Author Topic: modules  (Read 696 times)

Master of Reality

  • VIP
  • Member
  • ***
  • Posts: 4,249
  • Kudos: 177
    • http://www.bobhub.tk
modules
« on: 9 September 2002, 04:22 »
I wanna switch from iptables to ipchains (for now) but I can't get iptables removed. I need to remove all the modules associated with iptable_netfilter to do this (?).
When I do 'lsmod'
it lists:
I removed the others (rmmod ipt_state ipt_log (etc.))
But I can't remove any of these last four modules with rmmod because each of them says it's busy because they are all dependent on each other. Is there some way to force them to remove?
Disorder | Rating
Paranoid: Moderate
Schizoid: Moderate
Linux User #283518
'It takes more than a self-inflicted gunshot wound to the head to stop Bob'

voidmain

  • VIP
  • Member
  • ***
  • Posts: 5,605
  • Kudos: 184
    • http://voidmain.is-a-geek.net/
« Reply #1 on: 9 September 2002, 04:43 »
No, you don't want to force them.  You need to stop what is using them.  Probably "flush" the chains.
Someone please remove this account. Thanks...

Master of Reality

« Reply #2 on: 9 September 2002, 04:46 »
I flushed them several times and deleted any user-made chains:
iptables -F
iptables -X

voidmain

« Reply #3 on: 9 September 2002, 04:46 »
Why didn't you just do a:

/etc/rc.d/init.d/iptables stop

Master of Reality

« Reply #4 on: 9 September 2002, 05:05 »
See, they don't tell you blatantly obvious things like that in manuals.

voidmain

« Reply #5 on: 9 September 2002, 15:44 »
Well, they sorta do, if you find the right manual. This would be a distro specific service call, but I knew you were using RedHat sooo. You might also look at that /etc/rc.d/init.d/iptables script and see exactly what commands are used under the "stop" section. I consider the scripts/code to be documentation as well, you can learn a lot by looking through them.

Master of Reality

« Reply #6 on: 10 September 2002, 01:01 »
OK, I stopped iptables and unloaded its module, but when I try to
insmod ipchains
it says:
Using /lib/modules/2.4.18-3/kernel/net/ipv4/netfilter/ipchains.o
/lib/modules/2.4.18-3/kernel/net/ipv4/netfilter/ipchains.o: init_module: Device or resource busy

Does this mean that there is something using iptables still? I couldn't find very good info on switching from iptables to ipchains (most people switch to iptables from ipchains) when I STFW.

voidmain

« Reply #7 on: 10 September 2002, 03:40 »
I just did an "insmod ipchains" without a problem (even though it is better practice to do a "modprobe ipchains").  You must have iptables stuff loaded.  If you make sure iptables service is turned off (/sbin/chkconfig iptables off) and you shut down the service then that should be it.  

Can you paste in a copy of the output of "/sbin/lsmod"? You could always wimp out and reboot but I would never do that. Also if you added any other firewall script or modules to your startup scripts (rc.local etc) you'll need to comment them out first.

Master of Reality

« Reply #8 on: 10 September 2002, 03:47 »
I don't need to restart... couldn't I just go down to runlevel 1 where all the internet stuff is turned off and then back up to init 3?

voidmain

« Reply #9 on: 10 September 2002, 03:49 »
Can you post your module list from "lsmod"?

Master of Reality

« Reply #10 on: 10 September 2002, 03:58 »
[root@server root]# lsmod
Module                  Size  Used by    Not tainted
ipt_LOG                 4576   0  (autoclean)
ipt_limit               1824   0  (autoclean)
iptable_filter          2624   0  (autoclean)
ip_tables              13536   3  [ipt_LOG ipt_limit iptable_filter]
nfsd                   74560   0  (autoclean)
lockd                  55584   0  (autoclean) [nfsd]
sunrpc                 73812   0  (autoclean) [nfsd lockd]
ufs                    54464   0  (autoclean)
nls_iso8859-1           3456   0  (autoclean)
nls_cp437               5088   0  (autoclean)
vfat                   11452   0  (autoclean)
fat                    36440   0  (autoclean) [vfat]
autofs                 11940   0  (autoclean) (unused)
pcnet32                16096   1
8139too                16768   1
mii                     2280   0  [pcnet32 8139too]
ide-cd                 29856   0  (autoclean)
cdrom                  33184   0  (autoclean) [ide-cd]
usb-uhci               23492   0  (unused)
usbcore                71168   1  [usb-uhci]
ext3                   64448   1
jbd                    47608   1  [ext3]

voidmain

« Reply #11 on: 10 September 2002, 04:30 »
You need to unload the modules shown in the brackets [] before you can unload the main modules.

I would suggest this:

# /etc/rc.d/init.d/iptables stop
# rmmod -a
# rmmod ipt_LOG
# rmmod ipt_limit
# rmmod iptable_filter
# rmmod ip_tables
# modprobe ipchains

It "should" work.
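
The ordering rule from Reply #11, as an added example that is not part of the original thread: a shell function (the name `unload_order` and the `BUSY` marker are assumptions of this example) that reads 2.4-style `lsmod` output and prints a module's dependents before the module itself. The sample input is a subset of the listing posted in Reply #10.

```shell
#!/bin/sh
# Added example: derive a safe rmmod order from 2.4-style lsmod output.
# The bracketed list on a line names the modules that depend on that module,
# so those have to be unloaded first.

# Sample input: a subset of the lsmod listing posted in the thread.
SAMPLE_LSMOD='Module                  Size  Used by    Not tainted
ipt_LOG                 4576   0  (autoclean)
ipt_limit               1824   0  (autoclean)
iptable_filter          2624   0  (autoclean)
ip_tables              13536   3  [ipt_LOG ipt_limit iptable_filter]
mii                     2280   0  [pcnet32 8139too]
pcnet32                16096   1
8139too                16768   1'

# unload_order MODULE: read lsmod output on stdin and print MODULE plus
# everything that depends on it, one name per line, dependents first.
# Returns non-zero if MODULE is not in the listing.
unload_order() {
    awk -v root="$1" '
        function visit(m,    parts, n, i) {
            if (m in seen) return
            seen[m] = 1
            n = split(users[m], parts, " ")
            for (i = 1; i <= n; i++) visit(parts[i])
            # A non-zero use count with no listed dependents means a
            # non-module user (an interface, loaded rules) holds the module.
            if (count[m] > 0 && users[m] == "") print m " BUSY"
            else print m
        }
        $1 == "Module" { next }               # header line
        {
            count[$1] = $3 + 0
            users[$1] = ""
            if (match($0, /\[[^]]*\]/))
                users[$1] = substr($0, RSTART + 1, RLENGTH - 2)
        }
        END {
            if (!(root in count)) exit 1      # module not loaded
            visit(root)
        }
    '
}

printf '%s\n' "$SAMPLE_LSMOD" | unload_order ip_tables
```

On a live system, pipe `/sbin/lsmod` into the function instead of the sample; a line marked `BUSY` is one that `rmmod` will refuse until whatever holds it is stopped.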

Master of Reality

« Reply #12 on: 10 September 2002, 04:34 »
What (if anything) do I need to change in order to start ipchains at startup and not iptables?

[ September 09, 2002: Message edited by: Master of Reality / Bob ]


voidmain

« Reply #13 on: 10 September 2002, 04:38 »
If you want to use your own custom script and not do it the RedHat way then I would not use either the "ipchains" or "iptables" service scripts.  However, now might be a good time to convert to the RedHat way.  

The new RedHat way is to put your ipchains rules in "/etc/sysconfig/ipchains" and of course you would want to "chkconfig ipchains on" and if you don't want to reboot "/etc/rc.d/init.d/ipchains start" to load the ipchains modules and load the rules from "/etc/sysconfig/ipchains".  

I would think there should be a document on RedHat's web site describing this file and an example.

Master of Reality

« Reply #14 on: 10 September 2002, 04:41 »
Would that be instead of creating a script and putting it in /etc/rc.d/init.d and then adding it to rc.local?