NAT & iptables

 
 
Mickybadia
      01-19-2004, 12:42 PM
Hello,

I am really confused with this issue, as I am just about every time it comes
down to networking. It seems it never ever works the way it should. :-(

So.

I have two "Gentoo comp's", crossovered together. One has ADSL on eth1 and
LAN on eth0, the second gets everything on its eth0 interface. Nothing too
original so far.

Both kernels were compiled with networking support, the one for iptables
also includes all the related support, like Full NAT and everything from
menuconfig.

I can ping one another, but when I do
iptables -A POSTROUTING -t NAT -o eth1 -j MASQUERADE
I get the "Invalid argument".



Two questions:

1. What am I doing wrong here? I don't understand this error. What argument
is it that's wrong?

2. How do you assign an IP that remains the same over reboot? Every time I
try again I have to ifconfig both comp's...


Thank you very much indeed for any help.



--
Mickybadia [http://mickybadia.free.fr/]

To reply, please remove "SAY_HELLO_TO_" from address.

 
Horst Knobloch
      01-19-2004, 02:24 PM
Mickybadia wrote:


> I can ping one another, but when I do
> iptables -A POSTROUTING -t NAT -o eth1 -j MASQUERADE
> I get the "Invalid argument".


iptables -A POSTROUTING -t nat -o eth1 -j MASQUERADE

--
»When pings go wrong (It hurts me too)« E.Clapton/E.James/P.Tscharn
 
Mickybadia
      01-19-2004, 10:56 PM
Nice try, sorry:

# iptables -A POSTROUTING -t NAT -o eth1 -j MASQUERADE
modprobe: Can't locate module ip_tables
iptables v1.2.8: can't initialize iptables table `NAT': Table does not exist
(do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.

# iptables -A POSTROUTING -t nat -o eth1 -j MASQUERADE
iptables: Invalid argument

# iptables -A postrouting -t nat -o eth1 -j MASQUERADE
iptables: No chain/target/match by that name


Thanks for spotting the case error, indeed it does look relevant. But the
potentially right one (second command above) still raises the "Invalid
argument" error... Has anyone a clue what I should do next?


PS
I followed up by email first, and only realized as it wasn't appearing here.
Sorry Horst Knobloch for emailing you.


--
Mickybadia

http://mickybadia.free.fr/
 
Mickybadia
      01-19-2004, 11:06 PM
Hi all!
I had posted an email by mistake, and Horst Knobloch kindly answered:

> # iptables -A POSTROUTING -t nat -o eth1 -j MASQUERADE
> iptables: Invalid argument
>
> # iptables -A postrouting -t nat -o eth1 -j MASQUERADE
> iptables: No chain/target/match by that name


Built-in chains like POSTROUTING must be all in upper case
and tables like nat must be in lower case, that's for sure.


> Thanks for spotting the case error, indeed it does look relevant. But
> the potentially right one (second command above) still raises the
> "Invalid argument" error...


For verifying this, I copy & pasted it, and it works on
my box. Do you have automatic kernel module loading running?
If not, check whether the ipt_MASQUERADE and iptable_nat
modules are loaded.

# iptables -V ; uname -a
iptables v1.2.8
Linux dwarf 2.4.20-28.9 #1 Thu Dec 18 13:46:42 EST 2003 i686 athlon i386 GNU/Linux

# lsmod | grep ipt
ipt_MASQUERADE 2200 0 (autoclean)
iptable_nat 21464 0 (autoclean) [ipt_MASQUERADE]
ipt_owner 2008 1 (autoclean)
ipt_MARK 1400 5 (autoclean)
ipt_length 984 2 (autoclean)
iptable_mangle 2808 1 (autoclean)
ipt_REJECT 3992 1 (autoclean)
ipt_TCPMSS 3064 1 (autoclean)
ipt_LOG 4216 10 (autoclean)
ipt_limit 1560 10 (autoclean)
ipt_state 1080 6 (autoclean)
ip_conntrack 26824 2 (autoclean) [ipt_MASQUERADE iptable_nat ipt_state]
ipt_multiport 1208 6 (autoclean)
iptable_filter 2412 1 (autoclean)
ip_tables 14648 15 [ipt_MASQUERADE iptable_nat ipt_owner ipt_MARK ipt_length iptable_mangle ipt_REJECT ipt_TCPMSS ipt_LOG ipt_limit ipt_state ipt_multiport iptable_filter]


Ciao, Horst

 
Mickybadia
      01-19-2004, 11:14 PM
Hi all!
Horst Knobloch wrote:

>> Thanks for spotting the case error, indeed it does look relevant. But
>> the potentially right one (second command above) still raises the
>> "Invalid argument" error...

>
> Do you have automatic kernel module loading running?


Yes, but I compiled iptables in the kernel, not as modules. Is this bad?

> If not check whether the ipt_MASQUERADE and iptable_nat
> modules are loaded.


On my box, they are not modules, but it IS installed: at boot time, it says
"Cannot start iptables ; setup some rules first." ...or something like
that.

That's what I am trying to do, if only I didn't have this error :-)


--
Mickybadia [http://mickybadia.free.fr/]

To reply, please remove "SAY_HELLO_TO_" from address.

 
Horst Knobloch
      01-19-2004, 11:45 PM
Mickybadia wrote:

> Hi all!
> Horst Knobloch wrote:
>
>>> Thanks for spotting the case error, indeed it does look relevant. But
>>> the potentially right one (second command above) still raises the
>>> "Invalid argument" error...

>>
>> Do you have automatic kernel module loading running?

>
> Yes, but I compiled iptables in the kernel, not as modules. Is this bad?


Not if you have all the necessary modules compiled in.
Check again your kernel configuration. Do you have
enabled connection tracking, NAT and masquerading in the
kernel configuration?


>> If not check whether the ipt_MASQUERADE and iptable_nat
>> modules are loaded.

>
> On my box, they are not modules, but it IS installed: at boot time, it
> says "Cannot start iptables ; setup some rules first." ...or something
> like that.


I guess this is only a script which is run at boot time
complaining about missing rules. However it does not
mean that all iptables support you need is completely
compiled into the kernel.


Ciao, Horst
--
»When pings go wrong (It hurts me too)« E.Clapton/E.James/P.Tscharn
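
The kernel-configuration check suggested in the post above, as an added example that is not part of the original thread. The option names are the ones used by 2.4 and early 2.6 kernels (an assumption about the poster's kernel); `opt_state`, `check_nat_support` and the sample `.config` are constructed for illustration.

```shell
#!/bin/sh
# Added example: report how each netfilter option needed by
#   iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
# is set in a kernel .config: y (built in), m (module) or missing.
# Option names are those of 2.4 / early 2.6 kernels (assumption).
NAT_OPTS="CONFIG_IP_NF_IPTABLES CONFIG_IP_NF_CONNTRACK CONFIG_IP_NF_NAT CONFIG_IP_NF_TARGET_MASQUERADE"

# opt_state OPTION FILE -> prints y, m or missing (hypothetical helper)
opt_state() {
    # "# CONFIG_X is not set" lines never match, so they count as missing
    val=$(sed -n "s/^$1=\([ym]\)\$/\1/p" "$2" | tail -n 1)
    echo "${val:-missing}"
}

# check_nat_support FILE -> one line per option; returns 1 if any is missing
check_nat_support() {
    rc=0
    for opt in $NAT_OPTS; do
        state=$(opt_state "$opt" "$1")
        printf '%-32s %s\n' "$opt" "$state"
        if [ "$state" = missing ]; then rc=1; fi
    done
    return "$rc"
}

# Constructed sample .config: NAT is selected but the MASQUERADE target is not.
sample=$(mktemp)
cat > "$sample" <<'EOF'
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_CONNTRACK=y
CONFIG_IP_NF_NAT=y
# CONFIG_IP_NF_TARGET_MASQUERADE is not set
EOF
check_nat_support "$sample" || echo "NAT/masquerading support is incomplete"
rm -f "$sample"
```

Run `check_nat_support` against the `.config` the running kernel was actually built from. When support is compiled in rather than modular, `lsmod` lists nothing for it, so the configuration file is where a missing option shows up.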
 
Ian Northeast
      01-20-2004, 09:40 PM
On Tue, 20 Jan 2004 00:56:15 +0100, Mickybadia wrote:

> Nice try, sorry :
>
> # iptables -A POSTROUTING -t NAT -o eth1 -j MASQUERADE
> modprobe: Can't locate module ip_tables
> iptables v1.2.8: can't initialize iptables table `NAT': Table does not exist
> (do you need to insmod?)
> Perhaps iptables or your kernel needs to be upgraded.
>
> # iptables -A POSTROUTING -t nat -o eth1 -j MASQUERADE
> iptables: Invalid argument
>
> # iptables -A postrouting -t nat -o eth1 -j MASQUERADE
> iptables: No chain/target/match by that name
>
>
> Thanks for spotting the case error, indeed it does look relevant. But the
> potentially right one (second command above) still raises the "Invalid
> argument" error... Has anyone a clue what I should do next?


Just a thought - and quite probably wrong. I am unable to elicit the terse
error message "invalid argument" from iptables at all. IME if I get
something wrong it always states exactly what is wrong, as per the
examples above where the table and chain names have been specified
incorrectly. You are only seeing "invalid argument" when you get the
syntax right.

There has also been mention of an iptables script.

Is it possible that you aren't executing the real iptables program but a
script which is a front end to it, which is producing this unhelpful
message? What does "which iptables" say? Mine (Debian Woody) is in /sbin.

Also, what happens if you misspell "MASQUERADE"? I only mention this
because it's the only keyword I haven't seen you try misspelling.

Regards, Ian
 
Mickybadia
      01-20-2004, 11:54 PM
Hi all!
Ian Northeast wrote:

> What does "which iptables" say? Mine (Debian Woody) is in /sbin.


# which iptables
/sbin/iptables

> Also, what happens if you misspell "MASQUERADE"? I only mention this
> because it's the only keyword I haven't seen you try misspelling.


# iptables -A POSTROUTING -t nat -o eth1 -j getting_desperate
iptables v1.2.8: Couldn't load target
`getting_desperate':/lib/iptables/libipt_getting_desperate.so: cannot open
shared object file: No such file or directory
Try `iptables -h' or 'iptables --help' for more information.


I also checked that libipt_MASQUERADE was at /lib/iptables/.
So what? Could it be the "-o" argument (i.e. "eth1") that's wrong??

Nothing seems to be missing in "make menuconfig", according to several pages
I read. The full NAT and everything...


Phew! Hard work, not going very far... Network administrators must be
spending their time running about trying to guess why "/it/ is not working
again"...


--
Mickybadia [http://mickybadia.free.fr/]

To reply, please remove "SAY_HELLO_TO_" from address.

 
remove dot
      01-21-2004, 12:15 PM
Mickybadia wrote:
>Hi all!
>Ian Northeast wrote:
>
>> What does "which iptables" say? Mine (Debian Woody) is in /sbin.

>
># which iptables
>/sbin/iptables
>
>> Also, what happens if you misspell "MASQUERADE"? I only mention this
>> because it's the only keyword I haven't seen you try misspelling.

>
># iptables -A POSTROUTING -t nat -o eth1 -j getting_desperate
>iptables v1.2.8: Couldn't load target
>`getting_desperate':/lib/iptables/libipt_getting_desperate.so: cannot open
>shared object file: No such file or directory
>Try `iptables -h' or 'iptables --help' for more information.
>
>
>I also checked that libipt_MASQUERADE was at /lib/iptables/.
>So what? Could it be the "-o" argument (i.e. "eth1") that's wrong??
>
>Nothing seems to be missing in "make menuconfig", according to several pages
>I read. The full NAT and everything...
>
>
>Phew! Hard work, not going very far... Network administrators must be
>spending their time running about trying to guess why "/it/ is not working
>again"...
>
>


Try recompiling iptables after changing kernel.

j131

 
Ian Northeast
      01-22-2004, 12:32 AM
On Wed, 21 Jan 2004 01:54:08 +0100, Mickybadia wrote:


> Phew! Hard work, not going very far... Network administrators must be
> spending their time running about trying to guess why "/it/ is not working
> again"...


Well, network admins do indeed spend most of their time troubleshooting.
I keep asking "why haven't you allocated those IP addresses I requested
last week?" and get "I'll get on to that as soon as I've fixed these
connection problems". The trouble is that they always have
connection problems. Networks are fragile by nature. In Nigeria for
instance, people keep digging up the cables to sell for scrap copper. It's
not easy to configure the routers to cope with this.

But a basic NAT firewall in Linux isn't normally difficult. There's
something wrong with your system but we haven't worked out what it is yet.
It always works for me. And once it works, if you don't change things (or
dig up the cables) it carries on.

j131 or whatever he/she calls him/herself does make a valid point,
iptables is quite closely related to the kernel. You don't mention
changing kernel (you recompiled I think but that is irrelevant, it
doesn't change the headers). Did you ever change the kernel?

Regards, Ian

 