243.105:/lib/libnss_compat-2.5.so    /usr/lib/libnss_compat-2.5.so 
        scp cisco@10.220.243.105:/lib/libnss_dns-2.5.so       /usr/lib/libnss_dns-2.5.so    
        scp cisco@10.220.243.105:/lib/libnss_files-2.5.so     /usr/lib/libnss_files-2.5.so  
        scp cisco@10.220.243.105:/lib/libnss_hesiod-2.5.so    /usr/lib/libnss_hesiod-2.5.so 
        scp cisco@10.220.243.105:/lib/libnss_nis-2.5.so       /usr/lib/libnss_nis-2.5.so    
        scp cisco@10.220.243.105:/lib/libnss_nisplus-2.5.so   /usr/lib/libnss_nisplus-2.5.so
        scp cisco@10.220.243.105:/lib/libpthread-2.5.so       /usr/lib/libpthread-2.5.so    
        scp cisco@10.220.243.105:/lib/libresolv-2.5.so        /usr/lib/libresolv-2.5.so     
        scp cisco@10.220.243.105:/lib/librt-2.5.so            /usr/lib/librt-2.5.so         
        scp cisco@10.220.243.105:/lib/libutil-2.5.so          /usr/lib/libutil-2.5.so       
       
5. create links

        cd /usr/lib
       
        ln -s ld-2.5.so              ld-linux.so.2       
        ln -s ld-2.5.so              ld.so.1             
        ln -s libanl-2.5.so          libanl.so.1         
        ln -s libBrokenLocale-2.5.so libBrokenLocale.so.1
        ln -s libcidn-2.5.so         libcidn-2.5.so.1    
        ln -s libcrypt-2.5.so        libcrypt.so         
        ln -s libcrypt-2.5.so        libcrypt.so.1       
        ln -s libc-2.5.so            libc.so.6           
        ln -s libdl-2.5.so           libdl.so            
        ln -s libdl-2.5.so           libdl.so.2          
        ln -s libm-2.5.so            libm.so             
        ln -s libm-2.5.so            libm.so.6           
        ln -s libnsl-2.5.so          libnsl.so           
        ln -s libnsl-2.5.so          libnsl.so.1         
        ln -s libnss_compat-2.5.so   libnss_compat.so.2  
        ln -s libnss_dns-2.5.so      libnss_dns.so       
        ln -s libnss_dns-2.5.so      libnss_dns.so.2     
        ln -s libnss_files-2.5.so    libnss_files.so     
        ln -s libnss_files-2.5.so    libnss_files.so.2   
        ln -s libnss_hesiod-2.5.so   libnss_hesiod.so.2  
        ln -s libnss_nisplus-2.5.so  libnss_nisplus.so.2 
        ln -s libnss_nis-2.5.so      libnss_nis.so.2     
        ln -s libpthread-2.5.so      libpthread-0.10.so  
        ln -s libpthread-2.5.so      libpthread.so       
        ln -s libpthread-2.5.so      libpthread.so.0     
        ln -s libresolv-2.5.so       libresolv.so        
        ln -s libresolv-2.5.so       libresolv.so.2      
        ln -s librt-2.5.so           librt.so            
        ln -s librt-2.5.so           librt.so.1          
        ln -s libutil-2.5.so         libutil.so          
        ln -s libutil-2.5.so         libutil.so.1        
  
6. modify sys_cap to load the cisco provided modules

        bash-2.05b# cat /sys_cap
       
        @BCAPABILITIES=
        NET_ADMIN
        NET_BROADCAST
        NET_RAW
       
        @PROCFS=
        /proc/sys/net/ipv4/ip_forward 1
       
        @MODULES=
        ip_tables.ko
        iptable_mangle.ko
        iptable_filter.ko

7. reload

8. modify lib path and test

        IPTABLES="/usr/lib/ld-linux.so.2 --library-path /usr/lib /sbin/iptables"

        bash-2.05b# $IPTABLES -L
        Chain INPUT (policy ACCEPT)
        target     prot opt source               destination        
       
        Chain FORWARD (policy ACCEPT)
        target     prot opt source               destination        
       
        Chain OUTPUT (policy ACCEPT)
        target     prot opt source               destination        
        bash-2.05b#

9. error :-( *&@^#$(*@$(

        bash-2.05b# $IPTABLES -A PREROUTING -t mangle -m dscp --dscp 1 -j MARK --set-mark 1
        getsockopt failed strangely: No such file or directory
        bash-2.05b#


It seems to me I need to load the xt_ modules from iptables or something like that.
 
Any help on how to get this working will be greatly appreciated.

Regards
Hielke
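As an added example, not part of Hielke's post or of any Cisco tooling: a small Python script that reads the `rpm -qp --requires` output from step 2 and compares the GLIBC_ symbol versions it lists against the glibc on the blade (2.3.5, from the `ls` in step 3). The sample input is the thread's own output, pasted in as a constructed string; the comparison rests on the rule that a glibc provides every symbol version up to its own.

```python
"""Check a binary's glibc symbol-version requirements against the target glibc."""
import re

# Constructed sample: the `rpm -qp --requires` output from step 2 of the post.
SAMPLE_REQUIRES = """\
/bin/sh
chkconfig
config(iptables) = 1.3.5-1.2.1
libc.so.6
libc.so.6(GLIBC_2.0)
libc.so.6(GLIBC_2.1)
libc.so.6(GLIBC_2.1.3)
libc.so.6(GLIBC_2.3)
libc.so.6(GLIBC_2.3.4)
libc.so.6(GLIBC_2.4)
libdl.so.2
libdl.so.2(GLIBC_2.0)
libdl.so.2(GLIBC_2.1)
rpmlib(CompressedFileNames) <= 3.0.4-1
rtld(GNU_HASH)
"""

# Matches lines such as "libc.so.6(GLIBC_2.4)": soname plus a versioned symbol set.
_VERSIONED = re.compile(r"^(lib\S+\.so\.\d+)\(GLIBC_([\d.]+)\)\s*$")


def version_tuple(text):
    """'2.3.5' -> (2, 3, 5) so that versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def parse_glibc_requirements(text):
    """Return {soname: set of required GLIBC_ version tuples} from rpm-style lines."""
    reqs = {}
    for line in text.splitlines():
        match = _VERSIONED.match(line.strip())
        if match:
            reqs.setdefault(match.group(1), set()).add(version_tuple(match.group(2)))
    return reqs


def highest_required(reqs):
    """The newest symbol version any listed library demands."""
    return max(version for versions in reqs.values() for version in versions)


def unsatisfied(reqs, target_glibc):
    """(soname, version) pairs the target glibc cannot provide.

    A glibc of version V exports every GLIBC_x.y symbol set with x.y <= V,
    so only requirements newer than the target are a problem.
    """
    target = version_tuple(target_glibc)
    return sorted(
        (soname, version)
        for soname, versions in reqs.items()
        for version in versions
        if version > target
    )


if __name__ == "__main__":
    reqs = parse_glibc_requirements(SAMPLE_REQUIRES)
    print("highest requirement:", highest_required(reqs))
    for target in ("2.3.5", "2.5"):
        print("glibc %s cannot provide: %s" % (target, unsatisfied(reqs, target)))
```

Run against the output above this reports (2, 4) as the highest requirement, which the blade's 2.3.5 cannot satisfy and the bundled 2.5 can; that is the reason step 4 copies a complete second glibc rather than just the two libraries `ldd` names. The `rtld(GNU_HASH)` line is the other half of the story: as far as I know DT_GNU_HASH is only understood by the loader shipped with glibc 2.5 or newer, which is why step 8 has to invoke the bundled ld-linux.so.2 explicitly instead of letting the blade's 2.3.5 loader start the binary. A bundled libc is also a second copy you have to patch yourself whenever the blade's own libc receives security updates.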

1.1.7 is based on the 2.4 kernel, and iptables 1.3.5 is written for 2.6. Why not just use the AXP iptables which are built in and just activate them, while using the iptables 1.2x userland utils?
 
I would not add your own kernel LKMs unless you know what you're doing with compatibility. Alternatively, get the 1.2x iptables, which is more compatible with 2.4, and activate those; however, you need LKM-level access.

I hadn't thought about that, since I just used the iptables version which was included in FC6. Can you please provide some info about how to use the AXP iptables version and the userland utils? Thx in advance.
 
 

AXP 1.1.x comes with:
 
  ip_tables.ko
  iptable_filter.ko
  iptable_mangle.ko
  ip_queue.ko
 
built-in. I would suggest that you activate all 4 of them. You activate them via your capabilities file when you bundle the application.
 
I would suggest getting the source of iptables 1.2x, compiling the userland tools and putting those in your bundle. Early 1.3 packages could work as well.
 
Moreover, ip_queue.ko will enable you to write a userland application that can read and enforce policy per packet from kernel land. iptables rules can be used to direct traffic into this queue based on arbitrary rules.
 
-J
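As an added example, not from -J's reply and not Cisco's tooling: a Python check that parses the sys_cap format from step 6 of the first post and works out which kernel modules an iptables rule needs, so that a module missing from `@MODULES=` is caught when the bundle is built rather than showing up as "getsockopt failed strangely" at run time. The module naming is an assumption for this kernel generation: `-t X` needs iptable_X.ko, `-m X` and any target not built into ip_tables need ipt_X.ko (later kernels renamed these to xt_X.ko, so both spellings are accepted), and the QUEUE target needs ip_queue.ko to deliver packets to user space. The sys_cap text is the one from the thread, embedded as a constructed sample.

```python
"""Preflight: do the modules listed in sys_cap cover the iptables rules a bundle installs?"""
import shlex

# Constructed sample: the sys_cap file shown in step 6 of the first post.
SAMPLE_SYS_CAP = """\
@BCAPABILITIES=
NET_ADMIN
NET_BROADCAST
NET_RAW

@PROCFS=
/proc/sys/net/ipv4/ip_forward 1

@MODULES=
ip_tables.ko
iptable_mangle.ko
iptable_filter.ko
"""

# Targets handled inside ip_tables itself, so no ipt_<TARGET>.ko is needed
# (assumption for 2.6.14-era kernels; QUEUE still needs the ip_queue handler).
BUILTIN_TARGETS = {"ACCEPT", "DROP", "RETURN", "QUEUE"}


def parse_sys_cap(text):
    """Parse the '@SECTION=' header / one-item-per-line format into {section: [items]}."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("@") and line.endswith("="):
            current = line[1:-1]
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections


def required_modules(rule):
    """Kernel modules an iptables rule needs, derived from -t, -m and -j (naming assumed)."""
    argv = shlex.split(rule)
    table = "filter"          # iptables default when -t is absent
    extra = []
    for i, flag in enumerate(argv):
        arg = argv[i + 1] if i + 1 < len(argv) else None
        if arg is None:
            continue
        if flag == "-t":
            table = arg
        elif flag == "-m":
            extra.append("ipt_%s.ko" % arg)
        elif flag == "-j":
            if arg == "QUEUE":
                extra.append("ip_queue.ko")
            elif arg not in BUILTIN_TARGETS:
                extra.append("ipt_%s.ko" % arg)
    return ["ip_tables.ko", "iptable_%s.ko" % table] + extra


def missing_modules(sys_cap_text, rule):
    """Modules the rule needs that sys_cap does not load, in the order they are needed."""
    loaded = set(parse_sys_cap(sys_cap_text).get("MODULES", []))
    missing = []
    for mod in required_modules(rule):
        # Accept the newer xt_ spelling as equivalent to the ipt_ name.
        alt = mod.replace("ipt_", "xt_", 1) if mod.startswith("ipt_") else mod
        if mod not in loaded and alt not in loaded:
            missing.append(mod)
    return missing


if __name__ == "__main__":
    for rule in (
        "-A PREROUTING -t mangle -m dscp --dscp 1 -j MARK --set-mark 1",
        "-A INPUT -p tcp --dport 22 -j QUEUE",
    ):
        print(rule, "->", "missing:", missing_modules(SAMPLE_SYS_CAP, rule) or "none")
```

With the sys_cap from step 6, the rule from step 9 comes back with ipt_dscp.ko and ipt_MARK.ko missing, and neither is among the four modules AXP 1.1.x ships, so a DSCP-based mark cannot be made to work on that release without LKM-level access. A rule that hands packets to QUEUE, the approach suggested above, only needs ip_queue.ko added to `@MODULES=`.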

Are you sure about the 2.6 kernel thing? The AXP-LKM-SDK.1.1.7 comes with kernel-2.6.14.3 in the gplCore directory?

That's correct - AXP 1.1.7 uses the 2.6.14 kernel. Our latest release AXP 1.5.2 uses kernel 2.6.22. You can download it from this site from the knowledge base page: http://developer.cisco.com/web/axp/docs . We recommend that you use AXP 1.5.2 for your development.

Will AXP 1.5.2 support all AXP hardware?

A recent post from Vijay Prasad Neelamegam indicates that the old AIM card is not supported by AXP 1.5.2.

Tony

AIM is being replaced by AIM2 which is a faster card with more capacity.  The AIM2 card is supported on AXP 1.5.x, but not AIM.  1.5.x does support all other previously supported AXP hardware.

Are you sure about the 2.6 kernel thing? The AXP-LKM-SDK.1.1.7 comes with kernel-2.6.14.3 in the gplCore directory?

Yes, you are right. I had FC4 and 2.4 interleaved in my mind, related to early AXP loads. The process I suggested should work, however.