<litinoveweedle@quick.cz>
2004-Jan-21 01:07 UTC
FW: DNAT and masq problem with kernel 2.4.23
Hi,

after kernel upgrade to 2.4.23 my existing configuration of shorewall 1.4.8
will not start / it fails on DNAT and/or masq with message: "iptables:
Invalid argument" /

I found some similar problem descriptions - see links below, but there is
no solution how to get shorewall working with DNAT and masq with 2.4.23 kernel.

http://www.ussg.iu.edu/hypermail/linux/kernel/0312.0/0268.html
http://lists.netfilter.org/pipermail/netfilter/2003-September/046962.html

Here is the tail from the debug message. How can I force shorewall to use
the POSTROUTING chain for masq and DNAT instead of user defined chains?

    # tail /tmp/trace
    + eval exists_nat_net_dnat=Yes
    + exists_nat_net_dnat=Yes
    + run_iptables2 -t nat -A net_dnat -p tcp -d 212.24.147.254 --dport http -j DNAT --to-destination 192.168.140.2
    + [ x-t nat -A net_dnat -p tcp -d 212.24.147.254 --dport http -j DNAT --to-destination 192.168.140.2 = x-t nat -A net_dnat -p tcp -d 212.24.147.254 --dport http -j DNAT --to-destination 192.168.140.2 ]
    + run_iptables -t nat -A net_dnat -p tcp -d 212.24.147.254 --dport http -j DNAT --to-destination 192.168.140.2
    + iptables -t nat -A net_dnat -p tcp -d 212.24.147.254 --dport http -j DNAT --to-destination 192.168.140.2
    iptables: Invalid argument
    + [ -z ]
    + stop_firewall
    + set +x

Thank you very much for help
Regards

Dominik Strnad
Senior Management Engineer
Core Computer spol. s r.o.
Olbrachtova 4, 140 00, Praha 4
tel.: +420 255 770 111
fax.: +420 255 770 120
gsm: +420 724 036 612
email: dstrnad@core.cz
url: www.core.cz

---
Outgoing message contains no viruses.
Checked by the AVG antivirus system (http://www.grisoft.cz).
Version: 6.0.564 / Virus database: 356 - release date: 19.1.2004
On Wed, 21 Jan 2004 litinoveweedle@quick.cz wrote:

> Hi,
> after kernel upgrade to 2.4.23 my existing configuration of shorewall 1.4.8
> will not start / it fails on DNAT and/or masq with message: "iptables:
> Invalid argument" /
>
> I found some similar problem descriptions - see links below, but there is
> no solution how to get shorewall working with DNAT and masq with 2.4.23 kernel.
>
> http://www.ussg.iu.edu/hypermail/linux/kernel/0312.0/0268.html
>
> http://lists.netfilter.org/pipermail/netfilter/2003-September/046962.html
>
> Here is the tail from the debug message. How can I force shorewall to use
> the POSTROUTING chain for masq and DNAT instead of user defined chains?
>

You can't -- I'm afraid that you are going to have to fix your underlying
problem.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
On Tue, 20 Jan 2004, Tom Eastep wrote:

> On Wed, 21 Jan 2004 litinoveweedle@quick.cz wrote:
>
> > Hi,
> > after kernel upgrade to 2.4.23 my existing configuration of shorewall 1.4.8
> > will not start / it fails on DNAT and/or masq with message: "iptables:
> > Invalid argument" /
> >
> > I found some similar problem descriptions - see links below, but there is
> > no solution how to get shorewall working with DNAT and masq with 2.4.23 kernel.
> >
> > http://www.ussg.iu.edu/hypermail/linux/kernel/0312.0/0268.html
> >
> > http://lists.netfilter.org/pipermail/netfilter/2003-September/046962.html
> >
> > Here is the tail from the debug message. How can I force shorewall to use
> > the POSTROUTING chain for masq and DNAT instead of user defined chains?
> >
>
> You can't -- I'm afraid that you are going to have to fix your underlying
> problem.
>

Which is probably caused by your iptables utility being built with kernel
headers that are different from the ones used to compile your 2.4.23 kernel.

Try this:

    shorewall clear
    iptables -t nat -A PREROUTING -p tcp --dport 80 -d 1.2.3.4 -j DNAT --to-destination 4.5.6.7

Did that work? If so, is your PATH set the same as it is in shorewall.conf?

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
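The manual check Tom describes in the message above, turned into a small script (added here as an example; it is not code from this thread or from shorewall). The IPTABLES override, the error classification table and the find_in_path helper are my own assumptions; the probe rule reuses the placeholder addresses from Tom's command and deletes itself if it loads.

```shell
# Added diagnostic for the "iptables: Invalid argument" failure discussed in
# this thread; not from shorewall or the posters. IPTABLES may be overridden
# (e.g. with a stub) so the classification logic can be exercised without root.
IPTABLES="${IPTABLES:-iptables}"

# Map iptables' stderr to a likely cause; empty stderr means the rule loaded.
classify_iptables_error() {
    case "$1" in
        "")                          echo "ok" ;;
        *"Invalid argument"*)        echo "kernel-mismatch" ;;  # headers != running kernel
        *"No chain/target/match"*)   echo "missing-module" ;;   # nat/DNAT support absent
        *"Permission denied"*|*"must be root"*) echo "not-root" ;;
        *)                           echo "unknown" ;;
    esac
}

# Replay Tom's manual test: one DNAT rule into the built-in nat PREROUTING
# chain (placeholder addresses from the thread), removed again if it loaded.
probe_dnat_rule() {
    rule="-p tcp --dport 80 -d 1.2.3.4 -j DNAT --to-destination 4.5.6.7"
    err=$("$IPTABLES" -t nat -A PREROUTING $rule 2>&1 >/dev/null)
    rc=$?
    if [ "$rc" -eq 0 ]; then "$IPTABLES" -t nat -D PREROUTING $rule >/dev/null 2>&1; fi
    classify_iptables_error "$err"
    return "$rc"
}

# First executable named $2 along the colon-separated search path $1.
find_in_path() {
    prog=$2
    printf '%s\n' "$1" | tr ':' '\n' | while IFS= read -r dir; do
        if [ -n "$dir" ] && [ -x "$dir/$prog" ]; then printf '%s\n' "$dir/$prog"; break; fi
    done
}

# Tom's follow-up question: does the PATH= line in shorewall.conf ($1) resolve
# iptables to the same binary as the interactive shell's PATH ($2)?
shorewall_path_mismatch() {
    conf=${1:-/etc/shorewall/shorewall.conf}
    shell_path=${2:-$PATH}
    conf_path=$(sed -n 's/^PATH=//p' "$conf" 2>/dev/null | tr -d '"')
    if [ -z "$conf_path" ]; then echo "no PATH= line in $conf"; return 2; fi
    mine=$(find_in_path "$shell_path" iptables)
    theirs=$(find_in_path "$conf_path" iptables)
    if [ "$mine" = "$theirs" ]; then echo "same binary: ${mine:-none found}"; return 0; fi
    echo "shell uses '${mine:-nothing}' but shorewall.conf PATH finds '${theirs:-nothing}'"
    return 1
}
```

Run `probe_dnat_rule` as root after `shorewall clear`; a "kernel-mismatch" result with the real iptables binary points at the header/kernel incompatibility Tom suspects rather than at shorewall's chains.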
On Wed, 21 Jan 2004 litinoveweedle@quick.cz wrote:

> I found some similar problem descriptions - see links below, but there is
> no solution how to get shorewall working with DNAT and masq with 2.4.23 kernel.
>
> http://www.ussg.iu.edu/hypermail/linux/kernel/0312.0/0268.html
>
> http://lists.netfilter.org/pipermail/netfilter/2003-September/046962.html
>

This second thread's references to user-defined chains turned out to be pure
FUD -- the problem was as I suggested to you in the earlier post;
iptables<->kernel incompatibility. I was involved in that thread...

BTW -- from *my* firewall:

    Linux gateway.shorewall.net 2.4.23-1-386 #1 Sun Nov 30 16:49:14 EST 2003 i686 GNU/Linux

I also have run a stock 2.4.23 kernel compiled from kernel.org sources which
ran fine (Note: there apparently *is* a problem with masquerading in 2.4.23).

Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net