Hi!
I'm trying to get shorewall to work with kernel 2.6.11, but to no avail :(
There seems to be some problem with nat, whereupon iptables cannot set
it up. Kernel compiled on base of mandrake kernel-source, patched with
ipp2p and the ipsec patches from Tom's contrib.

Here's the error:
/sbin/iptables -t nat -A eth2_masq -s 192.168.0.0/23 -d 0.0.0.0/0 -j MASQUERADE
iptables: Invalid argument
error_message 'ERROR: Command "/sbin/iptables -t' nat -A eth2_masq -s 192.168.0.0/23 -d 0.0.0.0/0 -j 'MASQUERADE" Failed'

Attached are:
output of "shorewall debug restart";
shorewall configuration;
config used for kernel compilation

Same shorewall configuration works perfectly under kernel-2.6.8.

Any help would be greatly appreciated.

Thank you,
Mario Pizzolanti

Mario R. Pizzolanti wrote:
> Hi!
> I'm trying to get shorewall to work with kernel 2.6.11, but to no avail :(
> There seems to be some problem with nat, whereupon iptables cannot set
> it up. Kernel compiled on base of mandrake kernel-source, patched with
> ipp2p and the ipsec patches from Tom's contrib.
>
> Here's the error:
> /sbin/iptables -t nat -A eth2_masq -s 192.168.0.0/23 -d 0.0.0.0/0 -j
> MASQUERADE
> iptables: Invalid argument
> error_message 'ERROR: Command "/sbin/iptables -t' nat -A eth2_masq -s
> 192.168.0.0/23 -d 0.0.0.0/0 -j 'MASQUERADE" Failed'
>

This error is ALWAYS caused by an incompatibility between iptables and
the kernel. Your iptables MUST be compiled against a kernel source tree
that is Netfilter-compatible with the kernel that you are running.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

Tom Eastep wrote:
> Mario R. Pizzolanti wrote:
>
>>Hi!
>>I'm trying to get shorewall to work with kernel 2.6.11, but to no avail :(
>>There seems to be some problem with nat, whereupon iptables cannot set
>>it up. Kernel compiled on base of mandrake kernel-source, patched with
>>ipp2p and the ipsec patches from Tom's contrib.
>>
>>Here's the error:
>>/sbin/iptables -t nat -A eth2_masq -s 192.168.0.0/23 -d 0.0.0.0/0 -j
>>MASQUERADE
>>iptables: Invalid argument
>> error_message 'ERROR: Command "/sbin/iptables -t' nat -A eth2_masq -s
>>192.168.0.0/23 -d 0.0.0.0/0 -j 'MASQUERADE" Failed'
>>
>
> This error is ALWAYS caused by an incompatibility between iptables and
> the kernel. Your iptables MUST be compiled against a kernel source tree
> that is Netfilter-compatible with the kernel that you are running.

Hi Tom,
Thanks for your speedy reply. I thought as much myself...
Funny thing is I DID compile iptables-1.3.1 against the same kernel
source tree from which I compiled the kernel... No compilation errors.
I guess I'll try compiling iptables again.

Thanks again,
Mario

Mario R. Pizzolanti wrote:
> Thanks for your speedy reply. I thought as much myself...
> Funny thing is I DID compile iptables-1.3.1 against the same kernel
> source tree from which I compiled the kernel... No compilation errors.
> I guess I'll try compiling iptables again.

That usually means that your new iptables was installed into
/usr/local/sbin (the default) but your PATH has /sbin before
/usr/local/sbin and you end up still running the old version.

-Tom

Tom Eastep wrote:
> Mario R. Pizzolanti wrote:
>
>>Thanks for your speedy reply. I thought as much myself...
>>Funny thing is I DID compile iptables-1.3.1 against the same kernel
>>source tree from which I compiled the kernel... No compilation errors.
>>I guess I'll try compiling iptables again.
>
> That usually means that your new iptables was installed into
> /usr/local/sbin (the default) but your PATH has /sbin before
> /usr/local/sbin and you end up still running the old version.

That solved it. Thanks again.
Funny how we seem to overlook the most obvious things...
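
The stale-binary situation diagnosed in this thread can be checked with a short script. This is an added example, not part of the original messages or of Shorewall; the function names path_candidates and shadow_report are hypothetical. It lists every copy of a command on a search path in lookup order and flags the copies that never run.

```shell
#!/bin/sh
# Added example: find every copy of a command on a search path and report
# which one wins. Function names are hypothetical, not Shorewall's.

# path_candidates CMD [PATHSTRING]
# Print each executable named CMD found in PATHSTRING (default: $PATH),
# one per line, in the order the shell searches.
path_candidates() {
    cmd=$1
    search=${2-$PATH}
    old_ifs=$IFS
    IFS=:
    set -f                          # no globbing while splitting the path
    for dir in $search; do
        [ -n "$dir" ] || dir=.      # an empty entry means the current directory
        if [ -f "$dir/$cmd" ] && [ -x "$dir/$cmd" ]; then
            printf '%s\n' "$dir/$cmd"
        fi
    done
    set +f
    IFS=$old_ifs
}

# shadow_report CMD [PATHSTRING]
# Print the copy that runs and any later copies it hides.
# Returns 0 for a single copy, 1 if copies are shadowed, 2 if none is found.
shadow_report() {
    found=$(path_candidates "$1" "${2-$PATH}")
    [ -n "$found" ] || { echo "$1: not found on search path"; return 2; }
    first=$(printf '%s\n' "$found" | head -n 1)
    count=$(printf '%s\n' "$found" | grep -c .)
    echo "runs:     $first"
    [ "$count" -gt 1 ] || return 0
    printf '%s\n' "$found" | tail -n +2 | sed 's/^/shadowed: /'
    return 1
}

# Report on iptables for the current PATH.
shadow_report iptables || true
```

Running each listed binary with -V shows which version it is. The failing command in the first message was invoked as /sbin/iptables, so a copy installed under /usr/local/sbin would not have been used there regardless of PATH order.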