Hi Ckleea,

Yes iptables is on the way.

Cheers
Dimitar

Perhaps, you may try manually add the rules to the file.
I am compiling the latest firmware and not yet able to test iptables. But really look forward to see a working version.

On the way, I only use an atom pc to compile. Will need to take sometimes to finish.

I have the same error as Florian. I can't find netfilter

Hi Guys

I can confirm that iptables is working in rev 431 on IP02.

Thanks
Jason

No problem thanks for supporting and using SwitchFin.

Thanks
Jason

Works great with basic iptables rules. But when I try to insert custom rules like :

root@ip0x:~> iptables -i eth0 -A INPUT -p udp -s 212.27.52.5 --sport 5060 -m length --length 60 -j DROP
iptables: No chain/target/match by that name.

it doesn't work...

Finality is to avoid this log message in asterisk : "chan_sip.c:7338 determine_firstline_parts: Bad request protocol Packet" every second...

Do people have same problem ?

Thanks.
Florian

Hi,

My SIP provider is a french provider who doesn't use SIP/2.0 and logs were inconveniant.

I compiled a new image and manualy add CONFIG_NETFILTER_ADVANCED and CONFIG_NETFILTER_XT_MATCH_LENGTH.

Everything's ok for this features now

Thanx for debugging.
Florian

Hi Gilles

I have just updated the GUI and added an iptables manager to compile please follow the below instructions.

First of all you want to delete you build_ip0x dir this will ensure a completely fresh make. 

Next run make menuconfig
Select "Package Selection for the target"
Select "iptables"
Select "Exit"
Select "Exit" again and "yes" to saving your configs
run "make" then "make image"

iptables should be installed in your newly created uImage, The GUI is set to update its self on every "make" so iptables should be in it to.

Any rules added in the GUI will get saved to "/etc/sysconfig/iptables" after clicking the "Apply/Run Rules" button.

you will have to add "iptables-restore /etc/sysconfig/iptables" to the /etc/init.d/network script to make sure the rules are loaded every boot.

Thanks
Jason

Hi Gilles

You only need to enable CONFIG_NETFILTER_ADVANCED and CONFIG_NETFILTER_XT_MATCH_LENGTH if you want advanced iptables, for standard firewalling (port/ip/protocol) you should be fine.

Thanks
Jason

Hi,

I think I manually add those advanced settings by editing file package/iptables/config.iptables and set options I need to "y". Then compiling let me choice for other options.

I'm not sure of this because I use asterisk 1.6 which doesn't need Cirpak exclusion.

Tell me if this doesn't work for you i will try by myself again.

Florian

Thanks for the clarification.

However, after editing config.iptables to add the two line, and running "make", I'm prompted to validate every single option!

Here's what I did:

rm -Rf /usr/src/switchfin
svn co https://switchfin.svn.sourceforge.net/s … fin/trunk/ switchfin
=> release 503
   
make menuconfig > Package Selection for the target: select iptables

vi package/iptables/config.iptables, and those two lines:
CONFIG_NETFILTER_ADVANCED=y
CONFIG_NETFILTER_XT_MATCH_LENGTH=y

And when running "make":
...
Enable the memory protection unit (EXPERIMENTAL) (MPU) [N/y/?] n
Netfilter NFQUEUE over NFNETLINK interface (NETFILTER_NETLINK_QUEUE) [N/m/y/?] (NEW)
etc.

What does "make" prompt the user for this, and how to avoid it?

FWIW, this doesn't occur when I leave config.iptables alone.

Thank you.

Right, but I'm prompted a bazillion times, so it's going to take a long time going through the list.

Nobody knows why make decides to prompt for each option simply after adding some manually?

