[Solved] ipchains & NAT

[caseyse]

I'm moving to newer hardware and a newer kernel, and had been using shorewall (3.4.6) w. out any problems.
I've now been beating my head against the wall for countless hours trying to get NAT working w. out success,
moving from a 2.6.19 kernel to the current 2.6.23 (have also tried 2.6.24). To determine if my shorewall config
was the problem, I tried the guarddog GUI and also received similar errors. I believe I have enabled all the
correct netfilter settings, so I'm not sure where I should look next. Any tips would be greatly appreciated.

Using my former working shorewall configuration, I get the following error:
WARNING: NAT disabled; masq rule ignored
iptables: No chain/target/match by that name
ERROR: Command "/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT" Failed
iptables: No chain/target/match by that name

# iptables -t nat -F
iptables v1.3.8: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.

.config
407 # Networking
408 #
409 CONFIG_NET=y
410
411 #
412 # Networking options
413 #
414 CONFIG_PACKET=y
415 # CONFIG_PACKET_MMAP is not set
416 CONFIG_UNIX=y
417 CONFIG_XFRM=y
418 CONFIG_XFRM_USER=m
419 # CONFIG_XFRM_SUB_POLICY is not set
420 # CONFIG_XFRM_MIGRATE is not set
421 CONFIG_NET_KEY=m
422 # CONFIG_NET_KEY_MIGRATE is not set
423 CONFIG_INET=y
424 CONFIG_IP_MULTICAST=y
425 CONFIG_IP_ADVANCED_ROUTER=y
426 CONFIG_ASK_IP_FIB_HASH=y
427 # CONFIG_IP_FIB_TRIE is not set
428 CONFIG_IP_FIB_HASH=y
429 CONFIG_IP_MULTIPLE_TABLES=y
430 CONFIG_IP_ROUTE_MULTIPATH=y
431 # CONFIG_IP_ROUTE_VERBOSE is not set
432 CONFIG_IP_PNP=y
433 CONFIG_IP_PNP_DHCP=y
434 # CONFIG_IP_PNP_BOOTP is not set
435 # CONFIG_IP_PNP_RARP is not set
436 CONFIG_NET_IPIP=m
437 CONFIG_NET_IPGRE=m
438 CONFIG_NET_IPGRE_BROADCAST=y
439 CONFIG_IP_MROUTE=y
440 CONFIG_IP_PIMSM_V1=y
441 CONFIG_IP_PIMSM_V2=y
442 # CONFIG_ARPD is not set
443 CONFIG_SYN_COOKIES=y
444 CONFIG_INET_AH=m
445 CONFIG_INET_ESP=m
446 CONFIG_INET_IPCOMP=m
447 CONFIG_INET_XFRM_TUNNEL=m
448 CONFIG_INET_TUNNEL=m
449 CONFIG_INET_XFRM_MODE_TRANSPORT=m
450 CONFIG_INET_XFRM_MODE_TUNNEL=m
451 CONFIG_INET_XFRM_MODE_BEET=m
452 CONFIG_INET_LRO=m
453 CONFIG_INET_DIAG=y
454 CONFIG_INET_TCP_DIAG=y
455 # CONFIG_TCP_CONG_ADVANCED is not set
456 CONFIG_TCP_CONG_CUBIC=y
457 CONFIG_DEFAULT_TCP_CONG="cubic"
458 # CONFIG_TCP_MD5SIG is not set
459 # CONFIG_IP_VS is not set
460 # CONFIG_IPV6 is not set
461 # CONFIG_INET6_XFRM_TUNNEL is not set
462 # CONFIG_INET6_TUNNEL is not set
463 CONFIG_NETWORK_SECMARK=y
464 CONFIG_NETFILTER=y
465 # CONFIG_NETFILTER_DEBUG is not set
466
467 #
468 # Core Netfilter Configuration
469 #
470 CONFIG_NETFILTER_NETLINK=m
471 CONFIG_NETFILTER_NETLINK_QUEUE=m
472 CONFIG_NETFILTER_NETLINK_LOG=m
473 CONFIG_NF_CONNTRACK_ENABLED=y
474 CONFIG_NF_CONNTRACK=y
475 CONFIG_NF_CT_ACCT=y
476 CONFIG_NF_CONNTRACK_MARK=y
477 CONFIG_NF_CONNTRACK_SECMARK=y
478 CONFIG_NF_CONNTRACK_EVENTS=y
479 CONFIG_NF_CT_PROTO_GRE=m
480 CONFIG_NF_CT_PROTO_SCTP=m
481 CONFIG_NF_CT_PROTO_UDPLITE=m
482 CONFIG_NF_CONNTRACK_AMANDA=m
483 CONFIG_NF_CONNTRACK_FTP=m
484 CONFIG_NF_CONNTRACK_H323=m
485 CONFIG_NF_CONNTRACK_IRC=m
486 CONFIG_NF_CONNTRACK_NETBIOS_NS=m
487 CONFIG_NF_CONNTRACK_PPTP=m
488 CONFIG_NF_CONNTRACK_SANE=m
489 CONFIG_NF_CONNTRACK_SIP=m
490 CONFIG_NF_CONNTRACK_TFTP=m
491 CONFIG_NETFILTER_XTABLES=y
