| View previous topic :: View next topic |
| Author |
Message |
tassilo80
Guru
Joined: 26 Mar 2003
Posts: 346
Location: Koblenz, Germany
|
 Posted: Tue Aug 26, 2003 2:59 pm Post subject: Routing with Gentoo |
 |
|
Hi.
Here I have my desktop which is connected via DSL to the internet. Connected to the desktop there's my laptop. Now I want to share the internet connection with the laptop.
Ok, I know that I need iptables and masquerading, so I activated the following in my kernel:
| Code: |
Network Packet filtering
Socket filtering
unix domain sockets
TCP/IP networking
-> IP: multicasting
-> IP: advanced router
IP: multicast routing
In "IP netfilter configuration" (all as modules)
Connection tracking
FTP protocol support
IRC protocol support
IP tables support
Packet Filtering
Full NAT
MASQUERADE target support
ROUTE target support
ARP tables support
ARP packet filtering
|
Then I found a short script in the net which should configure iptables exactly the way I want it. It is:
| Code: |
# Load the NAT module (this pulls in all the others).
modprobe iptable_nat
# In the NAT table (-t nat), Append a rule (-A) after routing
# (POSTROUTING) for all packets going out ppp0 (-o ppp0) which says to
# MASQUERADE the connection (-j MASQUERADE).
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
# Turn on IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
|
But when I want to execute the script I get the following error:
| Code: |
[root@mymachine root # bash masquerading
/lib/modules/2.4.20-gentoo-r6/kernel/net/ipv4/netfilter/ip_conntrack.o: unresolved symbol nf_unregister_hook
/lib/modules/2.4.20-gentoo-r6/kernel/net/ipv4/netfilter/ip_conntrack.o: unresolved symbol nf_unregister_sockopt
/lib/modules/2.4.20-gentoo-r6/kernel/net/ipv4/netfilter/ip_conntrack.o: unresolved symbol ip_ct_attach
/lib/modules/2.4.20-gentoo-r6/kernel/net/ipv4/netfilter/ip_conntrack.o: unresolved symbol nf_register_hook
/lib/modules/2.4.20-gentoo-r6/kernel/net/ipv4/netfilter/ip_conntrack.o: unresolved symbol nf_register_sockopt
/lib/modules/2.4.20-gentoo-r6/kernel/net/ipv4/netfilter/ip_conntrack.o: insmod /lib/modules/2.4.20-gentoo-r6/kernel/net/ipv4/netfilter/ip_conntrack.o failed
/lib/modules/2.4.20-gentoo-r6/kernel/net/ipv4/netfilter/ip_conntrack.o: insmod iptable_nat failed
/lib/modules/2.4.20-gentoo-r6/kernel/net/ipv4/netfilter/ip_tables.o: unresolved symbol nf_unregister_sockopt
/lib/modules/2.4.20-gentoo-r6/kernel/net/ipv4/netfilter/ip_tables.o: unresolved symbol nf_register_sockopt
/lib/modules/2.4.20-gentoo-r6/kernel/net/ipv4/netfilter/ip_tables.o: insmod /lib/modules/2.4.20-gentoo-r6/kernel/net/ipv4/netfilter/ip_tables.o failed
/lib/modules/2.4.20-gentoo-r6/kernel/net/ipv4/netfilter/ip_tables.o: insmod ip_tables failed
iptables v1.2.8: can't initialize iptables table `nat': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
|
What do I have to do? How to get this working. Do I need any more modules or which are useless for my plan?
Much thanks in advance.
Tassilo |
|
| Back to top |
|
 |
Genone
Retired Dev
Joined: 14 Mar 2003
Posts: 9626
Location: beyond the rim
|
| Posted: Tue Aug 26, 2003 4:15 pm Post subject: |
|
|
try to
| Code: | cd /usr/src/linux
make clean
make bzImage modules modules_install |
|
|
| Back to top |
|
|
tassilo80
Guru
Joined: 26 Mar 2003
Posts: 346
Location: Koblenz, Germany
|
| Posted: Tue Aug 26, 2003 5:53 pm Post subject: ahm... |
|
|
When I made the kernel I did
| Code: |
cd /usr/src/linux
make menuconfig
make dep && make clean && make bzImage modules modules_install
|
and then I copied the bzImage to /boot/. So why should I recomile the kernel?
Greets,
Tassilo |
|
| Back to top |
|
|
Genone
Retired Dev
Joined: 14 Mar 2003
Posts: 9626
Location: beyond the rim
|
| Posted: Tue Aug 26, 2003 6:10 pm Post subject: |
|
|
I thought you have just added the NAT options to your config and run a
| Code: | | make modules modules_install |
If you compiled that kernel and modules from scratch there is no need to recompile them of course.
