Stop Microsoft

Operating Systems => Linux and UNIX => Topic started by: Master of Reality on 9 September 2002, 04:22

Title: modules
Post by: Master of Reality on 9 September 2002, 04:22

i wanna switch from iptables to ipchains (for now) but i cant get iptables removed. I need to remove all the modules associated with iptable_netfilter to do this (?).
When i do 'lsmod'
it lists:

Code: [Select]

I removed the others (rmmod ipt_state ipt_log (etc.))
But i cant remove any of these last four modules with rmmod because each of them says its busy because they are all dependant on eachother. Is there some way to force them to remove?

Title: modules
Post by: voidmain on 9 September 2002, 04:43

No, you don't want to force them.  You need to stop what is using them.  Probably "flush" the chains.

Title: modules
Post by: Master of Reality on 9 September 2002, 04:46

i flushed them several times and deleted any usr made chains:
iptables -F
iptables -X

Title: modules
Post by: voidmain on 9 September 2002, 04:46

Why didn't you just do a:

/etc/rc.d/init.d/iptables stop

Title: modules
Post by: Master of Reality on 9 September 2002, 05:05

see, they dont tell you blatantly obvious things like that in manuals.

Title: modules
Post by: voidmain on 9 September 2002, 15:44

Well, they sorta do, if you find the right manual. This would be a distro specific service call, but I knew you were using RedHat sooo. You might also look at that /etc/rc.d/init.d/iptables script and see exactly what commands are used under the "stop" section. I consider the scripts/code to be documentation as well, you can learn a lot by looking through them.

Title: modules
Post by: Master of Reality on 10 September 2002, 01:01

ok i stopped iptables an unloaded its module, but when i try to
insmod ipchains
it says:
Using /lib/modules/2.4.18-3/kernel/net/ipv4/netfilter/ipchains.o
/lib/modules/2.4.18-3/kernel/net/ipv4/netfilter/ipchains.o: init_module: Device or resource busy

does this mean that there is soemthing using iptables still? I couldnt find very good info on switching from iptables to ipchains (most people switch to iptables from ipchains) when i STFW.

Title: modules
Post by: voidmain on 10 September 2002, 03:40

I just did an "insmod ipchains" without a problem (even though it is better practice to do a "modprobe ipchains").  You must have iptables stuff loaded.  If you make sure iptables service is turned off (/sbin/chkconfig iptables off) and you shut down the service then that should be it.  

Can you paste in a copy of the output of "/sbin/lsmod"? You could always whimp out and reboot but I would never do that.  (http://smile.gif)   Also if you added any other firewall script or modules to your startup scripts (rc.local etc) you'll need to comment them out first.

Title: modules
Post by: Master of Reality on 10 September 2002, 03:47

i dont need to restart... couldnt i just go down to runlevel 1 where all the internet stuff is turned off and then back up to init 3?

Title: modules
Post by: voidmain on 10 September 2002, 03:49

Can you post your module list from "lsmod"?

Title: modules
Post by: Master of Reality on 10 September 2002, 03:58

[root@server root]# lsmod
Module                  Size  Used by    Not tainted
ipt_LOG                 4576   0  (autoclean)
ipt_limit               1824   0  (autoclean)
iptable_filter          2624   0  (autoclean)
ip_tables              13536   3  [ipt_LOG ipt_limit iptable_filter]
nfsd                   74560   0  (autoclean)
lockd                  55584   0  (autoclean) [nfsd]
sunrpc                 73812   0  (autoclean) [nfsd lockd]
ufs                    54464   0  (autoclean)
nls_iso8859-1           3456   0  (autoclean)
nls_cp437               5088   0  (autoclean)
vfat                   11452   0  (autoclean)
fat                    36440   0  (autoclean) [vfat]
autofs                 11940   0  (autoclean) (unused)
pcnet32                16096   1
8139too                16768   1
mii                     2280   0  [pcnet32 8139too]
ide-cd                 29856   0  (autoclean)
cdrom                  33184   0  (autoclean) [ide-cd]
usb-uhci               23492   0  (unused)
usbcore                71168   1  [usb-uhci]
ext3                   64448   1
jbd                    47608   1  [ext3]

Title: modules
Post by: voidmain on 10 September 2002, 04:30

You need to unload the modules shown in the brackets [] before you can unload the main modules.

I would suggest this:

# /etc/rc.d/init.d/iptables stop
# rmmod -a
# rmmod ipt_LOG
# rmmod ipt_limit
# rmmod iptable_filter
# rmmod ip_tables
# modprobe ipchains

It "should" work.

Title: modules
Post by: Master of Reality on 10 September 2002, 04:34

what (if anything) do i need to change in order to start ipchains at startup and not iptables?

[ September 09, 2002: Message edited by: Master of Reality / Bob ]

Title: modules
Post by: voidmain on 10 September 2002, 04:38

If you want to use your own custom script and not do it the RedHat way then I would not use either the "ipchains" or "iptables" service scripts.  However, now might be a good time to convert to the RedHat way.  

The new RedHat way is to put your ipchains rules in "/etc/sysconfig/ipchains" and of course you would want to "chkconfig ipchains on" and if you don't want to reboot "/etc/rc.d/init.d/ipchains start" to load the ipchains modules and load the rules from "/etc/sysconfig/ipchains".  

I would think there should be a document on RedHat's web site describing this file and an example.

Title: modules
Post by: Master of Reality on 10 September 2002, 04:41

would that be instead of creating a script and putting it in /etc/rc.d/init.d and then adding it to rc.local?

Title: modules
Post by: voidmain on 10 September 2002, 04:44

Exactly.  You would forget everything I told you before about a custom script that is called from rc.local. All configuration would be done in /etc/sysconfig/ipchains.  I would look for an example on RedHat first though so you know the syntax...  If you want to use the old way of calling your custom script from rc.local then you want to make sure both the ipchains and iptables services are turned off.