492 CONFIG_NETFILTER_XT_TARGET_CLASSIFY=m
493 CONFIG_NETFILTER_XT_TARGET_CONNMARK=m
494 CONFIG_NETFILTER_XT_TARGET_DSCP=m
495 CONFIG_NETFILTER_XT_TARGET_MARK=m
496 CONFIG_NETFILTER_XT_TARGET_NFQUEUE=m
497 CONFIG_NETFILTER_XT_TARGET_NFLOG=m
498 # CONFIG_NETFILTER_XT_TARGET_NOTRACK is not set
499 CONFIG_NETFILTER_XT_TARGET_TRACE=m
500 CONFIG_NETFILTER_XT_TARGET_SECMARK=m
501 CONFIG_NETFILTER_XT_TARGET_CONNSECMARK=m
502 CONFIG_NETFILTER_XT_TARGET_TCPMSS=m
503 CONFIG_NETFILTER_XT_MATCH_COMMENT=m
504 CONFIG_NETFILTER_XT_MATCH_CONNBYTES=m
505 CONFIG_NETFILTER_XT_MATCH_CONNLIMIT=m
506 CONFIG_NETFILTER_XT_MATCH_CONNMARK=m
507 CONFIG_NETFILTER_XT_MATCH_CONNTRACK=m
508 CONFIG_NETFILTER_XT_MATCH_DCCP=m
509 CONFIG_NETFILTER_XT_MATCH_DSCP=m
510 CONFIG_NETFILTER_XT_MATCH_ESP=m
511 CONFIG_NETFILTER_XT_MATCH_HELPER=m
512 CONFIG_NETFILTER_XT_MATCH_LENGTH=m
513 CONFIG_NETFILTER_XT_MATCH_LIMIT=m
514 CONFIG_NETFILTER_XT_MATCH_MAC=m
515 CONFIG_NETFILTER_XT_MATCH_MARK=m
516 CONFIG_NETFILTER_XT_MATCH_POLICY=m
517 CONFIG_NETFILTER_XT_MATCH_MULTIPORT=m
518 CONFIG_NETFILTER_XT_MATCH_PKTTYPE=m
519 CONFIG_NETFILTER_XT_MATCH_QUOTA=m
520 CONFIG_NETFILTER_XT_MATCH_REALM=m
521 CONFIG_NETFILTER_XT_MATCH_SCTP=m
522 CONFIG_NETFILTER_XT_MATCH_STATE=m
523 CONFIG_NETFILTER_XT_MATCH_STATISTIC=m
524 CONFIG_NETFILTER_XT_MATCH_STRING=m
525 CONFIG_NETFILTER_XT_MATCH_TCPMSS=m
526 CONFIG_NETFILTER_XT_MATCH_TIME=m
527 CONFIG_NETFILTER_XT_MATCH_U32=m
528 CONFIG_NETFILTER_XT_MATCH_HASHLIMIT=m
529
530 #
531 # IP: Netfilter Configuration
532 #
533 CONFIG_NF_CONNTRACK_IPV4=m
534 CONFIG_NF_CONNTRACK_PROC_COMPAT=y
535 CONFIG_IP_NF_QUEUE=m
536 CONFIG_IP_NF_IPTABLES=m
537 CONFIG_IP_NF_MATCH_IPRANGE=m
538 CONFIG_IP_NF_MATCH_TOS=m
539 CONFIG_IP_NF_MATCH_RECENT=m
540 CONFIG_IP_NF_MATCH_ECN=m
541 CONFIG_IP_NF_MATCH_AH=m
542 CONFIG_IP_NF_MATCH_TTL=m
543 CONFIG_IP_NF_MATCH_OWNER=m
544 CONFIG_IP_NF_MATCH_ADDRTYPE=m
545 CONFIG_IP_NF_FILTER=m
546 CONFIG_IP_NF_TARGET_REJECT=m
547 CONFIG_IP_NF_TARGET_LOG=m
548 CONFIG_IP_NF_TARGET_ULOG=m
549 CONFIG_NF_NAT=m
550 CONFIG_NF_NAT_NEEDED=y
551 CONFIG_IP_NF_TARGET_MASQUERADE=m
552 CONFIG_IP_NF_TARGET_REDIRECT=m
553 CONFIG_IP_NF_TARGET_NETMAP=m
554 CONFIG_IP_NF_TARGET_SAME=m
555 CONFIG_NF_NAT_SNMP_BASIC=m
556 CONFIG_NF_NAT_PROTO_GRE=m
557 CONFIG_NF_NAT_FTP=m
558 CONFIG_NF_NAT_IRC=m
559 CONFIG_NF_NAT_TFTP=m
560 CONFIG_NF_NAT_AMANDA=m
561 CONFIG_NF_NAT_PPTP=m
562 CONFIG_NF_NAT_H323=m
563 CONFIG_NF_NAT_SIP=m
564 CONFIG_IP_NF_MANGLE=m
565 CONFIG_IP_NF_TARGET_TOS=m
566 CONFIG_IP_NF_TARGET_ECN=m
567 CONFIG_IP_NF_TARGET_TTL=m
568 CONFIG_IP_NF_TARGET_CLUSTERIP=m
569 CONFIG_IP_NF_RAW=m
570 CONFIG_IP_NF_ARPTABLES=m
571 CONFIG_IP_NF_ARPFILTER=m
572 CONFIG_IP_NF_ARP_MANGLE=m
573 # CONFIG_IP_DCCP is not set
574 CONFIG_IP_SCTP=m
575 # CONFIG_SCTP_DBG_MSG is not set
576 # CONFIG_SCTP_DBG_OBJCNT is not set
577 # CONFIG_SCTP_HMAC_NONE is not set
578 # CONFIG_SCTP_HMAC_SHA1 is not set
579 CONFIG_SCTP_HMAC_MD5=y
580 # CONFIG_TIPC is not set
581 # CONFIG_ATM is not set
582 # CONFIG_BRIDGE is not set
583 # CONFIG_VLAN_8021Q is not set
584 # CONFIG_DECNET is not set
585 # CONFIG_LLC2 is not set
586 # CONFIG_IPX is not set
587 # CONFIG_ATALK is not set
588 # CONFIG_X25 is not set
589 # CONFIG_LAPB is not set
590 # CONFIG_ECONET is not set
591 # CONFIG_WAN_ROUTER is not set
592 # CONFIG_NET_SCHED is not set
593 CONFIG_NET_CLS_ROUTE=y

