Louie M.
2002-Aug-22 08:23 UTC
[Shorewall-users] Shorewall 1.3.6 + Slackware 8.1 + linux kernel 2.4.19
I can't get NAT working when I upgraded from kernel 2.4.18 to 2.4.19. Everything worked prior to the kernel upgrade. Slackware comes with iptables 1.2.6a. I ran the shorewall debug start and this looks like where it's breaking...

+ run_iptables -t nat -N nat_out
++ echo -t nat -N nat_out
++ sed 's/!/! /g'
+ iptables -t nat -N nat_out
+ eval nat_out_nat_exists=Yes
++ nat_out_nat_exists=Yes
+ run_iptables -t nat -A nat_out -s 192.168.1.3 -j SNAT --to-source 216.31.155.67
++ echo -t nat -A nat_out -s 192.168.1.3 -j SNAT --to-source 216.31.155.67
++ sed 's/!/! /g'
+ iptables -t nat -A nat_out -s 192.168.1.3 -j SNAT --to-source 216.31.155.67
+ '[' Yes = Yes -o Yes = yes ']'
+ run_iptables -t nat -A OUTPUT -d 216.31.155.67 -j DNAT --to-destination 192.168.1.3
++ echo -t nat -A OUTPUT -d 216.31.155.67 -j DNAT --to-destination 192.168.1.3
++ sed 's/!/! /g'
+ iptables -t nat -A OUTPUT -d 216.31.155.67 -j DNAT --to-destination 192.168.1.3
iptables: Invalid argument
+ '[' -z '' ']'
+ stop_firewall
+ stopping=Yes
+ deletechain shorewall
+ qt iptables -L shorewall -n
+ iptables -L shorewall -n
+ run_user_exit stop

Invalid argument? These are my config files...
interfaces
#ZONE    INTERFACE    BROADCAST        OPTIONS
net      eth0         216.31.155.96    noping,norfc1918,routestopped
loc      eth1         192.168.1.255    routestopped,noping
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

hosts
#ZONE    HOST(S)                 OPTIONS
loc      eth1:192.168.1.0/24     routestopped
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE

masq
#INTERFACE    SUBNET             ADDRESS
eth0          192.168.1.0/24
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

nat
#EXTERNAL         INTERFACE    INTERNAL         ALL INTERFACES    LOCAL
216.31.155.67     eth0         192.168.1.3      Yes               Yes
216.31.155.68     eth0         192.168.1.4      Yes               Yes
216.31.155.69     eth0         192.168.1.5      Yes               Yes
216.31.155.70     eth0         192.168.1.6      Yes               Yes
216.31.155.71     eth0         192.168.1.7      Yes               Yes
216.31.155.72     eth0         192.168.1.8      Yes               Yes
216.31.155.73     eth0         192.168.1.9      Yes               Yes
216.31.155.74     eth0         192.168.1.10     Yes               Yes
216.31.155.75     eth0         192.168.1.11     Yes               Yes
216.31.155.76     eth0         192.168.1.12     Yes               Yes
216.31.155.77     eth0         192.168.1.13     Yes               Yes
216.31.155.78     eth0         192.168.1.14     Yes               Yes
216.31.155.79     eth0         192.168.1.15     Yes               Yes
216.31.155.80     eth0         192.168.1.16     Yes               Yes
216.31.155.81     eth0         192.168.1.17     Yes               Yes
216.31.155.82     eth0         192.168.1.18     Yes               Yes
216.31.155.83     eth0         192.168.1.19     Yes               Yes
216.31.155.84     eth0         192.168.1.20     Yes               Yes
216.31.155.85     eth0         192.168.1.21     Yes               Yes
216.31.155.86     eth0         192.168.1.22     Yes               Yes
216.31.155.87     eth0         192.168.1.23     Yes               Yes
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

Basically I have a T1 coming in through a router that's at 216.31.155.65 and then through the firewall at 216.31.155.66 and back out to the LAN, which is masquerading under 192.168.1.0/24, and then I NAT the public IP addresses (216.31.155.67-87) to the private IP addresses of machines that need to be seen from the outside. So, anyone else have problems? Maybe I need to use a different version of iptables.
------------------------------------------------------------------------
Neural Nightmare
"It's like Kung-fu lesson for your brain"
Head Mad Scientist
http://www.cerebrallab.com/
neural@cerebrallab.com
------------------------------------------------------------------------
PGP Fingerprint 7F13 8F0D 8F29 C375 4C2B 4570 57D1 83E1

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: PGP 7.1.1

mQEPAz1Xk6EAAAEIAPYWXfanWQQHrD+PgrmhSNWOJY+vWRsSXUZzxVizeMne6mQF
nvHx4O4lZJ5woRT28dLcsCIfvX7AJ39odA0AdFjiy3CfTmugHlzc7RK+TGdUqEUx
5cCEum15jiHZ/tS5hL7tubPi0vyP/fK9VOsx4AXUquMzj4pa8BmEw66Q9B/wuH/l
DSvGvD8VSV2iYwnM59sAEaAyoxdjHLtXt5zk5A795pY2urrhQJJ70QHMOn+P1XnE
QMh5Y7K7wrxqhLHDu6uFTNzq17U6xrnoylv/2KbYpIF42LWAQ7QU3uXzxB00OXn1
xZj+skq3SfdGpisEsb9gBOfW2a2oATi7QCkkw2kAEQEAAbQpTmV1cmFsIE5pZ2h0
bWFyZSA8bmV1cmFsQGNlcmVicmFsbGFiLmNvbT6JARUDBRA9V5OhATi7QCkkw2kB
AZMAB/sGtN/EL0YpP05E1RLDexPTP9wSrVq0MxUJcrEBvvtpNOHry/I2i8FcZnLW
Sb7MEfQXDxogc5JRqd+ikvkHKYhtrF8mgXBF16r7r1Ac6WAPmludXZaPY+7/H9K2
ygZz4QWaLZAiI629r/C4QAHGIeagmWUtpb8e1DF+kt6yIVlc/rJx7IT/JuTdL1iX
QS8ngKRIOT//JheU9N7SU0eVIDgfCKkAAZTvgsxD549AiydGAFTmL6aQLIOAqalm
8kQ8vZkqLnUoXKyHb0XY6iapYrm+6UPqS+B+VlNcDoOUJF8oC0g1W9aK8zaiS1ST
cl4HzIG9FxYsaAU/vxboQH+k40dC
=yMAO
-----END PGP PUBLIC KEY BLOCK-----
Tom Eastep
2002-Aug-22 13:42 UTC
[Shorewall-users] Shorewall 1.3.6 + Slackware 8.1 + linux kernel 2.4.19
On Thursday 22 August 2002 01:23 am, Louie M. wrote:

> I can't get NAT working when I upgraded from kernel 2.4.18 to 2.4.19
>
<snip>
> ++ echo -t nat -A OUTPUT -d 216.31.155.67 -j DNAT --to-destination 192.168.1.3
> ++ sed 's/!/! /g'
> + iptables -t nat -A OUTPUT -d 216.31.155.67 -j DNAT --to-destination 192.168.1.3
> iptables: Invalid argument
> + '[' -z '' ']'
> + stop_firewall
> + stopping=Yes
> + deletechain shorewall
> + qt iptables -L shorewall -n
> + iptables -L shorewall -n
> + run_user_exit stop
>
> Invalid argument?
>
<snip>
>
> nat
> #EXTERNAL         INTERFACE    INTERNAL         ALL INTERFACES    LOCAL
> 216.31.155.67     eth0         192.168.1.3      Yes               Yes
> 216.31.155.68     eth0         192.168.1.4      Yes               Yes

Change the LOCAL column to "No" in all records -- your kernel doesn't support NAT in the output chain. Since that never worked in previous kernels, you aren't going to notice any difference.

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
AIM: tmeastep   \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
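The following shell example is added here to show what the reply is pointing at; it is not Shorewall's code and not part of either post. It expands records of a Shorewall 1.3-style nat file into the iptables commands they stand for, so the effect of the LOCAL column can be seen without touching a live firewall. The nat_out SNAT rule and the nat-table OUTPUT DNAT rule are copied from the debug trace above; the nat_in chain, the -i handling for ALL INTERFACES=No, and the function names gen_nat_rules, set_local_no and count_output_rules are assumptions made for this example.

```shell
# Added example, not Shorewall's own code. Expands a Shorewall 1.3-style
# /etc/shorewall/nat file into iptables commands. Assumed: inbound 1:1 NAT
# lives in a nat_in chain, and ALL INTERFACES=No restricts it with -i IFACE.

# gen_nat_rules < natfile  ->  one iptables command per line
gen_nat_rules() {
    while read -r external iface internal all loc _rest; do
        case "$external" in ''|'#'*) continue ;; esac   # comments, blank lines
        in_if=""
        case "$all" in [Yy]es) ;; *) in_if="-i $iface " ;; esac   # assumption
        # inbound 1:1: packets for the public address are sent to the LAN host
        printf 'iptables -t nat -A nat_in %s-d %s -j DNAT --to-destination %s\n' \
            "$in_if" "$external" "$internal"
        # outbound 1:1: the LAN host's packets leave carrying the public address
        # (this is the nat_out rule that succeeded in the trace)
        printf 'iptables -t nat -A nat_out -s %s -j SNAT --to-source %s\n' \
            "$internal" "$external"
        # LOCAL=Yes adds a DNAT rule in the nat table's OUTPUT chain so that
        # connections made from the firewall itself to the public address reach
        # the LAN host. That is the rule that returned "Invalid argument" in the
        # trace; a kernel that rejects it makes Shorewall abort the whole start.
        case "$loc" in
            [Yy]es) printf 'iptables -t nat -A OUTPUT -d %s -j DNAT --to-destination %s\n' \
                        "$external" "$internal" ;;
        esac
    done
}

# set_local_no < natfile  ->  same file with the LOCAL column forced to "No"
# (the fix from the reply); comment lines and short lines pass through unchanged
set_local_no() {
    awk '/^#/ || NF < 5 { print; next } { $5 = "No"; print }'
}

# count_output_rules < natfile  ->  number of OUTPUT-chain rules the file creates
count_output_rules() {
    gen_nat_rules | grep -c ' -A OUTPUT ' || true
}

# Constructed sample: two records from the posted nat file, LOCAL=Yes
SAMPLE_NAT='#EXTERNAL        INTERFACE    INTERNAL        ALL INTERFACES    LOCAL
216.31.155.67    eth0         192.168.1.3     Yes               Yes
216.31.155.68    eth0         192.168.1.4     Yes               Yes
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE'

# Before the fix: every record produces an OUTPUT rule the kernel would reject
printf '%s\n' "$SAMPLE_NAT" | gen_nat_rules
printf '%s\n' "$SAMPLE_NAT" | count_output_rules
# After forcing LOCAL to No: nat_in/nat_out rules unchanged, no OUTPUT rule
printf '%s\n' "$SAMPLE_NAT" | set_local_no | gen_nat_rules
printf '%s\n' "$SAMPLE_NAT" | set_local_no | count_output_rules
```

To confirm the diagnosis on a real box, run the single OUTPUT rule from the trace by hand as root (iptables -t nat -A OUTPUT -d 216.31.155.67 -j DNAT --to-destination 192.168.1.3); if it fails with "Invalid argument" while the nat_out SNAT rule succeeds, the kernel lacks NAT in the OUTPUT chain and the LOCAL column is the only thing that needs to change.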