NAT & iptables

Discussion in 'Home Networking' started by Mickybadia, Jan 13, 2004.

  1. Mickybadia

    Mickybadia Guest

    Hello all,

    I have 2 Linux comp's, ans I'd like to share my DSL connection. I want to
    use iptables and NAT.

    # uname -r

    So, iptables should be supported. When I boot, I get "Not starting iptables,
    set some rules first", or sth like that.

    Trouble is: I always hated network modules at Uni, so I don't really enjoy
    spending hours exploring everywhere and browsing through acronyms. But as
    far as I understood, I must do, at one point, the following:
    iptables -A POSTROUTING -t nat -o eth1 -j MASQUERADE
    where eth1 is the interface to the internet.

    I get "iptables: invalid argument" each time.

    Same if I replace eth1 with ppp0, even if I don't even know whether it was a
    good thing to do.

    The following is also a bit confusing:
    # lsmod
    /* Nothing related to iptables */

    # modprobe ip_tables
    modprobe: Can't locate module ip_tables

    Yet iptables IS supported by the kernel (I've compiled it myself for that
    purpose), and it would also run (according to boot messages), if only it
    had some rules.

    # iptables -L
    Chain INPUT (policy ACCEPT)
    target prot opt source destination

    Chain FORWARD (policy ACCEPT)
    target prot opt source destination

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination

    Any idea what I should do now? I am getting a bit desperate. :-|
    Mickybadia, Jan 13, 2004
    1. Advertisements

  2. Looks OK
    Which suggests that NAT support isn't included in the kernel.
    Not if the interface is eth1:)
    All iptables functions will work "out of the box" with most default
    kernels. There is rarely any need to compile one just for this. But I
    don't know about the Gentoo one specifically.

    Did you compile it as a module or inline? If the latter then there won't
    be a module and it isn't needed. If the former, did you "make modules" and
    "make modules_install"?

    Did you also enable:

    Connection tracking (CONFIG_IP_NF_CONNTRACK)

    You need both of them for the nat table to exist.

    You'll also probably want to enable:

    Connection state match support (CONFIG_IP_NF_MATCH_STATE)
    Packet filtering (CONFIG_IP_NF_FILTER)

    and possibly other iptables options. If you compile these as modules, then
    the relevant modules are normally autoloaded, you don't need to do it

    Unless you have a separate firewall, you will want some firewalling rules
    too. Here's a basic NAT firewall which allows everything out from itself
    and its clients, NATs all its clients and allows nothing in from the

    EXTIF=<your Internet interface>
    INTIF=<your LAN interface>
    # Set default policies and flush chains
    iptables -P INPUT DROP
    iptables -F INPUT
    iptables -P OUTPUT ACCEPT
    iptables -F OUTPUT
    iptables -P FORWARD DROP
    iptables -F FORWARD
    iptables -t nat -F
    # Allow local traffic (!)
    iptables -A INPUT -i lo -j ACCEPT
    # Allow LAN traffic
    iptables -A INPUT -i $INTIF -j ACCEPT
    # Allow responses from Internet
    iptables -A INPUT -i $EXTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -j LOG
    # NAT for clients
    # Allow all LAN -> Internet, but only Internet -> LAN if state is matched
    iptables -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j
    iptables -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
    iptables -A FORWARD -j LOG
    # Enable NAT
    iptables -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

    I don't know what sort of input the Gentoo iptables initialisation script
    is looking for I'm afraid, I use Debian. The above script can be run on
    its own. It's my initialisation script with a few bits which are specific
    to my setup removed.

    You will find

    Regards, Ian
    Ian Northeast, Jan 14, 2004
    1. Advertisements

  3. Mickybadia

    Mickybadia Guest

    Well the eth1 interface is not a physical one, it's a USB modem, then
    connected to the Internet. 'Ifconfig' gives me lo, eth0 (connected to the
    second computer), eth1, and a ppp0, also. I thought eth1 was probably the
    one to use, but again, I can well be wrong here...
    Problem is: Gentoo has usually no default kernel :) It is often manually
    installed, thus compiled. Gentoo's spirit for ya: just what you need,
    optimized your own way...

    Oops; that's true. Indeed they are inline, I had forgotton they weren't
    modules this time. I usually do modules. But anyway, I did include all the
    connection tracking business, and the Full NAT.

    Does invalid argument only apply to the -t option? Could it be another
    option? It seems that NAT *is* installed. How would I check on that just to
    be sure, my last kernel config says it should all be in there.

    That was all compiled in too...

    I am not planning on using a firewall, as only Linux will be used on the
    other comp, and I'll just tell my parents using it that I won't trust the
    bloody Windows I do NOT trust and that they will be kept away from using
    for any internet connection. :)

    Thanks for your time, I really would like to get this going, but it is not
    as simple as I thought.
    Mickybadia, Jan 14, 2004
  4. I can't help any more I'm afraid. I don't have a copy of Gentoo to hand.
    Usually this is simple. Every time I have set one up it has been.

    I doubt you'll get much more on this group. I suggest you try a post to
    comp.os.linux.networking. There will be lots of people there who have done
    NAT firewalls on Gentoo.

    Regards, Ian
    Ian Northeast, Jan 16, 2004
  5. Mickybadia

    Mickybadia Guest

    Cheers mate. I'll do that.
    If people are interested, I guess they can go on and read there too. Thanks
    Mickybadia, Jan 17, 2004
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.