# lsmod
Module Size Used by
iptable_raw 5376 0
xt_comment 4992 0
xt_policy 6656 0
xt_multiport 6016 0
ipt_ULOG 9476 0
ipt_TTL 5376 0
ipt_ttl 5120 0
ipt_TOS 5376 0
ipt_tos 4864 0
ipt_REJECT 6912 0
ipt_recent 9240 0
ipt_owner 5120 0
ipt_LOG 8832 0
ipt_iprange 4992 0
ipt_ECN 5888 0
ipt_ecn 5376 0
ipt_ah 5120 0
ipt_addrtype 4992 0
xt_tcpmss 5376 0
xt_pkttype 4992 0
xt_NFQUEUE 5120 0
xt_MARK 5248 0
xt_mark 4992 0
xt_mac 5120 0
xt_limit 5632 0
xt_length 5120 0
xt_dccp 6276 0
xt_CLASSIFY 4992 0
xt_tcpudp 6144 0
iptable_mangle 5632 0
nfnetlink 6424 0
nfsd 75432 13
exportfs 7168 1 nfsd
ipv6 193124 12
iptable_filter 5632 0
ip_tables 13508 3 iptable_raw,iptable_mangle,iptable_filter
x_tables 11396 29 xt_comment,xt_policy,xt_multiport,ipt_ULOG,ipt_TTL,ipt_ttl,ipt_TOS,ipt_tos,ipt_REJECT,ipt_recent,ipt_owner,ipt_LOG,
ipt_iprange,ipt_ECN,ipt_ecn,ipt_ah,ipt_addrtype,xt_tcpmss,xt_pkttype,xt_NFQUEUE,xt_MARK,xt_mark,xt_mac,xt_limit,
xt_length,xt_dccp,xt_CLASSIFY,xt_tcpudp,ip_tables

[Lids]

As stated by the output of iptables you're missing the nat module, though it's build in the kernel.
To correct this for the current session run:

[Dagger]

i cant see

[caseyse]

Lids and Dagger, thank you very much for your help. modprobe can't find an iptable_nat module - I've tried building it as a module and into the kernel. Unfortunately, the only iptable_nat I have on my system belongs to my 2.6.19 kernel.

[Lids]

Hi.
Right, it looks like iptable_nat have been removed from 2.6.23.. The replacement looks like to be nf_nat. If you don't have it, you should considere recompiling/reinstalling your modules, since it is set in the .config..
If it helps i have found a similare thread:
https://forums.gentoo.org/viewtopic-t-608096-highlight-iptable.html
_________________
GFX enhanced terminal: http://bterm.org * Real firewall: http://nufw.org * Useful things: http://piggledy.org

[Dagger]

[caseyse]

Thank you both very much for taking the time to post your recommendations, and for pointing me in the right direction. At your recommendations, it wasn't until I manually compiled my kernel and modules did I see a time skew problem that I wasn't seeing using genkernel. When I fixed this, my nat modules were correctly compiled and installed. This was a strange problem that I've never experienced before, as all of my other modules weren't impacted, just the nat modules. Those frequent changes to netfilter settings and this time skew issue really had me feeling beaten. After countless hours compiling and downing Bushmills, I can finally complete my server upgrade and again join the living. Have a wonderful holiday!