iptables with Debian kernel 2.2.x

wmorgan1973
Posts: 4
Joined: 2006-04-18 16:52
Location: N. Virginia

iptables with Debian kernel 2.2.x

#1 Post by wmorgan1973 »

I inherited my brother-in-law's Debian Server in the last year after he passed away at 30. I'm an 8 year user of Solaris, but never had full control of the system.
I tried to start iptables service the other day but it said it couldn't start because of my kernel version. I was going to block google, msn, and other bots that hit the webserver daily. Is updating my kernel really worth the trouble just to block some bots? I'm asking because the system is very stable right now and I haven't upgraded a Debian kernel and wasn't sure what to expect as far as things that may not work correctly after the update. Is there a way to back out the kernel update if it doesn't work correctly? Also can I use apt-get to upgrade the kernel?

Jeroen
Debian Developer, Site Admin
Posts: 483
Joined: 2004-04-06 18:19
Location: Utrecht, NL

#2 Post by Jeroen »

It's certainly worth it to run a newer kernel, I'd go for 2.6 right away if you're running 'stable' (sarge). Sarge works fine on 2.6.

Upgrading your kernel will change certain things, especially w.r.t. hardware recognition and how that stuff works. In most cases, it shouldn't matter, but you never know. You should be able to apt-get install kernel-image-2.6-<subarch> (where <subarch> can be 'k7' for most amd processors or '686' for pentium and the like, or a lot of others depending on your hardware).

Note that with a standard Debian kernel, you need an initrd, and that might not currently be the case for you. This means getting your boot loader configured correctly. Anyway, yes, you *should* be able to just install it, and roll back to using your current kernel. Replacing a woody (?) installed kernel though can become tricky, so I'd be careful unless you've done so before or don't mind to google etc for how to solve certain issues, and have a boot cd handy.

jjmac
Posts: 384
Joined: 2005-12-28 23:34
Location: Australia

#3 Post by jjmac »

>>
I tried to start iptables service the other day but it said it couldn't start because of my kernel version.
>>

You can have multiple kernels configured in your boot loader. So you don't have to give up an existing one, just to use another.

>>
Is updating my kernel really worth the trouble just to block some bots?
>>

As the kernel progresses so do its facilities ... scheduling, mem management, scalability, efficiency etc ....

Besides, iptables doesn't work with 2.2.x -=-=- at least i never thought it did.

I think that's more ipchains territory.

Different distros apply their own specialised patches, so a manual build may involve some tracking down of those things. But that's all par for the course really. Once the fetching locations are established it should just become clockwork.

As a home user i don't have the same imperatives that a server installation would have. My main issue is performance and desktop usability with multiple applications running.

The 2.6 series has been a gem there. And problems ... they have been minimal, but not completely absent.

I'll give a plug for Con Kolivas's "ck" patches, a server version is available too ... but i'm heavily biased in that direction :).

The initial configuration (use a graphical config ... ] $ make help) takes some time, but once an initial config is established and saved ... it can be used as a jump off point for further upgrades. A lot of people forget to save their ".conf" file, or if they do, they leave the "dot" prefix. And a "make mrproper" just wipes it out on them ...., but easily solvable with a saved file.

iptables is really easy to configure too, so i'd say it was well worth it. I don't get any online time, as a home user, without finding a few MySql probes in my "snort" logs. Even though it all seems quiet currently, a year or so back it seemed like a probe free for all was going on.

Roll back -=- as mentioned, you can have a number of kernels configured via your loader. So there isn't really much to it there really.

jm
Humpty Dumpty Was Pushed !
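
As an added example that is not part of any post in this thread: a POSIX shell helper that maps a `uname -r` string to the packet filter tool for that kernel series (ipchains on 2.2, iptables from 2.4, as the replies above indicate) and prints, without running it, a rule that drops TCP traffic to the web port from one source range. The function names are hypothetical, and the release strings and the 192.0.2.0/24 documentation range are constructed sample values.

```shell
#!/bin/sh
# Added example. Release strings and the source range are constructed.

# Print the packet filter tool for a `uname -r` style release string:
# 2.0 -> ipfwadm, 2.2 -> ipchains, 2.4 and later -> iptables.
fw_tool_for_kernel() {
    rel=$1
    case $rel in *.*) ;; *) echo unknown; return 1 ;; esac
    major=${rel%%.*}            # text before the first dot
    rest=${rel#*.}              # text after the first dot
    minor=${rest%%[!0-9]*}      # leading digits of that remainder
    case $major in ''|*[!0-9]*) echo unknown; return 1 ;; esac
    [ -n "$minor" ] || { echo unknown; return 1; }
    case $major.$minor in
        2.0) echo ipfwadm ;;
        2.2) echo ipchains ;;
        0.*|1.*|2.1|2.3) echo unknown; return 1 ;;  # pre-2.0 or development series
        *) echo iptables ;;
    esac
}

# Print (do not run) a rule dropping TCP traffic from $2 to local port $3,
# in the syntax of the tool that fits kernel release $1.
block_rule() {
    tool=$(fw_tool_for_kernel "$1") || {
        echo "no known packet filter for '$1'" >&2; return 1; }
    src=$2; port=$3
    # Accept only address/prefix characters and digits so the printed
    # command cannot carry extra shell syntax.
    case $src in ''|*[!0-9./]*) echo "bad source: $src" >&2; return 2 ;; esac
    case $port in ''|*[!0-9]*) echo "bad port: $port" >&2; return 2 ;; esac
    case $tool in
        iptables) echo "iptables -A INPUT -p tcp -s $src --dport $port -j DROP" ;;
        ipchains) echo "ipchains -A input -p tcp -s $src -d 0.0.0.0/0 $port -j DENY" ;;
        *) echo "rule syntax for $tool not covered here" >&2; return 1 ;;
    esac
}

# Constructed demo: a 2.2 kernel next to a sarge 2.6 kernel.
block_rule 2.2.20-idepci 192.0.2.0/24 80
block_rule 2.6.8-2-k7 192.0.2.0/24 80
```

Passing `"$(uname -r)"` as the first argument shows which syntax applies to the running kernel before any rule is loaded.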
