Hi,

I am trying to delete one of the PREROUTING rules. Here is what it looks like when I do iptables -t nat -L -n:

DNAT tcp -- 0.0.0.0/0 65.213.121.200 to:192.168.1.130

I am using this command:

iptables -t nat -D PREROUTING -i eth0 -p tcp -d 65.213.121.200 -j DNAT --to 192.168.1.130

I get an error Bad rule ...

Could someone please help. It seems I tried every combination of the command above.

It works if I manually add this rule by replacing -D with -A and then delete it, but it does NOT work when I am trying to delete the rule created by shorewall.

Val
Val Vechnyak wrote:
> Hi,
>
> I am trying to delete one of the PREROUTING rules. Here is what it looks like when I do iptables -t nat -L -n:
>
> DNAT tcp -- 0.0.0.0/0 65.213.121.200 to:192.168.1.130
>
> I am using this command:
>
> iptables -t nat -D PREROUTING -i eth0 -p tcp -d 65.213.121.200 -j DNAT --to 192.168.1.130
>
> I get an error Bad rule ...
>
> Could someone please help. It seems I tried every combination of the command above.
>
> It works if I manualy add this rule by replacing -D with -A and then delete it, but it does NOT work when I am trying to delete the rule created by shorewall.

From Reading The Fine Material available in 'man iptables':

iptables -D chain rulenum

This means you need to delete a rule based on its rule number, not its contents. Rule numbers are integers starting from 1, so try 'ipchains -D nat 29' or whatever number your rule is.

Paul
http://paulgear.webhop.net
On Wed, 8 May 2002, Val Vechnyak wrote:
> Hi,
>
> I am trying to delete one of the PREROUTING rules. Here is what it looks like when I do iptables -t nat -L -n:
>
> DNAT tcp -- 0.0.0.0/0 65.213.121.200 to:192.168.1.130
>
> I am using this command:
>
> iptables -t nat -D PREROUTING -i eth0 -p tcp -d 65.213.121.200 -j DNAT --to 192.168.1.130
>
> I get an error Bad rule ...
>
> Could someone please help. It seems I tried every combination of the command above.

First of all, you need to use the "-v" option when listing the rule -- otherwise, iptables doesn't give you all of the rule attributes.

If the rule that you are trying to delete is a static NAT DNAT rule, then it doesn't have any protocol included and your delete command would be:

iptables -t nat -D PREROUTING -i eth0 -d 65.213.121.200 -j DNAT --to 192.168.1.130

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
I am still not able to remove the rule. I dunno what I am doing wrong. This is the 13th rule out of 14 rules :).

With -v this is what I see:

0 0 DNAT tcp -- eth0 * 0.0.0.0/0 65.213.121.200 to:192.168.1.130

I am using this command exactly like it is here:

iptables -t nat -D PREROUTING -i eth0 -d 65.213.121.200 -j DNAT --to 192.168.1.130

And I get Bad Rule ....

Anyone? Please

Val

> From: Tom Eastep <teastep@shorewall.net>
> To: Val Vechnyak <vechnyak@hotmail.com>
> CC: "shorewall-users@shorewall.net" <shorewall-users@shorewall.net>
> Subject: Re: [Shorewall-users] Cannot delete a rule
> Date: Wed, 8 May 2002 06:11:48 -0700 (PDT)
>
> On Wed, 8 May 2002, Val Vechnyak wrote:
>
> > Hi,
> >
> > I am trying to delete one of the PREROUTING rules. Here is what it looks like when I do iptables -t nat -L -n:
> >
> > DNAT tcp -- 0.0.0.0/0 65.213.121.200 to:192.168.1.130
> >
> > I am using this command:
> >
> > iptables -t nat -D PREROUTING -i eth0 -p tcp -d 65.213.121.200 -j DNAT --to 192.168.1.130
> >
> > I get an error Bad rule ...
> >
> > Could someone please help. It seems I tried every combination of the command above.
>
> First of all, you need to use the "-v" option when listing the rule -- otherwise, iptables doesn't give you all of the rule attributes.
>
> If the rule that you are trying to delete is a static NAT DNAT rule, then it doesn't have any protocol included and your delete command would be:
>
> iptables -t nat -D PREROUTING -i eth0 -d 65.213.121.200 -j DNAT --to 192.168.1.130
>
> -Tom
On Wed, 8 May 2002, Val Vechnyak wrote:
> I am still not able to remove the rule. I dunno what am I doing wrong.
> This is a 13th rule out of 14 rules :).
>
> With -v this is what I see
> 0 0 DNAT tcp -- eth0 * 0.0.0.0/0 65.213.121.200 to:192.168.1.130
>

I don't know what in the world you're doing now -- Shorewall didn't create that rule.

> I am using this command exactly like it is here:
>
> iptables -t nat -D PREROUTING -i eth0 -d 65.213.121.200 -j DNAT --to 192.168.1.130
>
> And I get Bad Rule ....
>
> Anyone? Please
>

iptables -t nat -D PREROUTING -i eth0 -p tcp -d 65.213.121.200 -j DNAT --to 192.168.1.130

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
On Wed, 8 May 2002, Val Vechnyak wrote:
> I am still not able to remove the rule. I dunno what am I doing wrong.
> This is a 13th rule out of 14 rules :).
>
> With -v this is what I see
> 0 0 DNAT tcp -- eth0 * 0.0.0.0/0 65.213.121.200 to:192.168.1.130
>
> I am using this command exactly like it is here:
>
> iptables -t nat -D PREROUTING -i eth0 -d 65.213.121.200 -j DNAT --to 192.168.1.130
>
> And I get Bad Rule ....
>
> Anyone? Please
>

Wouldn't all of this be easier if you just made an alternate Shorewall configuration with only a nat file and, if the primary server stopped working, you just did a "shorewall -d <alternate config> restart"? Given your lack of knowledge of iptables, that sure seems safer. The only downside that I can see is that the switchover is a little more expensive than fiddling with individual nat rules.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
Shorewall did create this rule. This is when you told me I don't need static NAT and I should use the rules file. This rule is created by this line in the rules file:

ACCEPT net loc:192.168.1.130 tcp - - 65.213.121.200

Of course, I don't know iptables very much, but I can read off the screen very well. And when I create this very same rule by hand (i.e. type it in from the command line) it looks exactly the same as the one created by shorewall. And when I delete (by replacing -A with -D) the rule which I created, it deletes it fine. What I cannot delete is the rule created by shorewall.

Val

> From: Tom Eastep <teastep@shorewall.net>
> To: Val Vechnyak <vechnyak@hotmail.com>
> CC: "shorewall-users@shorewall.net" <shorewall-users@shorewall.net>
> Subject: Re: [Shorewall-users] Cannot delete a rule
> Date: Wed, 8 May 2002 09:41:10 -0700 (PDT)
>
> On Wed, 8 May 2002, Val Vechnyak wrote:
>
> > I am still not able to remove the rule. I dunno what am I doing wrong.
> > This is a 13th rule out of 14 rules :).
> >
> > With -v this is what I see
> > 0 0 DNAT tcp -- eth0 * 0.0.0.0/0 65.213.121.200 to:192.168.1.130
> >
>
> I don't know what in the world you're doing now -- Shorewall didn't create that rule.
>
> > I am using this command exactly like it is here:
> >
> > iptables -t nat -D PREROUTING -i eth0 -d 65.213.121.200 -j DNAT --to 192.168.1.130
> >
> > And I get Bad Rule ....
> >
> > Anyone? Please
> >
>
> iptables -t nat -D PREROUTING -i eth0 -p tcp -d 65.213.121.200 -j DNAT --to 192.168.1.130
>
> -Tom
> --
> Tom Eastep \ Shorewall - iptables made easy
> AIM: tmeastep \ http://www.shorewall.net
> ICQ: #60745924 \ teastep@shorewall.net
On Wed, 8 May 2002, Val Vechnyak wrote:
> Shorewall did create this rule. This is when you told me I dont need static
> NAT and I should use rules file. This rule is created by this line in the
> rules file.
>
> ACCEPT net loc:192.168.1.130 tcp - - 65.213.121.200
>

Yep -- I realized that after I sent the last message -- I've just never seen anyone forward ALL tcp ports before. If you're going to do that, there is no point in having a firewall because the server at 192.168.1.130 is WIDE OPEN!

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
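An added example, not from the thread or from Shorewall, that ties together the two pieces of advice given above: it reads a saved "iptables -t nat -L PREROUTING -n -v --line-numbers" listing, finds the number of a DNAT rule by its original destination and its to: address so the rule can be deleted by number as Paul suggested, and flags every DNAT rule that carries no dpt: match, which is the all-ports forward Tom calls wide open. The listing, the column positions and the function names are constructed assumptions for the example; rule 2 mirrors the rule Val is trying to delete.

```sh
#!/bin/sh
# Constructed sample of: iptables -t nat -L PREROUTING -n -v --line-numbers
# Rule 2 mirrors the rule in the thread: every tcp port to 65.213.121.200
# is forwarded to 192.168.1.130 (no dpt: match at all).
SAMPLE=$(cat <<'EOF'
Chain PREROUTING (policy ACCEPT 12 packets, 720 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       40  2400 DNAT       tcp  --  eth0   *       0.0.0.0/0            65.213.121.201       tcp dpt:80 to:192.168.1.131:80
2        0     0 DNAT       tcp  --  eth0   *       0.0.0.0/0            65.213.121.200       to:192.168.1.130
3        5   300 DNAT       udp  --  eth0   *       0.0.0.0/0            65.213.121.202       udp dpt:53 to:192.168.1.132
EOF
)

# dnat_rulenum LISTING ORIG_DEST TO_ADDR
# Prints the rule number(s) of DNAT rules whose destination column equals
# ORIG_DEST and whose target is "to:TO_ADDR" (optionally with a :port).
# With -v and --line-numbers the columns are assumed to be:
#   $1 num, $4 target, $5 prot, $7 in, $10 destination, $11.. match details
dnat_rulenum() {
    printf '%s\n' "$1" | awk -v d="$2" -v t="$3" '
        $4 == "DNAT" && $10 == d {
            for (i = 11; i <= NF; i++)
                if ($i == ("to:" t) || index($i, "to:" t ":") == 1) print $1
        }'
}

# dnat_all_ports LISTING
# Prints the rule number of every DNAT rule that carries no dpt:/dpts:
# match, i.e. one that forwards every port of the protocol to the host.
dnat_all_ports() {
    printf '%s\n' "$1" | awk '$4 == "DNAT" && $0 !~ /dpts?:/ { print $1 }'
}

# Worked run against the constructed listing. On a live firewall you would
# capture the listing yourself and delete by number with -D PREROUTING <num>.
num=$(dnat_rulenum "$SAMPLE" 65.213.121.200 192.168.1.130)
echo "matching rule: $num  (delete with: iptables -t nat -D PREROUTING $num)"
echo "DNAT rules forwarding all ports: $(dnat_all_ports "$SAMPLE")"
```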
You are right. Considering shorewall first looks at the rules file, I do have my internal system open. I guess I am back to static NAT again. But then if I use the nat file I cannot have a single DNAT with multiple SNAT. Otherwise, in my required configuration, I don't know how to forward packets from external to local network AND to filter them at the same time. I guess no one flips rules on the fly to repoint to a different server. This seems like a simple failover solution. no?

Val

> From: Tom Eastep <teastep@shorewall.net>
> To: Val Vechnyak <vechnyak@hotmail.com>
> CC: "shorewall-users@shorewall.net" <shorewall-users@shorewall.net>
> Subject: Re: [Shorewall-users] Cannot delete a rule
> Date: Wed, 8 May 2002 10:46:29 -0700 (PDT)
>
> On Wed, 8 May 2002, Val Vechnyak wrote:
>
> > Shorewall did create this rule. This is when you told me I dont need static
> > NAT and I should use rules file. This rule is created by this line in the
> > rules file.
> >
> > ACCEPT net loc:192.168.1.130 tcp - - 65.213.121.200
> >
>
> Yep -- I realized that after I sent the last message -- I've just never seen anyone forward ALL tcp ports before. If you're going to do that, there is no point in having a firewall because the server at 192.168.1.130 is WIDE OPEN!
>
> -Tom
> --
> Tom Eastep \ Shorewall - iptables made easy
> AIM: tmeastep \ http://www.shorewall.net
> ICQ: #60745924 \ teastep@shorewall.net
On Wed, 8 May 2002, Val Vechnyak wrote:
> You are right. Considering shorewall first looks at the rules file, I do
> have my internal system open. I guess I am back to static NAT again. But
> then if I use the nat file I cannot have single DNAT with multiple SNAT.
> Otherwise, In my required configuration, I dont know how to forward packets
> from external to local network AND to filter them at the same time. I guess
> no one flips rules on the fly to repoint to a different server. This seems
> like a simple failover solution. no?
>

I gave you a simple failover solution in a previous post (alternate Shorewall configuration). You apparently don't like that solution, so you can either learn enough about iptables to do what you want using Shorewall or you can try to find another firewall that supports this feature in some other way. I am not going to code up the failover script for you because then, if I change the way Shorewall does port forwarding, NAT, or whatever in a future release, your script will break and you will want ME to fix it.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net