7.38. ( IPCHAINS rulesets on 2.4.x kernels ) - What the ipchains.o module can do on 2.4.x kernels

Some people would like to continue using their legacy IPCHAINS rulesets on 2.4.x-based kernelw. Unfortunately, unless you are only doing packet firewalling and not trying to do any NATing (MASQ), PORTFW, or other advanced features, you're in trouble.

• If you ARE only doing IPCHAINS filtering, all you need to do is unload all IPTABLES modules shown from the "/sbin/lsmod" command. After that, load the IPCHAINS module by running "/sbin/modprobe ipchains". After that, load your IPCHAINS ruleset as normal.

  • Please note that if you compiled IPTABLES support statically into the kernel, you CANNOT load the "ipchains" module (it shouldn't be even present) as it will conflict with the IPTABLES kernel code. Your ONLY option in this case is to recompile your kernel but make the IPTABLES and IPCHAINS options as modules.

So why can't you run IPCHAINS MASQ/PORTFW functionality with a 2.4.x kernel? Once the IPCHAINS module is loaded, you CANNOT use any IPTABLES commands or modules since the code conflicts. In addition to this, you cannot use any legacy 2.2.x IPCHAINS masq modules on a 2.4.x kernel as the kernels are so radically different. Plus, this really shouldn't be an issue as all of this functionality is available via native IPTABLES modules now. Finally, you cannot use the IPMASQADM tool with a 2.4.x kernel as the program both won't compile and ultimately the PORTFW kernel handlers aren't present anymore (it's now done natively by the IPTABLES code). So, considering all of these facts:

• You cannot run any form of PORTFW on this 2.4.x machine

• Protocols that require special handling like FTP, IRC, CuSeeme, RealAudio, etc. will no longer work

Basically, the ipchains kernel module included with the 2.4.x kernels is intended for basic packet firewall compatibility and NOT any NAT(MASQ) functionality.