I'm just wondering as normally these unresolved symbol errors are detected at the make modules_install stage. |
|
| Back to top |
|
|
tassilo80
Guru
Joined: 26 Mar 2003
Posts: 346
Location: Koblenz, Germany
|
| Posted: Tue Aug 26, 2003 6:19 pm Post subject: ... |
|
|
| Oh, there's an iptables init script in /etc/init.d/. In /etc/conf.d/iptables I enabled ENABLE_FORWARDING_IPv4="yes". And I added /etc/init.d/iptables to runlevel default, but I get the same error messages when executing my script from above. |
|
| Back to top |
|
|
ph_flippy
n00b
Joined: 09 Jun 2003
Posts: 35
Location: Heidelberg, Germany
|
| Posted: Wed Aug 27, 2003 12:42 am Post subject: |
|
|
I had the same problem and followed the advice in one of the threads in this forum (can't find which one, now  ).
The one thing I did was removing the modules from | Code: | | /lib/modules/KERNEL |
(where KERNEL is the kernel you used. Mine is 2.4.20-gentoo-r6) (or rather moved it, in case something would break).
This didn't help me.
Disabling "Loadable module support" > "Set version information on all module symbols" in the kernel, and then compiling the kernel helped to get rid of the unresolved symbols messages.
HTH! |
|
| Back to top |
|
|
MOS-FET
Apprentice
Joined: 20 May 2003
Posts: 291
Location: Cologne, Germany
|
| Posted: Wed Aug 27, 2003 12:49 am Post subject: |
|
|
| i can really suggest you try firehol (emerge firehol). it's basically a script that creates the firewall rules for you. in firehol.conf you can config _really_ easily what you want (e.g. forwarding, drop all incoming packets, only allow outgoing ftp or whatever) and then do "firehol start" and it starts iptables with your configuration. then do "firehol save" so it would save your config. then do rc-update add iptables default so your firewall will start at boot with the ruls you've config'd with firehol. it's really easy and it worked very well for me! |
|
| Back to top |
|
|
tassilo80
Guru
Joined: 26 Mar 2003
Posts: 346
Location: Koblenz, Germany
|
| Posted: Wed Aug 27, 2003 2:33 pm Post subject: ok |
|
|
Ok,
I'll take "Loadable module support" > "Set version information on all module symbols" out of the kernel ant I'll test firehol. When it fails, I'll be back... 
Thanks,
Tassilo |
|
| Back to top |
|
|
tassilo80
Guru
Joined: 26 Mar 2003
Posts: 346
Location: Koblenz, Germany
|
| Posted: Wed Aug 27, 2003 4:06 pm Post subject: probs with firehol |
|
|
Hi.
Now I tried it with firehol, but it doesn't work. I made a firehol.conf with
firehol helpme > /etc/firehol/firehol.conf
Then I edited the firehol.conf to what I need.
The output of "firehol start" is:
| Code: |
mymachine root # firehol start
FireHOL: Saving your old firewall to a temporary file: OK
FireHOL: Processing file /etc/firehol/firehol.conf: OK
FireHOL: Activating new firewall:iptables: No chain/target/match by that
name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
--------------------------------------------------------------------------------
ERROR : # 1.
WHAT : A runtime command failed to execute (returned error 1).
SOURCE : line 50 of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A in_interface1_ICMP_s1 -p icmp -m
state --state NEW\,ESTABLISHED -j ACCEPT
OUTPUT :
iptables: No chain/target/match by that name
--------------------------------------------------------------------------------
ERROR : # 2.
WHAT : A runtime command failed to execute (returned error 1).
SOURCE : line 50 of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A out_interface1_ICMP_s1 -p icmp -m
state --state ESTABLISHED -j ACCEPT
OUTPUT :
iptables: No chain/target/match by that name
***
and so on...
***
--------------------------------------------------------------------------------
ERROR : # 61.
WHAT : A runtime command failed to execute (returned error 1).
SOURCE : line FIN of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A OUTPUT -m limit --limit 1/second
--limit-burst 5 -j LOG --log-level warning --log-prefix=OUT-unknown:
OUTPUT :
iptables: No chain/target/match by that name
--------------------------------------------------------------------------------
ERROR : # 62.
WHAT : A runtime command failed to execute (returned error 1).
SOURCE : line FIN of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A FORWARD -m limit --limit 1/second
--limit-burst 5 -j LOG --log-level warning --log-prefix=PASS-unknown:
OUTPUT :
iptables: No chain/target/match by that name
FAILED
FireHOL: Restoring old firewall: OK
|
What should I do? |
|
| Back to top |
|
|
ixion
l33t
Joined: 16 Dec 2002
Posts: 708
|
| Posted: Thu Aug 28, 2003 2:45 am Post subject: |
|
|
I honestly would start all over with the kernel and the original options. I would not get rid of Loadable Module Support...
goto /usr/src/linux... run this:
| Code: |
make mrproper && make menuconfig
make dep && make clean bzImage modules modules_install &&
mount /dev/hda1 /boot &&
mv /boot/bzImage /boot/bzImage-old
cp /usr/src/linux/arch/i386/boot/bzImage /boot/bzImage
lilo
reboot
|
The 'make mrproper' normally cleans up the symbols problem for me.. if it doesn't, re-emerge a kernel and start over with a fresh config. It's alot of work, but it will solve your problem..
