From: "Chris Kloiber" <[EMAIL PROTECTED]>

> On Sun, 2003-01-05 at 15:40, Tommy McNeely wrote:
> > 
> > my question.. which everyone keeps sorta dancing around :)
> > 
> > is how do I make it load automatically at system boot time... will just
> > specifying the options in /etc/modules.conf work for me? .. i see
> > something about /etc/rc.modules in the /etc/rc.sysinit ?? or is there
> > something like /etc/modules.autoload ??
> For some reason, ip_conntrack_ftp doesn't load itself automatically. You
> can make an /etc/rc.modules that contains "modprobe ip_conntrack_ftp" if
> you wish (make sure it's executable, and writable only by root), or you
> can put it in rc.local, or you can have your custom iptables script load
> it when necessary. Your choice.

Chris, this is what my iptables script looks like before it sets up rules:
# Tool paths (set at the top of the full rc.firewall script; repeated here
# so this excerpt runs on its own)
LSMOD=/sbin/lsmod
GREP=/bin/grep
AWK=/bin/awk
INSMOD=/sbin/insmod

#Load the stateful connection tracking framework - "ip_conntrack"
# The conntrack module in itself does nothing without other specific
# conntrack modules being loaded afterwards such as the "ip_conntrack_ftp"
# module
#  - This module is loaded automatically when MASQ functionality is
#    enabled
#  - Loaded manually to clean up kernel auto-loading timing issues
echo -en "ip_conntrack, "
#Verify the module isn't loaded.  If it is, skip it
if [ -z "` $LSMOD | $GREP ip_conntrack | $AWK '{print $1}' `" ]; then
   $INSMOD ip_conntrack
fi

#Load the FTP tracking mechanism for full FTP tracking
# Enabled by default -- insert a "#" on the next line to deactivate
echo -e "ip_conntrack_ftp, "
#Verify the module isn't loaded.  If it is, skip it
if [ -z "` $LSMOD | $GREP ip_conntrack_ftp | $AWK '{print $1}' `" ]; then
   $INSMOD ip_conntrack_ftp
fi

#Load the IRC tracking mechanism for full IRC tracking
# Enabled by default -- insert a "#" on the next line to deactivate
echo -en "                             ip_conntrack_irc, "
#Verify the module isn't loaded.  If it is, skip it
if [ -z "` $LSMOD | $GREP ip_conntrack_irc | $AWK '{print $1}' `" ]; then
   $INSMOD ip_conntrack_irc
fi

#Load the general IPTABLES NAT code - "iptable_nat"
#  - Loaded automatically when MASQ functionality is turned on
#  - Loaded manually to clean up kernel auto-loading timing issues
echo -en "iptable_nat, "
#Verify the module isn't loaded.  If it is, skip it
if [ -z "` $LSMOD | $GREP iptable_nat | $AWK '{print $1}' `" ]; then
   $INSMOD iptable_nat
fi

#Loads the FTP NAT functionality into the core IPTABLES code
# Required to support non-PASV FTP.
# Enabled by default -- insert a "#" on the next line to deactivate
echo -e "ip_nat_ftp"
#Verify the module isn't loaded.  If it is, skip it
if [ -z "` $LSMOD | $GREP ip_nat_ftp | $AWK '{print $1}' `" ]; then
   $INSMOD ip_nat_ftp
fi

echo "  ---"

# Just to be complete, here is a list of the remaining kernel modules
# and their function.  Please note that several modules should be only
# loaded by the correct master kernel module for proper operation.
# --------------------------------------------------------------------
#    ipt_mark       - this target marks a given packet for future action.
#                     This automatically loads the ipt_MARK module
#    ipt_tcpmss     - this target allows to manipulate the TCP MSS
#                     option for braindead remote firewalls.
#                     This automatically loads the ipt_TCPMSS module
#    ipt_limit      - this target allows for packets to be limited to
#                     to many hits per sec/min/hr
#    ipt_multiport  - this match allows for targets within a range
#                     of port numbers vs. listing each port individually
#    ipt_state      - this match allows to catch packets with various
#                     IP and TCP flags set/unset
#    ipt_unclean    - this match allows to catch packets that have invalid
#                     IP/TCP flags set
#    iptable_filter - this module allows for packets to be DROPped,
#                     REJECTed, or LOGged.  This module automatically
#                     loads the following modules:
#                     ipt_LOG - this target allows for packets to be
#                               logged
#                     ipt_REJECT - this target DROPs the packet and returns
#                                  a configurable ICMP packet back to the
#                                  sender.
#    iptable_mangle - this target allows for packets to be manipulated
#                     for things like the TCPMSS option, etc.
This is from:
# rc.firewall-2.4-stronger

#          An example of a stronger IPTABLES firewall with IP Masquerade
#          support for 2.4.x kernels.

This is the ipmasquerade example stronger firewall for 2.4 iptables. I
found that firewall to be an excellent starter for what I needed here. All
people asking this sort of question would be well advised to visit and seriously look around. It is a great site. The
other "of course" site is, of course.
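An added example, not part of the posted rc.firewall script or of the thread: an idempotent module loader in the spirit of the excerpt above, plus the permission check Chris recommends for /etc/rc.modules (executable, writable only by root). It assumes the loaded-module table is read from a /proc/modules-style file (module name in column 1) so it can be exercised offline, and that the loader command is a parameter so modprobe can be swapped for a dry-run command.

```shell
#!/bin/sh
# Added example (not from the posted script). Assumptions: module table is a
# /proc/modules-style file passed as a parameter; the loader command is also
# a parameter (default modprobe) so the logic can be run without root.

# is_loaded MODULE [TABLE] -> 0 when MODULE is listed in TABLE
is_loaded() {
    mod=$1
    table=${2:-/proc/modules}
    # Exact match on column 1: a substring grep for "ip_conntrack" would
    # also match "ip_conntrack_ftp".
    awk -v m="$mod" '$1 == m { found = 1 } END { exit !found }' "$table"
}

# ensure_module MODULE [TABLE] [LOADER]
# Loads MODULE only when it is absent. The default loader is modprobe, which
# resolves dependencies (ip_conntrack before ip_conntrack_ftp); insmod does not.
ensure_module() {
    mod=$1
    table=${2:-/proc/modules}
    loader=${3:-modprobe}
    if is_loaded "$mod" "$table"; then
        echo "$mod: already loaded"
        return 0
    fi
    $loader "$mod" || { echo "$mod: load failed" >&2; return 1; }
    echo "$mod: loaded"
}

# rc_modules_ok FILE -> 0 when FILE is executable and writable only by its owner.
# A script that root runs at boot must not be group- or world-writable.
rc_modules_ok() {
    f=$1
    [ -x "$f" ] || return 1
    # Columns 6 and 9 of "ls -l" output are the group and other write bits.
    [ "$(ls -ld "$f" | cut -c6,9)" = "--" ]
}

# Demonstration on a constructed /proc/modules-style table (no root needed)
TABLE=$(mktemp)
printf 'ip_conntrack_ftp 5000 0 - Live 0x0\nip_conntrack 30000 1 ip_conntrack_ftp, Live 0x0\n' > "$TABLE"
ensure_module ip_conntrack "$TABLE" "echo dry-run: modprobe"   # prints "ip_conntrack: already loaded"
ensure_module ip_nat_ftp   "$TABLE" "echo dry-run: modprobe"   # prints "ip_nat_ftp: loaded"
rm -f "$TABLE"
```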


Psyche-list mailing list