I'm getting this in my logs:

Feb 22 12:45:37 firewall kernel: MARK: can only be called from "mangle" table, not "nat"

Here's my tcrules file:

#MARK SOURCE DEST PROTO P
1 eth0 192.168.1.0/24 all
2 eth0 192.168.2.0/24 all
3 eth0 192.168.3.0/24 all
#
14 eth1 0.0.0.0/0 all
11 eth1 64.216.105.0/25 all
11 eth1 208.191.32.0/24 all
12 eth1 192.168.2.0/24 all
13 eth1 192.168.3.0/24 all
#
23 eth2 0.0.0.0/0 all
21 eth2 192.168.1.0/24 all
22 eth2 192.168.3.0/24 all
#
33 eth3 0.0.0.0/0 all
31 eth3 192.168.1.0/24 all
32 eth3 192.168.2.0/24 all
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT

If the tcrules file isn't what is needed, let me know and I'll get the info to you..

This is shorewall 1.3.10 at least, not sure if I've updated it or not from when I installed Bering 1.0... That brings up another question, is there some way to tell the version number if not installed via rpm? If not, might I suggest a version file, or some way to find out what it is..

---
Homer Parker                       /"\  ASCII Ribbon Campaign
                                   \ /  No HTML/RTF in email
http://www.homershut.net            x   No Word docs in email
telnet://bbs.homershut.net         / \  Respect for open standards

"Bill Gates reports on security progress made and the challenges ahead."
-- Microsoft's Homepage, on the day an SQL Server bug crippled large sections of the Internet.

--On Saturday, February 22, 2003 12:49:14 PM -0600 Homer Parker <hparker@homershut.net> wrote:

> I'm getting this in my logs:
>
> Feb 22 12:45:37 firewall kernel: MARK: can only be called from "mangle"
> table, not "nat"
>
> Here's my tcrules file:
>

The output of "shorewall status" would be much more helpful (see http://www.shorewall.net/support.htm). Also, a trace of "shorewall start" would probably be useful (see http://www.shorewall.net/troubleshoot.htm).

> This is shorewall 1.3.10 at least, not sure if I've updated
> it or not from when I installed Bering 1.0... That brings up another
> question, is there some way to tell the version number if not installed
> via rpm? If not, might I suggest a version file, or some way to find out
> what it is..

a) /sbin/shorewall has had a version command for over a year now (introduced in 1.2.5).

b) ALL .lrp's are required to have a .version file in /var/lib/lrpkg and the shorewall.lrp conforms to that requirement.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net

--On Saturday, February 22, 2003 01:17:35 PM -0600 Homer Parker <hparker@homershut.net> wrote:

> Didn't know that, thanks! So much stuff packed in this little program ;)
> And, as I just found out, status has the version as well ;)
>
> ---- Beginning of status ----

The offending command is in your own /etc/shorewall/start file.

iptables -t nat -A PREROUTING -i eth2 -p tcp --dport 80 -j MARK --set-mark 202

You undoubtedly copied that command from my Squid instructions which are also wrong; should be "-t mangle" rather than "-t nat".

-Tom

On Sat, 22 Feb 2003 11:46:02 -0800 Tom Eastep <teastep@shorewall.net> wrote....

> --On Saturday, February 22, 2003 01:17:35 PM -0600 Homer Parker
> <hparker@homershut.net> wrote:
>
> > Didn't know that, thanks! So much stuff packed in this little
> > program ;)
> > And, as I just found out, status has the version as well ;)
> >
> > ---- Beginning of status ----
>
> The offending command is in your own /etc/shorewall/start file.
>
> iptables -t nat -A PREROUTING -i eth2 -p tcp --dport 80 -j MARK
> --set-mark 202
>
> You undoubtedly copied that command from my Squid instructions which are
> also wrong; should be "-t mangle" rather than "-t nat".
>

That cleared it up, thanks!

---
Homer Parker