_________________
only the paranoid survive |
|
| Back to top |
|
|
tassilo80
Guru
Joined: 26 Mar 2003
Posts: 346
Location: Koblenz, Germany
|
| Posted: Thu Aug 28, 2003 12:40 pm Post subject: |
|
|
Ok, I'll do as you say. If it works I'll tell you and otherwise I'll be back, too.
Thanks,
Tassilo |
|
| Back to top |
|
|
atticus
n00b
Joined: 29 Nov 2002
Posts: 35
Location: Northern Virginia
|
| Posted: Thu Aug 28, 2003 3:40 pm Post subject: Re: Routing with Gentoo |
|
|
| tassilo80 wrote: |
| Code: |
# Load the NAT module (this pulls in all the others).
modprobe iptable_nat
# In the NAT table (-t nat), Append a rule (-A) after routing
# (POSTROUTING) for all packets going out ppp0 (-o ppp0) which says to
# MASQUERADE the connection (-j MASQUERADE).
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
# Turn on IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
|
|
If you used this exact rule, I don't think it will work because the rule is for ppp0. ppp0 is for a dialup interface. I think what you want is eth0, since you're running DSL. (Someone correct me if I'm wrong.) So, change the ppp0 in your rule to eth0, to specify your Ethernet interface (your NIC). |
|
| Back to top |
|
|
vidigiani
Tux's lil' helper
Joined: 11 Aug 2003
Posts: 116
Location: Houston, TX
|
| Posted: Thu Aug 28, 2003 5:08 pm Post subject: |
|
|
| DSL uses ppp0 just like dialup. When setting up firewall rules you want to use the ppp0 interface, not the ethX interface. |
|
| Back to top |
|
|
atticus
n00b
Joined: 29 Nov 2002
Posts: 35
Location: Northern Virginia
|
| Posted: Thu Aug 28, 2003 5:34 pm Post subject: |
|
|
| vidigiani wrote: | | DSL uses ppp0 just like dialup. When setting up firewall rules you want to use the ppp0 interface, not the ethX interface. |
This doesn't make sense  |
|
| Back to top |
|
|
deuce
n00b
Joined: 11 Dec 2002
Posts: 56
|
| Posted: Thu Aug 28, 2003 11:34 pm Post subject: |
|
|
| ixion wrote: | I honestly would start all over with the kernel and the original options. I would not get rid of Loadable Module Support...
goto /usr/src/linux... run this:
| Code: |
make mrproper && make menuconfig
make dep && make clean bzImage modules modules_install &&
mount /dev/hda1 /boot &&
mv /boot/bzImage /boot/bzImage-old
cp /usr/src/linux/arch/i386/boot/bzImage /boot/bzImage
lilo
reboot
|
The 'make mrproper' normally cleans up the symbols problem for me.. if it doesn't, re-emerge a kernel and start over with a fresh config. It's alot of work, but it will solve your problem.. |
You should copy /usr/src/linux/.config to another location before running make mrproper, otherwise .config is deleted. After make mrproper finishes, copy .config back and run make oldconfig.
| Code: | cd /usr/src/linux/
cp .config ~/config
make mrproper
cp ~/config .config
make oldconfig
|
|
|
| Back to top |
|
|
ixion
l33t
Joined: 16 Dec 2002
Posts: 708
|
| Posted: Fri Aug 29, 2003 11:43 am Post subject: |
|
|
good point.. I automatically assumed everyone configures their kernel like me: with each new compile I save it out as a config file in the /usr/src/linux.. THIS file does not get overwritten during make mrproper... I think it's a good practice to save all your config's out anyway.. helps tremendously with kernel troubleshooting...
btw, how's it coming, tassilo80? any luck?
_________________
only the paranoid survive |
|
| Back to top |
|
|
vidigiani
Tux's lil' helper
Joined: 11 Aug 2003
Posts: 116
Location: Houston, TX
|
| Posted: Fri Aug 29, 2003 12:24 pm Post subject: |
|
|
| atticus wrote: | | vidigiani wrote: | | DSL uses ppp0 just like dialup. When setting up firewall rules you want to use the ppp0 interface, not the ethX interface. |
This doesn't make sense |
You don't have a direct connection to your DSL ISP like you do with Cable. You typically have to go over PPPoe which is the PPP protocol over ethernet. Such is one of the annoyances of DSL service |
|
| Back to top |
|
|
|
Networking & Security
