[iptables] sparc64, NAT and MASQUERADE

JKB
Guest
Posts: n/a

 
      12-06-2005, 04:07 PM
Hello,

I'm trying to use iptables on an UltraSPARC U60 (SMP) without any
success. I use the same version of iptables on several i386 machines, a
U420R (kernel 2.4 SMP) and a U1E with success...

Root bohr:[~] > lsmod
Module Size Used by
iptable_mangle 3328 0
autofs4 18632 1
ipt_TCPMSS 4800 0
ipt_tcpmss 3008 0
ipt_MASQUERADE 3844 1
iptable_nat 8708 1
ip_nat 20824 2 ipt_MASQUERADE,iptable_nat
ip_conntrack 60264 3 ipt_MASQUERADE,iptable_nat,ip_nat
iptable_filter 3392 0
ip_tables 21184 6 iptable_mangle,ipt_TCPMSS,ipt_tcpmss,ipt_MASQUERADE,iptable_nat,iptable_filter
sg 33720 0
sr_mod 16940 0
cdrom 40880 1 sr_mod
usblp 12928 0
parport_pc 39816 0
parport 41688 1 parport_pc
Root bohr:[~] > iptables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Root bohr:[~] > iptables -t nat -L -n
Chain PREROUTING (policy ACCEPT)
target prot opt source destination

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- 192.168.0.0/24 0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Root bohr:[~] > cat /proc/sys/net/ipv4/ip_forward
1
Root bohr:[~] >

192.168.0.100 is an i386 workstation. Its default gateway is
192.168.0.128.

192.168.0.128 is the second Ethernet interface of my U60. The address of the
first one is 10.0.0.1, and it is used as the underlying link for ppp0.

When I try to ping www.kernel.org from 192.168.0.200, I can see:
Root bohr:[~] > tcpdump -i eth1 proto ICMP
tcpdump: verbose output suppressed, use -v or -vv for full protocol
decode
listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
18:04:56.333172 IP 192.168.0.100 > zeus-pub1.kernel.org: ICMP echo
request, id 53550, seq 13056, length 64
18:04:57.337379 IP 192.168.0.100 > zeus-pub1.kernel.org: ICMP echo
request, id 53550, seq 13312, length 64
18:04:58.341366 IP 192.168.0.100 > zeus-pub1.kernel.org: ICMP echo
request, id 53550, seq 13568, length 64
18:04:59.345455 IP 192.168.0.100 > zeus-pub1.kernel.org: ICMP echo
request, id 53550, seq 13824, length 64

4 packets captured
8 packets received by filter
0 packets dropped by kernel
Root bohr:[~] > tcpdump -i ppp0 proto ICMP
tcpdump: verbose output suppressed, use -v or -vv for full protocol
decode
listening on ppp0, link-type LINUX_SLL (Linux cooked), capture size 96
bytes
18:05:36.501017 IP bohr.systella.fr > zeus-pub1.kernel.org: ICMP echo
request, id 53550, seq 23296, length 64
18:05:36.712653 IP zeus-pub1.kernel.org > bohr.systella.fr: ICMP echo
reply, id 53550, seq 23296, length 64
18:05:37.505105 IP bohr.systella.fr > zeus-pub1.kernel.org: ICMP echo
request, id 53550, seq 23552, length 64
18:05:37.717251 IP zeus-pub1.kernel.org > bohr.systella.fr: ICMP echo
reply, id 53550, seq 23552, length 64
18:05:38.509186 IP bohr.systella.fr > zeus-pub1.kernel.org: ICMP echo
request, id 53550, seq 23808, length 64
18:05:38.723250 IP zeus-pub1.kernel.org > bohr.systella.fr: ICMP echo
reply, id 53550, seq 23808, length 64

6 packets captured
12 packets received by filter
0 packets dropped by kernel
Root bohr:[~] >

Thus, all packets that come from 192.168.0.100 are routed via ppp0.
www.kernel.org answers my ping, but my U60 doesn't transmit the
incoming packet to 192.168.0.100. Why? Any idea?

Regards,

JKB
 
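The exchange JKB captured, modelled as an added example (not code from the thread or from netfilter): a conntrack-style table records the outbound mapping at POSTROUTING, and a reply arriving on ppp0 is rewritten back to 192.168.0.100 only if it matches a recorded entry. The hostnames are assumed to stand for the addresses tcpdump resolved them from.

```python
import re

# Toy model of the conntrack + MASQUERADE state behind the thread's ICMP exchange.
# Added example, not netfilter code; hostnames stand for tcpdump-resolved addresses.
GATEWAY_EXT = "bohr.systella.fr"          # ppp0 side of the U60
REMOTE = "zeus-pub1.kernel.org"

# Summary lines copied from JKB's eth1 and ppp0 captures.
ETH1_REQUEST = ("18:04:56.333172 IP 192.168.0.100 > zeus-pub1.kernel.org: "
                "ICMP echo request, id 53550, seq 13056, length 64")
PPP0_REPLY = ("18:05:36.712653 IP zeus-pub1.kernel.org > bohr.systella.fr: "
              "ICMP echo reply, id 53550, seq 23296, length 64")
LINE_RE = re.compile(
    r"IP (\S+) > (\S+): ICMP echo (request|reply), id (\d+), seq (\d+)")

def parse(line):
    """Pull src, dst, direction, ICMP id and seq out of a tcpdump summary line."""
    m = LINE_RE.search(line)
    if not m:
        raise ValueError("not an ICMP echo line: " + line)
    src, dst, kind, ident, seq = m.groups()
    return {"src": src, "dst": dst, "kind": kind, "id": int(ident), "seq": int(seq)}

class Masquerade:
    """Conntrack-style table keyed on the expected reply tuple (remote, ICMP id)."""
    def __init__(self, ext_addr):
        self.ext = ext_addr
        self.table = {}

    def postrouting(self, pkt):
        """Outbound on ppp0: rewrite the source to the ppp0 address, record the mapping."""
        self.table[(pkt["dst"], pkt["id"])] = pkt["src"]
        return {**pkt, "src": self.ext}

    def prerouting(self, pkt):
        """Inbound on ppp0: undo the NAT only if the reply matches a recorded tuple."""
        lan = self.table.get((pkt["src"], pkt["id"]))
        if lan is None or pkt["dst"] != self.ext:
            return None  # no state: the reply stays addressed to the gateway itself
        return {**pkt, "dst": lan}

def forward_reply(request_line, reply_line, lose_state=False):
    """LAN address the reply is rewritten to, or None if conntrack holds no entry."""
    nat = Masquerade(GATEWAY_EXT)
    nat.postrouting(parse(request_line))
    if lose_state:
        nat.table.clear()  # entry never created or dropped: JKB's symptom
    out = nat.prerouting(parse(reply_line))
    return None if out is None else out["dst"]
```

With state present the reply is delivered to 192.168.0.100; with the entry missing it is not rewritten and stays addressed to the gateway, which is what the ppp0 capture shows.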
 
 
 
 
Robert
Guest
Posts: n/a

 
      12-06-2005, 09:54 PM
On Tue, 06 Dec 2005 17:07:25 +0000, JKB wrote:

> Root bohr:[~] > iptables -L -n


Post your iptable rules. It's a lot easier to follow and see what is
wrong if anything.


--

Regards
Robert

Smile... it increases your face value!


----== Posted via Newsfeeds.Com - Unlimited-Unrestricted-Secure Usenet News==----
http://www.newsfeeds.com The #1 Newsgroup Service in the World! 120,000+ Newsgroups
----= East and West-Coast Server Farms - Total Privacy via Encryption =----
 
 
JKB
Guest
Posts: n/a

 
      12-07-2005, 07:31 AM
On 06-12-2005, regarding
Re: [iptables] sparc64, NAT and MASQUERADE,
Robert wrote in comp.os.linux.networking:
> On Tue, 06 Dec 2005 17:07:25 +0000, JKB wrote:
>
>> Root bohr:[~] > iptables -L -n

>
> Post your iptable rules. It's a lot easier to follow and see what is
> wrong if anything.


Root bohr:[~] > cat /var/lib/iptables/active
# Generated by iptables-save v1.2.7a on Tue Mar 4 10:43:40 2003
*nat
:PREROUTING ACCEPT [5:340]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [334:24336]
[334:24336] -A POSTROUTING -s 192.168.0.0/255.255.255.0 -j MASQUERADE
COMMIT
# Completed on Tue Mar 4 10:43:40 2003
# Generated by iptables-save v1.2.7a on Tue Mar 4 10:43:40 2003
*filter
:INPUT ACCEPT [3612:629789]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [3708:560260]
COMMIT
# Completed on Tue Mar 4 10:43:40 2003
Root bohr:[~] > ifconfig
eth0 Lien encap:Ethernet HWaddr 08:00:20:A1:4B:33
inet adr:10.0.0.1 Bcast:10.255.255.255 Masque:255.0.0.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:7471 errors:0 dropped:0 overruns:0 frame:0
TX packets:7706 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 lg file transmission:1000
RX bytes:1852008 (1.7 MiB) TX bytes:511958 (499.9 KiB)
Interruption:96 Adresse de base:0x9800

eth1 Lien encap:Ethernet HWaddr 08:00:20:A1:4B:33
inet adr:192.168.0.128 Bcast:192.168.0.255 Masque:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:5707 errors:0 dropped:0 overruns:0 frame:0
TX packets:5945 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 lg file transmission:1000
RX bytes:836275 (816.6 KiB) TX bytes:2728450 (2.6 MiB)
Interruption:96 Adresse de base:0x9800

lo Lien encap:Boucle locale
inet adr:127.0.0.1 Masque:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:9235 errors:0 dropped:0 overruns:0 frame:0
TX packets:9235 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 lg file transmission:0
RX bytes:2910838 (2.7 MiB) TX bytes:2910838 (2.7 MiB)

ppp0 Lien encap:Protocole Point-à-Point
inet adr:213.41.140.153 P-t-P:62.4.16.251 Masque:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1492 Metric:1
RX packets:2824 errors:0 dropped:0 overruns:0 frame:0
TX packets:3057 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 lg file transmission:3
RX bytes:1492107 (1.4 MiB) TX bytes:289438 (282.6 KiB)

Root bohr:[~] > route
Table de routage IP du noyau
Destination Passerelle Genmask Indic Metric Ref Use Iface
lo1-lns102-tip- * 255.255.255.255 UH 0 0 0 ppp0
localnet * 255.255.255.0 U 0 0 0 eth1
10.0.0.0 * 255.0.0.0 U 0 0 0 eth0
default lo1-lns102-tip- 0.0.0.0 UG 0 0 0 ppp0
Root bohr:[~] > uname -a
Linux bohr 2.6.14.3 #1 SMP Sun Dec 4 22:16:11 CET 2005 sparc64 GNU/Linux
Root bohr:[~] > iptables -V
iptables v1.3.3
Root bohr:[~] >

This configuration worked fine with a 2.4 kernel. I have switched to
2.6 because I need some new features. I have tried to rebuild iptables
to obtain 64-bit executables (not 32-bit ones). I don't understand,
because on a U1E with kernel 2.6.14.2, I don't have any trouble with
iptables. The main difference between both workstations is the SMP flag
on the U60.

Config :

192.168.0.0/24------192.168.0.128
U60
10.0.0.1 (and ppp0)--------WAN

All packets are accepted in all iptables chains. I don't
understand...

Regards,

JKB
 
 
Robert
Guest
Posts: n/a

 
      12-08-2005, 01:27 AM
On Wed, 07 Dec 2005 08:31:19 +0000, JKB wrote:

>> Post your iptable rules. It's a lot easier to follow and see what is
>> wrong if anything.

>
> Root bohr:[~] > cat /var/lib/iptables/active


This is not what I was looking for. Go to /etc/sysconf/. Find iptables
there and copy the contents and post them.


--

Regards
Robert

Smile... it increases your face value!


 
 
JKB
Guest
Posts: n/a

 
      12-08-2005, 09:21 AM
On 08-12-2005, regarding
Re: [iptables] sparc64, NAT and MASQUERADE,
Robert wrote in comp.os.linux.networking:
> On Wed, 07 Dec 2005 08:31:19 +0000, JKB wrote:
>
>>> Post your iptable rules. It's a lot easier to follow and see what is
>>> wrong if anything.

>>
>> Root bohr:[~] > cat /var/lib/iptables/active

>
> This is not what I was looking for. Go to /etc/sysconf/. Find iptables
> there and copy the contents and post them.


I don't have any /etc/sysconf directory, I use a Debian/sparc.

Root bohr:[/etc] > find . -name "*tables"
./default/iptables
./init.d/iptables
./rc2.d/S14iptables
./iproute2/rt_tables

Regards,

JKB
 
 
Tauno Voipio
Guest
Posts: n/a

 
      12-08-2005, 04:31 PM
JKB wrote:
> On 08-12-2005, regarding
> Re: [iptables] sparc64, NAT and MASQUERADE,
> Robert wrote in comp.os.linux.networking:
>
>>On Wed, 07 Dec 2005 08:31:19 +0000, JKB wrote:
>>
>>
>>>>Post your iptable rules. It's a lot easier to follow and see what is
>>>>wrong if anything.
>>>
>>>Root bohr:[~] > cat /var/lib/iptables/active

>>
>>This is not what I was looking for. Go to /etc/sysconf/. Find iptables
>>there and copy the contents and post them.

>
>
> I don't have any /etc/sysconf directory, I use a Debian/sparc.
>
> Root bohr:[/etc] > find . -name "*tables"
> ./default/iptables
> ./init.d/iptables
> ./rc2.d/S14iptables
> ./iproute2/rt_tables
>
> Regards,
>
> JKB


It's this one:


/etc/init.d/iptables


or a file sourced by it.

--

Tauno Voipio
tauno voipio (at) iki fi
 
 
JKB
Guest
Posts: n/a

 
      12-09-2005, 07:48 AM
On 08-12-2005, regarding
Re: [iptables] sparc64, NAT and MASQUERADE,
Tauno Voipio wrote in comp.os.linux.networking:
> JKB wrote:
>> On 08-12-2005, regarding
>> Re: [iptables] sparc64, NAT and MASQUERADE,
>> Robert wrote in comp.os.linux.networking:
>>
>>>On Wed, 07 Dec 2005 08:31:19 +0000, JKB wrote:
>>>
>>>
>>>>>Post your iptable rules. It's a lot easier to follow and see what is
>>>>>wrong if anything.
>>>>
>>>>Root bohr:[~] > cat /var/lib/iptables/active
>>>
>>>This is not what I was looking for. Go to /etc/sysconf/. Find iptables
>>>there and copy the contents and post them.

>>
>>
>> I don't have any /etc/sysconf directory, I use a Debian/sparc.
>>
>> Root bohr:[/etc] > find . -name "*tables"
>> ./default/iptables
>> ./init.d/iptables
>> ./rc2.d/S14iptables
>> ./iproute2/rt_tables
>>
>> Regards,
>>
>> JKB

>
> It's this one:
>
>
> /etc/init.d/iptables
>
>
> or a file sourced by it.


I have sent this file...

Root bohr:[/var/lib/iptables] > cat active
# Generated by iptables-save v1.2.7a on Tue Mar 4 10:43:40 2003
*nat
:PREROUTING ACCEPT [5:340]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [334:24336]
[334:24336] -A POSTROUTING -s 192.168.0.0/255.255.255.0 -j MASQUERADE
COMMIT
# Completed on Tue Mar 4 10:43:40 2003
# Generated by iptables-save v1.2.7a on Tue Mar 4 10:43:40 2003
*filter
:INPUT ACCEPT [3612:629789]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [3708:560260]
COMMIT
# Completed on Tue Mar 4 10:43:40 2003
Root bohr:[/var/lib/iptables] > cat /etc/init.d/iptables
#!/bin/sh
# Debian iptables init script as posted, re-indented, with the quoting and
# test-expression bugs fixed and comments added.

set -e

PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# Site settings: enable_autosave, enable_save_counters, iptables_command.
default=/etc/default/iptables
if test -f "$default"; then
    . "$default"
fi

# Abort quietly (exit 0, so boot continues) if a required executable is missing.
have_a_cow_man () {
    for i in "$@"; do
        if ! command -v "$i" >/dev/null 2>&1; then
            echo "Aborting iptables initd: no $i executable."
            exit 0
        fi
    done
}

iptables="/sbin/${iptables_command-iptables}"
iptables_save="${iptables}-save"
iptables_restore="${iptables}-restore"

have_a_cow_man "$iptables_save" "$iptables_restore"

libdir=/var/lib/iptables
autosave="${libdir}/autosave"
initd="$0"

# Drop every rule (lines containing '-') and flip chain policies to ACCEPT.
initd_clear () {
    rm -f "$autosave"
    echo -n "Clearing iptables ruleset: default ACCEPT policy"
    $iptables_save | sed "/-/d;/^#/d;s/DROP/ACCEPT/" | $iptables_restore
    echo "."
}

# Same, but with a default DROP policy on every chain.
initd_halt () {
    rm -f "$autosave"
    echo -n "Clearing iptables ruleset: default DROP policy"
    $iptables_save | sed "/-/d;/^#/d;s/ACCEPT/DROP/" | $iptables_restore
    echo "."
}

initd_load () {
    ruleset="$libdir/$1"
    name="${ruleset#${libdir}/}"
    if ! test -f "$ruleset"; then
        echo "Aborting iptables load: unknown ruleset, \"$1\"."
        # The original tested '= active -o inactive', which is always true;
        # print usage only when the name is neither built-in ruleset.
        if ! test "$name" = active -o "$name" = inactive; then
            usage
        fi
        exit 0
    fi
    # Switching to "inactive" (stop) may first autosave the running rules.
    if test "$name" = inactive; then
        initd_autosave
    fi
    rm -f "$autosave"
    echo -n "Loading iptables ruleset: load \"$1\""
    $iptables_restore < "$ruleset"
    echo "."
}

# Write the running ruleset to $ruleset, with or without packet counters.
initd_counters () {
    if test "${enable_save_counters:-false}" = true; then
        echo -n " with counters"
        $iptables_save -c > "$ruleset"
    else
        # Zero the per-chain policy counters before saving.
        $iptables_save | sed '/^:/s@\[[0-9]\{1,\}:[0-9]\{1,\}\]@[0:0]@g' \
            > "$ruleset"
    fi
}

initd_save () {
    rm -f "$autosave"
    ruleset="${libdir}/$1"
    echo -n "Saving iptables ruleset: save \"$1\""
    initd_counters
    echo "."
}

# Save the running rules as "active" if autosave is enabled and armed.
initd_autosave () {
    if test -f "$autosave" -a "${enable_autosave-false}" = true; then
        ruleset="${libdir}/active"
        echo -n "Autosaving iptables ruleset: save \"active\""
        initd_counters
        echo "."
    fi
}

usage () {
    # List saved rulesets, hiding the "autosave" marker file.
    current="$(ls -m /var/lib/iptables \
        | sed 's/ \{0,1\}autosave,\{0,1\} \{0,1\}//')"
    cat << END
$initd options:
    start|restart|reload|force-reload
        load the "active" ruleset
    save <ruleset>
        save the current ruleset
    load <ruleset>
        load a ruleset
    stop
        load the "inactive" ruleset
    clear
        remove all rules and user-defined chains, set default policy to ACCEPT
    halt
        remove all rules and user-defined chains, set default policy to DROP

Saved rulesets:
    $current

Please read: $default

END
}

case "$1" in
    start|restart|reload|force-reload)
        initd_load active
        if test "${enable_autosave-false}" = true; then
            touch "$autosave"
        fi
        ;;
    stop)
        initd_load inactive
        ;;
    clear)
        initd_clear
        ;;
    halt)
        initd_halt
        ;;
    save)
        shift
        initd_save "$1"
        ;;
    load)
        shift
        initd_load "$1"
        ;;
    save_active)   # legacy option
        initd_save active
        ;;
    save_inactive) # legacy option
        initd_save inactive
        ;;
    *)
        if test -n "$*"; then
            echo "Aborting iptables initd: unknown command(s): \"$*\"."
        fi
        usage
        ;;
esac

exit 0

Regards,

JKB
 
 
Robert
Guest
Posts: n/a

 
      12-09-2005, 09:27 PM
On Thu, 08 Dec 2005 10:21:28 +0000, JKB wrote:

> ./default/iptables


What does this file look like?


--

Regards
Robert

Smile... it increases your face value!


 
 
JKB
Guest
Posts: n/a

 
      12-10-2005, 07:38 AM
On 09-12-2005, regarding
Re: [iptables] sparc64, NAT and MASQUERADE,
Robert wrote in comp.os.linux.networking:
> On Thu, 08 Dec 2005 10:21:28 +0000, JKB wrote:
>
>> ./default/iptables

>
> What does this file look like?


bohr:[~] > cat /etc/default/iptables

# enable ipv6 support
enable_ipv6=false

# set enable_autosave to "true" to autosave the active ruleset
# when going from start to stop
enable_autosave=false

# set enable_save_counters to "true" to save table counters with
# rulesets
enable_save_counters=true

bohr:[~] >

Regards,

JKB
 
 
Robert
Guest
Posts: n/a

 
      12-11-2005, 05:04 AM
On Sat, 10 Dec 2005 08:38:42 +0000, JKB wrote:

>> What does this file look like?

>
> bohr:[~] > cat /etc/default/iptables



What OS are you running? See if you cannot locate where iptables saves
its config file. That is what I am looking for.


--

Regards
Robert

Smile... it increases your face value!


 