NAT & iptables

Discussion in 'Home Networking' started by Mickybadia, Jan 13, 2004.

  1. Mickybadia

    Mickybadia Guest

    Hello all,

    I have 2 Linux comps, and I'd like to share my DSL connection. I want to
    use iptables and NAT.

    # uname -r
    2.4.22-gentoo-r2

    So, iptables should be supported. When I boot, I get "Not starting iptables,
    set some rules first", or something like that.

    Trouble is: I always hated network modules at Uni, so I don't really enjoy
    spending hours exploring everywhere and browsing through acronyms. But as
    far as I understood, I must do, at one point, the following:
    iptables -A POSTROUTING -t nat -o eth1 -j MASQUERADE
    where eth1 is the interface to the internet.

    I get "iptables: invalid argument" each time.

    Same if I replace eth1 with ppp0, even if I don't even know whether it was a
    good thing to do.

    The following is also a bit confusing:
    # lsmod
    /* Nothing related to iptables */

    # modprobe ip_tables
    modprobe: Can't locate module ip_tables

    Yet iptables IS supported by the kernel (I've compiled it myself for that
    purpose), and it would also run (according to boot messages), if only it
    had some rules.

    # iptables -L
    Chain INPUT (policy ACCEPT)
    target prot opt source destination

    Chain FORWARD (policy ACCEPT)
    target prot opt source destination

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination



    Any idea what I should do now? I am getting a bit desperate. :-|
     
    Mickybadia, Jan 13, 2004
    #1

  2. Looks OK
    Which suggests that NAT support isn't included in the kernel.
    Not if the interface is eth1:)
    All iptables functions will work "out of the box" with most default
    kernels. There is rarely any need to compile one just for this. But I
    don't know about the Gentoo one specifically.

    Did you compile it as a module or inline? If the latter then there won't
    be a module and it isn't needed. If the former, did you "make modules" and
    "make modules_install"?

    Did you also enable:

    Connection tracking (CONFIG_IP_NF_CONNTRACK)
    Full NAT (CONFIG_IP_NF_NAT)

    You need both of them for the nat table to exist.

    You'll also probably want to enable:

    Connection state match support (CONFIG_IP_NF_MATCH_STATE)
    Packet filtering (CONFIG_IP_NF_FILTER)

    and possibly other iptables options. If you compile these as modules, then
    the relevant modules are normally autoloaded, you don't need to do it
    explicitly.


    Unless you have a separate firewall, you will want some firewalling rules
    too. Here's a basic NAT firewall which allows everything out from itself
    and its clients, NATs all its clients and allows nothing in from the
    Internet:

    EXTIF=<your Internet interface>
    INTIF=<your LAN interface>
    #
    # Let the kernel route between its interfaces. Without this the FORWARD
    # chain and the MASQUERADE rule below never see a packet from the LAN.
    #
    echo 1 > /proc/sys/net/ipv4/ip_forward
    #
    # Set default policies and flush chains
    #
    iptables -P INPUT DROP
    iptables -F INPUT
    iptables -P OUTPUT ACCEPT
    iptables -F OUTPUT
    iptables -P FORWARD DROP
    iptables -F FORWARD
    iptables -t nat -F
    #
    # Allow local traffic (!)
    #
    iptables -A INPUT -i lo -j ACCEPT
    #
    # Allow LAN traffic
    #
    iptables -A INPUT -i $INTIF -j ACCEPT
    #
    # Allow responses from Internet (only packets belonging to a connection
    # the firewall itself opened; this is what connection tracking is for)
    #
    iptables -A INPUT -i $EXTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
    #
    # Anything else aimed at the firewall is logged and then hits the DROP policy
    #
    iptables -A INPUT -j LOG
    #
    # NAT for clients
    #
    # Allow all LAN -> Internet, but only Internet -> LAN if state is matched
    #
    iptables -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
    iptables -A FORWARD -j LOG
    #
    # Enable NAT: rewrite the source address of everything leaving $EXTIF to
    # that interface's current address (MASQUERADE copes with a PPP address
    # that changes on every dial-up)
    #
    iptables -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE


    I don't know what sort of input the Gentoo iptables initialisation script
    is looking for I'm afraid, I use Debian. The above script can be run on
    its own. It's my initialisation script with a few bits which are specific
    to my setup removed.

    You will find http://www.tldp.org/HOWTO/IP-Masquerade-HOWTO/index.html
    useful.

    Regards, Ian
     
    Ian Northeast, Jan 14, 2004
    #2
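
    Ian's answer turns on whether the nat table exists in the kernel at all, and Mickybadia asks later how to check that. The script below is an added diagnostic, not code from either poster: it reads a kernel .config for the options Ian named (plus CONFIG_IP_NF_IPTABLES, the iptables core that every table depends on) and checks which tables the running kernel has registered in /proc/net/ip_tables_names. That file name, and the /usr/src/linux/.config path used in --live mode, are assumptions about a 2.4-era kernel like the one in the thread. Without --live it runs against a constructed sample config that mirrors the symptom described here (connection tracking built in, NAT left out).

```sh
#!/bin/sh
# Added diagnostic, not part of the thread: does this kernel have what the
# nat table needs, and is the table actually registered?

# Options needed for the nat table: Ian's two plus the iptables core itself.
REQUIRED="CONFIG_IP_NF_IPTABLES CONFIG_IP_NF_CONNTRACK CONFIG_IP_NF_NAT"
# The filtering extras Ian recommends.
RECOMMENDED="CONFIG_IP_NF_FILTER CONFIG_IP_NF_MATCH_STATE"

# kconfig_value CONFIGFILE OPTION -> prints y (built in), m (module) or n.
# .config lines look like "CONFIG_X=y", "CONFIG_X=m" or "# CONFIG_X is not set".
kconfig_value() {
    val=$(sed -n "s/^$2=\(.\).*/\1/p" "$1")
    [ -n "$val" ] && echo "$val" || echo "n"
}

# missing_required CONFIGFILE -> prints the required options that are off;
# exit status 0 only when none are missing.
missing_required() {
    missing=""
    for opt in $REQUIRED; do
        [ "$(kconfig_value "$1" "$opt")" = "n" ] && missing="$missing $opt"
    done
    missing=${missing# }
    echo "$missing"
    [ -z "$missing" ]
}

# has_table NAMESFILE TABLE -> exit status 0 when TABLE is listed.
# Assumption: a 2.4 kernel with ip_tables lists its registered tables, one
# per line (filter, nat, mangle), in /proc/net/ip_tables_names.
has_table() {
    grep -qx "$2" "$1"
}

# report CONFIGFILE NAMESFILE -> human-readable summary of both checks
report() {
    cfg=$1
    names=$2
    echo "Kernel config: $cfg"
    for opt in $REQUIRED $RECOMMENDED; do
        printf '  %-28s %s\n' "$opt" "$(kconfig_value "$cfg" "$opt")"
    done
    if missing=$(missing_required "$cfg"); then
        echo "  required NAT options are enabled"
    else
        echo "  MISSING, so no nat table can exist: $missing"
    fi
    if has_table "$names" nat; then
        echo "  nat table is registered in $names"
    else
        echo "  nat table NOT registered in $names: 'iptables -t nat' will fail"
    fi
}

# Constructed sample (not a real capture) mirroring the thread's symptom:
# connection tracking built in, NAT left out, filter as a module.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/config" <<'EOF'
CONFIG_NETFILTER=y
CONFIG_IP_NF_CONNTRACK=y
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_MATCH_STATE=y
# CONFIG_IP_NF_NAT is not set
EOF
printf 'filter\n' > "$SAMPLE_DIR/ip_tables_names"

if [ "${1:-}" = "--live" ]; then
    # Assumptions: configured source tree at /usr/src/linux, 2.4 kernel with
    # the proc files named above.
    report /usr/src/linux/.config /proc/net/ip_tables_names
    echo "  ip_forward = $(cat /proc/sys/net/ipv4/ip_forward)"
else
    report "$SAMPLE_DIR/config" "$SAMPLE_DIR/ip_tables_names"
fi
```

    On the sample the report names CONFIG_IP_NF_NAT as missing and shows only the filter table registered, which is exactly the state in which "iptables -t nat ..." fails while "iptables -L" prints three empty chains. On a real box, run it with --live as root; if the nat table is listed but ip_forward is 0, the rules load but nothing is routed.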

  3. Mickybadia

    Mickybadia Guest

    Well, the eth1 interface is not a physical one, it's a USB modem, then
    connected to the Internet. 'ifconfig' gives me lo, eth0 (connected to the
    second computer), eth1, and a ppp0, also. I thought eth1 was probably the
    one to use, but again, I can well be wrong here...
    Problem is: Gentoo usually has no default kernel :) It is often manually
    installed, thus compiled. Gentoo's spirit for ya: just what you need,
    optimized your own way...

    Oops; that's true. Indeed they are inline, I had forgotten they weren't
    modules this time. I usually do modules. But anyway, I did include all the
    connection tracking business, and the Full NAT.

    Does "invalid argument" only apply to the -t option? Could it be another
    option? It seems that NAT *is* installed. How would I check on that just to
    be sure? My last kernel config says it should all be in there.

    That was all compiled in too...

    I am not planning on using a firewall, as only Linux will be used on the
    other comp, and I'll just tell my parents using it that I won't trust the
    bloody Windows I do NOT trust and that they will be kept away from using
    it for any internet connection. :)


    Thanks for your time, I really would like to get this going, but it is not
    as simple as I thought.
     
    Mickybadia, Jan 14, 2004
    #3
  4. I can't help any more I'm afraid. I don't have a copy of Gentoo to hand.
    Usually this is simple. Every time I have set one up it has been.

    I doubt you'll get much more on this group. I suggest you try a post to
    comp.os.linux.networking. There will be lots of people there who have done
    NAT firewalls on Gentoo.

    Regards, Ian
     
    Ian Northeast, Jan 16, 2004
    #4
  5. Mickybadia

    Mickybadia Guest

    Cheers mate. I'll do that.
    If people are interested, I guess they can go on and read there too. Thanks
    anyway.
     
    Mickybadia, Jan 17, 2004
    #5