Thanks Jason. Using the above, we end up being prompted for a very big number of options:

www.pastebin.com/ECRNJBsi

Using the following options in config.iptables answers all the prompts, although I probably don't need most options but don't have the knowledge to know which are required and which arent:

CONFIG_NETFILTER=y
CONFIG_NETFILTER_ADVANCED=y
CONFIG_NETFILTER_NETLINK_QUEUE=y
CONFIG_NETFILTER_NETLINK_LOG=y
CONFIG_NF_CONNTRACK=y
CONFIG_NF_CT_ACCT=y
CONFIG_NF_CONNTRACK_MARK=y
CONFIG_NF_CONNTRACK_EVENTS=y
CONFIG_NF_CT_PROTO_DCCP=y
CONFIG_NF_CT_PROTO_SCTP=y
CONFIG_NF_CT_PROTO_UDPLITE=y
CONFIG_NF_CONNTRACK_AMANDA=y
CONFIG_NF_CONNTRACK_FTP=y
CONFIG_NF_CONNTRACK_H323=y
CONFIG_NF_CONNTRACK_IRC=y
CONFIG_NF_CONNTRACK_NETBIOS_NS=y
CONFIG_NF_CONNTRACK_PPTP=y
CONFIG_NF_CONNTRACK_SANE=y
CONFIG_NF_CONNTRACK_SIP=y
CONFIG_NF_CONNTRACK_TFTP=y
CONFIG_NF_CT_NETLINK=y
CONFIG_NETFILTER_TPROXY=y
CONFIG_NETFILTER_XTABLES=y
CONFIG_NETFILTER_XT_TARGET_CLASSIFY=y
CONFIG_NETFILTER_XT_TARGET_CONNMARK=y
CONFIG_NETFILTER_XT_TARGET_DSCP=y
CONFIG_NETFILTER_XT_TARGET_MARK=y
CONFIG_NETFILTER_XT_TARGET_NFLOG=y
CONFIG_NETFILTER_XT_TARGET_NFQUEUE=y
CONFIG_NETFILTER_XT_TARGET_NOTRACK=y
CONFIG_NETFILTER_XT_TARGET_RATEEST=y
CONFIG_NETFILTER_XT_TARGET_TPROXY=y
CONFIG_NETFILTER_XT_TARGET_TRACE=y
CONFIG_NETFILTER_XT_TARGET_TCPMSS=y
CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP=y
CONFIG_NETFILTER_XT_MATCH_COMMENT=y
CONFIG_NETFILTER_XT_MATCH_CONNBYTES=y
CONFIG_NETFILTER_XT_MATCH_CONNLIMIT=y
CONFIG_NETFILTER_XT_MATCH_CONNMARK=y
CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y
CONFIG_NETFILTER_XT_MATCH_DCCP=y
CONFIG_NETFILTER_XT_MATCH_DSCP=y
CONFIG_NETFILTER_XT_MATCH_ESP=y
CONFIG_NETFILTER_XT_MATCH_HASHLIMIT=y
CONFIG_NETFILTER_XT_MATCH_HELPER=y
CONFIG_NETFILTER_XT_MATCH_IPRANGE=y
CONFIG_NETFILTER_XT_MATCH_LENGTH=y
CONFIG_NETFILTER_XT_MATCH_LIMIT=y
CONFIG_NETFILTER_XT_MATCH_MAC=y
CONFIG_NETFILTER_XT_MATCH_MARK=y
CONFIG_NETFILTER_XT_MATCH_MULTIPORT=y
CONFIG_NETFILTER_XT_MATCH_OWNER=y
CONFIG_NETFILTER_XT_MATCH_POLICY=y
CONFIG_NETFILTER_XT_MATCH_PKTTYPE=y
CONFIG_NETFILTER_XT_MATCH_QUOTA=y
CONFIG_NETFILTER_XT_MATCH_RATEEST=y
CONFIG_NETFILTER_XT_MATCH_REALM=y
CONFIG_NETFILTER_XT_MATCH_RECENT=y
CONFIG_NETFILTER_XT_MATCH_RECENT_PROC_COMPAT=y
CONFIG_NETFILTER_XT_MATCH_SCTP=y
CONFIG_NETFILTER_XT_MATCH_SOCKET=y
CONFIG_NETFILTER_XT_MATCH_STATE=y
CONFIG_NETFILTER_XT_MATCH_STATISTIC=y
CONFIG_NETFILTER_XT_MATCH_STRING=y
CONFIG_NETFILTER_XT_MATCH_TCPMSS=y
CONFIG_NETFILTER_XT_MATCH_TIME=y
CONFIG_NETFILTER_XT_MATCH_U32=y