Armbian Buster problems with iptables and ipset (SOLVED)


counterpoint

I am setting up a new Odroid HC1 and have installed Armbian Buster from https://www.armbian.com/odroid-hc1/.

 

Attempting to run iptables, I first had the problem:

iptables/1.8.2 Failed to initialize nft: Protocol not supported

Attempting to use legacy, I used the command:

update-alternatives --set iptables /usr/sbin/iptables-legacy

But then had the error:

modprobe: ERROR: ../libkmod/libkmod.c:586 kmod_search_moddep() could not open moddep file '/lib/modules/4.14.180-odroidxu4/modules.dep.bin'
modprobe: FATAL: Module ip_tables not found in directory /lib/modules/4.14.180-odroidxu4
iptables v1.8.2 (legacy): can't initialize iptables table `filter': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.

This leaves me rather stuck! In my firewall, I make extensive use of ipset. But that also seems to have a problem:

ipset v6.38: Cannot open session to kernel.

Are these problems soluble?

Link to comment
Share on other sites

This is odd... as when looking at the kernel config used, the iptables modules are there. Debian Buster does use nftables, so there must be some underlying issues. Maybe reinstall the iptables-legacy package and reboot before setting the alternative?

what does this command return?

 

find /lib/modules/|fgrep -i tables


also please run and share link for 

sudo armbianmonitor -u

 

Link to comment
Share on other sites

Thanks very much. Sorry for the slow response - I'm only allowed one post per 24 hours. I seem to have a solution. As mentioned above, I took the image from https://www.armbian.com/odroid-hc1/

 

To be more specific, I used the one with the large image at the right hand side of the page, just below the picture of an HC1. Looking more carefully, it uses kernel 4.14.y. Not being knowledgeable about kernel versions, I assumed that the highlighted image was the best to use. However, I later looked down the page, and tried using the download link https://dl.armbian.com/odroidxu4/Buster_current_minimal which uses kernel 5.4. Why would people prefer an old kernel? Anyway, everything seems to work as I would expect with no need for selecting legacy elements or anything unusual.

 

With the other image, I was not able to find a package called iptables-legacy, only one called iptables. Reinstalling it and rebooting didn't make a difference.

 

In case they are still of interest, the answers to your questions are:

root@backup:~# find /lib/modules/|fgrep -i tables
/lib/modules/4.14.187-odroidxu4/kernel/net/ipv6/netfilter/nf_tables_ipv6.ko
/lib/modules/4.14.187-odroidxu4/kernel/net/ipv6/netfilter/ip6_tables.ko
/lib/modules/4.14.187-odroidxu4/kernel/net/ipv4/netfilter/nf_tables_ipv4.ko
/lib/modules/4.14.187-odroidxu4/kernel/net/ipv4/netfilter/ip_tables.ko
/lib/modules/4.14.187-odroidxu4/kernel/net/ipv4/netfilter/arp_tables.ko
/lib/modules/4.14.187-odroidxu4/kernel/net/ipv4/netfilter/nf_tables_arp.ko
/lib/modules/4.14.187-odroidxu4/kernel/net/netfilter/nf_tables_netdev.ko
/lib/modules/4.14.187-odroidxu4/kernel/net/netfilter/nf_tables.ko
/lib/modules/4.14.187-odroidxu4/kernel/net/netfilter/nf_tables_inet.ko
/lib/modules/4.14.187-odroidxu4/kernel/net/bridge/netfilter/ebtables.ko
/lib/modules/4.14.187-odroidxu4/kernel/net/bridge/netfilter/nf_tables_bridge.ko

root@backup:~# armbianmonitor -u
System diagnosis information will now be uploaded to http://ix.io/2rqQ

 

Link to comment
Share on other sites
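
Added example, not part of any post in this thread: the modprobe error in the first post reports that modules.dep.bin could not be opened under /lib/modules/<release>, and the reply above asks which netfilter modules are installed. The script below combines both checks for one kernel release. The function names, the MODROOT override and the list of required modules (ip_tables, nf_tables, ip_set, nfnetlink) are this example's assumptions.

```shell
#!/bin/sh
# Added example: check that a kernel release has a usable module tree for
# iptables (legacy and nft backends) and ipset. Names here are the example's
# own; MODROOT is overridable so the check can be run against a test tree.

MODROOT="${MODROOT:-/lib/modules}"
NEEDED="ip_tables nf_tables ip_set nfnetlink"   # assumed minimum set

# has_module RELEASE NAME: succeeds if NAME exists as a loadable .ko
# (optionally compressed) or is listed in modules.builtin for RELEASE.
has_module() {
    dir="$MODROOT/$1"
    if find "$dir" -name "$2.ko*" 2>/dev/null | grep -q .; then
        return 0
    fi
    grep -q "/$2\.ko\$" "$dir/modules.builtin" 2>/dev/null
}

# check_release RELEASE: prints one status word, non-zero exit on failure.
#   no-module-dir   $MODROOT/RELEASE is absent (kernel and modules out of step)
#   no-moddep       modules.dep.bin is missing, so modprobe cannot resolve names
#   missing:<list>  tree exists but lacks the named modules
#   ok              everything in NEEDED is present
check_release() {
    rel="$1"
    dir="$MODROOT/$rel"
    [ -d "$dir" ] || { echo "no-module-dir"; return 1; }
    [ -f "$dir/modules.dep.bin" ] || { echo "no-moddep"; return 1; }
    missing=""
    for m in $NEEDED; do
        has_module "$rel" "$m" || missing="${missing:+$missing,}$m"
    done
    [ -z "$missing" ] || { echo "missing:$missing"; return 1; }
    echo "ok"
}

# Live check only when the script is invoked with the argument "run".
if [ "${1:-}" = "run" ]; then
    rel="$(uname -r)"
    echo "running kernel:  $rel"
    echo "installed trees: $(ls "$MODROOT" 2>/dev/null | tr '\n' ' ')"
    echo "status:          $(check_release "$rel")"
fi
```

A `no-module-dir` result while another release directory is listed under "installed trees" means the booted kernel and the installed modules package are out of step.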

root@mips24k:~# find /lib/modules/|fgrep -i tables
/lib/modules/5.4.51/ip6_tables.ko
/lib/modules/5.4.51/ip_tables.ko
/lib/modules/5.4.51/nf_tables.ko
/lib/modules/5.4.51/nf_tables_set.ko
/lib/modules/5.4.51/x_tables.ko

everything here seems to be fine...

 

Link to comment
Share on other sites

7 hours ago, counterpoint said:

Thanks, yes. It appears you are using a 5.4.51 kernel. I don't have a problem with that image. The thing that has left me puzzled is why the most prominently featured Buster image has a 4.14.187 kernel.   (Page at https://www.armbian.com/odroid-hc1/)

At the time the page was adjusted last time the unmodified kernel directly from Odroid did the best for this board. Maybe this has changed meanwhile, maybe not. Newer kernels have other issues that might be more severe than missing a few iptables modules. Also there might be a chance to adjust the 4.14 kernel via the build-system as well and add those modules by yourself.

Anyway I do not think that this will be fixed by Armbian since it would be no real "stock" kernel anymore :lol:

Link to comment
Share on other sites

Thanks, Werner. My original problem was more severe than just a missing iptables module. So far as I could tell, iptables was completely unusable. And so was ipset. Since those are essential to the way I set up servers, I just couldn't use that version unless those problems could be solved. Unfortunately, I've not seen anything that solves either problem.

 

This is my second Odroid HC1 and the first one was built with the recommended Debian 9 image. That didn't have any of these problems and has been in use for some while. But Debian 9 is getting old now, and didn't seem a sensible choice for a new server.

 

Thanks also to xwiggen. I'm not clear what exactly that would achieve. I'd try it, but right now I don't have a test machine, as the new HC1 is running a live system and the old one has Debian Bullseye installed as an experiment.

Link to comment
Share on other sites

8 hours ago, counterpoint said:

But Debian 9 is getting old now, and didn't seem a sensible choice for a new server.

Depends on how you use it. If you keep it that way you will have peace for the next two years since Stretch is in LTS state and will be supported until June 30, 2022.

Link to comment
Share on other sites

13 hours ago, counterpoint said:

Thanks, Werner. My original problem was more severe than just a missing iptables module. So far as I could tell, iptables was completely unusable. And so was ipset. Since those are essential to the way I set up servers, I just couldn't use that version unless those problems could be solved. Unfortunately, I've not seen anything that solves either problem.

 

This is my second Odroid HC1 and the first one was built with the recommended Debian 9 image. That didn't have any of these problems and has been in use for some while. But Debian 9 is getting old now, and didn't seem a sensible choice for a new server.

 

Thanks also to xwiggen. I'm not clear what exactly that would achieve. I'd try it, but right now I don't have a test machine, as the new HC1 is running a live system and the old one has Debian Bullseye installed as an experiment.

nfnetlink is the comms between userspace iptables/ipset and kernel

Link to comment
Share on other sites

Thanks for the various suggestions. I now have the solution to the problem.

 

Perhaps my original question misled. I was creating a server that was new in the sense of being freshly created from scratch. The hardware was an HC1 that had been in use for a while for a slightly different purpose. The SSD was new, as was the SD card and the Buster image.

 

I have also created a Debian 10 server for another purpose on a brand new HC1. It surprised me to find that I could install the Buster image prominently displayed on https://www.armbian.com/odroid-hc1/ and have ipset and iptables work without issues. Eventually it dawned on me that there must be a difference in the hardware.

 

Updating the firmware of the older HC1 changed the situation. The Buster image with the 4.14.y kernel then worked with no issues for ipset or iptables. Evidently the older HC1 was not immediately compatible with Debian 10 Buster.

Link to comment
Share on other sites

  • counterpoint changed the title to Armbian Buster problems with iptables and ipset (SOLVED)