Gentoo Forums :: Networking & Security
New kernel, iptables script is broken
Author: Houdini (Apprentice)
Joined: 14 Jun 2002
Posts: 224
Location: New Mexico Tech, Socorro, NM

Posted: Tue Jun 17, 2003 2:26 pm    Post subject: New kernel, iptables script is broken

So, I'll start this by saying I'm probably overlooking something obvious.

Also, this is fairly iptables-specific, so you may want to click "back" now if you're not familiar with it.

Having that said...

This is the firewall script I use on a server I admin. It's doing SNAT for an internal network... yeah. It's simple enough that it should be easy to follow. The machine is running gentoo-sources-2.4.20-r5.

Iptables script:
Code:
    # sysctls: enable IP forwarding and SYN cookies
    echo "0" > /proc/sys/net/ipv4/conf/all/forwarding
    echo "1" > /proc/sys/net/ipv4/ip_forward
    echo "1" > /proc/sys/net/ipv4/tcp_syncookies
    # flush the filter table, then the nat table, and zero the counters
    # (chain policies are left at their defaults until set further down)
    /sbin/iptables -F
    /sbin/iptables -F -t nat
    /sbin/iptables -Z
    #
    #   rules for NATting packets: SNAT the 10.0.0.0/24 network out eth0,
    #   forward only NEW connections coming in on eth1 plus their replies
    #
    /sbin/iptables -t nat -A POSTROUTING -o eth0 -s 10.0.0.0/24 -j SNAT --to-source 128.165.237.145
    /sbin/iptables -A FORWARD -m state --state NEW -i eth1 -s 10.0.0.0/24 -j ACCEPT
    /sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    /sbin/iptables -P FORWARD DROP
    #
    #   generic firewall-y stuff: new SSH and HTTP from eth0 only,
    #   every other NEW connection from eth0 dropped, INVALID logged then dropped
    #
    /sbin/iptables -A INPUT -m state --state NEW -p tcp --destination-port 22 -i eth0 -j ACCEPT
    /sbin/iptables -A INPUT -m state --state NEW -p tcp --destination-port 80 -i eth0 -j ACCEPT
    /sbin/iptables -A INPUT -m state --state NEW -i eth0 -j DROP
    /sbin/iptables -A INPUT -m state --state INVALID -i eth0 -j LOG
    /sbin/iptables -A INPUT -m state --state INVALID -i eth0 -j DROP
    #
    #   paranoid logging: anything falling through FORWARD to the DROP policy,
    #   and malformed ("unclean") packets hitting INPUT
    #
    /sbin/iptables -A FORWARD -j LOG
    /sbin/iptables -I INPUT 1 -m unclean -j LOG


And, the relevant part of my kernel config (you'll see why):
Code:
CONFIG_NETFILTER=y
CONFIG_IP_NF_CONNTRACK=y
CONFIG_IP_NF_FTP=y
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_MATCH_MULTIPORT=y
CONFIG_IP_NF_MATCH_MPORT=y
CONFIG_IP_NF_MATCH_STATE=y
CONFIG_IP_NF_MATCH_CONNLIMIT=y
CONFIG_IP_NF_MATCH_CONNTRACK=y
CONFIG_IP_NF_MATCH_UNCLEAN=y
CONFIG_IP_NF_FILTER=y
CONFIG_IP_NF_NAT=y
CONFIG_IP_NF_NAT_NEEDED=y
CONFIG_IP_NF_NAT_FTP=y
CONFIG_IP_NF_TARGET_LOG=y


Now, that works great. I'm trying to go to vanilla-sources-2.4.21, and it's all shot. One line in the iptables script fails like this:
Code:
/sbin/iptables -t nat -A POSTROUTING -o eth0 -s 10.0.0.0/24 -j SNAT --to-source 128.165.237.145
iptables: invalid argument

(that's from memory, I'll post an addon if that's wrong)

My new kernel is configured like this:
Code:
CONFIG_NETFILTER=y
CONFIG_IP_NF_CONNTRACK=y
CONFIG_IP_NF_FTP=y
CONFIG_IP_NF_QUEUE=m
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_MATCH_LIMIT=y
CONFIG_IP_NF_MATCH_PKTTYPE=y
CONFIG_IP_NF_MATCH_MULTIPORT=y
CONFIG_IP_NF_MATCH_STATE=y
CONFIG_IP_NF_MATCH_CONNTRACK=y
CONFIG_IP_NF_MATCH_UNCLEAN=y
CONFIG_IP_NF_FILTER=y
CONFIG_IP_NF_TARGET_REJECT=y
CONFIG_IP_NF_NAT=y
CONFIG_IP_NF_NAT_NEEDED=y
CONFIG_IP_NF_TARGET_MASQUERADE=y
CONFIG_IP_NF_TARGET_REDIRECT=y
CONFIG_IP_NF_NAT_FTP=y
CONFIG_IP_NF_MANGLE=y
CONFIG_IP_NF_TARGET_LOG=y


If anything, there's more stuff on in the new kernel setup.

Anyone have any ideas? This was also a problem with vanilla-sources-2.4.20.
_________________
^]:wq
Author: Zu` (l33t)
Joined: 26 May 2002
Posts: 716
Location: BE

Posted: Tue Jun 17, 2003 3:04 pm

IIRC the installation of iptables uses kernel-header specific code (header files within /usr/src/linux/, so make sure this symlink points to the correct version in /usr/src).
So, basically, when you start using a different kernel version, you'll have to reinstall the iptables package.

Solution: re-emerge iptables
Code:

emerge iptables

_________________
No growth without resistance.
No action without reaction.
No desire without restraint.
Author: Houdini (Apprentice)
Joined: 14 Jun 2002
Posts: 224
Location: New Mexico Tech, Socorro, NM

Posted: Tue Jun 17, 2003 3:09 pm

Woot, that worked. Thanks.
Author: thegazer (Tux's lil' helper)
Joined: 15 Jun 2002
Posts: 76
Location: Melbourne

Posted: Thu Jun 26, 2003 12:51 am

I have 2 kernels currently, 2.4.20 gentoo-sources and 2.5.72 mm-sources.
Re-emerging iptables does work for me, but I don't want to re-install iptables every time I switch from kernel to kernel...
Is there any workaround for this?

thanks
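One thing the thread shows but nobody spells out: the original script flushes the filter and nat tables before it reaches the SNAT line that fails, so an iptables binary built against the wrong headers leaves the machine running whatever partial ruleset loaded before the error, with no policy set on INPUT. The POSIX shell script below is an added example written for this page, not code from any poster or from the iptables project. It checks the /usr/src/linux symlink against uname -r (the mismatch Zu` points to) and then probes the SNAT target, the state match and the unclean match in a throw-away chain before any flush happens, so a broken extension is caught while the old rules are still in place. The IPTABLES and KERNEL_SRC variables, the probe chain name, the 192.0.2.1 documentation address, and the assumption that an incompatible extension fails at rule-insertion time (as the "invalid argument" error in the first post does) are mine.

```shell
#!/bin/sh
# Added example, not from the thread: pre-flight checks to run before a
# firewall script flushes and reloads its rules.

IPTABLES="${IPTABLES:-/sbin/iptables}"      # hypothetical override for testing
KERNEL_SRC="${KERNEL_SRC:-/usr/src/linux}"  # Gentoo's "current kernel" symlink

# headers_match_kernel SYMLINK_TARGET RUNNING_VERSION
# Returns 0 when the tree the symlink points at (e.g. "linux-2.4.21" or
# "/usr/src/linux-2.4.20-gentoo-r5") carries the same version string as the
# running kernel ("2.4.21", as printed by uname -r).
headers_match_kernel() {
    target=$(basename "$1")
    src_version=${target#linux-}
    [ "$src_version" = "$2" ]
}

# probe_target TABLE RULE-ARGS...
# Adds one rule to a scratch chain in TABLE, which forces the match/target
# shared objects (libipt_*.so) to talk to the running kernel, then removes the
# chain again whether or not the add succeeded. Returns the add's status.
probe_target() {
    table=$1; shift
    chain="__probe_$$"
    "$IPTABLES" -t "$table" -N "$chain" || return 1
    rc=0
    "$IPTABLES" -t "$table" -A "$chain" "$@" || rc=1
    "$IPTABLES" -t "$table" -F "$chain"
    "$IPTABLES" -t "$table" -X "$chain"
    return $rc
}

# preflight: warn on a header/kernel version mismatch, then fail (non-zero)
# if any extension the ruleset relies on cannot be loaded. Run this and only
# flush the tables when it returns 0.
preflight() {
    link=$(readlink "$KERNEL_SRC") || { echo "no $KERNEL_SRC symlink" >&2; return 1; }
    headers_match_kernel "$link" "$(uname -r)" ||
        echo "warning: $KERNEL_SRC -> $link but running $(uname -r)" >&2
    # the rule that fails in the first post, with a documentation address
    probe_target nat -j SNAT --to-source 192.0.2.1 || { echo "SNAT target unusable" >&2; return 1; }
    probe_target filter -m state --state NEW -j ACCEPT || { echo "state match unusable" >&2; return 1; }
    probe_target filter -m unclean -j LOG || { echo "unclean match unusable" >&2; return 1; }
}
```

Call preflight at the top of the firewall script (it has to run as root, like the rest of it) and exit before the `-F` lines when it fails; the existing rules then stay loaded and the error points at the extension that broke, instead of showing up halfway through a reload.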