Networking Forums

iptables masquerading problem

 
 
Richard Wilhelm
      12-23-2003, 12:19 PM
Hi.

I have a shell script, which starts my iptables rules.
The script loads all necessary kernel modules manually, so that this
could not be the problem.

There is only one chain, which doesn't work in a correct way:

***

[root]# /sbin/iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

iptables: Invalid argument

***

Which argument is invalid? I don't understand...
Please help me
I added my script at the end.

Thank you...

If you want to see the verbose message:

***

[root]# /sbin/iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE -vv

MASQUERADE all opt -- in * out ppp0 0.0.0.0/0 -> 0.0.0.0/0
libiptc v1.2.8. 5 entries, 788 bytes.
Table `nat'
Hooks: pre/in/fwd/out/post = 0/0/0/464/148
Underflows: pre/in/fwd/out/post = 0/0/0/464/316
Entry 0 (0):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 165 packets, 9928 bytes
Cache: 00000000
Target name: `' [36]
verdict=NF_ACCEPT

Entry 1 (148):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `ppp0'/XXXXX...........
Protocol: 0
Flags: 00
Invflags: 00
Counters: 0 packets, 0 bytes
Cache: 00004008 UNKNOWN IP_IF_OUT
Target name: `MASQUERADE' [56]

Entry 2 (316):

SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 19 packets, 1906 bytes
Cache: 00000000
Target name: `' [36]
verdict=NF_ACCEPT

Entry 3 (464):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 19 packets, 1906 bytes
Cache: 00000000
Target name: `' [36]
verdict=NF_ACCEPT

Entry 4 (612):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 0 packets, 0 bytes
Cache: 00000000
Target name: `ERROR' [64]
error=`ERROR'

iptables: Invalid argument

***

My script:

***

#!/bin/sh

IPTABLES=/sbin/iptables
DEPMOD=/sbin/depmod
MODPROBE=/sbin/modprobe

EXTIF="ppp0"
INTIF="eth0"

$DEPMOD -a

$MODPROBE ip_tables
$MODPROBE ip_conntrack
$MODPROBE ip_conntrack_ftp
$MODPROBE ip_conntrack_irc
$MODPROBE iptable_nat
$MODPROBE ip_nat_ftp
# note: the MASQUERADE target module itself (ipt_MASQUERADE) is not loaded explicitly here

echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_dynaddr

Any=0.0.0.0/0

echo "Clearing any existing rules and setting default policy.."
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -t nat -F

echo "Allow all connections IN on internal interfaces and loopback"
$IPTABLES -t filter -A INPUT -s $Any -d $Any -i eth0 -j ACCEPT
$IPTABLES -t filter -A INPUT -s $Any -d $Any -i lo -j ACCEPT

echo "FWD: Allow all connections OUT and only existing and related ones IN"
$IPTABLES -t filter -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -t filter -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
$IPTABLES -t filter -A FORWARD -j LOG

echo "Enabling SNAT (MASQUERADE) functionality on $EXTIF"
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

***
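The script above runs its iptables commands without looking at their exit status, so a rejected rule is only noticed from the stray "Invalid argument" line. As an added example (my code, not Richard's script and not part of the thread), here is the same rule set applied one command at a time through a wrapper that first checks the kernel's registered targets and matches, then stops at the first command the kernel refuses and names it. Assumptions not taken from the thread: the kernel lists registered targets in /proc/net/ip_tables_targets and matches in /proc/net/ip_tables_matches (both paths are overridable so the checks can be exercised against copies of those files), the function names, and the EXTIF/INTIF defaults.

```shell
#!/bin/sh
# Added example, not Richard's script: apply the same rules one at a time,
# checking first that the kernel has the target (-j) and match (-m) each rule
# needs, and stop at the first command iptables rejects, naming that command.
# Assumptions (not from the thread): registered targets/matches are listed in
# /proc/net/ip_tables_targets and /proc/net/ip_tables_matches; both paths can
# be overridden so the checks can be exercised against copies of those files.

IPTABLES=${IPTABLES:-/sbin/iptables}
TARGETS_FILE=${TARGETS_FILE:-/proc/net/ip_tables_targets}
MATCHES_FILE=${MATCHES_FILE:-/proc/net/ip_tables_matches}
EXTIF=${EXTIF:-ppp0}
INTIF=${INTIF:-eth0}

# have_target NAME [FILE]: succeed if NAME is a registered target.
# ACCEPT/DROP/RETURN/QUEUE are built-in verdicts and never appear in the file.
have_target() {
    case $1 in
        ACCEPT|DROP|RETURN|QUEUE) return 0 ;;
    esac
    grep -qx "$1" "${2:-$TARGETS_FILE}" 2>/dev/null
}

# have_match NAME [FILE]: same for match extensions (-m NAME).
have_match() {
    grep -qx "$1" "${2:-$MATCHES_FILE}" 2>/dev/null
}

# iface_up NAME [DEVFILE]: succeed if NAME has a line in /proc/net/dev.
# iptables accepts -i/-o for an interface that does not exist yet (ppp0 before
# the link is dialled), so a miss here is only worth a warning.
iface_up() {
    grep -q "^ *$1:" "${2:-/proc/net/dev}" 2>/dev/null
}

# rule_prereqs "ARGS": scan a rule's words for -j/-m and fail with a message
# if the kernel lacks the target or match (user-defined chains as -j targets
# are not handled here).
rule_prereqs() {
    set -- $1
    while [ $# -gt 0 ]; do
        case $1 in
            -j) have_target "$2" || { echo "missing target: $2" >&2; return 1; }; shift ;;
            -m) have_match "$2"  || { echo "missing match: $2" >&2; return 1; }; shift ;;
        esac
        shift
    done
    return 0
}

# run_rule ARGS...: run one iptables command and report exactly which one
# failed instead of letting the error scroll past.
run_rule() {
    rule_prereqs "$*" || { echo "skipped: $IPTABLES $*" >&2; return 1; }
    rc=0
    "$IPTABLES" "$@" || rc=$?
    [ "$rc" -eq 0 ] || echo "FAILED (exit $rc): $IPTABLES $*" >&2
    return "$rc"
}

# apply_rules: the rule set from the script above, applied through run_rule.
apply_rules() {
    iface_up "$EXTIF" || echo "note: $EXTIF is not up yet; -o $EXTIF rules still load" >&2
    run_rule -P FORWARD DROP &&
    run_rule -F FORWARD &&
    run_rule -t nat -F &&
    run_rule -A INPUT -i "$INTIF" -j ACCEPT &&
    run_rule -A INPUT -i lo -j ACCEPT &&
    run_rule -A FORWARD -i "$EXTIF" -o "$INTIF" -m state --state ESTABLISHED,RELATED -j ACCEPT &&
    run_rule -A FORWARD -i "$INTIF" -o "$EXTIF" -j ACCEPT &&
    run_rule -A FORWARD -j LOG &&
    run_rule -t nat -A POSTROUTING -o "$EXTIF" -j MASQUERADE
}

# Only apply when invoked as "./rules.sh --apply"; sourcing the file just
# defines the functions.
if [ "${1:-}" = "--apply" ]; then
    apply_rules
fi
```

Running `./rules.sh --apply` on the firewall applies the rules in order; if the MASQUERADE rule is the one the kernel rejects, the last line on stderr says so, and a `missing target: MASQUERADE` line before it would mean the target is simply not registered in the running kernel (module not loaded or not built), which is a different problem from the kernel rejecting the rule's contents.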
 
Matthew
      12-23-2003, 03:08 PM
Richard Wilhelm wrote:
> I have a shell script, which starts my iptables rules.
> [...]
> [root]# /sbin/iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
>
> iptables: Invalid argument
> [...]

I've set up a few of these and it looks like this should be the script
you want to have.
It will allow all outgoing traffic from inside your network, and the
incoming traffic related to that traffic that was sent out. All other
traffic through the firewall is by default blocked. You may also want to
do this, replacing the IP address and netmask with that of your network:

$IPTABLES -A FORWARD -s 192.168.0.0/255.255.255.0 -i $EXTIF -j DROP

That will block spoofers, and then you may want to add filtering to your
input chain and make sure your hosts.allow and hosts.deny files are up
to date.

Matt


#!/bin/sh
#
FWVER=12.01.03
#
# -IP Masquerade for iptables
#
echo -e "\n\nLoading simple rc.firewall version $FWVER..\n"


IPTABLES=/sbin/iptables
DEPMOD=/sbin/depmod
MODPROBE=/sbin/modprobe
EXTIF="ppp0"          # external (dial-up) interface: ppp zero, not "pppo"
INTIF="eth0"          # internal LAN interface
echo " External Interface: $EXTIF"
echo " Internal Interface: $INTIF"
echo -en "loading modules: "
echo -en "loading modules: "

echo -en "verifying all kernel modules are ok"
$DEPMOD -a
echo "----------------------------------------------------------------------"
echo -en "ip_tables, "
$MODPROBE ip_tables
echo -en "ip_conntrack, "
$MODPROBE ip_conntrack
echo -en "ip_conntrack_irc, "
$MODPROBE ip_conntrack_irc
echo -en "iptable_nat, "
$MODPROBE iptable_nat
echo -en "ip_nat_ftp, "
$MODPROBE ip_nat_ftp
echo -e "ip_nat_irc"
$MODPROBE ip_nat_irc
echo -e " Done loading modules.\n"
echo " Enabling forwarding.."
echo "1" > /proc/sys/net/ipv4/ip_forward
echo " Enabling DynamicAddr.."
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
echo " Clearing any existing rules and setting default policy.."
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -t nat -F
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -j LOG
echo " Enabling SNAT (MASQUERADE) functionality on $EXTIF"
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
echo -e "\nrc.firewall v$FWVER done.\n"
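Matthew's anti-spoofing rule, written out as a reusable function. This is an added example (my code, not from either poster): it validates each network argument before touching the firewall, keeps the rules in their own chain hooked in at the top of FORWARD and INPUT so they run ahead of the ESTABLISHED,RELATED accept and the "allow everything from eth0" rules in the scripts above, and logs (rate-limited with -m limit) before dropping so spoofed packets are visible in the kernel log rather than silently discarded. Assumptions not taken from the thread: the chain name antispoof, the log prefix, and the convention that IPTABLES may point at any command (such as echo, or a shell function that records its arguments) for a dry run.

```shell
#!/bin/sh
# Added example, not code from either poster: Matthew's anti-spoofing rule as a
# function. Packets arriving on the external interface that claim an internal
# source address are logged (rate-limited) and dropped, from a dedicated chain
# hooked in at the top of FORWARD and INPUT so it runs before any ACCEPT.
# Assumptions (not from the thread): the chain name "antispoof", the log prefix,
# and the convention that IPTABLES may point at any command (e.g. echo, or a
# shell function that records its arguments) for a dry run.

IPTABLES=${IPTABLES:-/sbin/iptables}

# valid_ipv4 A.B.C.D: four octets, each 0-255
valid_ipv4() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# valid_net NET: ADDR/PREFIXLEN or ADDR/NETMASK, the two forms iptables takes
valid_net() {
    case $1 in
        */*) addr=${1%/*}; mask=${1#*/} ;;
        *)   return 1 ;;
    esac
    valid_ipv4 "$addr" || return 1
    case $mask in
        *.*)         valid_ipv4 "$mask" ;;
        ''|*[!0-9]*) return 1 ;;
        *)           [ "$mask" -le 32 ] ;;
    esac
}

# antispoof EXTIF NET...: reject each NET as a source address on EXTIF,
# logging first. Fails before touching any rule if a NET is malformed.
antispoof() {
    ext=$1; shift
    [ $# -gt 0 ] || { echo "antispoof: no networks given" >&2; return 1; }
    for net in "$@"; do
        valid_net "$net" || { echo "antispoof: bad network '$net'" >&2; return 1; }
    done
    "$IPTABLES" -N antispoof 2>/dev/null || true   # chain may already exist
    "$IPTABLES" -F antispoof || return 1
    for net in "$@"; do
        "$IPTABLES" -A antispoof -s "$net" -m limit --limit 5/min -j LOG --log-prefix "spoof: " || return 1
        "$IPTABLES" -A antispoof -s "$net" -j DROP || return 1
    done
    # Position 1 so the check precedes the ESTABLISHED,RELATED accept and the
    # unconditional accepts from the internal interface.
    "$IPTABLES" -I FORWARD 1 -i "$ext" -j antispoof || return 1
    "$IPTABLES" -I INPUT 1 -i "$ext" -j antispoof || return 1
}

# Usage: ./antispoof.sh --apply ppp0 192.168.0.0/255.255.255.0 [NET...]
# Dry run (prints the commands instead of running them):
#   IPTABLES=echo ./antispoof.sh --apply ppp0 192.168.0.0/24
if [ "${1:-}" = "--apply" ]; then
    shift
    antispoof "$@"
fi
```

Re-running the function is safe: the chain is flushed and refilled, and only the two jump rules are inserted again (remove the old jumps first if you re-run it from a script that does not flush FORWARD and INPUT).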
