From: "Chris Kloiber" <ckloiber@ckloiber.com>

> On Sun, 2003-01-05 at 15:40, Tommy McNeely wrote:
> >
> > my question.. which everyone keeps sorta dancing around :)
> >
> > is how do I make it load automatically at system boot time... will just
> > specifying the options in /etc/modules.conf work for me? .. i see
> > something about /etc/rc.modules in the /etc/rc.sysinit ?? or is there
> > something like /etc/modules.autoload ??
>
> For some reason, ip_conntrack_ftp doesn't load itself automatically. You
> can make an /etc/rc.modules that contains "modprobe ip_conntrack_ftp" if
> you wish (make sure it's executable, and writable only by root), or you
> can put it in rc.local, or you can have your custom iptables script load
> it when necessary. Your choice.
>

Chris, this is what my iptables script looks like before it sets up rules:

--8<--
# Note: $LSMOD, $GREP, $AWK and $INSMOD hold the tool paths and are set
# earlier in the script; this excerpt starts after those definitions.

#Load the stateful connection tracking framework - "ip_conntrack"
#
#   The conntrack module in itself does nothing without other specific
#   conntrack modules being loaded afterwards such as the "ip_conntrack_ftp"
#   module
#
#   - This module is loaded automatically when MASQ functionality is
#     enabled
#
#   - Loaded manually to clean up kernel auto-loading timing issues
#
echo -en "ip_conntrack, "
#
#Verify the module isn't loaded.  If it is, skip it
#
if [ -z "` $LSMOD | $GREP ip_conntrack | $AWK '{print $1}' `" ]; then
   $INSMOD ip_conntrack
fi

#Load the FTP tracking mechanism for full FTP tracking
#
#   Enabled by default -- insert a "#" on the next line to deactivate
#
echo -en "ip_conntrack_ftp, "
#
#Verify the module isn't loaded.  If it is, skip it
#
if [ -z "` $LSMOD | $GREP ip_conntrack_ftp | $AWK '{print $1}' `" ]; then
   $INSMOD ip_conntrack_ftp
fi

#Load the IRC tracking mechanism for full IRC tracking
#
#   Enabled by default -- insert a "#" on the next line to deactivate
#
echo -en "ip_conntrack_irc, "
#
#Verify the module isn't loaded.  If it is, skip it
#
if [ -z "` $LSMOD | $GREP ip_conntrack_irc | $AWK '{print $1}' `" ]; then
   $INSMOD ip_conntrack_irc
fi

#Load the general IPTABLES NAT code - "iptable_nat"
#
#   - Loaded automatically when MASQ functionality is turned on
#
#   - Loaded manually to clean up kernel auto-loading timing issues
#
echo -en "iptable_nat, "
#
#Verify the module isn't loaded.  If it is, skip it
#
if [ -z "` $LSMOD | $GREP iptable_nat | $AWK '{print $1}' `" ]; then
   $INSMOD iptable_nat
fi

#Loads the FTP NAT functionality into the core IPTABLES code
#   Required to support non-PASV FTP.
#
#   Enabled by default -- insert a "#" on the next line to deactivate
#
echo -en "ip_nat_ftp"
#
#Verify the module isn't loaded.  If it is, skip it
#
if [ -z "` $LSMOD | $GREP ip_nat_ftp | $AWK '{print $1}' `" ]; then
   $INSMOD ip_nat_ftp
fi
echo " ---"

# Just to be complete, here is a list of the remaining kernel modules
# and their function.  Please note that several modules should be only
# loaded by the correct master kernel module for proper operation.
# --------------------------------------------------------------------
#
#    ipt_mark       - this target marks a given packet for future action.
#                     This automatically loads the ipt_MARK module
#
#    ipt_tcpmss     - this target allows manipulation of the TCP MSS
#                     option for braindead remote firewalls.
#                     This automatically loads the ipt_TCPMSS module
#
#    ipt_limit      - this target allows for packets to be limited to
#                     many hits per sec/min/hr
#
#    ipt_multiport  - this match allows for targets within a range
#                     of port numbers vs. listing each port individually
#
#    ipt_state      - this match allows to catch packets with various
#                     IP and TCP flags set/unset
#
#    ipt_unclean    - this match allows to catch packets that have invalid
#                     IP/TCP flags set
#
#    iptable_filter - this module allows for packets to be DROPped,
#                     REJECTed, or LOGged.  This module automatically
#                     loads the following modules:
#
#                     ipt_LOG    - this target allows for packets to be
#                                  logged
#
#                     ipt_REJECT - this target DROPs the packet and returns
#                                  a configurable ICMP packet back to the
#                                  sender.
#
#    iptable_mangle - this target allows for packets to be manipulated
#                     for things like the TCPMSS option, etc.
--8<--

This is from:

--8<--
#
# rc.firewall-2.4-stronger FWVER=0.75s
#
#   An example of a stronger IPTABLES firewall with IP Masquerade
#   support for 2.4.x kernels.
#
--8<--

This is the ipmasquerade example stronger firewall for 2.4 iptables. I
found that firewall to be an excellent starter for what I needed here.
All people asking this sort of question would be well advised to visit
http://ipmasq.cjb.net/ and seriously look around. It is a great site.

The other "of course" site is http://www.netfilter.org/, of course.

{^_^}

-- 
Psyche-list mailing list
Psyche-list@redhat.com
https://listman.redhat.com/mailman/listinfo/psyche-list
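An added example (not from the thread or from rc.firewall-2.4-stronger) of the "load the helper from your own script" approach discussed above. It uses modprobe rather than insmod so that ip_conntrack is pulled in before ip_conntrack_ftp, and matches the module name exactly, because a plain `grep ip_conntrack` on the lsmod output also matches ip_conntrack_ftp and ip_conntrack_irc. The /proc/modules sample is constructed; MODULES_FILE and the function names are this example's own.

```shell
#!/bin/sh
# Added example: idempotent loading of netfilter helper modules.
# Two changes from the posted script: modprobe instead of insmod (it resolves
# the ip_conntrack dependency itself), and an exact match on the module name
# instead of a substring match.

# Constructed sample in /proc/modules format (name, size, use count, users).
# Only the FTP helper is present; the base ip_conntrack line is deliberately
# absent so the substring pitfall is visible.
SAMPLE_MODULES='ip_conntrack_ftp         4000   0 (unused)
iptable_filter           2000   1
ip_tables               12000   1 [iptable_filter]'

# naive_loaded NAME FILE: the substring test used in the posted script
naive_loaded() {
    [ -n "$(grep "$1" "$2" | awk '{print $1}')" ]
}

# is_loaded NAME FILE: true only if some line's first field equals NAME
is_loaded() {
    awk -v m="$1" '$1 == m { found = 1 } END { exit !found }' "$2"
}

# ensure_module NAME: load with modprobe only when it is not already loaded.
# MODULES_FILE (assumed name) defaults to the live table; point it at a copy
# for dry runs.
ensure_module() {
    if is_loaded "$1" "${MODULES_FILE:-/proc/modules}"; then
        echo "$1: already loaded"
    else
        echo "$1: loading via modprobe"
        modprobe "$1"
    fi
}

# Show the difference on the constructed sample; no modules are touched.
demo_file="${TMPDIR:-/tmp}/modules.sample.$$"
printf '%s\n' "$SAMPLE_MODULES" > "$demo_file"
for m in ip_conntrack ip_conntrack_ftp; do
    if naive_loaded "$m" "$demo_file"; then n=yes; else n=no; fi
    if is_loaded "$m" "$demo_file"; then e=yes; else e=no; fi
    echo "$m  substring-match: $n  exact-match: $e"
done
rm -f "$demo_file"
```

With the sample, the substring check reports ip_conntrack as loaded although only ip_conntrack_ftp is in the table; the exact check does not, so ensure_module would go on to call modprobe.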